NEWS

31/03/2020

COVID-19 emergency: EDPB takes position on the processing of personal data

by Sergio Guida

A prohibition on entry into the EU from outside the Union for at least 30 days; the Stability and Growth Pact’s rules, which seem to be heading towards a long suspension; the rules on state aid, which will be reviewed to give member countries flexibility in the war on the coronavirus[1]: Covid-19[2] has crossed European borders, coming to Italy arrogantly, and has already changed the connotations of the Union.

While governments and public and private organisations throughout Europe are taking measures to contain and mitigate Covid-19, the processing of different types of personal data could be heavily involved[3].

So the European Data Protection Board (EDPB) reminds us that efforts to use geolocation data to carry out contact tracing, in the same way that some countries controversially plan to, would currently be unlawful under the ePrivacy Directive[4]. But in certain circumstances, including matters of national and public security, member states are entitled to introduce new laws that would override their existing interpretations of the directive.

In the statement we read: “The national laws implementing the ePrivacy Directive provide for the principle that the location data can only be used by the operator when they are made anonymous, or with the consent of the individuals”.

“The public authorities should first aim for the processing of location data in an anonymous way (i.e. processing data aggregated in a way that it cannot be reversed to personal data). This could enable to generate reports on the concentration of mobile devices at a certain location (‘cartography’).”

In practice, to identify groups of people who were breaking self-isolation rules, law enforcement agencies could use aggregated location data, based on individuals’ proximity to cell towers, but they couldn’t use the data to find people who had come into close contact with those who had later tested positive.

The statement continues: “When it is not possible to only process anonymous data, Art. 15 of the ePrivacy Directive[5] enables the member states to introduce legislative measures pursuing national security and public security.

“This emergency legislation is possible under the condition that it constitutes a necessary, appropriate and proportionate measure within a democratic society. If such measures are introduced, a Member State is obliged to put in place adequate safeguards, such as granting individuals the right to judicial remedy.”

In substance, the ePrivacy Directive tends to follow a pro-privacy agenda, like EU data legislation in general, and similarly member states could be allowed to maintain sovereignty when it comes to issues of national security.

As for the GDPR[6], it “provides for the legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject.”

Andrea Jelinek, the EDPB’s chair, affirms: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

So, apparently, the main purpose of the EDPB statement is to remind us that GDPR protections cannot simply be swept away even during a public health crisis[7].

“This is a warning to governments, health authorities and employers that while they can process biometric and health data without consent, this must be done proportionately, lawfully, and with safeguards in place.”

Not surprisingly, both the ePrivacy Directive and the GDPR emphasize that any exceptions to the general safeguards can only take place subject to certain precise fundamental precautions, among which proportionality stands out.

Indeed, starting from the fact that the huge data processing capacity allowed by technology has a significant impact on each individual citizen's life, and in line with the 2017 Necessity Toolkit[8], which had delimited the scope of the concept of the need for limitations to fundamental rights, the EDPS adopted in December 2019 new «Proportionality guidelines»[9]. Those rules further define the content and purpose of the rights guaranteed by the Basic Charter and by the GDPR, developing a deep legal analysis aimed at creating a real proportionality test and practical tools to help assess the compliance of proposed EU measures that would impact the fundamental rights to privacy and the protection of personal data[10].

One last point: the phase of "proportionality in the strict sense" examines the effects of the legislative act, comparing and weighing the benefits deriving from the pursuit of the objective at which the legislator aims against the costs, that is, the sacrifices that it imposes on other rights and interests at stake[11].

Normally it is the most delicate evaluation, “that which requires the judge to widen the gaze of his assessments, up to projecting himself on the actual impact of the legislation submitted to him: this requires a knowledge of the data of real experience that the law regulates, which far exceeds the positive legal data, strictly intended”[12].

That is why, in practice, one must carefully weigh the risk that the necessary serenity of judgment may be affected by the urgency of using, as soon as possible, pervasive but effective technological tools to limit pandemics as contagious as COVID-19.

In substance, the EDPB seems to want to reaffirm its orientation that “technological design decisions should not dictate our societal interactions and the structure of our communities, but rather should support our values and fundamental rights”[13].

However, it should never be forgotten that "the observation spectrum of legal experience (...) is particularly wide and, therefore, appropriate to the judgment of reasonableness"[14]. And finally, "Reasonable does not express just pure rationality, but, as has been effectively said with words pertinent also to the legal universe, it consists in subduing reason to experience"[15].

