Covid-19: European rules for using personal data
What existing national security legislation, new bulk analysis efforts, and emergency measures have different states deployed to curb the spread of Covid-19?
4 June 2020
Authors: Professor Elspeth Guild, Queen Mary University of London and Dr Elif Mendos Kuskonmaz, University of Portsmouth
Every day the media reveals yet another way information technology is used by European states in their efforts to contain the Covid-19 pandemic. Many of the tools now utilised engage both the state and the private sector. State authorities have recently employed existing and exceptional powers on the basis of the public health crisis to obtain a range of personal data, such as geolocation data, from telecommunications companies. This information is collected on the basis of contractual arrangements between consumers and those companies (covered by the EU’s General Data Protection Regulation (GDPR)). Companies which operate various online services (email, VoIP, etc.) have also been called upon to provide personal data to state authorities against the backdrop of the pandemic.
In this article we will examine the European legal background for using state authorities’ powers under exceptional public health circumstances. To that end, we will examine both the GDPR and the Data Protection Directive to clarify exactly what these two EU laws permit states to do in light of the current crisis. We will also look at how the European Convention on Human Rights and the European Court of Human Rights limit states in their use of public health exceptions. Our conclusion is that the development of any new technological tools needs to strictly comply with EU and Council of Europe rules on privacy. Covid-19 must not be an excuse to ride roughshod over the legal rules which have been put in place to protect human rights, including in times of public health emergencies.
GDPR and DPD - What are the EU Rules on the Health Exception?
The two key pieces of EU legislation on the protection of personal data are the GDPR and the Data Protection Directive (DPD), both of which are relevant when determining the extent to which personal data is allowed to be processed for the purpose of containing, responding to, and preventing the Covid-19 pandemic. We will give a brief overview of the extent to which either of these instruments allows for the processing of personal data in the context of public health.
A number of actors who may be involved in the processing of personal data for reasons of public health — such as online services, companies, public health authorities, and government bodies — must rely on legal grounds provided under the GDPR. One such ground is the data subject’s consent (Arts 4(11) and 7 GDPR). However, in the context of the Covid-19 pandemic, consent may not provide a sound legal ground for online services to collect data for public health reasons. This is especially the case if their consumers do not have a real choice to object to the processing of their data under the contractual arrangements (C-291/12 Michael Schwarz v Stadt Bochum). This means that providers of contact tracing applications may not be able to rely on users’ consent even if the use of the application is voluntary.
Apart from consent, processing of personal data as part of a public health strategy can be based on two grounds. First, processing can take place if it is necessary to protect the vital interests of the data subject or another person (Art 6(1)(d) GDPR). This would allow processing of the personal data of a person who has tested positive for Covid-19 and is unconscious or otherwise unable to consent to the processing of their data, in order to trace who may have been in contact with them. However, because it requires an incapacity on the part of the person whose data is collected, it is unlikely to serve as an appropriate legal ground for wider public health purposes. Second, processing of data can be carried out for reasons of public interest (Art 6(1)(e) GDPR), which includes reasons of public health (Recital 45 GDPR). This means that authorities can rely on the public interest ground when collecting data to contain and trace Covid-19, provided that the collection is authorised by law (EDPB, Guidelines 04/2020). However, this legal basis is only relevant so long as the public health crisis continues.
If processing of health data is at stake, authorities will have to rely on appropriate legal grounds specific to the processing of sensitive data (Art 9 GDPR). The following legal grounds provide appropriate legal basis for processing data related to health as part of responding to the Covid-19 pandemic:
- the data subject’s explicit consent (Art 9(2)(a));
- health-care reasons, such as medical diagnosis and the provision of health services in order to address the Covid-19 pandemic (Art 9(2)(h));
- wider public health strategy, such as allocation of resources and healthcare needs (Art 9(2)(i));
- protecting the vital interests of the data subject or other natural persons (Art 9(2)(c));
- and general medical research, such as clinical trials for Covid-19 treatments (Art 9(1)(j)).
The other EU data protection legislation we mentioned above is the DPD. This legislation governs processing of personal data for policing and criminal justice purposes (Art 1(1) DPD). Because its application is limited to police and criminal justice issues, the DPD might have limited relevance in comparison to the GDPR, with respect to processing personal data for reasons of public health. One dystopian scenario could be the sharing of information relating to a person’s Covid-19 status with the police, who might then be able to detect if the individual has violated the quarantine process and might be authorised to impose administrative sanctions. Nevertheless, this sharing of personal information could be challenged according to the legal ground for which the data is initially collected (e.g. for reasons of public interest as provided under the GDPR), because it could potentially be a violation of the purpose limitation principle.
The European Court of Human Rights and the public health proviso
The rights set out in the European Convention on Human Rights (ECHR) are binding on its signatory states (the 47 member states of the Council of Europe). Some rights are absolute (like the prohibition on torture, Art 3), while others are qualified, permitting states to limit the right on the basis of the grounds set out therein and also to derogate from those qualified rights when the situation is sufficiently grave as to require it. In this section we will examine which rights are qualified on the grounds of health, what relevant case law exists on state use of the exception, and what this may mean for privacy.
Five provisions of the ECHR permit qualification on the basis of health. These are:
- Article 8, the right to privacy;
- Article 9, the right to freedom of thought, conscience, and religion;
- Article 10, freedom of expression;
- Article 11, freedom of assembly;
- and Protocol 4 Article 2, freedom of movement.
In every case the exception is worded the same way - states are permitted to interfere with the right on the ground of the protection of health [or morals].
