Following its 20th plenary session on April 7, the European Data Protection Board (EDPB) selected geolocation and health data to focus on in its upcoming COVID-19 guidance. This follows the EDPB’s earlier broad statement on the processing of personal data in the context of COVID-19.
In its March statement, the EDPB made clear that the GDPR does not hinder measures taken in the fight against the current coronavirus pandemic, but that businesses are not exempt from complying with the GDPR and ensuring the protection of personal data “even in these exceptional times.” The EDPB emphasized that the GDPR allows certain public health authorities and employers to process personal data in the context of an epidemic, provided a lawful basis is met, such as processing that is necessary for reasons of substantial public interest in the area of public health. The EDPB also recalled that when processing location data, national laws implementing the ePrivacy Directive must be followed. In principle, location data can only be used by the operator when the information is made “anonymous” or with the consent of individuals. While the EDPB’s statement provided some answers to questions on processing of data in the context of COVID-19, it offered few concrete recommendations. The authorities of nearly all EU member states have issued supplemental guidance.
As businesses and public agencies grapple worldwide with how to better understand COVID-19 and the pattern of its outbreak and spread, organizations are looking to use and analyze certain personal data in new ways. For example, will analyzing geolocation data help to assess efficacy of social-distancing? How can medical data collected in the context of COVID-19 be re-used and shared? EDPB’s impending guidance is intended to focus on these two topics: geolocation and health data.
The guidance on geolocation and other tracing tools is expected to address: (1) the use of aggregated / anonymised location data (e.g. provided by telecom or information society service providers) and the effectiveness of such techniques; (2) the application of GDPR’s principles to the different ways available to gather location data or trace interactions between people; (3) a legal analysis of the use of apps and collection of personal data by apps to help contain the spread of the virus; (4) the required safeguards to protect geolocation or other tracing tools; (5) recommendations or functional requirements for contact tracing applications; and (6) a potential pre-defined timeframe for the processing of such data limited to what is strictly necessary to tackle the emergency situation.
The guidance for the processing of personal health data for research purposes will address: (1) the fundamental aspects of processing of health data, such as legal basis, data subject rights, and retention; (2) re-use of medical research data connected to the COVID-19 crisis and data sharing; and (3) exercise of data subject rights in an emergency situation.
The EDPB decided to postpone the guidance work on teleworking tools and practices, instead focusing on the above topics for the time being.
Putting it Into Practice: While organizations in various sectors are actively working to better understand COVID-19 and the pattern of the outbreak, regulators are reminding them that such efforts must be conducted within the framework of existing privacy laws. We expect the EDPB’s forthcoming guidance to provide more specific recommendations.