Passport to Privacy: Lessons From EU Guidance on COVID-19 and Personal Data
Attempts by U.S. legislators to address the privacy issues raised by the ongoing COVID-19 pandemic have stalled. But for companies seeking to balance the goals of furthering public health and protecting individuals' privacy, the European Union is providing policy guidance that may be exportable.
Guidance from the European Data Protection Board (EDPB) has made clear that rights to privacy and to data protection persist, even—or especially—during a pandemic. For public authorities, this means balancing public health concerns against individuals' rights and freedoms. For private entities, this means conducting screening or requesting that individuals provide health information only when permitted by national or local employment laws.
Under the GDPR, processing special categories of personal data, such as health data, requires an additional condition beyond a legal basis (e.g., consent or legitimate interests). One such condition is when the processing is necessary for public health—provided that it occurs "on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject."
Other conditions for processing special categories of personal data include explicit consent; processing data for employment, social security, or social protection, where authorized by law; vital interests; processing by a non-profit; where the personal data has been made public by the data subject; and reasons of substantial public interest, as permitted by law.
Use of Location Data
A key pandemic privacy concern is that contact tracing requires large-scale collection and storage of information about individuals' whereabouts. Though this information is intended for use by government entities, it is often collected through platforms developed by private companies, and those companies may be responsible for data storage. The EDPB issued a statement in March that urges EU member states seeking to use mobile location data to process this data "in an anonymous way," which would mean aggregating the data so that individuals cannot be re-identified. Aggregated analyses, the EDPB suggests, could be used to generate reports regarding the concentration of mobile devices in a particular area.
When anonymous processing is not possible, such as when it is necessary to identify specific individuals who may have been exposed to COVID-19, the EDPB suggests that Member States use the least intrusive solutions to achieve the specific purpose and include adequate safeguards, such as ensuring that individuals who use electronic communications services have the right to a judicial remedy for data misuse.
The EDPB published additional guidance in April on the use of location data and contact tracing tools. This guidance cautions that anonymization is often misunderstood and mistaken for pseudonymization, which does not exempt the data from the GDPR's requirements, and reminds controllers that only datasets—not data points—can be anonymized. Anyone conducting contact tracing should note that the EDPB considers large-scale monitoring of location or contacts a "grave intrusion" into the privacy of data subjects and states that such monitoring must be voluntary. The EDPB recommends:
- Clearly defining the controller of any contact tracing application, which likely will be the national health authority, and providing clear explanations of the roles and responsibilities of any other entities that are involved.
- Designing contact tracing applications based on the principles of data minimization and data protection by design and by default, e.g., using proximity data rather than tracking individual users' movements.
- Conducting a data protection impact assessment (DPIA) before implementing any contact tracing tools.
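The distinction the EDPB draws above, between aggregating a dataset so that individuals cannot be re-identified and merely pseudonymizing records (which leaves them in scope of the GDPR), is easiest to see on data. The following Python is an added, constructed illustration, not code from this advisory or from the EDPB: the sample pings, the salt, the area-cell grid and the minimum-count threshold `K_MIN` are all assumptions made for the example.

```python
"""
Constructed example: a pseudonymised table of device pings is still
record-level personal data (the controller can map identifiers back, and
each row keeps a trajectory that can single a person out), whereas an
aggregated report that releases only per-area counts above a minimum
threshold no longer isolates any individual. None of the values below are
real; the salt, grid cells and threshold are assumptions for illustration.
"""
import hashlib

# Constructed sample of location pings: (device_id, area_cell, hour_of_day)
PINGS = [
    ("imsi-0001", "cell-A", 9), ("imsi-0001", "cell-A", 10), ("imsi-0001", "cell-B", 18),
    ("imsi-0002", "cell-A", 9), ("imsi-0003", "cell-A", 9), ("imsi-0004", "cell-A", 9),
    ("imsi-0005", "cell-A", 9), ("imsi-0006", "cell-C", 9),
]

SALT = b"assumed-per-deployment-secret"  # assumption: controller-held hashing salt
K_MIN = 5  # assumption: minimum distinct devices before a (cell, hour) bucket is released


def pseudonymise(pings):
    """Replace the direct identifier with a salted hash.

    The output still has one row per ping per device, so it is pseudonymised,
    not anonymised: the GDPR continues to apply to it.
    """
    out = []
    for device_id, cell, hour in pings:
        token = hashlib.sha256(SALT + device_id.encode()).hexdigest()[:16]
        out.append((token, cell, hour))
    return out


def reidentify(pseudo_rows, known_device_id):
    """Show why pseudonymisation is reversible for whoever holds the salt.

    Given a known identifier, the controller can recompute the token and pull
    back every row for that device, including its movement trajectory.
    """
    token = hashlib.sha256(SALT + known_device_id.encode()).hexdigest()[:16]
    return [row for row in pseudo_rows if row[0] == token]


def aggregate(pings, k_min=K_MIN):
    """Produce the kind of aggregated report the EDPB statement describes.

    Only the number of distinct devices per (cell, hour) is released, and any
    bucket with fewer than k_min devices is suppressed so that no single
    individual can be picked out from the output. A device that pings twice in
    the same bucket is counted once.
    """
    devices_per_bucket = {}
    for device_id, cell, hour in pings:
        devices_per_bucket.setdefault((cell, hour), set()).add(device_id)
    return {
        bucket: len(devices)
        for bucket, devices in devices_per_bucket.items()
        if len(devices) >= k_min
    }


if __name__ == "__main__":
    pseudo = pseudonymise(PINGS)
    print("pseudonymised rows:", len(pseudo))
    print("rows recovered for imsi-0001:", reidentify(pseudo, "imsi-0001"))
    print("released aggregate buckets:", aggregate(PINGS))
```

Running the block shows that all eight pseudonymised rows survive, that the three rows for `imsi-0001` can be recovered by anyone holding the salt, and that only the `("cell-A", 9)` bucket with five distinct devices is released by the aggregate, while the single-device buckets are suppressed. The threshold value is a policy choice for the controller to justify in its DPIA; the example only demonstrates the mechanism.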
Processing Health Data for Employment Purposes
Another frequent privacy concern is employers' screening of employees' health before allowing them access to an office or while they are on the employer's premises, which may occur through temperature checkpoints or, in some cases, through wearables, infrared scanners, and other advanced technology. While the GDPR permits employers to process health data for certain employment purposes where authorized by national law, the EDPB's March statement reminded employers that they must still meet the GDPR's other requirements, specifically the principles of proportionality and data minimization, and that employers should access and process health data only when legally obligated to do so.
Where an employee tests positive, the EDPB suggests that it is acceptable to tell other employees that they may have been exposed to COVID-19, but that employers cannot communicate more information than necessary, must inform the sick employee in advance, and must ensure that the "dignity and integrity" of the sick employee are protected.
The EDPB guidance is an important reminder that employee privacy matters, even though public-facing disclosures often focus primarily on consumer data or on collection and sharing by organizations that have no relationship with the data subjects.
Regulators Are Multi-Tasking
While addressing data protection concerns and processing activities that are specifically related to the pandemic, companies processing data in the European Union should be mindful that COVID-19 has not caused regulators to lose sight of other privacy concerns. A recent example is the EDPB's updated guidance on consent.
The revised consent guidance clarifies, among other topics, that blocking individuals from accessing a website unless they click "Accept cookies" (commonly known as a "cookie wall") fails to provide a genuine choice and, therefore, is not valid consent to the use of non-necessary cookies. It further specifies that scrolling or swiping through a webpage (or similar actions) "will not under any circumstances" satisfy the consent requirement due to the difficulty of both showing that this is unambiguous consent and of providing an equally easy way to withdraw consent.
The facts, laws, and regulations regarding COVID-19 are developing rapidly. Since the date of publication, there may be new or additional information not referenced in this advisory. Please consult with your legal counsel for guidance.
DWT will continue to provide up-to-date insights and virtual events regarding COVID-19 concerns. Our most recent insights, as well as information about recorded and upcoming virtual events, are available at www.dwt.com/COVID-19.