European guidelines on personal data processing during the Covid-19 outbreak

The COVID-19 pandemic is sparking debate about the relationship between the right to privacy and the right to health, as if the first hindered the second.

Actually, the two rights can, and must, always coexist, especially during an emergency in which there could be a strong temptation to lower the guard.

In this situation, the Italian Data Protection Authority and the European Data Protection Board (EDPB) have reiterated that the General Data Protection Regulation does not represent an obstacle to preventive measures.

On March 19th, 2020, the EDPB also released a formal statement underlining that a health emergency can be a legal condition legitimizing restrictions of freedoms, provided they are proportional and limited to the emergency period.

Regulation 2016/679 has a wide reach and contains rules that apply to personal data processing in circumstances such as the COVID-19 outbreak. Recital no. 46 explicitly refers to the control of an epidemic.

In Articles 6 and 9, the GDPR allows the competent public authorities to process personal data and special categories of personal data, in particular when the processing falls within the area of competence attributed to the public authority by national law.

Moreover, in the employment setting, the processing of personal data can be necessary for compliance with a legal obligation. In this case, the GDPR provides a derogation from the prohibition on processing certain categories of personal data, as stated in art. 9.2.c and 9.2.i.

Regarding the processing of data in the telecommunications context, such as user location data, the EDPB warns that national laws implementing the E-Privacy Directive have to be respected. The introduction of legislative measures to safeguard public safety must be exceptional, and it must comply with the principles of necessity, proportionality, and adequacy.

With regard to the use of mobile user location data to monitor and contain the spread of the virus, the EDPB asserts that public authorities must first try to process location data anonymously. If that is not possible, the E-Privacy Directive enables European Member States to introduce legislative measures to safeguard public safety, but the most proportionate and least intrusive solutions should be preferred.

Even if data processing is possible and necessary to protect public health, the protection of fundamental human rights cannot be forgotten.

The data, even when collected by an app, must be processed for specific and explicit purposes, and users have to be informed about the processing activities, including the retention periods and purposes.

Those managing the data must attend to security and adopt measures that prevent the disclosure of data to unauthorized parties. This precaution is even more important given what is at stake.

Any measure to safeguard our health is welcome, but incompetence and shallowness must be avoided at all costs.