The world is facing extraordinary circumstances as a result of the COVID-19 pandemic. Governments and public and private institutions worldwide are struggling to mitigate the spread of the virus by implementing measures that may include, amongst other things, the processing of personal data.
Data protection law does not interfere with the fight against the virus, since it is in all our interests to fight with whatever weapons we can to stop the spread and eradicate the present threat. Nevertheless, when deploying any necessary measures, data controllers and processors must ensure the protection of the data subjects with respect to their personal data, even in these exceptional times.
In Romania, as in other countries, although the declaration of the state of emergency can be a legitimate reason to restrict the rights and fundamental freedoms of citizens, these restrictions must comply with general principles of law, must be necessary, proportionate and limited to the duration of the state of emergency.
EU Regulation 2016/679 (“GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and which repeals Directive 95/46/EC, allows competent public health authorities and employers to process personal data in the context of an epidemic, in accordance with national law and within the conditions set therein.
In accordance with the statement of the European Data Protection Board (“EDPB”) and the National Supervisory Authority (“ANSPDCP”) on data processing in the context of COVID-19, we have put together an overview on the applicable rules during these exceptional circumstances.
1. Considerations for data controller and processors
As regards the lawfulness of processing, health data can be processed, if:
a) the processing is necessary for the purposes of carrying out obligations and exercising specific rights of the controller, or of the data subject, in the field of employment, social security and social protection law in so far as it is authorised by EU or Member State law, or by a collective agreement pursuant to Member State law, and it provides appropriate safeguards for the fundamental rights and the interests of the data subject (Article 9 par.2 (b) of GDPR);
b) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent (Article 9 par.2 (c) of GDPR);
c) the processing is necessary for reasons of substantial public interest on the basis of EU or Member State law and shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (Article 9 par.2 (g) of GDPR);
d) the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of EU or Member State law, or pursuant to a contract with a health professional, and subject to the conditions and safeguards referred to in paragraph 1c) above (Article 9 par.2 (h) of GDPR);
e) the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health and ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (Article 9 par.2 (i) of GDPR);
Other categories of data can be processed based on the conditions stipulated in Article 6 of GDPR.
Furthermore, Article 23 par. 1(e) of GDPR stipulates the restrictions on the data controllers’ obligations, and the corresponding data subjects’ rights, that may be imposed by member state law, in so far as such restrictions respect the essence of the fundamental rights and freedoms and are necessary and proportionate measures in a democratic society to safeguard public health.
In addition, processing of personal data should also be regarded as lawful where it is necessary to protect an essential interest such as the data subject’s life or that of another natural person. So processing may serve both the important grounds of public interest and the data subject’s vital interests; for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
With regard to the processing of telecom data, such as location data, data controllers must comply with the provisions of EU Directive 2002/58/EC (“ePrivacy Directive”) concerning the processing of personal data and the protection of privacy in the electronic communications sector, as well as those of Romanian Law no. 506/2004 on data processing and protection of privacy in the electronic communications sector.
As a result, location data can only be processed in one of the following situations:
- when the data referred to is transformed into anonymous data;
- with the explicit prior consent of the data subject as to the extent of, and the necessary period for, the provision of a value-added service; or
- when the service that provides the location function aims to transmit unidirectional and undifferentiated information to users.
However, Art. 15 of the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security. Such exceptional legislation is only possible if it constitutes a necessary, appropriate and proportionate measure within a democratic society. These measures must be in accordance with the Charter of Fundamental Rights and the European Convention on Human Rights (“ECHR”). Moreover, it is subject to the judicial control of the European Court of Justice and the European Court of Human Rights. In the case of an emergency situation, it should also be strictly limited to the duration of the emergency at hand.
Although an epidemic situation may entail certain derogations of the data controller’s obligations, and data subject’s rights, the principle of data processing security must be fully respected. When talking about suitable and specific measures to safeguard the fundamental rights and the interests of the data subject, data controllers must comply with the provisions of Art. 32 of GDPR that stipulates the appropriate technical and organisational measures to ensure a high level of processing security, as well as confidentiality policies ensuring that personal data is not disclosed to unauthorised parties.
