The Coronavirus (COVID-19) continues its spread across the globe and—along with the clear public health and economic concerns—is raising numerous questions regarding privacy and data security. Data protection authorities worldwide are responding quickly, issuing guidance that variously revises and reinforces existing legal requirements. This article provides an overview of current guidance in the context of this rapidly changing event.
As the Coronavirus (COVID-19) continues its march across the globe and countries adopt increasingly drastic measures to counter the threat, public and private entities face complicated privacy and data security questions. In order to stem the spread of the virus, entities are starting to collect new categories of potentially sensitive information such as geolocation data and social contact history. In addition, entities may have problems fully complying with privacy and data security laws given the disruptions to operations caused by the outbreak.
To provide much-needed clarity, data protection authorities (DPAs) around the world are publishing guidance on how to collect and process personal data related to COVID-19 and to keep up with other obligations under privacy and data security laws.
European Data Protection (EDPB) Chair Andrea Jelinek issued a statement on March 16, 2020, reflecting the difficult balance between protecting the privacy and security of personal data an d preventing the spread of COVID-19. The statement affirms that data protection obligations should not hinder measures taken against the pandemic, but that data controllers must nonetheless ensure the security of personal data. The statement also identifies the permissible legal bases for processing personal data for employers or public authorities in relation to COVID-19, including those that do not require the data subject’s consent. According to the EDPB chair, processing necessary for the public interest in the area of public health, for the protection of vital interests or in compliance with legal obligations can all constitute valid legal bases.
The EDPB chair also specifically mentioned the relevance of the ePrivacy Directive to the processing of location data. Under the ePrivacy Directive, location data can only be processed with consent or in an anonymized form, unless emergency legislation is enacted by EU member states in the pursuit of national security or public security. The EDPB chair suggested that safeguarding public health may be a pursuit of national security or public security.
Out of the 28 national data protection authorities of European Union member states, some 20 EU countries have issued specific guidance regarding COVID-19 and data protection so far. We are beginning to see several core principles emerge from this guidance:
COVID-19 sensitive personal data, such as medical symptoms and diagnosis, travel history, and contacts with those who have been diagnosed can be processed on the basis of safeguarding public health.
The fact that an employee has tested positive for COVID-19 can be disclosed, but identifying information about the individual, in particular the individual’s name, should not be disclosed.
European DPAs have scrutinized if not discouraged or prohibited mass surveillance techniques by data controllers, such as use of questionnaires or temperature checks, other than those performed by health authorities.
Security measures must still be implemented to protect COVID-19 personal data.
France’s National Commission on Informatics and Liberty (CNIL) issued a strongly worded statement emphasizing the role of public health authorities over private entities in the processing of health data. The statement is consistent with the traditionally strict position regarding data protection and privacy under French law. Although the CNIL acknowledges employers’ obligation to protect the health and safety of employees, it makes very clear that employers’ role in this pandemic should remain limited.
The CNIL emphasizes the double protection that applies to health data under French law, and continues by forbidding mandatory temperature checks and collection of medical questionnaires. Although such measures are identical to those prohibited by the Luxembourg Authority, it is noteworthy that the CNIL starts its recommendation by outlining what is prohibited rather than permitted.
The CNIL’s approach is stricter than the United Kingdom or Ireland, and, as noted above, is in line with the French position regarding the processing of health data in the context of pandemics, which is that such processing activities are primarily the responsibility of public health authorities. Moreover, under French law, any health data processing activity must demonstrate an element of public interest, whether it be carried out by public or private entity.
Luxembourg’s National Commission for Data Protection (CNPD) released guidance that, like CNIL’s guidance, focuses on limitations in processing activities that organizations should be aware of in the midst of COVID-19.
Belgium’s Data Protection Authority (ADP) published a statement explaining the valid legal bases of processing and the duty of employers to ensure a safe work environment. The statement heavily limits the practical measures employers can take in response to COVID-19.
Taken as a whole, the three francophone (French-speaking) authorities firmly prohibit employers from certain health data collection techniques, such as mandatory temperature checks or collection of medical questionnaires. In addition, all three authorities prohibit employers from disclosing the identities of persons who have been infected, as it would constitute a breach of confidentiality.
Spain’s Data Protection Agency (AEDP) issued a short statement accompanied by a lengthier report on COVID-19, in which it analyzes in detail the legal bases under which personal data and health data may be processed in the context of COVID-19. The AEDP provides reminders that health data processing must meet the requirements for sensitive data processing in addition to the requirements for general personal data processing. Such health data processing must also meet the requirements of the various public health and interest justifications for processing health data, including to prevent the spread of epidemics.
Ireland’s Data Protection Commissioner (DPC) has adopted perhaps the most flexible position with respect to the collection of COVID-19 data, with detailed guidance and useful FAQs. The DPC asserts that data protection law does not stand in the way of management of public health issues. Data collection conducted in response to COVID-19 is permissible but must continue to comply with data processing principles established under GDPR and local law, including the implementation of suitable safeguards such as access controls, time limits on erasure and staff training. Such health data processing must be necessary and proportional, transparent and limited to the minimum amount of data necessary, and relevant decision making must be documented.
