Privacy and Data Protection

in the age of COVID-19

By now, unfortunately COVID-19, better known as the Corona virus, has become invasive controls impacting the privacy of
a household name. The sudden global outbreak of COVID-19 has brought individuals. This last consideration should
tremendous challenges to our day-to-day lives. In order to contain and mitigate serve as a catalyst for organisations to
the threats of this virus, governments, public and private organisations have refute the idea of the inevitable trade-off
taken several measures. These measures include among others, imposing social between privacy and data protection on
distancing, (where possible) mandatory teleworking, discontinuing nonessential the one hand, and effective measures
physical meetings and promoting hand hygiene protocol. protecting public health on the other. The
data protection principles and the technical
As this health crisis evolves, many countries and keeping health records together with tools that allow striking the right balance
are hesitantly resorting to measures such information about the possible contact with are available to privacy professionals. Data
as the lock-down of certain cities/countries, infected individuals outside the workplace. protection is not a “yes” or “no” exercise but
the suspension of flights and the closing rather a “how to” exercise.
of borders. Private organisations are Since these measures involve the processing
creating their own plans by introducing of different types of personal data -including To address these issues and to guide
further controls in order to comply with health data-, privacy and data protection governments and private organisations,
government measures and to protect is critical in their rollout. Meaning that, numerous national Data Protection
their workforce. The overall enforcement organisations should be aware that certain Authorities (DPAs) worldwide as well as
thereof entails invasive privacy measures measures do have an impact on the privacy the European Data Protection Board
such as questioning individuals about of individuals and that they have a choice have published guidelines on the limits
their professional and private travel where to draw the line between safety of collecting, sharing and using personal
plans, performing temperature checks measures benefiting public health and data especially relating to health in these
Privacy and Data Protection in the age of COVID-19

situation in Belgium does not justify a

broad and systematic application of this
paragraph. The DPA also mentioned that
companies and employers may not rely
on the public health processing ground
ex Article 9(2)(i) GDPR with regard to
processing of health data, unless they
are executing explicit instructions issued
by the Belgian authorities. Organisations
are thus advised against “systematic and
generalized” monitoring and collection of
data related to health of their employees
outside official requests and measures
of public health authorities. Secondly,
the DPA expressed that the processing
of personal data collected through the
measures implemented to prevent the
spreading of COVID-19 must comply with
all the fundamental principles of data
processing of Article 5 GDPR. Thirdly,
the DPA answered to frequently asked
questions in relation to the processing of
employee health data by employers. The
exceptional circumstances. In what follows, the worker and his or her closest contacts, publication of these guidelines was followed
to help our clients comply with often times or anyhow regarding areas outside the work by the publication of resembling statements
conflicting rules, we zoom in on a few environment.” Despite the aforementioned, by other EEA regulators, including those of
fundamental questions and considerations employees still have the obligation to inform Finland, France, Czech Republic, Denmark,
that rise on the interplay between privacy their employer of any danger to health and Germany, Hungary, Iceland, Ireland,
and data protection on the one hand and safety at the workplace. Lithuania, Luxembourg, the Netherlands,
the protection of public health on the other Norway, Slovakia, Slovenia, Spain, Sweden,
hand. It is important to note that after the United Kingdom and Poland.
Garante published these guidelines, the
Does Data Protection hinder the situation in Italy worsened. Therefore, the At EU level, Andrea Jelinek, the chair of the
measures that need to be taken for Government took very strong measures European Data Protection Board (EDPB)
public health? to further contain the infection, rendering adopted a formal statement on March 16th
Within Europe, Italy was the first country the Garante’s guidelines outdated. The on the processing of personal data in the
to be severely impacted by the virus. measures included the signing of protocols context of the COVID-19 outbreak. She
Therefore, the Italian DPA (the Garante) between Industrial Associations and Trade emphasized that data protection does not
was the first one to deliver guidelines Unions in order to protect workers’ health. form a barrier to public health.
concerning COVID-19 on the 2nd These urgency provisions allow employers
March 2020. According to the Garante, to submit workers and visitors to the control The EDPB updated this statement on
public health authorities are the only of body temperature at the entrance by March 19th, underlining that even in these
organisations that are mandated to collect non-healthcare personnel, authorized exceptional times, the data controller and
and manage data about health related to by the company and without recording processor must ensure the protection of
the virus’ spread. It states: “The investigation the data. In addition, it is also allowed to the personal data of the data subjects. The
into and collection of information on the identify and record data subjects who EDPB also stated that “emergency is a legal
symptoms typical of Coronavirus and on exceed the threshold of temperature when condition which may legitimise restrictions
the recent movements of each individual are access is prevented to company premises of freedoms provided these restrictions are
the responsibility of healthcare professionals and a reason should be mentioned. In this proportionate and limited to the emergency
and the civil protection system, which are case, an adequate privacy notice on the period”.  For this reason, a number
the entities tasked with ensuring compliance processing of personal data is required. of considerations are necessary to assure
with the public health rules that were recently the lawful processing of personal data.
adopted.” The key takeaway from the The Belgian Data Protection Authority Regarding the legal basis, employers and
Garante was that “employers must refrain (DPA) delivered its own guidelines on the public health authorities do not have
from collecting, in advance and in a systematic 13th of March. First, the DPA mentioned to rely on the individual’s consent to
and generalised manner, including through that companies and employers may not process personal data within the scope of
specific requests to the individual worker or rely on the vital interest of the data subject a pandemic but can rely on Article 6 and
unauthorized investigations, information ex Article 6(1)(d) GDPR as a legal ground 9 of the GDPR. The EDPB points out that
on the presence of any signs of influenza in for processing. The current COVID-19 when telecom data is being processed,
Privacy and Data Protection in the age of COVID-19

