European data protection regulators have been quick to publish statements emphasising that data protection laws do ‘not hinder measures taken in the fight against the coronavirus pandemic’. Instead, regulators have stressed that the EU GDPR, and the ePrivacy Directive, provide appropriate frameworks for data processing in the context of pandemics.
However, the European Data Protection Board has also recognised that Member States may need to introduce new legislative measures to allow certain data processing activities. Such activities may well include asking telecoms operators for mobile location data which has not been anonymised without asking individuals for consent in order to track individuals who test COVID-19 positive.
It is unclear how long COVID-19 will require emergency measures to remain in place, with some specialists estimating 24 months. Measures implemented to enable data processing during the COVID-19 pandemic could change the privacy landscape for a significant period of time. Further, if the UK implements such emergency measures, this could render an adequacy decision by the EU Commission less likely in the current timeframes as it moves the UK position away from that set out in the GDPR.
Looking beyond the EU, some states’ use of existing data sets for new purposes, or collection of additional data, are causing concern among privacy advocates.
For example, last week, as part of a range of measures to combat COVID-19, the Israeli Government authorized the Internal Security Agency to use mobile location data to track individuals who have tested COVID-19 positive, and warn those they were in contact with to self-isolate. The use of this data, reportedly collected for counter-terrorism purposes, to combat COVID-19 has sparked concern among national privacy advocates, who fear it constitutes a step in the long-term erosion of individuals' right to privacy.
South Korea, whose COVID-19 response has been widely lauded, triangulated data from credit and debit card transactions, mobile phones, and CCTV to track and contain the outbreak. The Government also amended legislation to enable it to access individual medical records and share them without a warrant. ‘Safety guidance texts’ sent to the public provide the gender, age range and recent movements of individuals who test COVID-19 positive. This has reportedly rendered a number of individuals identifiable.
Some governments that did not already possess the necessary data are now collecting it. On 3 March Iran’s Government asked all citizens to download the AC19 app to ‘determine if you or your loved ones have been infected with the coronavirus.’ AC19 asks individuals to answer ‘yes’ or ‘no’ to a range of symptoms, and generates an automatic diagnosis. It also collects the name, address, date of birth, and geo-location of individuals who download the app.
States passing such laws have argued they are time-limited and required to combat COVID-19, however concerns remain about their long-term implications for privacy. The privacy landscape will no doubt be one of many to be different in the post COVID-19 world.
The Economist, ‘Closed’, March 21-27th 2020
Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the coronavirus pandemic