The DPC instructs that employers can ask staff and building visitors for information on recent travel history and COVID-19 symptoms, but more stringent methods, such as using a questionnaire, require a strong justification based on necessity, proportionality and an assessment of risk. Similarly, an employer can require employees to inform the employer if they have been diagnosed with COVID-19, including use of medical certificates, but can only record information that is justified, factual and necessary. The DPC informs that the decision to send a sick employee home is an employment law matter, not a data protection matter. Any communication to the workforce should not name the affected individual.
Finally, the DPC expresses some flexibility with responding to data subject requests and enforcement. The DPC writes that though the timelines for responding to data subject requests are set down in law in the GDPR, the DPC recognizes that unavoidable delays may arise as a direct result of the impacts of COVID-19. It encourages organizations experiencing difficulties in responding to requests to communicate with the subject to take advantage of the two-month extension period allowed under GDPR. Alternatively, the DPC recommends responding to requests in stages. The DPC will take into account “extenuating circumstances” should a complaint be made to them in this respect.
The United Kingdom
The UK Information Commissioner’s Office (ICO) has adopted a position similar to that of Ireland’s DPC, emphasizing that privacy and data protection considerations should not and legally do not stand in the way of effectively addressing the COVID-19 pandemic. Like the DPC, the ICO advises that organizations are authorized to collect health and travel data about employees in relation to COVID-19 and share that an employee may have contracted COVID-19 without disclosing the employee’s identity.
The ICO goes further than the DPC, acknowledging “understandable delays” in responding to data subject rights, and gives assurance that organizations will not be penalized should their data protection practices not meet the “usual standard” because of the “need to prioritize other areas or adapt their usual approach during this extraordinary period.” The ICO nonetheless reminds entities that only necessary data collection and processing should be conducted and that such collection and processing should be accompanied by the necessary safeguards. The same kinds of security measures for “homeworking” should apply to normal circumstances.
Asia and the Pacific
The Cyberspace Administration of China (CAC) issued a notice on February 9, 2020, reiterating broadly the existing data protection rules and regulations. The notice was issued following a leak of personal information of individuals who had traveled out of the city of Wuhan following the outbreak of COVID-19. The notice reiterates that only public health authorities with authorization under the Cybersecurity Law and other health regulations are authorized to collect or use personal information in relation to COVID-19 without consent. The notice also provides a reminder of the principle of data minimization under the Personal Information Security Specification, reiterates that personal information should only be used for the purpose for which it was collected and not disclosed without consent, and requires the implementation of security measures.
Although the text is drafted in a restrictive manner, highlighting collection and disclosure limits and possible sanctions, it also encourages “competent companies” or “capable firms” to conduct big data analyses under the direction of relevant authorities.
Despite the absence of COVID-19-specific data protection guidance by the Personal Information Protection Commission (PIPC), South Korea has been actively using the criminal provision created by its Personal Information Protection Act (PIPA) to address unauthorized disclosure of personal information by government officials. As of March 4, 2020, 10 cases were being investigated by the Prosecutor’s Office for violations of the PIPA.
Although the Federal Office of the Privacy Commissioner of Canada has not issued guidance material related specifically to COVID-19 as of March 18, 2020, three regional authorities from Canada have issued statements regarding data collection and processing:
British Columbia’s Office of the Information and Privacy Commissioner (OIPC) issued a short statement reminding that the provincial health officer is the relevant authority for the collection and use of personal information, and recommending that entities with questions related to data collection to directly contact the British Columbia OIPC.
The OIPC of Newfoundland and Labrador issued detailed guidance material in the form of a slide deck. The Newfoundland and Labrador OIPC mentions that there exist exceptions under the relevant privacy and health data protection laws for an emergency where public interest trumps privacy protection, and explains how the exceptions would apply in the context of a pandemic. The guidance material is directed, however, primarily at public entities and health organizations.
The OIPC of Alberta similarly highlights the exceptions to applicable privacy and health data laws in emergency situations. Specifically, the OIPC of Alberta explains that under the Personal Information Protection Act, there exist exceptions to the general rule requiring consent for data collection and use, such as:
Authorization by an enactment
For the interests of the individual when consent cannot be obtained
When necessary to respond to an emergency threatening the life, health or security of an individual or the public
To contact a next of kin or friend of an injured, ill or deceased individual.
Several US agencies have issued guidance on privacy and data security in relation to COVID-19. The Department of Homeland Security’s Cyber and Infrastructure Security Agency, the Federal Trade Commission and the Secret Service have all issued guidance on avoiding phishing and scam emails relating to COVID-19. The Department of Health and Human Services (HHS) has waived sanctions and penalties against covered hospitals for certain provisions under the HIPAA Privacy Rule, including the requirement to obtain a patient’s consent before speaking with friends or family members about care, the requirement to distribute a notice of privacy practices, the patient’s right to request privacy restrictions, and the patient’s right to request confidential communications. As COVID-19 continues to spread through the United States, additional guidance is being issued by local, state and federal agencies. See the McDermott FAQs posted previously and the McDermott March 19 webex on this subject, noted above.
Alex Jiou Park, trainee in the Paris office, also substantially contributed to this client alert.