The Covid-19 pandemic has received its fair share of attention over the past 20 months, and this also includes important legal issues related to data protection and privacy. Indeed, the European Data Protection Board (“EDPB”) has published several relevant guidelines and statements on this subject. Until recently, however, few decisions have been made by national data protection authorities (“DPAs”) regarding the data collected and used in connection with the pandemic.
The three DPA decisions discussed below highlight the tension between privacy and the Covid-19 emergency and address the following situations:
(1) a housing company asking for information on residents who tested positive for Covid-19
(2) a quick test company sharing data on WhatsApp groups accessible by employees
(3) a municipality sharing information on Facebook about two people who tested positive for Covid-19
Housing company plans to collect data on Covid-19 infection (August 6, 2021)
A Finnish limited liability housing company informed its residents that they were required to notify the property manager if they were diagnosed with a Covid-19 infection. The Deputy Data Protection Ombudsman, the DPA in Finland, issued a warning to the data controller stating that the processing of this information would lack a legal basis and, taking into account data protection principles, would violate the General Data Protection Regulation (“GDPR”).
The Deputy Data Protection Ombudsman noted in general that there is a relationship between residents and the housing company in which the company processes the personal data of residents and that the data can be processed, for example, on the basis of a contract between the parties or to comply with the legal obligations of the company.
However, Covid-19 infection data falls under the special categories of data defined in Article 9 of the GDPR, as it constitutes health-related data. The processing of such data requires a legal basis not only under Article 6 but also under Article 9, and if there is no specific legal basis for the processing under Article 9, the processing of this data is prohibited.
The Deputy Data Protection Ombudsman concluded that the controller had not assessed whether it could collect this data from residents or whether there was a legal basis for processing it under Article 9 of the GDPR. The principles of data minimization and data protection by design and by default had also not been taken into account. As the evidence indicated that no personal data had actually been collected under this plan, the Deputy Data Protection Ombudsman did not consider it necessary to use remedial powers available to the supervisory authority other than a warning.
The DPA’s decision (in Finnish) is available here.
Corporate Tests for Covid-19 Infections Share Sensitive Information on WhatsApp Groups (July 9, 2021)
The Danish Data Protection Agency determined that a Danish company, among others, had failed to implement appropriate security measures when handling information collected in rapid testing for Covid-19. The Danish Data Protection Agency imposed an administrative fine of 600,000 DKK (around 80,500 EUR) on the company.
The company had set up WhatsApp groups for each of its four test centers. Company employees shared information in these WhatsApp groups using their private phones. All employees working at a particular center had access to that center’s group and received all information sent to the group by other employees. This meant that employees who did not need this information also received data such as social security numbers and health-related information. In addition, the WhatsApp groups also included people who were no longer employed by the company.
As mentioned above, health-related data under Article 9 of the GDPR not only requires a specific legal basis for processing, but such processing is also considered to pose a high risk to the privacy of the individuals concerned; therefore, high standards for security measures must also be observed.
The decision of the Danish Data Protection Authority (in Danish) is available here.
Municipality shares information on people diagnosed with Covid-19 on its Facebook page (April 27, 2021)
A Portuguese municipality shared on its Facebook page information about two people who tested positive for Covid-19 after traveling to France. The information included the days of departure and arrival and the area where the individuals lived. The Portuguese DPA, Comissão Nacional de Protecção de Dados (“CNPD”), considered that the municipality had violated the principle of lawful processing of personal data. The CNPD imposed an administrative fine of EUR 2,500 on the municipality.
As in the previous cases, the processed data was considered to belong to the special categories of personal data, the processing of which requires a specific legal basis under Article 9 of the GDPR. In its response, the municipality argued that it was almost impossible to identify those affected from the information published. According to the CNPD, however, members of the community would be able to identify the individuals in question from the information provided. As this decision indicates, personal data also includes data that allows the indirect identification of individuals.
The decision of the Portuguese DPA (in Portuguese) is available here.
The above decisions make it clear that a pandemic or other similar exceptional circumstances cannot justify exceptions to, or allow shortcuts in, data protection, in particular with regard to the privacy of individuals as data subjects under Article 9 of the GDPR. In summary, even in circumstances such as the Covid-19 pandemic, where there is an urgent need for information, basic data protection principles and applicable laws and regulations should always be observed.