19 March 2020

COVID19 and Data Protection

The Covid19 Pandemic has everyone worried, and the EU has warned against use of smart phone data tracking….what is acceptable in this crisis?

The question we are trying to answer here is whether the pandemic means the enforcement or understanding of data laws alters. Our headline advice is no, because for all the commentary by regulators seeking to assure people, that has you thinking the law is in some way softened, the under lying message is clear – the law stands, the obligations remain. An example of the true position comes from European Union’s committee of data protection regulators, which states that use of mobile location data, to aid in the tracking of the spread of the coronavirus outbreak, is not permitted under the ePrivacy Directive. They are right, and the pandemic is not a legal reason to ignore the law and its safeguards.

Many are understandably confused by the European personal data regulators indicating that rules are being loosened, when in fact they are not. Take as an example the European Data Protection Board’s (EDPB) Chair Andrea Jelinek who said this week that: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

Yet laws like the General Data Protection Regulation (GDPR) are actually well crafted and already have provisions to help in these exception times. The GDPR provides legal grounds to enable employers and public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. This applies for instance when the processing of personal data is necessary for employers for reasons of public interest in the area of public health or to protect vital interests (Art. 6 and 9 of the GDPR) or to comply with another legal obligation. It is therefore disappointing that the messages coming from regulators are not clearer at this time. The main point that businesses should be wary of is thinking they are able to act without concern for data protection rights. You should always ask yourself whether your actions of say processing without consent, can be justified. It is clear that a doctor dealing with an outbreak can, but if you are a school or small business, can you really justify a change of approach? Can you clearly tie it to need in light of a pandemic that is in the ‘vital interests of the data subject’?

For the processing of electronic communication data, such as mobile location data, additional rules apply. The national laws implementing the ePrivacy Directive provide for the principle that the location data can only be used by the operator when they are made anonymous, or with the consent of the individuals. When it is not possible to only process anonymous data, Art. 15 of the ePrivacy Directive enables the member states to introduce legislative measures pursuing national security and public security;

“…democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified….”

Some say this is what Governments should be thinking about, but does it clearly cover a health crisis? It is unambiguously focused on national security, defence and crime, not health. In fact no where in the ePrivacy Directive does it mention the word ‘health.’ However, this should not concern the UK, because having left the EU, the UK clearly has autonomy to pass legislation to make such measures legal, but will they?

There is also a serious question of how would our geo-location data from mobile devices be used? Are we as a society happy with how it will be used?  It may be there is no time for such a debate, but protecting people’s rights should never be far from the Government’s thoughts, even as they weigh up how to protect our health.

For example if law enforcement agencies use aggregated location data, based on individuals’ proximity to cell towers, to identify groups of people who were breaking self-isolation rules, would we be happy about that? If the information is used to send the police or military to those locations, is that appropriate? Once law enforcement is present they will be dealing with real people, found via a data solution, so are we side stepping the law?

As reported in our data blast series the UK Information Commissioner has issued guidance on the data protection implications of responding to the COVID-19 coronavirus pandemic, answering important questions for organisations, businesses and employers, yet they have not commented on mobile tracking data. The UK ICO is often vague in its guidance while sounding superficially helpful, for example their main statement to data controllers reads  –

“We know you might need to share information quickly or adapt the way you work. Data protection will not stop you doing that. It’s about being proportionate – if something feels excessive from the public’s point of view, then it probably is.”

Rather like a horoscope you can read that with comfort or alarm, given its lack of clarity as to what you can and cannot do. The reality is the law remains, the obligations have not changed, and you need to be considering the impact of the decisions you take and how changes to the way you process data might affect data subjects. Generally there is little reason to change your practices if you were compliant before the crisis, why should you not be now? If in genuine doubt about an action then take advice, but always start from asking yourself what would the court of public opinion think? If your action can be justified within the UK Data Protection Act/GDPR, and other data protection laws you will have no issues, if you feel there is ambiguity, then conduct your mental exercise on privacy impact, and think about the public view point, can you justify your actions? If you are still unsure call us we will be happy to guide you.

James Tumbridge – Barrister, Partner