COVID-19 seems to rule our everyday life and has laid solid ground for huge digital steps at every social, labor, educational and commercial level. It is true, though, that the recent digitalization of procedures and the technological revolution of the past three months, all in the name of extraordinary health conditions and public security, have highlighted numerous hidden risks that should be taken seriously into consideration. It is a fact that individuals are asked to provide their personal data online for various reasons: to offer students online school courses, to work from home, to make all their purchases, to apply for allowance aid, etc.
However, in the fight against this unprecedented communicable disease, while governments, transnational cooperations, and the private and public sectors have joined forces in the battle to monitor, contain and mitigate the common threat of COVID-19, there have been cases of spasmodic reactions and careless decisions, made with no estimation of risk or damage. The usual victims are the fundamental rights to privacy and data protection. Yes, there is no doubt that GDPR principles shall not prevail over public health issues and general public safety. But what if the measures taken to fight the pandemic and maintain the business and education sectors put the right to privacy and data protection at total risk? How should the policy of geolocation through mobile phones and applications be criticized in terms of data protection rules? What happens when no balance exists among the interests at stake? Indeed, there have been cases that sadly prove that personal data have not only been disrespected, but also greatly violated, putting in jeopardy both the mental and physical integrity of the victimized data subjects. For instance, one country in the European continent has published online a list of the names of all COVID-19 patients in its territory, accompanied by their diagnosis, age, gender, residence and other strictly personal information. The data is published on its official governmental webpage and is accessible to all internet users, while no explicit consent has been received from the data subjects at all! The alleged ground for this action is to “secure healthy citizens from getting in contact with the patients and being infected themselves”; however, it is more than obvious that there is no lawful excuse for such a violation of fundamental human rights.
As is well known, according to GDPR provisions, health-related data is considered “sensitive” and is subject to specific processing conditions, as its processing poses significant risks to the data subject’s rights and freedoms (article 4, recital 51 of the Regulation). For this reason, the processing of this data is prohibited (article 9 par. 1). Exceptions to this general rule are introduced, among others, for purposes of health or social care or treatment or the management of health or social care systems and services on the one hand, and for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices (article 9 par. 2 (h – i)) on the other. “Well, this is it!”, someone might rush to say. Indeed, our case seems to be ad hoc. However, both the Regulation itself and numerous other rights-oriented legislative documents stress every processor’s obligation to be subject to enhanced scrutiny and safeguards to ensure respect for data protection principles. Recognizing how critical the current situation is, the Council of Europe with its “Convention 108+” and the European Data Protection Board with its “Statement on the processing of personal data in the context of the COVID-19 outbreak”, adopted on 19th March 2020, have developed a series of recommendations and guidelines to help all interested parties “survive” the pandemic with the fewest possible losses in relation to data protection and its key principles.
Here are some indicative examples:
- data subjects should receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. The information provided should be easily accessible and provided in clear and plain language.
- adequate security measures and confidentiality policies should be adopted, ensuring that personal data are not disclosed to unauthorised parties.
- measures implemented to manage the current emergency and the underlying decision-making process should be appropriately documented.
- individuals using electronic communication services should be provided the right to a judicial remedy.
- the proportionality principle should be safeguarded. Namely, the least intrusive solutions should always be preferred, taking into account the specific purpose to be achieved.
Nevertheless, needless to say, the most effective defence against any violation of our personal data, especially in the digital world, is the golden rule: before sharing any information online, make sure you understand the answers to the following questions: WHO? WHY? FOR HOW LONG?
Good luck and…stay safe!
Secretary General – CONNECT International
Attorney at Law