In addition, data controllers must be able to guarantee and demonstrate that data processing is performed in accordance with the GDPR principle and to keep a record of such processing activities containing the purposes of the processing, the categories of data subjects and of the personal data, the categories of recipients, the envisaged time limits for erasing the data and a general description of the technical and organisational security measures implemented by the data controller.
Moreover, when the data processing is necessary for reasons of substantial public interest, data controllers must comply with the provisions of Article 6 of Romanian Law no. 190/2018 on measures to implement the GDPR, which mentions the following necessary safeguards:
- appropriate technical and organisational measures to respect the principles enshrined in the GDPR, in particular data minimisation, integrity and confidentiality principles;
- appointment of a data protection officer, if required; and
- appropriate storage times depending on the data category and the processing purpose, as well as specific times within which personal data must be deleted or revised for deletion.
With reference to data processing in the context of employment during a pandemic situation, the EDPB states that an employer can only request specific health information regarding visitors or employees to the extent that national law allows it, and in accordance with the principle of proportionality and data minimisation, which is particularly relevant in the current circumstances.
Although health data can be processed by the employer based on public interest, the ANSPDCP mentions in its statement that public disclosure of a person’s name and health status can only be made with his prior consent. Employers should inform staff about COVID-19 cases and take protective measures, but should not communicate more information than is necessary.
2. Considerations for data subjects
Regardless of the pandemic context and the eventual derogations from the data subjects’ rights under the state of emergency, data subjects still benefit from the rights enacted under the GDPR, such as the contact details of the data controller, the purposes of the processing as well as the legal basis for the processing, the recipients of the personal data, the envisaged storage period, the right of access and rectification and the right to lodge a complaint with a supervisory authority. The related obligation to inform data subjects of these rights can be fulfilled by the data controller by publishing them on its website, in a transparent manner, easily accessible and in clear and plain language.
Again, public disclosure of a person’s name and health status can only be made with his prior consent as mentioned by the ANSPDCP in its statement.
Furthermore, when data processing is based on the public interest, such processing cannot be overridden by the right to respect for the private and family life of the data subject, as the ECHR stipulates in Art. 8: “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.
Consequently, where appropriate, any interference with the data subjects’ right to respect for private and family life must be conducted “in accordance with the law”, it must follow a legitimate aim and it must be “necessary in a democratic society”.
For a better understanding of the above, let’s take an example of the Romanian government:
If the government intends to monitor the location of individuals by electronic means, as a way to help mitigate the spread the COVID-19, that would imply, for instance, the possibility of geolocating individuals or sending public health messages to individuals in a specific area by phone or text message.
The government should first seek to process location data in an anonymous way (i.e. processing data in a way that individuals cannot be re-identified), which could entail generating reports on the concentration of mobile devices at a certain location (cartography). When personal data is processed appropriately in an anonymous way, data protection regulations do not apply.
If the stated purpose cannot be fulfilled by only processing data anonymously, then Art. 15 of the ePrivacy Directive enables the government to introduce legislative measures to safeguard public security. Accordingly, in such a case, the government is obliged to put in place adequate safeguards, such as providing individuals or electronic communication services the right to a judicial remedy.
The proportionality and data minimisation principle will also apply. The least intrusive solutions should always be preferred, as well as processing only the necessary amount of personal data, as per the stated purpose. Invasive measures, such as the “tracking” of individuals (i.e. processing of historical non-anonymised location data) could be considered proportional under exceptional circumstances and depending on the mode of the processing. However, such processing should be subject to enhanced scrutiny and safeguards to ensure compliance with the data protection principles (proportionality of the measure in terms of duration and scope, limited data retention, purpose limitation and the minimum necessary amount of processed data).
As regards compliance with the ECHR provisions, interference with the private life of individuals could be considered as being conducted in accordance with the law if the government introduces legislative measures to fulfill the purpose of monitoring the location of individuals by electronic means, ie. it follows a legitimate aim – mitigating the spread of COVID-19 – and it is necessary in a democratic society, taking into consideration the seriousness of the life-threatening situation of everyone worldwide.
