Data Protection under SARS-CoV-2
The sudden outbreak of cases of COVID-19-afflictions ("Corona-Virus"), which was declared a pandemic by the WHO affects data protection in various ways. Different data protection authorities published guidelines for employers and other parties involved in the processing of data related to the Corona-Virus (read more below).
The Corona-Virus has also given cause to the use of different technologies based on data collection and other data processing activities by the EU member states and private companies. These processing activities mostly focus on preventing and slowing the further spreading of the Corona-Virus and on monitoring the citizens' abidance with governmental measures such as quarantine. Some of them are based on anonymous or anonymized data (like for statistics or movement patterns), but some proposals also revolved around personalized tracking.
At the moment, it is not easy to figure out, which processing activities are actually supposed to be conducted and which are only rumors. This page will therefore be adapted once certain processing activities have been confirmed. For now, this article does not assess the lawfulness of particular processing activities, but rather outlines the general conditions for data processing in connection with the Corona-Virus.
It must be noted that several activities - such as monitoring, if citizens comply with quarantine and stay indoors by watching at mobile phone locations - can be done without having to use personal data under Article 4(1) GDPR, if all necessary information can be derived from anonymised data. The GDPR does not apply to activities that only rely on anonymised data.
Principles of Article 5 GDPR
Regardless of the exceptional situation, data processing activities in connection with measures against the Corona-Virus that rely on personal data (Article 4(1) GDPR) have to comply with the principles of data processing as lined out in Article 5 GDPR (read more). As a situation like the Corona-Outbreak will often allow processing under different legal basis (see below), the main element to contain disproportionate processing, are the principles in Article 5:
- Lawfulness, fairness and transparency: Data processing must be lawful under Article 6 GDPR and/or Article 9 GDPR. Some member states have already passed laws that deal with the Corona-Virus which must be taken into consideration when assessing the lawfulness of processing. See below for more information. Furthermore, processing must be fair and transparent. This includes i.e. that data subjects whose data is being processed for purposes of fighting the Corona-Virus must be informed under Article 13 GDPR or Article 14 GDPR once their data has been obtained.
- Purpose limitation: Personal data collected for specific purposes, like preventing/slowing the further spreading of the Corona-Virus within a company, monitoring the citizens' abidance with governmental measures, medial research or tracking of interactions with infected persons shall only be processed for these purposes. The purpose must be in line with the legal basis chosen by the controller or defined by national legislation.
- Data minimisation: Only personal data that is truly necessary for these purposes may be collected and processed. It is not possible to process data that is not crucially necessary to fulfill the choose purpose.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. Especially "big data" and "quick and dirty" approaches that may be though of at times of crisis, may conflict with this principle. In cases where personal consequences may rely on data (e.g. limitation of movement, access to health care or saving people from infections) the accuracy of personal data is of utmost importance.
- Storage limitation: Once the purposes for processing are fulfilled, the data must be deleted or anonymised. When processing data about individual persons, the currently established timelines (e.g. the now common 14 days of quarantine) also form the basis for any storage limitation. Data may be anonymized, to be further used for statistics or research purposes.
- Integrity and confidentiality: Appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage must be ensured with the implementation of technical or organisational measures (Article 32 GDPR). Taking security measures seriously is especially crucial when processing operations are stated under short timelines and pressure and the wider populations should trust these measures.
Legal Basis under Article 6 GDPR
Insofar data processing concerns only personal data, that does not qualify as special categories of personal data (such as health data under Article 9(1) GDPR (see below)), processing activities can realistically be based on:
- Article 6(1)(d) GDPR, if processing is necessary to protect vital interests of the data subject or of another natural person; since the Corona-Virus is considered to be highly virulent, data can be processed in order to protect both infected people and others, to prevent them from being infected.
- Article 6(1)(e) GDPR, if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; this legal basis can be invoked by public authorities pursuing the mentioned purpose. Such a measure may be based on a national implementing law (Article 6(2) GDPR).
- Article 6(1)(f) GDPR, legitimate interests pursued by the controller or by a third party; this legal basis may also be invoked by private controllers, since there will not always be vital interest of the data subject or of other persons at stake, but processing is only necessary for "less severe" reasons, e.g. if certain goods and services are limited due to difficulties of supply and it must be ensured that these goods and services are equally distributed among customers. Article 6(1)(f) GDPR does not apply to processing carried out by public authorities in the performance of their tasks; these authorities have to rely on Article 6(1)(e) GDPR.