such as localisation data, national laws In this context, several privacy activist organisation that defends and promotes
implementing the ePrivacy Directive groups have voiced their concerns about the right to privacy across the world,
must also be respected. To conclude unprecedented levels of public surveillance. mentions on its website that governments
its statement, the EDPD highlights that Access Now warns for the potential and international agencies are deploying
national legal restrictions have to be consequences of processing sensitive extraordinary measures that might impose
considered when processing personal data information: “it can identify individuals and severe restrictions on people’s rights and
in the employment context. reveal highly personal details of people’s lives freedoms. Therefore, they have installed a
… Collection and processing of health data, tracker that gives an overview of all current
Finally, the European Data Protection including the publication of information online, measures that are being taken.
Supervisor (EDPS) also issued a statement poses risks to the safety of affected persons
in response to a query from DG CONNECT and their communities. Health authorities As the pandemic claims human lives and
of the European Commission on monitoring should strictly adhere to a legal basis for these hospital capacities are severely tested, it
of the spread of the COVID-19 outbreak on activities.” Privacy International, another calls for even more drastic measures that
March 25. The EDPS commented on ‘data
anonymization’, stating that effectively
anonymised data fall outside of the scope
of data protection rules. Regarding ‘data
security and data access’, the Commission
was advised, when relying on third parties,
to apply equivalent security measures
and be bound by strict confidentiality
obligations and prohibitions on further
use as well. Finally, on ‘data retention’, the
EDPS stressed that the data obtained from
mobile operators should be deleted as
soon as the current emergency comes to
an end.

Does the processing of health data by

public authorities open the door to
surveillance?
According to the guidance from the
different DPAs, private companies are not
allowed to process data relating to the
COVID-19 virus. However, public institutions
have the possibility to rely on the legal basis
from article 9 §2 i) of the GDPR. Article 9
§ 2 i) allows the processing of health data
when the “processing is necessary for reasons
of public interest in the area of public health,
such as protecting against serious cross-border
threats to health”.

