Which of us expected the coronavirus? In Europe, public life has been reduced to zero, we #stay-at-home, companies are going bankrupt, people are losing their jobs, hospitals are overloaded and, at the end of the day, people are dying. Would data protection prevent any measures which would save lives or stabilise our economy?
1.) Does GDPR provide any adequate legal basis?
The first step for DPOs is to check the legal basis for justifying data processing. This procedure does not change in times of corona and will be illustrated here by two scenarios:
Scenario 1: Is it admissible to use the private mobile phones of employees?
Scenario 2: Is it admissible to check the temperature of the staff before entering the office?
Scenario 1: In ordinary times the GDPR does not provide a legal basis to transfer personal data to private mobile phones. First, the consent of the owner of the mobile phone would not be regarded as freely given, since the employee does not receive a genuine incentive by providing ‘his own device’. Second, the phone number of his coworker or the phone number of an employee of a third party would be transferred to and stored on the private device. This data transfer cannot be based on legitimate interest, since a transfer of these contact details is not necessary within the meaning of the GDPR. The less intrusive measure is to store the data on a device of the employer.
An exception to this rule may be admissible for an emergency contact list. Companies can ask for the private contact details of an employee who has a defined role in an emergency plan. This would be admissible on the basis of legitimate interest.
How does the scenario change in times of corona? As long as no less intrusive measure exists, the use of the private cell phones of all employees would be admissible, e.g. to inform employees during the weekend whether it is still possible to access the office on the following Monday. It follows that legitimate interest provides controllers with a certain flexibility to process personal data in times of corona.
Scenario 2: To check the temperature of an employee before entering the office building would require the processing of health data. The collection of health data is prohibited according to Art. 9 (1) GDPR unless the data subject has given his consent according to Art. 9 (2) GDPR. But the imbalance of power between employee and employer has the effect that such consent would not be regarded as freely given.[1]
Nevertheless, Art. 9 (2) GDPR provides several exceptions from the principle that health data may only be processed with consent of the data subject. Health data may be processed
in an employment context,
in case of substantial public interest,
for the purpose of preventive or occupational medicine,
regarding public health, especially with cross-border threats to health.
But each of these cases requires a basis in European or Member State law. As long as the relevant Member State lacks a law enabling employers to check the temperature of an employee, such processing of health data will not be admissible.
Art. 6 (1) (d) GDPR provides a legal basis insofar as processing is necessary to protect the vital interests of the data subject or of another natural person. The coronavirus can be life-threatening and is therefore relevant to vital interests. But Art. 6 (1) (d) GDPR must be interpreted in conjunction with Art. 9 (2) GDPR, whereby the processing of health data on the basis of vital interests is only admissible if the data subject is physically or legally incapable of giving consent. However, that will not be the case in scenario 2, when employees are entering the office building.
The final option for providing a legal basis is to refer to data processing in the employment context. According to Art. 88 GDPR, Member States may provide specific rules to ensure protection in the employment context, especially regarding health and safety at work. These rules may be laid down by Member State law or by collective agreements. As long as national law is missing, collective agreements between the works council and the board of the controller are no option to justify measuring the temperature of staff before they enter the office building. Since the GDPR does not provide a legal basis for the collection of health data in scenario 2, this principle cannot be circumvented by collective agreements.
It follows that the GDPR does not provide a legal basis to check the temperature of the staff before entering the office in scenario 2. Does this outcome indicate that the GDPR is too strict for corona?
2.) GDPR was not designed for a ‘state of pandemic’
Corona puts us in a situation which is comparable to a state of emergency. To be more specific, it is preferable to use the term ‘state of pandemic’. This situation was not expected. Our legal system was not prepared for corona.
Which safeguards would have been reasonable for the Right to Data Protection in case of such a pandemic if we had expected corona?
Since the GDPR was never designed for such a state of pandemic, we should not be searching for a sound legal basis in the GDPR itself. The GDPR solely opens the way to a specific law according to Art. 6 (1) (c), whereby data processing is admissible as far as the “…processing is necessary for compliance with a legal obligation to which the controller is subject;…”.
Therefore, a specific European or Member State law is required. Such a specific law has to weigh the Right to Data Protection against effective measures for health care in case of a pandemic.
3.) Law for the ‘state of pandemic’
This specific law may be called ‘Law on the Prevention of a Pandemic’. Besides a part on public health care and health prevention, this act would contain a part for companies in their role as employers. In this part, a section would weigh the Right to Privacy against the controller's duty to protect the health of its employees according to the principle of proportionality. This section would provide the following requirement for scenario 2: as long as measuring the temperature of employees is, first, an effective means to identify an employee's infection with corona and, second, no other less intrusive action is available to protect the other employees working in the same office building from being infected, such a collection of health data would be justified.
In addition, this specific law would require Parliament to vote on whether a defined state of pandemic has arisen. Finally, this specific act would limit the measures admissible in a state of pandemic to a certain period of time. After the expiry of this period, Parliament would be required to confirm the state of pandemic. Without such confirmation the state of pandemic would end automatically (sunset legislation).[2]
Parliaments in Europe are working on such specific laws. This legislation is being drafted under high pressure and will be far from perfect.
What is the advice for a DPO if a measure restricting the Right to Data Protection seems reasonable but a sound legal basis is missing, because Parliament has not provided specific legislation or such legislation contains no rules for private companies?
The DPO has no competence whatsoever to change or to create positive law. The DPAs may issue guidelines to controllers and grant leeway so that an extended interpretation of the legal bases of the GDPR is not fined. But such guidance is in itself valid only for a limited period. At the latest when Parliament has used its competence to enact legislation specific to the state of pandemic, the guidance of the DPA will become invalid.
The task of the DPO is to describe the exceptional situation and to advise the controller in assessing the specific risk level of the processing in question. Ultimately, it lies within the competence of the controller to take the final decision on how to act.
Finally, we need to turn the initial question (“Would data protection prevent any measures which would save lives or stabilise our economy?”) in the following direction: Is any restriction of the Right to Data Protection legitimate to save lives or to stabilise our economy? A ‘state of pandemic’ has to be incorporated into the rule of law, but it is not the end of the rule of law.
[1] Recital 43 GDPR
[2] Peter Schaar, Mit heißer Nadel gegen das Virus, https://www.heise.de/newsticker/meldung/Peter-Schaar-Mit-heisser-Nadel-gegen-das-Virus-4693535.html