Personal data protection and geolocating in the coronavirus era

European Committee explanations on data protection

In this emergency period, a topical issue concerns the balance between the right to privacy and the protection of public health. The application of the legislation on the treatment of personal and sensitive data in the medical-health field has always involved many critical issues, mainly due to the need to weigh up the individual protection of confidentiality with the need to ensure the health of the patient, especially in case of therapeutic needs require measures relatively quickly.

Unfortunately, Regulation (EU) 2016/679 has not been able to provide means of fully resolving the problems of the processing of personal data in healthcare, except for those rules concerning “particular categories of personal data” including so-called “sensitive data” (wanting to use a term particularly dear to the Italian legislator of 2003).
Article 9 of the GDPR prohibits the processing of personal data that reveal “racial or ethnic origin, political views, religious or philosophical beliefs, or union membership,” as well as “genetic data, biometric data meant to uniquely identify a person” or “data relating to the person’s health or sex life or sexual orientation.”
However, the second paragraph, which acts as a counterbalance to this prohibition, establishes the inapplicability of the principle to face proven public requirements, i.e. the protection of the citizen not as an individual, but as a member of a community as a whole.
In particular, EU legislation intervenes in all those cases where treatment is necessary, i.e. for the purposes of preventive medicine or occupational medicine, assessment of the employee’s work capacity, diagnosis, health or social care or treatment or management of health or social systems and services on the basis of EU or Member State law (article 9 par. 2 lett. h).
Finally, the prevalence of the public interest relates to the aspects of protection from serious cross-border health threats, as well as the guarantee of high quality and safety parameters of health care and medicines and medical devices (article 9 par. 2 lett. i).

It is in emergency contexts – as is what we are unfortunately living – where we need to assess the extent of the applicability of these regulations.
On 17 March, the European Data Protection Board (EDPB) intervened to provide some important clarifications, especially as a result of the many internal regulations that have succeeded on this point in recent weeks.

In an almost obvious way (but perhaps worth reiterating) the EDPB has made it clear that EU legislation on the processing of personal data does not oppose or represent a limit to measures to contrast COVID19.

The GDPR provides a number of legal bases that can be used in place of consent in order to justify the processing of personal data in measures to contrast and contain infection.
These include the need for public interest in the health sector (art. 9 par. 2 lett. i), the protection of a vital interest of the person or another individual (artt. 6 par. 1 lett. d and 9 par. 2 lett. c) and, lastly, the fulfilment of a legal obligation (artt. 6 par. 1 lett. c and 9 par. 2 lett. b).
According to some, this possibility would first allow companies to collect the health data of their employees, in order to protect their health in accordance with applicable national legislation, in a transparent manner (i.e. providing adequate information to those concerned) and ensuring their safety from possible illicit use.

Another aspect analysed by the EDPB concerns the possibility of Member States using geolocation to monitor population movements (c.d. contact tracing based on the model adopted in South Korea) in order to limit the number of infections, especially by those who have tested positive for the virus.
From this point of view, the Committee has opened up the possibility of the use of technologies that allow the tracking of movements, provided that appropriate measures are taken to prevent them from being used for different purposes or, in the worst case, illegal. Among these, the main one is certainly anonymisation which, as an irreversible process, does not allow to identify the subject concerned even indirectly (unlike what would happen if the data were only pseudonymized).
In fact, n. 26 of the GDPR expressly states that “Data protection principles should therefore not apply to anonymous information, i.e. information that does not relate to an identified or identifiable natural person or personal data made sufficiently anonymous to prevent or no longer allow identification of the person concerned. This regulation therefore does not apply to the processing of such anonymous information, including for statistical or research purposes.”
However, in case anonymisation of data cannot be used, the EDPB pointed out that Directive 2002/58/EC allows the use of data relating to the geolocation of users even without their consent, provided that this happens in the express context of an emergency legislation adopted by each Member State (such as the various DPCMs adopted by the Italian Government).

This use, the committee clarifies, is therefore possible by using criteria of necessity, proportionality and adequacy to identify the terms of duration and scope, as well as the criteria for data retention and their purposes.