For our purposes, Article 8, the right to respect for privacy, is the most important, as it restricts states’ interference with telecommunications - including VoIP and internet-related communication. Any interference with the right must fulfil three criteria. First, it must be in accordance with the law, which means there must be a legal provision that fulfils the conditions of a law; that is, it is sufficiently accessible to the public and foreseeable, so that people can modify their behaviour accordingly. Secondly, the interference must have a legitimate purpose. These purposes are set out in each of the provisions (and are the same) and include the protection of health. Finally, the interference must be necessary in a democratic society - this assessment incorporates the requirement that the interference is proportionate. Generally, the European Court of Human Rights states that what is at stake here is striking a balance between the competing interests of the individual and the society as a whole. It includes a requirement that there is a pressing social need.
Article 8 has been interpreted as including both positive and negative obligations on states. They must secure the right to effective respect for the physical and psychological integrity of the individual as well as refrain from interfering with the right. States’ positive obligations include prevention of the spreading of contagious disease (Poghosyan v Georgia and Ghavtadze v Georgia). The Court’s decisions in this regard were in the context of prisons where people were at risk of contagious disease because of the failure of the state to provide screening systems and to guarantee prompt and effective treatment. However, there is no general rule of what preventative health policy a state must take in the face of a contagious disease. While a positive obligation might arise in the case of an epidemic, unless there was a potential threat to health that engaged Article 2 (the right to life) or Article 3 (the prohibition on torture, inhuman or degrading treatment or punishment), there is not necessarily a positive duty on states to take specific preventative measures (Shelley v UK).
The Court has been clearer regarding the protection of personal medical data, which has arisen in a number of cases. Respect for the confidentiality of health data is, according to the Court, a vital principle in the legal systems of all Council of Europe states (I v Finland). In one case, a state required all medical institutions to report refusals of blood transfusions by a specific religious sect to the criminal justice authorities, notwithstanding that the refusal was not a criminal offence. The Court found that there was no pressing social need to request this disclosure (Avilkina and Others v Russia).
In the context of the right to respect for privacy in Article 8, the exception on grounds of protection of health has not been tested before the Court on the wider general preventative ground of an epidemic. The principle, however, that the protection of privacy is a right against which state interference must be justified, remains central. An inversion of the relationship between the right and the exception to it is not lawful. It is likely that the Court will admit a margin of appreciation to states as regards the means which they use to comply with their positive duty to take general preventative measures to protect society from infectious disease. But those measures must be necessary in a democratic society - they must have a clear purpose, be set out in law, and be publicly available.
The purpose must be concrete and not only related to the objective but also limited to its achievement. The exception must not go farther than what is necessary to achieve the objective, including in the areas of preventative health measures. This is critical as regards the expanding use of the technical tools described in the first section of this article. Intrusions into people’s privacy (Art 8 ECHR), coupled with limitations of movement (Protocol 4 Art 2 ECHR) based on health imperatives, must, at the very least, be part of an effective public health strategy. Further, the identification of potentially ill individuals through the use of their personal data must be necessary to the strategy. The obligation to destroy personal data as soon as the purpose for which it was collected has been achieved must also be strictly complied with. This personal data must not be detached from its purpose and used later for entirely different objectives.
A number of European states have exercised their right to derogate from some rights under the ECHR in accordance with Article 15 of the ECHR (Albania, Armenia, Estonia, Georgia, Latvia, Moldova, North Macedonia, Romania, San Marino, and Serbia, with Hungary passing an emergency law which effectively derogates). Most of these countries specified that they were derogating from Article 8. The use of derogations in the time of a pandemic has been criticised by some observers as an overreaction and inconsistent with the objective of Article 15 - a measure necessary in a public emergency threatening the life of the nation.
The measures taken in some states, which interfere with the right to privacy, undoubtedly present questions about their necessity to fight the pandemic and more importantly whether they actually are designed to do so within a coherent and realistic general preventative plan, based exclusively on health considerations.
The Oviedo Convention
The Council of Europe’s Oviedo Convention (Convention for the Protection of Human Rights and Dignity of the Human Being with regard to the Application of Biology and Medicine: Convention on Human Rights and Biomedicine) complements the ECHR, specifically Article 8. Article 10 of the Oviedo Convention states that everyone has the right to respect for private life in relation to information about his or her health and is entitled to know any information collected about his or her health. However, the wishes of individuals not to be so informed shall be observed.
Only in exceptional cases, “restrictions may be placed by law on the exercise of the rights contained in paragraph 2 in the interests of the patient”. A joint statement on the right to data protection in the context of the Covid-19 pandemic by the Chair of the Committee on Convention 108 and the Data Protection Commissioner of the Council of Europe, issued on 14 April 2020, states “the threat resulting from the Covid-19 pandemic [has to be addressed] in respect of democracy, rule of law and human rights, including the rights to privacy and data protection”.
The temptation in Covid-19 times is to search for technological solutions to contain the pandemic. While we are in favour of using every tool available to fight the pandemic, those tools must conform with European human rights standards. This must not become a free-for-all where the hard-won rights of all Europeans are overturned because some actors believe that they are not necessary in time of a medical emergency.
European human rights standards have been carefully crafted and designed to be applicable even in times of public health emergencies. There is sufficient flexibility to allow states to take measures which are genuinely necessary for the purposes of public health. The possibility of using exceptions to those human rights which are not absolute, such as the right to privacy, is contained in our human rights instruments. But the relationship between the right and the exception must never be reversed. The protection of the right to privacy is the norm and its violation - for instance the use of personal data without the consent of the data subject and for purposes for which it was not collected - must be the exception. Our rights must remain rights and not be transformed into paper tigers to be torn up when deemed inconvenient.