Article by Nicola Fabiano, President of the San Marino Data Protection Authority
As it is well-known, the coronavirus pandemic (COVID–19) has profoundly changed our life, habits, communication and interaction between people, ways of working, etc.
In essence, we are experiencing a situation that appears surreal because of the consequent behavioural rules that we are obliged to respect with social distancing to fight the battle of COVID-19.
This pandemic situation, which in addition to Italy is leading many other states to adopt the most appropriate prevention measures, also entails a series of questions regarding the protection of personal data with which one must confront.
The pandemic does not require new rules on the protection of personal data, except in the terms illustrated in more detail below, being sufficient to respect those currently in force.
Moreover, in this sense is the statement of the Chair of the European Data Protection Board (EDPB), published on 16/03/2020 entitled “Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak“. Andrea Jelinek said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
2. What are the legal rules to be observed?
The laws on the protection of personal data are those currently in force and precisely, for Italy, the EU Regulation 2016/679 and the Legislative Decree 196/2003 (in the text modified by the Legislative Decree 101/2018), while for the Republic of San Marino, Law 171/2018.
Furthermore, we cannot dismiss the European laws, and, in particular, the well-known “Convention 108+”, the Charter of Fundamental Rights of the European Union which qualifies the rights to privacy, remain valid and the protection of personal data as fundamental rights, as well as European legislation.
This is the necessary and main point of reference which cannot be ignored.
Moreover, the EDPB Chair, with the aforementioned statement, said: “The GDPR is broad legislation and also provides for the rules to apply to the processing of personal data in a context such as the one relating to COVID-19“.
Thus, in the following paragraphs, we will refer to the rules related to specific situations.
3. Data concerning health and its processing in the event of a pandemic.
The GDPR addresses the issue of “Data concerning health” already in the Whereas 35. Still, the definition is in Article 4 (1) (15) and precisely: “means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
Therefore, there is no doubt about the processing, among others, of data concerning health in the case of the COVID-19 pandemic.
There is a general prohibition of processing such data unless in the presence of the conditions provided for by art. 9 (1) of the GDPR.
However, art. 9 (2) specifies in which cases the prohibition does not apply with the consequent processing option and precisely in the letter i) (as expressly referred to in art. 75 of the Italian privacy code):
“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.”
Therefore, the processing of data concerning health is allowed in the event of a pandemic, even without the data subject’s consent.
Other domestic regulations may introduce additional conditions for the processing of personal data, including those relating to health.
Furthermore, this principle is further clarified by the Whereas 46, 52 and 54; in particular, it is clear the Whereas 46 which states explicitly on this point:
(46) The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. […] Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
But still, Whereas 52 states:
(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. […]
Finally, Whereas 54 excludes the data subject’s consent:
(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. […] Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.
The data subject (the patient) has to be still informed about the processing of his/her data concerning health. Article 82 of Italian Legislative Decree 196/2003, as amended by Legislative Decree 101/2018, establishes that the information according to Articles 13 and 14 of the GDPR can also be provided after the health service in the case of health emergencies.
In light of this brief regulatory overview, there is no doubt about the existence of the conditions of lawfulness of processing under Article 6 of the GDPR in situations such as that of the current pandemic from COVID-19, without prejudice to compliance with the principles applicable to the processing of personal data as required by art. 5 of the same GDPR.
4. Electronic communication, geolocation data and metadata
In our previous contribution, the change in communication between people was affirmed through the increasingly widespread and massive use of online resources.
The primary measure of pandemic prevention is social distancing, and this fundamentally entailed to two significant consequences: a) the increase in the use of online resources by those who have remained isolated and b) the public needs to control compliance with the laws that impose social distancing.
Regarding the first point (increase in the use of online resources), the most common needs are related to the working area (e.g. smart-working and communication) and the social one (communication).
Internet traffic has therefore increased considerably since the measure of social distancing was adopted which requires (correctly) to stay at home with a consequent increase in network traffic and, perhaps, critical issues regarding bandwidth saturation, especially in specific time slots.
