Written by Jose Belo, Co-chair of the IAPP Luxembourg Chapter
Hayek once said that “’Emergencies’ have always been the pretext on which the safeguards of individual liberty have been eroded”. We have seen this on many occasions in the past years.
For example, the PATRIOT Act and FISA Act were both enacted to protect the USA, while limiting the rights and liberties of US and foreign citizens.
It was through Section 215 of the PATRIOT Act that the NSA found its legal basis for mass surveillance of millions of citizens through their phones. The ACLU has stated that the data collected by the NSA “include the numbers dialled and received, the dates and times of those calls, and their duration”. It is not a farfetched to believe that geolocation and the actual conversations were also collected and processed.
In the EU, things weren’t that different, even with Directive 95/46/EC, not providing any legal basis for mass surveillance. For example, many EU countries, in the aftermath of the Atocha, Brussels and London attacks, enacted laws that were, in practice, mass surveillance enablers. These laws are still in place today and the mass surveillance of citizens, whatever their nationality is, is ongoing on a daily basis.
A good illustration of this erosion of fundamental rights in the EU for all, using an ‘emergency’ as a pretext, are the laws of many EU countries where there is a legal requirement to provide law enforcement daily the names of all the guests that are staying in hotels and similar accommodation, even though there is no prior evidence that the guests whose personal data is transferred to law enforcement are involved, in any way, with terrorist activities.
With these historical examples of emergency-related legal solutions going beyond their initial scope of action, one has to wonder if the measures we take within the context of COVID-19 aren’t going to become the new normal.
That is why privacy professionals from around the Globe are monitoring what Governments and private companies are doing, in terms of data processing activities, using the containment of outbreaks of COVID-19 as a basis for those data processing activities.
The supervisory authorities have, many of them, provided their interpretation of the GDPR towards answering the need to process health and location data in these unusual times. Although such national guidelines may be justified due to Member-State specific labour laws, some of them are not in-line with the EDPB’s own guidelines when it comes to data processing at work, in teleworking and location data.
It is clear, following the Barbulescu decision by the European Court of Human Rights, that prior information to employees is paramount to comply with art. 12 of the GDPR and art. 7 and 8 of the Charter of Fundamental Rights. Also clear is the fact that employers should not use this time to place further monitoring of its employees than is strictly necessary.
Even if straightforward, the differences of opinion of many Member-State supervisory authorities on the same topic leads to an unwanted legal uncertainty by employers. Also relevant is the fact that there seems to be an inconsistency of the consistency principle, which raises questions regarding what guidelines to follow – national guidelines or the EDPB recommendation.
Another relevant aspect of the relationship between privacy and the public interest that is clear when fighting a pandemic, is the fact that many Government and health institutions are proposing monitoring apps to control the coronavirus.
This monitoring not only processes health data but allows the Government to understand the location of each individual. With heath data being a special category of data and location data being a constant monitoring system that may go against the principles of the GDPR, it has been a trend with these apps that all these data are processed in a fair and transparent way.
The fact is that the dire need of these apps and the data they collect should be used to help fight the pandemic. However, it is also important to understand that the collection of these data should be done with the proper safeguards in place and following the principles of the GDPR.
In many cases, and taking the Catalonian Government STOP COVID-19 app as an example, the apps are developed using Google Firebase. Such information is not given to the data subject and little is known on the role of Google in all this, and if any further processing of the collected data happens or if controls are in place to prevent Google from using this information on their group of companies.
However, both Google and Apple have started to remove from their app stores any COVID-19 app that is not endorsed by a Government or the relevant health public body. There is no information, nonetheless, if this was a position that Google and Apple have undertaken by themselves, or if it was a demand from Member-States Governments or by the EU.
Another issue that is relevant is the fact that any data subject access requests (DSARs) are now difficult to answer in the art.12-set deadline of one month. An analysis of art.12 finds that, to use the two-month extension, the requisites are complexity and number of requests.
Even though the Irish DPC provided guidance towards using complexity and number of requests as a way to extend the answering of the data subject request to two more months, the fact is that this is done through a very extensive interpretation of the art.12.
Even though it is true that answering data subject requests is complex in the context of a pandemic, the fact remains that, taking into consideration that this is an Irish DPC interpretation, nothing guarantees that other supervisory authorities understand this in the same way. So, the same issue arises: if other supervisory authorities interpret the GDPR differently, what should we do?
What results in all of these situations is that, even though the GDPR has the answers regarding how to process data in a context as harsh as the one we are living in, the truth is that a more consistent approach, following art.63 of the GDPR, should have been evident.