Andrea Jelinek, the chair of the European Data Protection Board (EDPB), confirmed in Brussels on 16.3.2020 that the data protection rules – namely Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) – do not hinder the measures taken in the fight against the coronavirus pandemic. But she also emphasised that even in these exceptional times the data controller must ensure the protection of the personal data of the data subjects to guarantee the lawful processing of personal data[1].
The present data protection legislation sets out the legal grounds on which the processing of personal data by employers and public health authorities in connection with an epidemic is lawful even without obtaining the consent of data subjects. These legal grounds include, in particular, the reasons of public interest in the area of public health, protection of vital interests (Articles 6 and 9 of the GDPR) or compliance with a legal obligation.
In recent days, there’s been discussion about the possibility of tracking the location of individual SIM cards (known as ‘location data’[2]). This is regulated by a national law which transposes the ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2006/24/EC and Directive 2009/136/EC), under which a mobile operator may use the location data only if they are anonymous or if the data subject has given consent thereto[3]. According to the latest information, the authorities in the neighbouring Czech Republic have begun to use SIM card location data based on the consent given by the infected persons[4]. Anonymized location data are processed and made available for coronavirus-related analyses and evaluation by Deutsche Telekom[5].
In this connection, the EDPB chair says that public authorities should first seek to process location data in an anonymous way (i.e., processing data aggregated in such a way that individuals cannot be re-identified). This could enable the generation of reports on the concentration of mobile devices in a particular location (“cartography”).
Neither the ePrivacy Directive nor the GDPR prevents Member States from introducing appropriate legislative measures to protect public health and public security, subject to putting in place adequate safeguards.
Zuzana Krajčovičová
[1] https://dataprotection.gov.sk/uoou/sk/content/vyhlasenie-predsednicky-edpb-k-spracuvaniu-osobnych-udajov-v-suvislosti-s-prepuknutim
[2] Under Section 57(2) of Act No. 351/2011 on Electronic Communications, location data are processed in a network or through a service which identifies the geographical location of the terminal user of a public service.
[3] Under Section 57(2) of Act No. 351/2011 on Electronic Communications, the undertaking may process location data other than traffic data which relate to a subscriber or user of a public network or a public service only if they are anonymised or if the subscriber or user of a public network or public service consents to it, within the scope and for the time necessary for the provision of a value added service. The undertaking shall inform the subscriber or user, prior to obtaining their consent, of the type of location data other than traffic data to be processed, of the purpose and duration of their processing, and of whether the data will be shared with a third party for the purpose of the provision of the value added service. The subscriber may revoke its consent to the processing of location data at any time.