Legal Basis under Article 9 GDPR
Article 9(1) GDPR lines out the conditions under which special categories of personal data may be processed. With regards to the Corona-Virus this mostly concerns health data, genetic data and biometric data for the purpose of uniquely identifying a natural person (e.g. at airports or state borders).
Article 9(2)(i) GDPR deals with scenarios such as the current Corona-Virus, which qualifies as a "serius cross-border threat to health":
- "[...] processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy."
Furthermore, the recent Latvian DPA (the DVI)'s guidelines highlight that Article 9(2)(j) GDPR could be a legal basis for scientific research purporses or statistical purposes.
Lastly, Recital 46 of the GDPR specifically mentions epidemic scenarios:
- "The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters."
Other elements of GDPR
The concept of "privacy by design" Article 25 GDPR seems crucial in designing larger scale systems. As many processing operations will relate to sensitive health data, special precautions from a data security standpoint Article 32 GDPR should be observed.
In addition, data protection impact assessments under Article 35 GDPR will be mandatory regarding a lot of these processing activities, especially in cases of large scale processing of special categories of personal data (Article 35(3)(b) GDPR) or the systematic large scale monitoring of publicly accessible areas (Article 35(3)(c) GDPR).
In the context of the Corona Virus, the EU/EEA data protection authorities released guidelines on the processing of personal data and also on the continuity of their tasks in times of the Corona-Virus:
The Data protection authority (the DSB) issued guidelines here. The DSB explained the existing legal basis for the collection and processing of health data by employers, in particular the transfer of sensitive data to health authorities. In addition, the DSB provided a sample form for the collection of private contact details of employees in order to warn about an infection in the company. An information sheet about data security and home office can also be found on the webpage.
The Bulgarian Parliament adopted Law on Measures and Actions during the the state of emergency. One of the measures requires the establishment of checkpoints at the regional cities so that law enforcement authorities can check people.
The Bulgarian DPA (CPDP) issued an opinion regarding the legality of the the processing of personal data by the Ministry of Interior by collecting declarations from citizens passing through the checkpoint.
The Data protection authority (the AZOP) issued guidelines here. It focused on the health data of employees and stressed that a valid legal basis would be either Article 6(1)(c) GDPR, or Article 6(1)(d) GDPR or Article 9(2)(b) GDPR.
The Data protection authority (the UOOU) issued FAQS (Frequently asked questions) here. The FAQs focused on the acknowlegment of the state of emergency under Article 9(2)(i) GDPR and its the consequences on data subjects' rights.
The Data protection authority (Datatilsynet) issued guidelines on working from home here. It contains advice to the employers and employees. Datatilsynet emphasized the importance of internal guidelines for working at home and related security measures, which shall be taken on company and personal devices.
Datatilsynet also issued guidelines for employers on handling information about employees who are infected with COVID-19 or who have traveled in risk areas here.
The Data protection authority (the AKI) issued guidelines here. The AKI explained whether the employer is entitled to request medical records from employees.
The Data protection authority (the CNIL) issued guidelines here. The CNIL addressed the numerous requests from businesses about the collection and sharing of employees' health data. Moreover, the CNIL released guidelines on the good practices for home office regarding the security of the processing here.
The Federal Data protection authority (the BfDi) issued guidelines here, as well as the DPA of Bradenburg, see here. The BfDI emphasized the sensitivity of personal data in the context of COVID-19 and the continuing responsibility to comply with the data protection principles.
The Data protection authority (the HDPA) issued guidelines here. The DPA stressed that the right to the protection of personal data is not absolute and that its application should be balanced against other fundamental rights, taking into consideration the principle of proportionality. However, it emphasised that any communication of personal data (and particularly health data) to third parties shall not be allowed if it can lead to discrimination and stigmatisation.
The Data protection authority (the NAIH) issued guidelines here. The NAIH listed the data protection measures that are expected from the employers arising from the responsibility for ensuring the conditions for the safe performance of work. It also addressed the fact that health care providers and doctors shall still comply with data protection.
The Data protection authority (the Persónuvernd) issued guidelines here. The guidelines refer to the general data protection principles that need to be followed. It further contains recommendations for employers and schools.
