The ongoing health emergency and the governmental measures undertaken in an attempt to contain it have been posing questions about processing of personal data. At this juncture, several fundamental rights, including the right to protection and confidentiality of data, conflict and inevitably need to be balanced.
According to recital 4 of Regulation n. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR), the right to the protection of personal data is not an absolute right, but it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.
In this emergency situation the right to protection of personal data conflicts with the right to public security and protection of health. The protection of the latter can lead to the restriction of the former, to the extent that this is strictly necessary and proportionate to the objective of limiting contagion and, therefore, limited in time to the state of emergency associated with it.
The European Data Protection Board has stated that “emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period” and also that data protection rules (such as the GDPR) cannot hinder measures taken in the fight against the coronavirus pandemic.
Furthermore, according to recital 46 of the GDPR the processing of personal data should be deemed lawful where it is necessary for “monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters”. In these cases, therefore, the data subject’s consent is not necessary in order for processing to be lawful.
However, striking the balance between the abovementioned fundamental rights is not always easy in practice. Evaluating how legitimate a restriction of one fundamental right is in order to safeguard another is extremely complex, and it will surely lead to disagreements.
This balancing issue is one of the reasons why some measures proposed in order to contain the contagion – also on the basis of the measures adopted by other countries affected before Italy – were adopted sooner (despite some opinions to the contrary), while others have been evaluated for a longer time and have been the subject of debate.
Measures of the first kind include:
- the obligation (in force until 17th May 2020) to provide public security authorities with self-declarations on the purpose of the movement whenever one left home;
- the obligation for workers to inform the Personnel Department if typical symptoms of Covid-19 arise or whenever they have been in contact with virus-positive subjects;
- the possibility for employers to measure workers’ temperature and/or to acquire information about their movements and/or their social contacts, before letting them access the workplace;
- the possibility for employers to ask workers to undertake serological tests (provided it is ordered by the competent doctor);
- remote student control during online lessons.
By contrast, the use of drones for tracing people’s movements has raised doubts as to the compatibility of this measure with the principle of proportionality. This is because of the huge quantity of data recorded by drones, most of which are unhelpful in the fight against the coronavirus pandemic.
The development of contact tracing applications is one of the most interesting and, at the same time, controversial measures.
In this regard, on 29th March 2020 the President of the Italian Data Protection Authority, like the European Data Protection Board before him, stated that contact tracing could be introduced in order to prevent the spread of the contagion. At the same time, however, he underlined that the operational conditions for contact tracing should comply with the principles of proportionality, reasonableness and temporariness in relation to the objective pursued, preferring less intrusive solutions when sufficient for the purpose of prevention.
On 21st April 2020 the European Data Protection Board adopted the Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, which state that contact tracing applications need to be part of a comprehensive public health strategy to fight the pandemic (local solutions should therefore be avoided) and that their use should be voluntary in order to be lawful. This would imply, in particular, that individuals who would not or could not use such applications should not suffer from any disadvantage at all. Moreover, these applications should not require tracking the location of individual users; only proximity data should be used. These guidelines also emphasise that, when it comes to using location data, preference should always be given to the processing of anonymised data rather than personal data.
Notwithstanding the abovementioned recommendations, on 1st June 2020, the Italian Data Protection Authority authorized the Ministry of Health to start the data processing concerning the Covid-19 warning system (so-called “App Immuni”), for the sole purpose of alerting people who have been in close contact with virus-positive subjects and safeguarding their health. For these reasons and since measures aimed at guaranteeing subjects’ freedoms and rights have been implemented, the data processing was considered legitimate and proportionate. Nevertheless, since the abovementioned data processing involves high risks, the Italian Data Protection Authority advised improving these measures and suggested adopting further actions in order to guarantee the security of app users’ data.
In conclusion, quoting the President of the Italian Data Protection Authority, restrictions on the right of confidentiality of such data are the inevitable price to pay in order to protect the safety of the whole community, as long as they do not result in unjustified forms of control of the population. However, it is clear that we are dealing with an open, evolving emergency situation that requires quick and complex decisions (that cannot be left to single subjects – consequently, “do-it-yourself” solutions should be opposed), as well as constant monitoring and re-evaluation of the data related to the infection. This means that the balance between fundamental rights and the consequential measures affecting people’s privacy must be promptly revised, so that measures which are reasonable and acceptable in a specific context do not persist beyond what is strictly necessary and, therefore, become unreasonable and unacceptable.
Hence, every initiative, even private, dealing with data processing and designed to fight against the infection, should be seriously and professionally evaluated, with particular attention to the decisions of both National and Supranational Data Protection Authorities, so that the confidentiality of personal data is not limited in an unjustified – and, for this reason, illegitimate – manner.
Author: Avv. Anna Tarasco