Is privacy at risk during the Covid-19 crisis?

There are many doubts about how the state of alarm imposed by the government affects citizens’ rights.

As if it were a chapter in the best fiction series, today we are experiencing an exceptional and unprecedented situation that affects every area of ​​our daily lives, including the area of ​​fundamental rights, and that is why we all ask ourselves: mine rights are suspended by the alarm state? o Will public and private entities be able to process my personal data without my prior consent? While this depends on the specific circumstances of the case, authorities and employers can generally process personal data of citizens or employees, including health data, without their consent, although this does not mean that fundamental rights are suspended and now we will see why.

There are many doubts about how the state of alarm imposed by the government affects citizens’ rights. It must be taken into account that, as established in article 55 of the Spanish Constitution, the state of alarm does not suspend the rights, as it can occur during the declaration of a state of emergency or siege, therefore, the right to personal data protection remains fully effective throughout the situation, but with some peculiarities.

The Spanish Data Protection Agency (AEPD) has prepared a Legal Report and a document answering the questions it has been receiving most frequently in the past few days, in order to clarify all these doubts. The aforementioned report contemplates that the General Data Protection Regulation (GDPR), through its recital 46; its article 6, regarding the legality of the treatment and; Article 9, which deals with the processing of special categories of data, establishes several options where the processing can be protected without the prior consent of the data owner.

It is worth mentioning that, when treating health data, knowing the special nature that they have, it is not enough that there is a legitimacy basis for the treatment of such data, but that there must be a legal figure that eliminates the prohibition of their data. treatment; there, article 9 comes into the picture.

Specifically, the grounds for legitimacy and exceptions to which the EDPS refers are as follows:

Recital 46 and Article 6 consider the possibility of processing personal data when there are important reasons of public interest, such as the protection of the vital interests of the data subject, for example, when treatment is necessary for the control of epidemics and their spread or when treatment is needed. as an objective the fulfillment of a legal obligation (for example, according to the regulation of prevention of labor risks, the employer has a legal obligation to guarantee safety and health in the work environment); y
Article 9 contemplates the possibility of processing health data when there are reasons of public interest in the field of public health, such as protection against serious threats to health across borders or when treatment is necessary for an employer to fulfill his work obligations.
Considering the above, we can obviously say that, during the health crisis that the whole world is facing, there are sufficient bases to carry out a legitimate treatment of health data.

On the other hand, in both exceptions there is talk of public interest, so there is a collision of rights between the public interest in the field of public health and the privacy of citizens, a collision that is resolved by considering both rights. . In other words, an analysis of what should be considered most important during the health crisis. To solve this problem, we went to the GDPR itself, because the legislator, when explicitly establishing the two exceptions in the rule, makes it clear that the protection of all citizens, in the field of health, has more weight than privacy. individual citizen.

In addition, the EDPS recalls that the fundamental principles must continue to be respected, therefore, the minimum possible data must be processed, only for the purposes pursued and for the necessary time, without exceeding them.

Like the EDPS, many European data protection authorities have endeavored to issue opinions on data processing, more or less restrictive, depending on the country, during the situation we are facing, all agreeing that the treatment may be legal. Specifically, that of the United Kingdom (OIC) and that of France (CNIL) emphasized the need to respect the principles mentioned through recommendations like this, instead of collecting information about symptoms, it is recommended that, for example, If you have been in risk areas or symptoms, you should seek medical attention.

In conclusion, the processing of health data will be legal, but less invasive means must be used to protect the privacy of the holders and, in any case, respect the principles of data protection.

Comment here