Fighting the pandemic by renouncing our privacy?
Over the past weeks, governments all over the globe are continuously introducing newer and stricter measures in an attempt to slow down the spreading of the new coronavirus (COVID-19). It is becoming increasingly clearer that the battle against the disease will have to be fought collectively and that people will have to renounce ceratain privileges and rights (i.e. public gathering). Does this mean that we will have to renounce our right to privacy and private data protection? Does European privacy legislation really prevent us from fighting the new coronavirus effectively and thus does not have to be respected?
In EU, data privacy is since 25 May 2018 regulated by the General Data Protection Regulation, which saw private data protection become more harmonised and strenghtened. The processing of personal data is henceforth possible only under specific conditions (see Article 6 GDPR), and GDPR provides for a number of safeguards and rights that allow individuals to control and restrict the processing of their personal data. In light of the fight against the spread of the new coronavirus and in view of the practices in some of the countries (especially China and Israel), the question whether GDPR and its strict provisions encumber attempts to curb the spread of the virus and whether, in order to stop the pandemic, protection of personal data should be set aside?
Closer analysis clearly shows that this is not the case. The GDPR already allows for derogation from some stringent provisions when national security issues are at stake. For example, the Recital 16 states that the GDPR does not apply to issues of protection of fundamental rights and freedoms related to activities concerning national security, while Recital 46 explicitly states that personal data processing should be considered lawful where it is necessary to protect public interest and the vital interests of the data subject as for instance when processing is necessary for monitoring epidemics and their spread. Additionally, GDPR allows personal data processing, when it is necessary in order to protect the vital interests of the data subject or of another natural person (Art 6/1(d)) and for the performance of a task carried out in the public interest or in the exercise of official authority (Art 6/1(e)). GDPR provisions even allow processing of special categories of personal data (i.e. data on ethnic origin, genetic data, biometric data etc.) where this is necessary for provision of health or social care or treatment or the management of health or social care systems and services (Art 9/2(h)) or for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (Art 9/2(i)).
Considering the above, it should be stressed that even national security issues, such as an epidemic, do not justify unlimited processing of personal data. Personal data processing must still be necessary, appropriate and proportionate to the intended purpose and the data should not be kept and processed for any other purposes. This was expressly pointed out by Andrea Jelinek, Chair of the European Data Privacy Board in her statement on 16 March 2020: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.” This issue was well illustrated also by the situation in Italy, the EU Member State most severely stricken by the coronavirus. Antonello Soro, the president of Italian data protection body, Garante per la Protezione dei Dati Personali reiterated that data on mobile phones’ locations can be used to determine whether people are in fact staying in their homes only, if the data is merely locational and does not reveal other information about individuals.
While current European legislation allows for certain limitations of privacy in times of crisis, not even a virus epidemic, such as the one we are currently witnessing, does not justify unlimited interference into individuals’ privacy.
The French government has a new plan for Europe that could help the EU compete with the US tech giants: the digital commons.
The International Association of Library Associations and Institutions (IFLA), PAC Centre for digital preservation, hosted at the National Library of Poland is holding a series of 10 webinars on basic understanding of digitisation projects.
Communia, a non-governmental organisation that advocates for policies that expand the public domain and increase access to and reuse of culture and knowledge, issued twenty new copyright policy recommendations for the next decade.
The DSM Directive entered into force in June 2019 and the deadline for implementation expired on 7 June 2021. On 23 June 2021, the Commission launched multiple infringement procedures and sent letters of formal notice to Slovenia and 22 other Member States that had failed to notify it of the full transposition of the Directive. Slovenia remains among the 14 Member States against which the Commission is continuing the infringement procedure. On 19 May 2022, the Commission sent reasoned opinions to Belgium, Bulgaria, Cyprus, Denmark, Greece, France, Latvia, Poland, Portugal, Slovenia, Slovakia, Finland and Sweden.