Coronavirus and privacy – finding the middle ground

In typical 21st century fashion, the value of data has become patently obvious in the current fight against the spread of the Covid-19 coronavirus. However, as extreme measures have become the new normal to tackle this global crisis, so have the approaches to data collection and dissemination among governments and employers.

Some of those measures have a very direct impact on people’s privacy. In some places, the whole population is being subject to intense surveillance while the medical data of those infected with the virus is widely shared within organisations.

This is all in the name of saving humanity from a deadly pandemic, but in the same way panic should be avoided, it is crucial to know how to make the most of data in a responsible and privacy-conscious way.

In other words, what data collection and sharing activities are appropriate to control the spread of coronavirus, and where does data protection law fit in? 

Data protection authorities across the world are stepping in to provide their input and guidance. Perhaps not surprisingly, given Italy’s position as the epicentre of the European outbreak, the Italian data protection authority was the first to issue a statement pointing out that employers should refrain from collecting health data in a systematic and generalised manner, including through specific requests to individual workers.

On a similar note, the French regulator stressed that the assessment and collection of information relating to coronavirus symptoms and people’s movements is the responsibility of health authorities, not of employers.

“The different emphasis among the data regulators’ guidance suggests that the right approach must lie in finding a balanced middle ground”

Other authorities have focused on reminding businesses of important considerations when handling personal data. The Irish Data Protection Commission, for example, has listed the key obligations in this respect, while the UK Information Commissioner’s Office has provided very practical FAQ-style advice.

The different emphasis among the regulators’ guidance suggests that the right approach must lie in finding a balanced middle ground. The right to privacy is not an absolute right, even in Europe. Regulators and courts know that, and their decisions reflect the reality that some interferences with the right to privacy are compatible with the law.

The decisions in cases involving the ability of public authorities to interfere with the fundamental right to privacy in the interests of national security or public safety have consistently demonstrated that it is possible to find a reasonable balance.

The numerous and complex rulings of the Court of Justice of the European Union (EU) on these types of cases tend to focus on two concepts: necessity and proportionality. So these parameters will also be applicable to the sharing and dissemination of coronavirus-related personal data.

Where does this leave us in practice? Here are the essential data protection obligations to bear in mind:

• Legal justification: In an employment context, there is likely to be a strong legal justification for proportionate data collection and dissemination, as employers have an obligation to ensure that places of work are safe. That will also apply to the necessary collection of health data for that purpose.
• Transparency: Information provision to those whose data is being collected or disseminated is key and a primary condition irrespective of the purpose. Therefore, employers must always provide a privacy notice explaining why coronavirus-related personal data is required and the extent to which it may be disclosed.
• Purpose limitation: This is particularly obvious, but data practices relating to the fight of the coronavirus should be restricted to that and any secondary uses of data collected in the context of the coronavirus crisis should be strictly avoided.
• Data minimisation: The law makes it very clear that before collecting and using any personal data, it is essential to consider if it is truly adequate, relevant and limited to what is necessary. For this reason, organisations should be especially careful about not disseminating information – such as the identity of an employee infected with the virus – unless is strictly necessary for the purpose of protecting others.
• Cyber security: Given the changes in working practices that the coronavirus is causing – from remote working to virtual meetings – it is essential that employers pay special attention to cyber security risks and prepare their staff for them.
• Privacy impact assessment: In many instances – particularly when new technologies are being deployed or tracking mechanisms are used – it will be necessary to undertake a swift but comprehensive privacy impact assessment and to document any conclusions and recommended data protection measures.

Data gathering and data sharing in the context of the fight against the coronavirus presents a global test for privacy frameworks around the world. Privacy and data protection laws cannot and should not get in the way of a common-sense approach to saving lives. For that reason, all such frameworks allow the use and sharing of data when necessary for that purpose.

At the same time, the parameters set out in the law cannot be ignored – even at times of crisis. Disproportionate decisions and measures are often the result of knee-jerk reactions, and when that happens at a global scale, everyone is at risk – no matter how often you wash your hands.

Eduardo Ustaran is a partner at transatlantic law firm Hogan Lovells.