Corona Virus: Whatever Happens, the Crisis Has an Impact on Data Protection Rights
Dr. Axel Spies is a German attorney (Rechtsanwalt) in Washington, DC, and co-publisher of the German journals Multi-Media-Recht (MMR) and Zeitschrift für Datenschutz (ZD).
How will data protection rights fare in times of a crisis? What happens with the gathered information once the crisis is over? The EU General Data Protection Regulation (GDPR) contains various complicated provisions that protect “sensitive” data. Such “special categories of data” are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. The processing of these data sets is generally prohibited, unless there are specific exemptions in the GDPR or national laws. One of the exemptions is that the individual (data subject) has given “explicit consent” to the processing (Art. 9 (1) and (2a) GDPR). The legal hurdles for obtaining explicit consent are high—not to mention the documentation and notification requirements under the GDPR.
Massive Data Collection by the Government Likely
Will Europe throw some or all of these safeguards overboard because of the Corona virus? The German legal health care expert Prof. Ulrich Gassner describes the probable scenarios for Germany in a recent interview. The stages are likely similar in other EU member states. First stage: the government can prohibit events or other gatherings of a larger number of people and close facilities where predominantly children or young people are cared for. The second stage would be imposing quarantine measures on individuals and small groups. The local administrative authorities—i.e., local health authorities or state departments of health—will be responsible. If such primary measures are not sufficient, a pandemic (third stage) would qualify as a natural disaster within the meaning of Article 35 (2) of the German Basic Law. Dealing with natural disasters is primarily the responsibility of the states. For this purpose, the affected state can request police forces of other states and federal police units, among others. If a German state is unwilling or unable to combat the virus, the federal government with its police force and additional police forces of other states may step in. The federal government could also deploy units of the federal police (Article 35 (3) Basic Law). If the epidemic extends beyond a state, the federal government may issue instructions to the state governments in the states affected by it. In extreme cases, localities, towns, and cities could also be sealed off.
While this description sounds like a horror scenario that will hopefully never materialize, it is clear that all of these measures will trigger massive, probably already ongoing, data collections at all stages. The collections may cover the personal data of any person suspected of being infected, including his/her health data, location data, and probably email and telephone connections. The individuals may not be aware of the collection. The data collection could snowball if the crisis progresses. Italy recently demonstrated that key data protection rights could be suspended when (OCDCP) Decree No. 630 was adopted by the Italian Data Protection Agency on February 3, 2020, as an urgent measure to combat the spread of the Corona virus.
In particular, this Italian decree gives civil protection personnel, a government body directly under the prime minister, extensive powers to process data on the occasion of the Corona virus crisis. Currently, it is only valid until July 30, 2020, but it could be extended.
Their data processing may, for example, include the communication between employees in accordance with Article 5 of the regulation. Article 5 also and specifically covers data processing in accordance with Art. 9 and 10 of the GDPR and therefore personal data relating to
- racial or ethnic origin,
- political opinions, religious or philosophical beliefs,
- union membership,
- genetic data, biometric data for the purpose of unambiguously identifying a natural person,
- health data,
- data concerning health or data concerning sexual life or sexual orientation (Art. 9), and
- data on criminal convictions and offenses (Art. 10), etc.
The prerequisite is that access to the data is “necessary for the performance of the civil protection function,” which is a very broad term. It is not clear where the data are stored and for how long.
What Happens with the Data after the Crisis?
Art. 9 (2) (i) GDPR allows the processing of special categories of data if the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. Similarly, Section 22 (1) of the new German Federal Data Protection Act states that processing of special categories of personal data under Art. 9 GDPR can occur “for reasons of public interest in the field of public health, such as protection against serious cross-border health risks” under the conditions of para. 2. Germany has the “Infection Protection Act” (IFSG), which replaced the Federal Law on Diseases in 2002 and also applies to the Corona virus. As Prof. Gassner explains in his interview, the measures must follow the legal principle of proportionality, but in times of a national crisis, it may be difficult—if not impossible—for the judicial branch to step in. Not only government entities may collect and disclose data, but also private institutions. Angry parents in many schools are already demanding that the school disclose who among the students (or their parents) has traveled to “China” and make this information available.
Reliving the German AIDS Debate under Chancellor Kohl
While it is reasonable that a public health emergency, such as a pandemic, requires exceptional measures (including data access) to contain the outbreak, the long-term consequences of such measures should not be underestimated. The data collections will remain, which can lead to various unwanted consequences. For instance, people on the list who caught the virus may fear being blacklisted, even if they have fully recovered. Individuals may not even know that they are on these lists. Connections and movements of individuals could be tracked that have nothing to do with the virus. Could insurance companies get access to the data and raise individual insurance premiums?
Germany may relive a debate that Helmut Kohl’s Cabinet faced in 1987 on registers for AIDS, when foreign minister Hans-Dietrich Genscher pinpointed the problem: “And when you know who has AIDS—what do you do then? What happens then?” No one had an answer. Kohl had previously said to close confidants: whatever hysteria may be brewing in the population, it will be “worse than Chernobyl.” He feared that a party to the right of the Union could be given a strong boost, demanding a government crackdown on people with AIDS. Kohl supported then-federal health minister Rita Süssmuth’s “No” to the obligation to register AIDS-infected persons. However, if the situation had deteriorated dramatically, Kohl believed this position would be hard to defend for the CDU; in the end the CDU would have to “give in,” he believed. Years later, the German government “gave in,” in part due to pressure from the EU, and established an AIDS register. The database can be used to inform a police officer on the street, for instance, if a person is “infectious” (Code “ANST”). The state of Berlin wanted to opt out of this register in 2016, but ran into resistance from the police and other obstacles. Given the likely pressure from concerned citizens, police, and politicians, the same political debate as with AIDS could come back to life for Corona infections.