The potential tension between the protection of public health and the fundamental right to personal privacy is being tested on an unprecedented scale in the global coronavirus (COVID-19) pandemic. The European Data Protection Board (EDPB) adopted guidelines on 21 April 2020 on the processing of health data as part of research efforts to respond to the COVID-19 pandemic (Research Guidelines) and on geolocation, and other tracing tools, in the context of the pandemic (Tracing Guidelines).
The Research and Tracing guidelines follow the EDPB’s broad statement, adopted on 19 March 2020, regarding the processing of personal data in the context of the COVID-19 pandemic. This guidance comes at a time when many countries are rolling out location tracking and contact tracing apps, including a new National Health Service (NHS) app that is being trialled in the United Kingdom. The UK’s Information Commissioner’s Office (ICO) has also published guidance on these apps.
The EDPB highlights that data protection rules do not hinder measures taken in the fight against the COVID-19 pandemic. The aim of the guidelines is to explain why this is the case and to offer guidance on how the collection of location data to enable contact tracing can be lawful and proportionate. The EDPB emphasises that the apps should be voluntary, albeit that the key to their efficacy in the COVID-19 pandemic relies upon a significant proportion of a country’s population downloading and using the app and the quality of the information users submit to the app regarding their health.
Specifically, the Research Guidelines clarify that data protection laws do not prohibit the processing of health data for the purpose of scientific research in connection with the fight against the COVID-19 pandemic, provided that such processing complies with the fundamental right to privacy and personal data protection. The GDPR contains a specific lawful processing ground allowing the processing of special categories of personal data, such as health data, where it is necessary for the purposes of scientific research or for public health reasons. Further, the Tracing Guidelines explain that the GDPR and ePrivacy Directive contain measures allowing the use of personal data collected through the apps to support public authorities in monitoring and containing the spread of COVID-19 because of the contact tracing aspect to the apps.
The Research Guidelines aim to clarify the legal basis upon which such data is used, what safeguards should be implemented, the extent to which data subjects may exercise their rights, and whether and how international data transfers can occur in the context of scientific research.
The data subject must be informed of the processing and that his or her data is being processed for scientific purposes. The Research Guidelines acknowledge that researchers often process health data they have not obtained directly from the data subject and the focus of the Research Guidelines is therefore on the implications of Article 14 of the GDPR, which governs information obligations where personal data is not collected directly from the data subject.
Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The Research Guidelines clarify that further processing for scientific research purposes shall not be considered incompatible with the initial purposes.
The Research Guidelines emphasise the importance of the data minimisation principle. They suggest that due consideration should be given to both the nature of the research questions, and the type and amount of data necessary to properly answer those questions. Data should be anonymised where it is possible to perform the relevant research with anonymised data.
The Research Guidelines suggests that such measures should include the following as a minimum: pseudonymisation, encryption, nondisclosure agreements and strict access role distribution, restrictions as well as logs.
Data protection impact assessments must be carried out when such processing is likely to result in a high risk to the rights and freedoms of natural persons. Further, the Research Guidelines underline the importance of data protection officers and the need for them to be consulted if any health data is processed. Any measures which are adopted must also be properly documented.
International cooperation on a large scale is likely to be required in order to coordinate effective research into how to curtail the spread of COVID-19. This may result in the international transfer of health data outside the EEA. The Research Guidelines clarify that the GDPR does not preclude international cooperation in the field of research.
Where this occurs, however, additional obligations beyond those already discussed apply to the data exporter. These include an obligation on the data exporter to inform data subjects of its intention to transfer personal data to a third country or international organisation. This obligation includes informing data subjects about the existence or absence of an adequacy decision by the European Commission of the country to which their personal data has been exported, or whether the transfer is based on a suitable safeguard or derogation pursuant to the GDPR. Data exporters should favour solutions that guarantee the rights of the relevant safeguards. This is likely to be satisfied, according to the Research Guidelines, where the country to which the data is exported has been deemed by the European Commission to have an “adequate” level of data protection, or instead where safeguards are relief upon, that would ensure data subjects have enforceable rights and effective legal remedies.
