On Monday, the Chair of the European Data Protection Board (EDPB) issued a statement on the processing of personal data in the context of the COVID-19 outbreak. In that statement, the Chair acknowledged that although the EU General Data Protection Regulation (GDPR) provides broad and comprehensive privacy rights to individuals, it does have mechanisms in place that allow certain data collectors/processors, such as employers, as well as competent public health authorities, to process personal data in the context of epidemics without the need to obtain the consent of the data subject. Articles 6 and 9 of the GDPR, for example, permit the nonconsensual processing of personal data where it is necessary for reasons of public interest in the area of public health or to protect vital interests.
The statement also addressed the fact that additional rules apply to the processing of electronic personal data, such as geolocation data, even during a pandemic. Per national laws implementing the ePrivacy Directive, if a data operator cannot obtain the consent of a data subject to the use of his or her personal geolocation data, the operator should do everything possible to use the data only in an anonymous format (e.g., aggregating location data to get a general sense of how many people are in a given location, with no possibility of reverse tracing that data). If anonymous collection is not possible, a government can invoke Article 15 of the ePrivacy Directive and introduce legislation pursuing national or public security (a pandemic could qualify as either) if that legislation constitutes “a necessary, appropriate and proportionate measure within a democratic society.” If a member state does this, it must provide adequate safeguards, such as allowing a judicial remedy to aggrieved data subjects.