The Data protection authority (the Garante per la protezione dei dati personali) issued guidelines "No do-it-yourself (DIY) data collection" here. The Garante mainly recommended that private and public bodies must refrain from collecting, in advance and in a systematic and generalised manner, the employees' and workers' personal data and must follow the instructions from the Ministry of Health and the competent institutions.
The Data protection authority (the DPC) issued guidelines here. The DPC elaborated on the application and meaning of the general data protection principles in the context of processing of personal data related to the virus. The DPC further focused on the existing rights of employers and the time to answer the requests of data subjects.
The Data protection authority (the DVI) issued guidelines here. The DVI clarified that the processing of sensitive data in such circumstances is lawful if necessary to protect the vital interests of the data subject or other natural person (eg surveillance of an epidemic) and for reasons of public interest in public health serious cross-border threats to health, pursuant to Article 9 (2) (i) and (j) GDPR.
The Data protection authority (the CNPD) issued guidelines here. The CNPD wrote some recommendations addressed both to private and public sphere and concerning the measures which have to be implemented for the prevention, information, and safety of all the stakeholders'.
The Data protection authority (the AP) issued guidelines here. The AP focused on the measures the employer has to take to and process sensitive data and further explains which information the employer is allowed to request and collect when an employee is ill. Both employers and employees has to follow the guidelines of the National Institute for Public Health and the Environment. The AP also offers guidelines how to work save at home and protect sensitive data here.
The Data protection authority (the Datatilsynet) issued guidelines here. Datatilsynet answered questions regarding the use of video services for communications and webcams for schools. Further recommendations relate to the data processing from health authorities, hospitals and companies in their role as controller or processors and as employers.
The President of the Personal Data Protection Office (UODO) issued a statement here. The President of UODO informed that the issues related to the processing of health data as a result of activities aimed at preventing spread of COVID-19 virus are regulated in the specific legal provisions, in particular in the so called "Special Law" of 2 March 2020. The President of UODO stated that the provisions on the protection of personal data cannot be considered as an obstacle to conducting activities with regard to fighting the virus. The adopted provisions of the Special Law do not conflict with the principles of data processing and do not infringe the GDPR.
The Data protection authority (the ANSPDCP) issued guidelines here. The ANSPDCP focused on the processing of health data under exceptional circumstances and it underlined the importance of data controllers complying with their obligations for information and transparency and for maintaining security of processing.
The Data protection authority (the IP) issued guidelines here. The IP focuses on the disclosure and processing of personal data from medical institutions and others working in the health sector. It also elaborates on the processing of statistical data in this context.
The Data protection authority (the AEPD) issued guidelines here (also available in English here). Additionally, it has also published a FAQ document, a small communication regarding webs and apps offering self-evaluation and tips on COVID-19, and another small communication regarding phishing campaigns on COVID-19.
The Data protection authority (the Datainspektionen) issued guidelines here. Datainspektionen answered questions relating to the responsibilities of the employer and the processing of personal data in connection with the virus.
The Data protection authority (the ICO) issued guidelines here. The ICO mainly focused on the processing of personal data in the employment context, i.e the security measures which have to be implemented during homeworking, collection and sharing of the employees' health data.
The EDPB issued a statement on 16 March 2020 here. Mainly, the EDPB focused on the processing necessary for reasons of public interest or to protect vital interest or to comply with another legal obligation (Articles 6 and 9 GDPR). Also, the EDPB mentioned that additional rules for the processing of electronic communications apply, in the light of the ePrivacy Directive.
On 19 March 2020, the EDPB adopted a full statement here, explaining the lawfulness of processing, processing in the employment context as well as processing of location data.
Envisaged or conducted processing activities regarding COVID-19 per EU member state
The following table shows data processing activities that have been envisaged by EU member states or private companies or that already have been implemented:
|EU member state||Processing Activities||Status||Comments||Source|
|Austria||Telecommunication provider A1 transmits - allegedly anonymised - location data of mobile phone users to the Austrian government||Confirmed||The purpose of this processing activity is to track the decrease of the presence of citizens in public areas.
According to A1, the location data are being anonymised by assigning randomly generated numbers to each mobile phone user. These numbers are changed every 24 hours. A1 also stated on its home page, that movement of persons is only analysed and visualised in "groups of 20 or more people", since the technology has originally been developed to track streams of tourists in the proximity of tourist attractions.
