Hogan Lovells’ global Privacy and Cybersecurity team maintains a tracker of guidance from 30+ European data protection authorities related to data processing in the fight against coronavirus.
On April 21, The European Data Protection Board (EDPB) published guidelines related to use of data for fighting the COVID-19 health crisis. The Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak and Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak adopt a similar approach to the EDPB’s previous statement that data protection rules do not hinder measures taken to fight the COVID-19 health crisis as long as controllers ensure the protection of personal data.
The new Guidelines outline obligations for processing data in specific scenarios. The Guidelines on processing health data for the purpose of scientific research highlight that controllers must still rely on a GDPR Art. 6 basis for processing personal data (e.g., consent or legitimate interests) in addition to the applicable exceptions to the prohibition on processing data concerning health regarding public interest particularly in the area of public health, scientific research, or statistical purposes (under Art. 9(i) and (j)). These Guidelines also highlight that Member State derogations related to these exceptions, established as permitted by the GDPR, may also impact the bases for processing available to controllers covered by those local-law derogations. The Guidelines on use of location data and contact tracing state that preference should always be given in this context to processing anonymized data, though consent could also form a basis for processing where location data is not anonymized. These Guidelines also provide further guidance on how to limit the risks to fundamental freedoms that are associated with systematic and large scale monitoring of location and/or contact between natural persons (see relevant entry in the tracker, here). When considering adoption of contact tracing tools, the EDPB expects that controllers carry out a data protection impact assessment (DPIA) and strongly recommend that it is published.
In both Guidelines, the EDPB emphasizes that processing must meet the GDPR principles in Art. 5 (e.g., transparency, purpose limitation, data minimization, and storage limitation).
The EDPB guidelines, as well as the views of over 30 European data protection authorities, are further summarized in our tracker (updated April 23, 2020).