The Covid-19 pandemic has received its share of attention over the past 20+ months, and this includes important legal questions of data protection and privacy. The European Data Protection Board ("EDPB") has published several guidelines and statements on the topic. Until recently, however, there have been few decisions by national Data Protection Authorities ("DPAs") concerning data collected and used in connection with the pandemic.
The three DPA decisions discussed below shed light on the tension between privacy and the Covid-19 emergency and relate to the following issues:
(1) a housing company requiring residents to report a positive Covid-19 test
(2) a rapid testing company sharing test data in WhatsApp groups accessible to all employees
(3) a municipality publishing information on Facebook about two individuals who tested positive for Covid-19
A Finnish limited liability housing company informed its residents that they were required to notify the property manager if they were diagnosed with a Covid-19 infection. The Deputy Data Protection Ombudsman, the DPA in Finland, issued a warning to the data controller stating that such processing would lack a legal basis and, in light of the data protection principles, would violate the General Data Protection Regulation ("GDPR").
The Deputy Data Protection Ombudsman noted in general that there is a relationship between the residents and the housing company in which the company processes residents’ personal data and that the data may be processed, for example, based on a contract between the parties or to comply with the company’s legal obligations.
Covid-19 infection data, however, is health data and therefore falls within the special categories of personal data defined in Article 9 GDPR. Processing such data requires a legal basis under Article 6 and, in addition, one of the exceptions listed in Article 9(2); if no Article 9(2) exception applies, processing is prohibited.
The Deputy Data Protection Ombudsman concluded that the controller had not assessed whether it could collect such data from residents at all, or whether any legal basis for processing it under Article 9 GDPR existed. Nor had the controller considered the data minimisation principle or data protection by design and by default. Because the evidence indicated that no personal data had actually been collected under the plan, the Deputy Data Protection Ombudsman limited the corrective measure to a warning and did not consider it necessary to exercise the supervisory authority's other corrective powers.
The DPA's decision (in Finnish) is available here.
The Danish Data Protection Agency found that a Danish company had, among other things, failed to implement appropriate security measures when processing personal data in connection with rapid tests for Covid-19. The Danish Data Protection Agency recommended a fine of 600,000 DKK (about 80,500 EUR) against the company.
The company had set up a WhatsApp group for each of its four testing centres. Employees shared information in these groups from their private phones. Every employee working at a given centre had access to that centre's group and received everything posted to it by colleagues. Access was therefore not limited on a need-to-know basis: employees with no need for the information nonetheless received social security numbers and health-related data. In addition, the groups still included people who were no longer employed by the company, i.e. access was not revoked when employees left.
As noted above, health data under Article 9 GDPR requires a specific legal basis for processing. Such processing is also considered to pose a high risk to data subjects' privacy, so correspondingly stringent security measures must be in place, including restricting access to those who need the data and removing access when that need ends.
The Danish Data Protection Agency's decision (in Danish) is available here.
A Portuguese municipality published on its Facebook page information about two people who had tested positive for Covid-19 after travelling to France. The post included their dates of departure and arrival and the area in which they lived. The Portuguese DPA, Comissão Nacional de Protecção de Dados ("CNPD"), found that the municipality had processed the data unlawfully and imposed an administrative fine of 2,500 EUR on the municipality.
As in the previous cases, the data was considered to fall within the special categories of personal data, the processing of which requires a specific legal basis under Article 9 GDPR. In its response the municipality argued that it was almost impossible to identify the data subjects from the published information. According to the CNPD, however, members of the local community would be able to identify the individuals in question by combining the details provided. The decision illustrates that personal data, as defined in Article 4(1) GDPR, includes data that allows an individual to be identified only indirectly; the test is whether someone with access to the context could identify the person, not whether the data contains a name.
The Portuguese DPA's decision (in Portuguese) is available here.
The above decisions make clear that a pandemic or similar exceptional circumstances do not justify exceptions to, or shortcuts around, data protection law, particularly where the privacy of data subjects is at stake and special categories of data under Article 9 GDPR are involved. In short, even where, as during the Covid-19 pandemic, there is an urgent need for information, the basic principles of data protection and the applicable laws and regulations must still be followed.
Written by: Suvi Julin and Atte Karineva