COVID-19 vs the General Data Protection Regulation: Contact tracing apps and the protection of personal health and location data
In times of national emergency, governments make difficult decisions to suspend certain rights in order to advance national security measures for the benefit of the greater good. In the European Union (EU), threats to public health are considered matters of national security. The COVID-19 pandemic led some Member States to declare a state of emergency in order to control the spread of the virus, and they met significant difficulties trying to control it throughout their communities. While businesses took a manual approach to contact tracing of their employees and the patrons accessing their services, national public health authorities developed nation-wide contact tracing models that collected data via smartphone applications (apps). In the wake of the virus, the European Data Protection Board (EDPB) published guidance to support Member States as they navigated the troubled waters of processing personal data for contact tracing while upholding the fundamental rights and freedoms of their citizens. This commentary aims to demonstrate how secondary EU legislation, including the General Data Protection Regulation (GDPR), the Health Threats Decision and the ePrivacy Directive, worked during the COVID-19 pandemic to uphold the rights to privacy and to the protection of personal data guaranteed to EU citizens by the Treaty on the Functioning of the European Union (TFEU), the European Convention on Human Rights (ECHR) and the Charter of Fundamental Rights of the European Union (CFREU).
Public health crises and national security
The recognition of public health crises as matters of national security first appeared in the 2013 Health Threats Decision. This decision was adopted in the aftermath of the H1N1 pandemic of 2009 as a means of promoting ‘cooperation and coordination between member states in the field of serious health threats’. It requires that Member States share public health data with one another to track cross-border threats. This decision ‘open[ed] the door to bring communicable disease tools of contact tracing into the realm of security’. While the securitization of public health could lead to breaches of fundamental rights in national health emergencies, the EDPB emphasized the flexibility provided by the GDPR, stating that its ‘data protection rules do not hinder measures taken in the fight against the coronavirus pandemic’ and that ‘even in these exceptional times, the data controller and processor must ensure the protection of the personal data of the data subjects’. In saying this, the EDPB maintains the importance of upholding fundamental rights, even in a national public health crisis.
The GDPR and the right to privacy and protection of personal data
Protection of personal data is guaranteed by article 16(1) of the TFEU and by article 8(1) of the CFREU. Article 8 of the ECHR guarantees the right to respect for private life. Though article 8 ECHR does not expressly mention the protection of personal data, the European Court of Human Rights has interpreted the article as including it, and in particular as protecting data pertaining to an individual’s health. In 1995, the EU recognized the need for legislation to protect the right to privacy in the face of the emerging Internet and the technological advances of the time. As a result, the Data Protection Directive (Directive 95/46/EC) was adopted and ‘establish[ed] minimum data privacy and security standards, upon which each member state based its own implementing law’. These minimum standards were not enough to protect the rights of individuals with regard to privacy and data processing, and the need for an updated data protection framework that would guarantee EU citizens protection from unlawful interference in their personal lives became apparent. Out of these discussions came the GDPR.
The scope of the GDPR applies to the collection and processing of personal data of individuals in the EU, even if the processing of the data takes place outside of the EU. It defines personal data as being
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Article 5 of the GDPR sets out the principles, including accountability, that must be followed when processing personal data. Article 6(1) then lists the circumstances in which processing of personal data is lawful. Subsection (d) makes processing lawful where it ‘is necessary in order to protect the vital interests of the data subject or of any other natural person’, and subsection (e) where it ‘is necessary for the performance of a task carried out in the public interest’. Finally, article 9(1) of the GDPR prohibits the processing of special categories of personal data, including data concerning health; article 9(2) lifts that prohibition where, among other grounds, the data subject has given explicit consent or the ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’. On these provisions, national public authorities have a lawful basis for processing health data of data subjects through contact tracing apps in order to monitor the spread of COVID-19 and protect the public from infection, because such processing ‘is necessary for reasons of public interest in the area of public health’.
What’s different about location (proximity) data?
While the processing of health-related data is lawful under the current circumstances, the EDPB, in its guidance on data processing through contact tracing apps, has encouraged national public health authorities and their data controllers to carry it out in a way that respects the privacy of data subjects. In its statement of 19 March 2020 on the processing of personal data in the context of the COVID-19 outbreak, the EDPB indicated that where data is processed ‘for reasons of substantial public interest in the area of public health’, the explicit consent of the individual is not required; however, where the data collected includes location data, such data can only be used if it is ‘made anonymous or with the consent of individuals’. The ePrivacy Directive makes matters involving telecommunications data slightly more complicated. It was developed to work alongside Directive 95/46/EC, since replaced by the GDPR, and deals specifically with the ‘processing of personal data in the electronic communication sector’. Article 15 of the ePrivacy Directive allows Member States to adopt national legislative measures restricting the rights the directive guarantees, in the interests of public security, provided those measures are necessary, appropriate and proportionate within a democratic society. Such measures must not derogate from the CFREU and the ECHR, and they are subject to review by the Court of Justice of the EU and the European Court of Human Rights. While this route is open to Member States under the ePrivacy Directive, it is challenging enough for governments to mobilize the nation to control the spread of an infectious disease; the additional effort of weighing every aspect of data protection while drafting emergency legislation is not likely to be at the top of their list. As a result, many Member States have opted to follow the rules laid out in the GDPR and have adopted contact tracing apps that request the consent of data subjects to the processing of their location data.
It has become apparent during the worldwide COVID-19 outbreak that the rights to privacy and to the protection of personal data are not absolute, and that the need to protect individuals’ rights to life and security is of greater importance. While individuals may wish to maintain a degree of privacy from government interference in their personal lives, a slight intrusion via contact tracing is a small price to pay for the benefit of public health and national security. The GDPR was designed to be flexible, so that Member States can process personal data on a lawful basis while the fundamental rights and freedoms of EU citizens remain guaranteed. The GDPR also provides appropriate remedies to individuals who believe that their personal data is being processed unlawfully; EU citizens are not left at the mercy of national authorities when it comes to their personal data. While the contact tracing apps developed during the COVID-19 pandemic process personal data about an individual’s location and proximity to infected persons, they are a means adopted by governments to protect their citizens, not to keep tabs on them. Regardless, the rights of EU citizens remain thoroughly protected by the General Data Protection Regulation.
Brittney Tessier is currently studying at Queen’s University Belfast in the LL.B Senior Status program. Her areas of interest include public law, human rights and judicial review.