Despite a legal basis being at hand

underpinning the processing activities of
public institutions, one might not forget
that the spine of data protection, more
specifically, the spine of the GDPR consists
of other equally important principles. Next
to lawfulness, fairness and transparency,
proportionality, purpose limitation, data
minimisation, accuracy, storage limitation,
integrity and confidentiality need to be
taken into account. However, even then
there is widespread worry whether privacy
and data protection will prevail in times of a
health crisis.
Privacy and Data Protection in the age of COVID-19

further limit many fundamental human mobile phones. Singapore implemented

rights and freedoms, among which the right TraceTogether, a consent-based app to Conclusive Remarks
to privacy. Authorities worldwide seem facilitate tracing efforts. South Korea During a pandemic, it is to be
to be relaxing their approach to privacy has limited the spreading of contagion expected that fundamental rights
in view of the health emergency to limit by extensive testing, monitoring and will have to be balanced against each
contagion counting on new technologies publicly sharing detailed information on other. The question is whether the
and big data to combat the outbreak of the the movements of infected citizens. outcome of the balancing exercise
COVID-19 virus. Outside of the territorial between the right to health and
scope of the GDPR, countries such as Israel Given the effectiveness of implementing the right to privacy needs to be a
are leveraging existent counterterrorism such intrusive measures and the massive limitation of the latter and if so,
cyber technologies for COVID-19. These impact of the virus in Europe with Italy whether this limitation is necessary,
measures include the monitoring of as the epicentre, countries within the proportionate and restricted in time.
citizens’ mobile phone location data territorial scope of the GDPR are rapidly In any case, public authorities will
without their consent to track the precise following behind. In hard-hit Italy, an need to be able to prove that they
movements of people infected with the anonymously monitoring solution (by have answered those questions ex
virus, alert people of new cases near them using aggregated location data) was ante and not ex post. This means
and enforce quarantine measures. In implemented, but its transparency was that even when privacy and data
fact, the Supreme Court had to intervene questioned. Many EU countries have protection rules are being stretched
deciding that only those citizens who tested sought collaboration with Telco’s to several obligations cannot be
positive to the virus can be subject to a monitor citizen movements and to push abolished. Think of the fact that
digital review of their movements and can notifications to its citizens’ mobile phones. health data can only be processed
receive quarantine orders from the Ministry In Spain the government has launched for the purpose(s) for which it has
of Health. In China, citizens are required a free app to track COVID-19 cases similar been collected. By issuing guidance
to download government issued health to the applications developed in Asian on the processing of personal data
applications that generate a score based on countries. In Poland, the government has in the context of COVID-19, the DPAs
contagion risk and share that information developed an app that forces COVID-19 emphasize the importance of the
with the police. The Chinese Ministry of patients to take regular selfies, to prove GDPR as an aspiring worldwide data
Public Security has also bought a facial that they are in quarantine. The German protection standard. However, the
recognition technology that can identify federal government’s disease prevention current global health crisis is the
individuals, even when they are wearing a agency is considering using the mobile first real obstacle the GDPR has to
(surgical) mask. In Russia, facial recognition phone data of people diagnosed with overcome since it came into force.
is being used to check whether people COVID-19 to find potential contacts and This is an “excellent” opportunity, not
are breaking quarantine. When looking at predict the spread of the disease. Lastly, only to exhibit its flexibility to harbour
Taiwan, the government has integrated the in Belgium, some technology companies the needs of the public interest,
national health care database with customs are developing a health code app similar to but also to manifest its resilience
and travel records and is tracking whether China’s health tracking application hoping to bounce back from temporary
citizens are abiding by their quarantine to sell the solution to the government. limitations. Privacy professionals all
orders through government-issued over the world will have to bring all
their knowledge and creativity when
advising on these matters.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their
related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide
services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

Deloitte provides audit, tax and legal, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected
network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to
address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence.

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte
Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances
or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any
person who relies on this publication.

© March 2020 Deloitte Belgium