The GDPR and the right to privacy and protection of personal data
Protection of personal data is guaranteed by article 16(1) of the TFEU and by article 8(1) of the CFREU. Article 8 of the ECHR guarantees the right to privacy. Although article 8 ECHR does not expressly mention the protection of personal data, the European Court of Human Rights has interpreted the article as covering it, including the protection of data pertaining to an individual’s health. In 1995, the EU recognized the need to legislate in order to protect the right to privacy in light of the creation of the Internet and the technological advances under way at the time. As a result, the European Data Protection Directive was passed and ‘establish[ed] minimum data privacy and security standards, upon which each member state based its own implementing law’. The minimum standards set by the directive proved insufficient to protect the rights of individuals with regard to privacy and data processing, and the need for an updated data protection framework that would guarantee the protection of EU citizens from unlawful interference in their personal lives became apparent. Out of these discussions came the GDPR.
The GDPR applies to the collection and processing of the personal data of individuals in the EU, even where the processing itself takes place outside the EU. It defines personal data as
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Article 5 of the GDPR sets out the protection and accountability principles that must be followed when processing personal data. Article 6(1) then lists the circumstances in which the processing of personal data is lawful. Under subsection (d), processing is lawful if the ‘processing is necessary in order to protect the vital interests of the data subject or of any other natural person’, and under subsection (e) it is lawful if the ‘processing is necessary for the performance of a task carried out in the public interest’. Finally, article 9(1) of the GDPR prohibits the processing of personal data relating to several listed factors, including health-related data; however, such data, whether related to health or to another listed factor, may be processed if the data subject gives explicit consent or if the ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’. On the basis of these provisions, national public authorities have a lawful basis for processing data relating to the health of a data subject through contact tracing apps in order to monitor the spread of the COVID-19 virus and protect the public from infection, because the processing of such data ‘is necessary for reasons of public interest in the area of public health’.