Importantly, however, in the absence of an adequacy decision or appropriate safeguards, the Research Guidelines explain that data exporters may be able to rely on the public interest derogation under Article 49(1)(d) of the GDPR. The EDPB clarifies that the fight against COVID-19 has been recognised by the EU and most of its member states as an important public interest, which may require urgent action in the field of scientific research, and may also involve transfers to third countries or international organisations. The Research Guidelines clarify that the derogation may justify the initial transfer of personal health data that is urgently needed to carry out necessary research, while repetitive and longer-term COVID-19 research projects will need to be based on appropriate safeguards under Article 46 of the GDPR.
Governments and businesses are using, or are in the process of developing, data driven solutions to respond to the COVID-19 pandemic. For example, the aim of contact tracing apps is to allow smartphones to determine automatically whether a person has been in contact with, or in close proximity to, an infected person or someone with symptoms suggesting an infection of COVID-19 and notify him or her accordingly that a test should be undertaken or he or she should self-isolate.
The Tracing Guidelines clarify that data protection laws are flexible and are therefore able to achieve both an efficient response in fighting the pandemic while protecting the fundamental human right to privacy. The EDPR does stress, however, that we should not put ourselves in a position where we have to choose between an efficient response to the crisis and the protection of our fundamental rights. Instead, the EDPR states that we can achieve both, and importantly, that data protection principles can and should play an important role in the response to the pandemic.
The Tracing Guidelines explain the data protection principles and conditions that need to be followed when:
The data privacy implications depend on the source of the location data. Where electronic communication providers collect location data as part of their service, such data may only be transmitted to authorities, or other third parties, if:
Where location data is collected by information society service providers whose functionality requires the use of such data (e.g., navigation and transportation services), then the storing of information on the user’s device or gaining access to the information that is stored therein is allowed only if:
There is a clear focus in the Tracing Guidelines on the need for data anonymisation. Whenever possible, the processing of anonymised location data is preferred over the processing of identifiable data. The EDPB acknowledges that adequate anonymisation may be difficult. For data to be truly and irrevocably anonymised, the user must not be able to be identified.
The Tracing Guidelines state that the extent of location monitoring and/or contact tracing required to implement these types of solutions could be a significant intrusion into individuals’ privacy. Accordingly, strict measures will need to be adopted to ensure the legitimate and proportionate use of these types of applications. Such measures include the following:
The Tracing Guidelines make a number of recommendations for how tracing applications should be developed and used. For example:
In an Annex to the Tracing Guidelines, the EDPB has also adopted a guidance for designers and implementers of contact tracing applications. In the guide, the EDPB encourages publishers of these apps to take account of a number of principles including the following:
The UK has launched a trial of NHSX, a contact tracing app for users in the UK, operated by a joint venture with the NHS. The ICO has announced it is working with NHSX on privacy issues and has published a blog on contact tracing apps in general. We understand that NHSX uses anonymous data, albeit with location information (but, notably, not location tracking data) and this would mitigate against privacy concerns where the data collected is no longer identifiable to the user. The ICO advises that the key privacy considerations in designing and operating tracing apps is:
The COVID-19 pandemic has given rise to a myriad of unprecedented challenges for governments, businesses, organisations and individuals alike. Privacy and data security concerns are a central issue given the importance of health data in the fight against the virus.
The EDPB has gone to great lengths to explain that existing data protection laws should not stand in the way of finding a vaccine, and that the existing legal framework allows the use of anonymised personal data to support governments and businesses in their attempts to monitor and contain the spread of COVID-19. The guidelines helpfully explain how lawful processing can be maintained in this context by setting out a number of recommendations (e.g., contact tracing apps should use proximity data rather than the individual’s actual location) to ensure that individual privacy rights are protected and exemptions upon which organisations may rely (e.g., clarification that organisations may rely upon the Article 29 derogation concerning international data transfers for scientific purposes) when processing health data.
Trainee solicitor William Mallin contributed to this LawFlash.
For our clients, we have formed a multidisciplinary COVID-19 Task Force to help guide you through the broad scope of legal issues brought on by this public health challenge. We also have launched a resource page to help keep you on top of developments as they unfold. If you would like to receive a daily digest of all new updates to the page, please subscribe to receive our COVID-19 alerts.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Washington, DC
Dr. Axel Spies
Philadelphia
Gregory Parks
Ezra Church
Kristin Hadgis