Concerns have been voiced that there is no legal basis for the processing of historical location data. In addition, it is unclear whether the assignment of random temporary numbers qualifies as anonymisation or is a measure of mere pseudonymisation. If the latter is true, the GDPR fully applies.
|The Austrian Red Cross (Österreichisches Rotes Kreuz) has announced the deployment of a mobile phone app, which allows users to track their "digital handshake" - allegedly using only anonymised data. If an app-user is confirmed to be infected with the Corona-Virus, other app-users that have been in contact with the afflicted app-user are informed via the app.||Officially announced||Appartently, each app-user is assigend a (random?) ID and feeds the app with the IDs of persons he or she has been in contact with, which is done via an ultrasound audio beacon between the devices. The app-user is notified later, if one of his recent contacts has been infected, without disclosing the ID of the infected person. These IDs are retained for a period of only 48 hours.
However, this set-up still gives rise to doubts that the data are truly anonymised for all parties involved: In cases where the app-user has only been in contact with a small amount of people, it might be very easy for him or her to identify the infected person by taking notes on whom he/she has entered into the app. As the data are stored for only 48 hours it is also possible for the app-users to simply remember their encounters. Thus, the data might me anonymised for the Red Cross, but not for the app-users themselves (the app is said to collect no data of the mobile phone user).
|Bulgaria||On 13th March 2020 the Bulgarian Parliament adopted Law on Measures and Actions during the the state of emergency, effective as of 23rd March 2020, published with State Gazette No 28/24.03.2020. One of the measures adopted requires the establishment of checkpoints at the regional cities so that law enforcement authorities can check people (Article 9 and 10). Bulgarian citizens are allowed to travel between regional cities only when there is an urgent need for that - going to work, health reasons or returning to their permanent or current address. Bulgarian citizens can pass these checkpoints only with filled declaration.||Implemented||In this regard, the Bulgarian DPA issued an opinion regarding the legality of the the processing of personal data by the Ministry of Interior by collecting declarations from citizens passing through the checkpoint.||Text is available here|
|With para. 41 of the Law on Measure and Actions during the state of emergency, the Electronic Communications Act is amended giving the power to the law enforcement authorities to track citizens' mobile phone and identify their location only if the citizen is put under mandatory quarantine and does not follow the instructions given or refuse to follow them. The telecommunication companies shall provide the law enforcement authorities with the location data upon their request, i.e. no approval by the court is necessary.||Implemented||Example||Example|
|Republic of Cyprus||Example||Example||Example||Example|
|France||Processing carried out by open e-communication network operators.||The French Parliament ('l'Assemblée nationale') and the Senate ('le sénat') adopted the Law on the first reading. The Law is not yet in force.||
In the first reading version amended by the Senate, the operators were allowed to take any measures necessary to ensure that the priority needs of the population continue to be met in such crisis situation. The amendment has been deleted. See the enacting progess here.
|The provisory version adopted by the Parliaments does not contain any provision regarding any processing of personal data here.|
|Norway||Bergen municipality implemented a location based alert and information system.||Confirmed||The implemented system is used for "geo-fencing" the municipality, so that people arriving within the perimeter are notified of restrictions to avoid infection. In addition, the system can send an alert to all SIM-cards in a geographic area to break up crowds. Apparently, only an approximation of the number of people in a given area and of a certain size is provided, as well as different nationalities connected to SIM-cards.
According to the municipality, the data is received aggregated from the telecommunication providers.
|The Norwegian Institute of Public Health is working on an app to track people's movement||Exact details unclear||Working together with the state owned research and development company Simula Research Laboratory, the Norwegian Institute of Public Health is currently working on an app to track peoples movements in order to see who has been close to someone infected. The national public broadcaster NRK reported on source code that contained examples on how to discover people who had been within 50 meters of each other for at least a minute.
The Norwegian Institute of Public health confirmed that they were considering an app for tracking, but that no decision had been taken yet. According to the Institute of Public Health's newly published risk assessment of the virus, they are only a few days away from launching an app.
|Poland||On 7 March 2020, the Minister of Health adopted a Regulation on the list of diseases giving rise to obligatory quarantine or epidemiological surveillance and the period of obligatory quarantine or epidemiological surveillance (Dz. U., 2020, item 376). Since the entry into force of this Regulation, persons infected or suspected of being infected with coronavirus shall be administered to surveillance measures if the health services so decide.||Confirmed||The Polish police conducts regular checks of the persons who are subject of the 14-day quarantine obligation. Officers call the person's phone and ask them to look out the window or have a short conversation over the intercom or videophone.