5 minute read
GDPR during the crisis
from OSOZ World
by OSOZ Polska
Does the greater good, which here is the fight against coronavirus, justify the circumvention of personal data protection rules? Is it appropriate to refer to the GDPR, hindering at the same time initiatives aimed at the health of an individual and society? During the COVID-19 pandemic, balancing the “public good” and privacy requires a broader view of law adopted under completely different conditions than those which we are currently experiencing.
There is no denying that during such a crisis as the COVID-19 pandemic, many tools are created in a way that can raise many concerns in the light of the GDPR provisions in force since May 2018. The government institutions use the excuse of a higher-order need such as health and a principle of social good that is above the rights of the individual. Thus, many countries quickly introduced compulsory temperature checks in public places, applications used for controlling purposes, compulsory home quarantine, or the collection of data on the state of health and location in order to determine the risk of infecting others with coronavirus. Many of them raise concerns about fraud and the limitation of privacy rights, and may be taken to court.
Advertisement
data processing in line with social good Does the end, namely health, justify the means interpreted as initiatives undertaken in order to fight the COVID-19 pandemic? Yes and no. The statement of
Wojciech Wiewiórkowski, the European Data Protection Supervisor (EDPS), issued in connection with COVID-19, includes several operating guidelines to follow in the current crisis. As a matter of fact, today many organizations are forced to make decisions quickly, and they have no time to carry out legal analyses or refine the solutions in order to ensure privacy, which usually take months.
At the beginning of the statement we read that, although the processing of data entails high responsibility, there is also responsibility for not using tools that could help in the fight against the pandemic. In simple terms, the protection of personal data should not be an argument blocking the implementation of solutions that can save human lives in a critical situation.
The GDPR explicitly states that the processing of personal data should be designed in such a way as “to serve humanity” and that the “right to protect personal data is not an absolute right” and it should be “considered in relation to its function in society and, therefore, it has to be balanced with other fundamental rights in accordance with the principle of proportionality.” The processing of personal data – even sensitive health data – is legitimate in those cases when it is necessary due to “substantial public interest”, on the basis of the European Union or Member State law, in proportion to the intended purpose. The European Data Protection Supervisor points out that this is not a creative interpretation of the law or its bending, but a quote from the GDPR text.
The GDPR also allows the processing of sensitive data when it is necessary due to public interest in the scope of public health. An example is the protection against serious cross-border threats to health, which the coronavirus pandemic has proved to be.
There are also calls for the suspension of the Data Protection Act or its amendment in the light of the current crisis. However, the GDPR is not an obstacle to such actions or an excuse (“we are not effective because we are constrained by law”).
“Even if we consider that a non-typical manner of data processing would interfere with the right to privacy and data protection, it may still be necessary in exceptional circumstances, such as that in which we have all been living over the past few weeks,” emphasizes Wojciech Wiewiórkowski. He points out that the objective of the European Data Protection Supervisor is to ensure that all measures taken at the European and national level, concerning non-standard solutions in the scope of the use of data during the COVID-19 pandemic, are temporary (discontinued when the threat is over), limited (precise determination of the purpose and people having access to data) and purposeful (determination of the use of data collected and processed, but also deletion of these data after the return to normality).
disputable technologies of population tracking The EDPS also mentions that the GDPR does not prevent the processing of personal data when health care authorities consider it necessary to fight the pandemic. In the statement, there is also the issue of applications monitoring the movement of smartphone users, due to which it is possible to detect contact with a person with confirmed coronavirus infection and thus to send a warning. According to the EDPS, the use of a temporary transmission identifier and Bluetooth technology to track contacts appear to be a form that allows the preservation of privacy and the protection of personal data. However, people working on technological tools to fight the pandemic should design them in line with the principle of privacy at the design phase (privacy by design).
Balance between measures and objectives Despite these indications, the use of arguments based on “public interest” may potentially lead to lodging of appeals against solutions or decisions which, at first sight, seem to be in contradiction with the GDPR. Therefore, choosing the balance between measures and objectives should be the general rule. At this point, it is worth quoting the President of the Court of Justice, judge Koen Lenaerts, who stated that the law “limits the authorities in exercising their powers, requiring the preservation of balance between the measures applied and the purposes intended (or the results achieved)”. In 2016, the European data protection authorities developed a list of requirements concerning supervisory mechanisms that interfere with privacy and data protection law. The subsequent judgments of the Court of Justice of the European Union confirmed the reasoning used by the data protection authorities and, as a result, four important pillars of accepted actions were identified. They are as follows: − the requirement that the processing should be based on clear, precise and accessible rules; − demonstration of the necessity and proportionality with regard to the legitimate objectives pursued; − existence of an independent oversight mechanism as well as − availability of effective remedies to the individual. Personal data may be processed exclusively for specified legitimate purposes. The guidelines published by the European Data Protection Supervisor clearly show that the COVID-19 pandemic cannot lead to the circumvention of the currently applicable law, but at the same time the applicable law should not hamper initiatives important from the point of view of social interest, in this case – health. The right to the protection of personal data is not an absolute right and the processing of personal data must serve the people. The most important thing is the balance between the measures and objectives, as well as the transparency of the whole process.