 


[1] Cf. “the International Committee on Taxonomy of Viruses (ICTV)  announced ‘severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2)’ as the name of the new virus on 11 February 2020.  This name was chosen because the virus is genetically related to the coronavirus responsible for the SARS outbreak of 2003.  While related, the two viruses are different. (…) WHO announced “COVID-19” as the name of this new disease on 11 February 2020” in https://www.who.int/emergencies/diseases/novel-coronavirus-2019/technical-guidance/naming-the-coronavirus-disease-(covid-2019)-and-the-virus-that-causes-it.

[2] Cf. “Since 2 January 2020, the three levels of WHO (China country office, Regional Office for the Western Pacific and headquarters) have been working together to respond to this outbreak of COVID-19. On 30 January, WHO declared the outbreak a Public Health Emergency of International Concern (PHEIC). On 11 March, WHO Director General characterized COVID-19 as a pandemic.” In https://www.who.int/westernpacific/emergencies/covid-19.

[3] Here and hereafter I refer to the ‘Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak’ in https://edpb.europa.eu/news/news/2020/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak_en.

[4] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). “Known as the ePrivacy Directive, it sets out rules on how providers of electronic communication services, such as telecoms companies and Internet Service Providers, should manage their subscribers' data. It also guarantees rights for subscribers when they use these services.” (…)  “In June 2013, the Commission has put in place new specific rules to ensure that personal data breaches in the EU telecoms sector are notified in the same way in each Member State.” in https://ec.europa.eu/digital-single-market/en/news/eprivacy-directive.

 

 

[5] The consolidated text says “Article 15 Application of certain provisions of Directive 95/46/EC  - 1.  Member States may adopt legislative measures to restrict the scope of the rights and obligations provided for in Article 5, Article 6, Article 8(1), (2), (3) and (4), and Article 9 of this Directive when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.” – “1b.  Providers shall establish internal procedures for responding to requests for access to users' personal data based on national provisions adopted pursuant to paragraph 1. They shall provide the competent national authority, on demand, with information about those procedures, the number of requests received, the legal justification invoked and their response.” in https://eur-ex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2002L0058 :20091219:EN:HTML.

[6] As we know, “the EU General Data Protection Regulation (GDPR) ensures that personal data can only be gathered under strict conditions and for legitimate purposes. Organisations that collect and manage your personal information must also protect it from misuse and respect certain rights.” in https://ec.europa.eu/digital-single-market/en/online-privacy.

[7] Cf. “Strong data protection rules are essential to guarantee the fundamental right to the protection of personal data. They are central to a democratic society and an important component of an increasingly data-driven economy. The EU aspires to seize the many opportunities that the digital transformation offers in terms of services, jobs and innovation, while at the same time tackling the challenges these bring.” in Communication from the Commission to the European Parliament and the Council Data protection rules as a trust-enabler in the EU and beyond – taking stock, Brussels, 24.7.2019, page 1, https://ec.europa.eu/info/sites/info/files/aid_development_cooperation_fundamental_rights/ aid_and_development_by_topic/documents/communication_2019374_final.pdf.

[8] Cf. EDPS Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit, 11 April 2017 in https://edps.europa.eu/sites/edp/files/publication/17-04-11_necessity_toolkit_en_0.pdf.

[9] Cf. EDPS, Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data, 19 December 2019 in https://edps.europa.eu/data-protection/our-work/ publications/guidelines/edps-guidelines-assessing-proportionality-measures_en.

[10] See also S. Guida-D. Tozzi, La valutazione della proporzionalità delle misure che limitano i diritti fondamentali della privacy nelle nuove linee guida del garante europeo della protezione dei dati in European Journal of Privacy Law & Technologies, ISSN 2704-8012.

[11] Cf. M. Cartabia, I principi di ragionevolezza e proporzionalità nella giurisprudenza costituzionale italiana, Conferenza trilaterale delle Corte costituzionali italiana, portoghese e spagnola, Roma, Palazzo della Consulta 24-26 ottobre 2013, Working Papers, pag.5.

[12] Ibidem.

[13] Cf. EDPS, Opinion 4/2015 Towards a new digital ethics Data, dignity and technology 11 September 2015, page 10.

[14] Cf. M. Cartabia, I principi di ragionevolezza e proporzionalità nella giurisprudenza costituzionale italiana, Conferenza trilaterale delle Corte costituzionali italiana, portoghese e spagnola, Roma, Palazzo della Consulta 24-26 ottobre 2013, Working Papers, cit., pag.19.

[15] Ibidem.

 

 

 

The European Data Protection Board has adopted the following statement on the processing of personal data in the context of the COVID-19 outbreak

