The EU General Data Protection Regulation allows the temporary suspension of some data-protection rights in times of crisis, such as the outbreak of the 2019 Novel Coronavirus. This installment of The eData Guide to GDPR discusses the nature of those suspensions, and how the need to address the ongoing health crisis is being balanced with data-protection rights in Italy, France, and Germany.
The primary goal of the EU General Data Protection Regulation (GDPR) is protection of the personal identifying information of data subjects. Use of such personal information, including the transfer of data, is specifically limited by the GDPR’s enumeration of data subject rights. These rights, however, are not unconditional, and the regulation’s drafters contemplated that under circumstances of civil crisis, some of these protections and rights might be suspended or restricted.
The global spread of the 2019 Novel Coronavirus (COVID-19) presents the first instance of GDPR’s suspension in the face of civil crisis. Most prominently, Article 9 (2) (i) of the GDPR allows the processing of these special categories of data if the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
The Italian Civil Protection Department adopted Civil Protection Ordinance No. 630 on February 3, 2020, as an urgent measure to combat the spread of COVID-19. This ordinance gives civil protection personnel in Italy extensive powers to process personal data related to the COVID-19 crisis. Currently, it is only valid until July 30, 2020, but it could be extended.
The ordinance lifts restrictions on, among other things, sharing of personal data “necessary for the performance of the civil protection function” that could include sensitive personal information such as
In France les Agences régionales de santé (ARS) addressed the pending health crisis by issuing an information notice on February 28, specifically regarding the processing of personal data throughout the investigation of COVID-19. The ARS spells out the protections it expects health authorities, businesses, and individuals will carry out to reflect those of the GDPR. The notice permits the transmission of data to “any partner involved in the control, prevention and evaluation of the epidemic, in particular the General Directorate of Health.” ARS confirms that data subjects will continue to have the rights to object, access, rectify, and seek erasure of the information shared.
In order to preserve these rights, ARS states that “[o]nly the data strictly necessary for the accomplishment of the mission of said partner will be transmitted in conditions preserving their confidentiality and security,” thereby reflecting the general concept of data minimization in the GDPR. In addition, indefinite data sharing is prohibited because the ARS provides that the data may only be retained for the duration of the investigation, and thereafter, anonymized data should be held for a “maximum of one year after the end of these investigations.”
Limiting data protection for a public good is not a novel concept. Section 22 (1) of the new German Federal Data Protection Act permits processing of special categories of personal data under Art. 9 “for reasons of public interest in the field of public health, such as protection against serious cross-border health risks...” under certain conditions to protect the integrity of the data. Sec. 22 (2) of the German Federal Data Protection Act obliges the parties involved to protect these data sets by specific security measures, depending on the particular circumstances, such as encryption, data separation, data access controls, and specific storage backups.” Germany’s "Infection Protection Act", which replaced the Federal Law on Diseases 2002, contains numerous data processing authorization for local state and national health departments and agencies, even in cases of suspicion, and includes extensive reporting obligations by doctors, etc. to these agencies.
In the United States, which does not have a uniform federal data protection regulation, the Census Bureau has developed an HIV/AIDS surveillance database that tracks information on infected individuals to assist government response. In contrast, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not provide for suspension of its protections of provider collected health information, but suggests that fines and penalties resulting from compliance with health emergency directives may be suspended upon review from the Office for Civil Rights.
While it is reasonable to assume that a public health emergency requires exceptional measures to contain the outbreak, the consequences to exposed data subjects of such measures is less clear. Relevant agencies may track data subjects where an infection is suspected using mobile device data, email, and geolocation information to evaluate the risk. The amount of data collected through these measures could be substantial, and the collection could be performed without the knowledge of the data subject. It is also not clear what happens with the data collections once the crisis is over and who has access to them.
GDPR’s Article 9 authorization of suspension in times of crisis addresses how long the information can be stored and where, who has access to it, and when the data should be purged after the crisis passes. Awareness and vigilance are required to ensure that individual countries and their data protection authorities abide by the limitations of GDPR’s authorization and reapply the requisite data protections when the crisis passes. Otherwise, COVID-19 and the civil crisis suspension could lead to a weakening of the entire regime.
 Regional Agencies of Public Health
 For guidance to US Employers on responding to COVID-19 concerns, please see our Lawflash, Responding to the 2019 Novel Coronavirus: Guidance for US Employers.
 See “Is the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) suspended during a national or public health emergency?”