In efforts to address the spread of the coronavirus in the European Union, employers and public health authorities, among others, have been processing an increased volume of personal data. In response to this, data regulators from some member states have released guidance on how to collect, share, and use personal data, especially health data, in connection with the coronavirus.
The guidance issued is not uniform among member states. For example, France’s data protection authority, the National Commission on Informatics and Liberty (“CNIL”), stated that data collection should not “go beyond the management of suspected exposure to the virus.” The CNIL explicitly denounced employers that record employees’ or visitors’ temperatures and distribute medical questionnaires. Ireland’s Data Protection Commissioner took a different approach, stating that employers may be justified – to maintain a safe workplace – in asking employees and visitors about their travel histories and symptoms.
To provide some harmony, on Monday, March 16, the European Data Protection Board (a group of national data protection authorities from each member state) provided guidance.
The board stated that the General Data Protection Regulation (“GDPR”) allows employers and public health authorities to process personal data without obtaining consent from its owner if it is used in the context of epidemics. This includes employers collecting health histories to maintain public health.
Additional rules apply to processing electronic communications data, such as mobile location data, even during the coronavirus and any subsequent health crisis. The regulators stated that for national laws implementing the EU’s ePrivacy Directive, employers and public health authorities should process location data “in an anonymous way” (i.e., focusing on a concentration of devices as opposed to a single device) or obtain consent from the person to whom the data belongs.
However, regulators noted that if such measures are not feasible, per Article 15 of the ePrivacy Directive, member states can introduce emergency legislation to address national security and public safety concerns, but must include “adequate safeguards, such as granting individuals the right to judicial remedy.”
The European Data Protection Board’s clarification is similar to actions taken by other governments to make access to medical information easier to combat the coronavirus. For example, in the United States, the Department of Health and Human Services Secretary issued a limited waiver of certain Health Insurance Portability and Accountability Act sanctions to improve data sharing and patient care during the pandemic.
Therefore, while companies that process EU residents’ personal data for coronavirus-related purposes have wide latitude under the GDPR, there should still be anonymization or built-in consent protection for electronic communications data. Also, companies should be aware of the ever-changing legal landscape regarding privacy rules over the upcoming months, as EU member states may begin passing emergency legislation regarding data protections.