Regarding smart-working, some activities can be safely carried out from home, but it must also be said that the closure of some offices to the public has, in any case, determined the need to identify the proposing subjects requests in different ways than that commonly known for the identification of person not practicable in pandemic times.
In essence, the effects of the pandemic on communication and digital have been substantial.
Social distancing has determined the need to use suitable digital resources to meet related needs (school, university, offices, meetings, lectures, etc.).
Also, in this area and although due to a pandemic health emergency, the change in personal, work and social habits with the consequent use of technological resources cannot jeopardise the correct processing of personal data. The conduct of meetings or activities that virtually encourage the meeting between people or the use of goods or services in innovative ways must not be at the expense of users’ personal data, but the current regulations must always be respected.
Awareness is always valid both for the interested parties and for those who offer – but in a sustainable and ethical way – technological and innovative services.
However, although work and social habits have changed, nothing has changed regarding the correct processing of personal data.
The controller and the processor must, each for their own role, comply with the provisions of the GDPR and the privacy code and, where applicable, the specific European regulation on e-privacy (Directive 2002/58 / EC, better known as the e-Privacy directive).
Moreover, this approach is contained in the “Shared protocol of regulation of measures to combat and contain the spread of the Covid-19 virus in the workplace” of March 14, 2020, where it is stated that the employer can submit the staff, before accessing the workplace, checking body temperature, correctly specifying that “The real-time detection of body temperature constitutes a processing of personal data and, therefore, must take place by current privacy regulations”.
In this case, however, the data subject (the patient) has to receive the information provided by the healthcare service.
Regarding, instead, the public needs to monitor compliance with the law that impose social distancing, the use of systems that allow controlling the movements of citizens must be subject to explicit regulatory provisions in advance.
The Directive mentioned above 2002/58/EC, which concerns – among other things – the processing of personal data in the electronic communications sector, applies to the processing of personal data connected to the provision of electronic communication services accessible to the public on public communication networks (art.3, par.1).
The data subject’s consent is required for the processing of data relating to geolocation, otherwise, they can be processed only anonymously but without the possibility of “reverse” operations useful for disclosing any personal information.
The use of the data attributable to each citizen, outside these cases, is allowed only for extraordinary and particular needs, the relative competence remains with the State and, in any case, only under the law pursuant to art. 15 of the aforementioned e-privacy directive.
Precisely in this sense is the statement of the EDPB chair, already mentioned, according to which
When it is not possible to only process anonymous data, Art. 15 of the ePrivacy Directive enables the member states to introduce legislative measures pursuing national security and public security1. This emergency legislation is possible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society. If such measures are introduced, a Member State is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.”
Otherwise, it would lead to an absolute exercise of digital sovereignty by the State through which to unconditionally exercise power over citizens’ data with the result of indirect but full control over each individual: this seems quite unacceptable.
5. Pandemic, apps and personal data
Technological development highlights the proliferation of applications in different areas and, recently, solutions – even based on Artificial Intelligence (AI) – to combat coronavirus have come to the headlines.
It is not the place to investigate the phenomenon of artificial intelligence (AI), but an attitude of caution regarding this technology is desirable.
There is talk of Artificial Intelligence to refer to advanced algorithmic solutions that have little to do with the definition and etymology of the term “intelligence” which is proper and exclusive to the human being. Moreover, in the field of AI, the limit determined by human biases which can lead to inaccurate or unreliable algorithmic results is known.
Returning to the apps against coronavirus, unfortunately, from the press (national and international) it was learned how far these solutions were far from favouring the contrast or prevention of coronavirus, in reality concealing a ruthless collection of personal data and geolocation, probably to without users’ knowledge.
The pandemic has not suspended or cancelled the current principles and rules regarding the protection of personal data.
In addition to respecting the “Data protection by design and by default” principle (under Article 25 GDPR), app developers are nevertheless obliged to comply with the rules on the protection of personal data.
The data subjects must always have full control of their personal data with adequate awareness, especially when accessing resources or services both through the app and via the web, paying attention to what has been declared regarding the processing of personal data.
Article by Nicola Fabiano, President of the San Marino Data Protection Authority