COVID-19 as a Threat to Personal Data Rights
Personal data rights during a state of emergency – Justifiable exception or a convenient excuse for overreach?
As COVID-19 disease spreads throughout the globe, governments and competent authorities have instituted various measures to prevent or curb the raging pandemic. Most of the countries that are severely affected by this disease have resorted to declaring a state of emergency. In some cases, that means that governments will severely limit or outright suspend our fundamental rights, such as the freedom of movement, traveling, purchasing groceries in certain quantities, etc. Although these measures are justified or, some would even argue, noble in their pursuit of preventing a broad-scale disaster, it remains questionable how far governments can go in limiting the rights of their citizens.
We should bear in mind that this pandemic is unlike anything we have seen before, not because of the severity of the consequences it may have on our lives, but for the sheer fact that we now have the technology to track the movement of every citizen and easily access personal data, including data about health. However, does that mean that our rights regarding the protection of personal data can be taken away?
Legislative protection and government intrusion
In the Republic of Serbia, personal data is protected by the Personal Data Protection Act (“PDPA”) which is modeled after the General Data Protection Regulation of the European Union (“GDPR”). Both PDPA and GDPR classify data concerning the health of the data subject as a special category of personal data, which puts them under special protective measures as their processing is permitted only in special (enumerated) circumstances. One of these circumstances relates to the processing being necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices, in accordance with the law that provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular, professional secrecy (see Art. 9 (2)(i) of GDPR and Art. 17 paragraph 2 point 9 of PDPA).
Although this provides for the lawfulness of processing, it does not in any way circumvent or suspend the rights of the data subject or the obligations of the controller or the processor under GDPR and PDPA. In the absence of a decision that would suspend certain rights guaranteed under PDPA (which has not been enacted or even announced as of this day), the government is obliged to abide by the provisions of PDPA, including transparent processing, informing data subjects about the processing of their data, conducting a data protection impact assessment, etc.
Taking the route of outright publishing personal data about those infected by COVID-19 disease or tracking their movement through mobile phone locators or apps would be, all things considered, in breach of PDPA and GDPR provisions. Nonetheless, competent authorities announced publicly on national television that the Serbian government is tracking the location of its citizens regardless of whether they are infected by COVID-19 disease or not, claiming that it has nothing to do with personal data protection.
Serbian Commissioner for Information of Public Importance and Personal Data Protection
The Commissioner for Information of Public Importance and Personal Data Protection (“the Commissioner”), as the competent authority for personal data protection in Serbia, published a notice regarding the processing of personal data during the state of emergency.
This notice addresses the most prevalent concerns about personal data protection, namely:
- Publishing of personal data of the persons infected by COVID-19 disease
- Employers' rights to process data about the health of their employees
- Processing of data about health for the purpose of scientific research
- The rights of data subjects during the state of emergency
The Commissioner emphasized the importance of protecting personal data during the pandemic and that the processing, collecting and publishing of personal data must be conducted in accordance with the provisions of PDPA.
Data of the persons infected by COVID-19 disease that reveal their identity or make such person identifiable should not be made publicly available.
Employers are allowed to process data about the health of employees in accordance with the decisions of competent authorities. On the other hand, if any processing of data is conducted by the employee on behalf of the employer from home (taking into account that one of the measures during the state of emergency is remote working), employers must implement appropriate safeguards in order to prevent potential security breaches.
Additionally, it was stated that the processing of data about health for purposes of scientific research is lawful if conducted by registered scientific institutions.
Data subjects must be allowed to exercise their rights under PDPA even during the state of emergency. However, the Commissioner is mindful of the fact that it may not be possible for employers to respond to requests of data subjects in a timely manner. The Commissioner does not have the authority to alter deadlines for responding to requests of data subjects, but PDPA does allow for the extension of such deadlines from 30 to 90 days (30 days + 60 days). This does not mean that employers or any other controller or processor of personal data are absolved from the obligations set forth in PDPA.
Rest of the world
Much like the Serbian authorities, other states have issued guidelines, statements, and opinions on the topic of personal data protection during the pandemic. Even the European Data Protection Board adopted the Statement on 19 March 2020, in which it outlined the importance of abiding by the provisions of GDPR and national data protection regulation when assessing the measures introduced to combat the coronavirus. The Italian Civil Protection Department adopted a Civil Protection Ordinance as an urgent measure to combat the spread of COVID-19. This Ordinance gives civil protection personnel in Italy extensive powers to process personal data related to the COVID-19 crisis, while German and French authorities published notices urging complete GDPR compliance, notwithstanding the lawfulness of the processing of personal data.
The nation that went furthest in collecting, processing, and publishing the personal data of its citizens and using modern technology to curb the spread of COVID-19 is South Korea, although its practices would be incompatible with the personal data protection legislation of most jurisdictions.
What about employers?
Employers do not have the same power and authority that the government has, but they are affected by COVID-19 nonetheless, as are their employees. Additionally, employers have an obligation to maintain a safe working environment and comply with health and safety regulations. However, they should be wary of the methods used to achieve this goal.
PDPA and GDPR still apply to employers and both contain provisions allowing processing of personal data to be conducted if necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services based on law or pursuant to contract with a health professional and subject to the conditions and appropriate safeguards. Additionally, employers in Serbia are required to apply the Act on Protecting the Population from Infectious Diseases, which constitutes their obligation to undertake all general, particular and emergency measures to protect their employees from the pandemic diseases. Therefore, PDPA and GDPR allow processing of personal data when necessary for the purposes of fulfilling the statutory obligations.
With that in mind, employers should introduce the least intrusive measures first and strive to minimize the collection of data that is incompatible with the purpose of processing, along with introducing safeguards and making sure that proper security measures are implemented. Commonly introduced measures such as body temperature monitoring are permitted, conditioned on compliance with health and safety regulations, while disclosing personal data of employees who are suspected or confirmed to have COVID-19 disease or inquiring about recent personal travel history should be avoided.
Competent authorities in other jurisdictions have issued opinions and guidelines specifically addressing the employers’ rights and obligations under personal data protection laws in those jurisdictions. For example, the Belgian data protection authority issued guidance in which it highlighted that employers may not disclose personal data about the health of their employees to other employees and personnel, nor can they inquire about recent travel history, while the authorities of Singapore, Hong Kong, and the United Kingdom determined that employers have a legitimate interest in acquiring personal data to ensure that the health of employees remains uncompromised.
Should we be worried?
Even though South Korea has successfully implemented its measures with decent results in curing COVID-19 disease, undertaking any wide-scale collection of data to prevent a pandemic cannot serve as an excuse for government or employers’ overreach. The importance of preserving the privacy of personal data must not be neglected, as those data can be misused long after the state of emergency has ended. The parameters within which government and employers should operate are enshrined in PDPA and GDPR and should present a clear guideline on how to conduct all operations concerning personal data during this period. Under principles set out in the aforementioned acts, all personal data collected and processed to stop COVID-19 from spreading should be erased after the state of emergency has ended. Their retention could expose employers to liability for personal data breach and significant monetary fines. The greater threat, however, comes from the government using the pandemic as an excuse to circumvent laws and regulations that protect our privacy. Suffice it to say, trust in our governments will be tested in times to come.
This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.
Miloš Velimirović, Partner
Katarina Živković, Senior Associate