Fighting the pandemic by renouncing our privacy?

Over the past weeks, governments all over the globe have been continuously introducing new and stricter measures in an attempt to slow down the spread of the new coronavirus (COVID-19). It is becoming increasingly clear that the battle against the disease will have to be fought collectively and that people will have to renounce certain privileges and rights (e.g. public gathering). Does this mean that we will have to renounce our right to privacy and private data protection? Does European privacy legislation really prevent us from fighting the new coronavirus effectively, and should it therefore not have to be respected?

In the EU, data privacy has been regulated since 25 May 2018 by the General Data Protection Regulation (GDPR), which harmonised and strengthened private data protection. The processing of personal data is henceforth possible only under specific conditions (see Article 6 GDPR), and the GDPR provides for a number of safeguards and rights that allow individuals to control and restrict the processing of their personal data. In light of the fight against the spread of the new coronavirus and in view of the practices in some countries (especially China and Israel), the question arises whether the GDPR and its strict provisions encumber attempts to curb the spread of the virus and whether, in order to stop the pandemic, protection of personal data should be set aside.

Closer analysis clearly shows that this is not the case. The GDPR already allows for derogation from some stringent provisions when national security issues are at stake. For example, Recital 16 states that the GDPR does not apply to issues of protection of fundamental rights and freedoms related to activities concerning national security, while Recital 46 explicitly states that personal data processing should be considered lawful where it is necessary to protect the public interest and the vital interests of the data subject, for instance when processing is necessary for monitoring epidemics and their spread. Additionally, the GDPR allows personal data processing when it is necessary in order to protect the vital interests of the data subject or of another natural person (Art 6/1(d)) and for the performance of a task carried out in the public interest or in the exercise of official authority (Art 6/1(e)). GDPR provisions even allow processing of special categories of personal data (e.g. data on ethnic origin, genetic data, biometric data) where this is necessary for the provision of health or social care or treatment or the management of health or social care systems and services (Art 9/2(h)) or for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health (Art 9/2(i)).

Considering the above, it should be stressed that even national security issues, such as an epidemic, do not justify unlimited processing of personal data. Personal data processing must still be necessary, appropriate and proportionate to the intended purpose, and the data should not be kept and processed for any other purposes. This was expressly pointed out by Andrea Jelinek, Chair of the European Data Privacy Board, in her statement on 16 March 2020: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.” This issue was also well illustrated by the situation in Italy, the EU Member State most severely stricken by the coronavirus. Antonello Soro, the president of the Italian data protection body, Garante per la Protezione dei Dati Personali, reiterated that data on mobile phones’ locations can be used to determine whether people are in fact staying in their homes only if the data is merely locational and does not reveal other information about individuals.

While current European legislation allows for certain limitations of privacy in times of crisis, not even a virus epidemic, such as the one we are currently witnessing, justifies unlimited interference with individuals’ privacy.