What Does COVID-19 Mean For Data Protection Under GDPR?

Data protection in the time of the coronavirus is a tricky proposition.

Although health data is considered extremely sensitive under the General Data Protection Regulation and usually requires explicit consent, a subsection of the law includes a clause within Article 9 that allows for the processing of personal information without consent if it’s necessary to protect “against serious cross-border threats to health.”

In other words, there’s a carve-out in case of a crisis, and COVID-19 more than fits the bill. In essence, the crisis becomes the legal basis for collection and processing.

But that doesn’t mean the basic requirements of the law fly out the window. The need for confidentiality, data minimization, purpose limitation and data security all still apply.

“There are exceptions to make sure that the law doesn’t stand in the way of something that could be helpful to the public interest,” said Alice Lincoln, SVP of data policy and governance at MediaMath. “The law is the law, though, and you can’t ignore it.”

Pandemic pragmatism

The coronavirus is the first time that GDPR is being tested by a wide-scale public health crisis, said Alex van der Wolk, a partner at Morrison & Foerster LLP in Belgium. What happens over the next few months will help shape the law in case of future events.

Over the last few weeks, regulators across Europe have been issuing guidance to help companies understand the delicate balance between protecting consumer privacy and protecting public health.

They acknowledge that “privacy laws are not here to interfere with public safety and public health,” van der Wolk said, and stress that companies should “consider what are appropriate actions.”

The data protection authorities are mainly concerned with how employers should interact with their employees. Can you ask an employee about where they’re planning to travel or where they’ve recently been? Can you require an employee to fill out a medical questionnaire, have their temperature taken or undergo a medical examination?


One might think that the answer is clearly “yes” to all of those things, but it’s not as simple as that.

“Just because collecting data to help stem the spread of COVID-19 is in the public interest does not mean that privacy and data security concerns evaporate,” said Gary Kibel, a partner at Davis & Gilbert LLP.

Most data protection authorities, including the Commission nationale de l'informatique et des libertés (the CNIL), France’s data protection authority, say, for example, that it’s not okay to take an employee’s temperature upon entering a building or office space, because it would go beyond their duty of care as an employer, van der Wolk said, not to mention that it could subject the company to liability if the temperature is recorded incorrectly or the data isn’t conclusive.

The data protection authorities generally agree, however, that it is permissible to ask employees whether they’ve been infected, whether they’ve recently visited high-risk areas or whether they’ve been in contact with or exposed to people infected with the virus.

If an employee does report to their employer that they’ve tested positive, the employer can notify other people of the potential risks but is barred from mentioning the employee by name.

Companies also have to consider how long to store any additional data they collect, who has access to that data and how long it will be retained, Kibel said.

“Just by way of example, if an office receptionist is being charged with asking visitors about their recent travel and recording that information in a log, the receptionist may not have been trained on proper data security procedures for such information,” he said.

Other than in their capacity as employers, ad tech and media companies aren’t directly affected by the carve out. If you’re already in compliance with GDPR, then just “keep doing what you’re doing,” Lincoln said.

It’s also unlikely that ad tech companies would have cause to collect COVID-19-related data or that it would be useful in fighting the disease.

“The scale of the data being processed by a mobile ad company is big, but it’s nothing compared to the what the major first-party device manufacturers, like Apple or Google, or a telco, has access to,” Lincoln said.

Where are you going, where have you been

But what about tracking people’s movements as a method for recording and curbing the spread of the disease?

Although scientists at the Robert Koch Institute (basically, Germany’s version of the Center for Disease Control) are reportedly considering using cell phone signals and location data to track infections, the legal basis just isn’t there, at least under GDPR.

There is no exception in the law for the use of location tracking information, which does require specific consent, van der Wolk said.

When the crisis is over

It’s unclear when the coronavirus situation will truly begin to resolve, but once it does, businesses will have to figure out what to do – or not do – with the data they collected without consent during this time.

The best practice is to properly dispose of data when it’s no longer needed.

Companies require a really “compelling justification” for keeping data, van der Wolk said, and “once that justification is no longer applicable, data should indeed be purged.”

GDPR encourages businesses to delete data when it’s no longer needed. Data deletion is also one of the individual rights under the law.

But it is also possible for companies to contend that they still have a legal basis even after COVID-19 is under control, said MediaMath’s Lincoln.

“If keeping the data is in the public interest – perhaps you’re able to draw additional lessons from it – you could argue that you have a legal basis for keeping it,” she said. “But the general rule is this: The more sensitive data is, the greater the incentive you have to get rid of it and, honestly, the more regulators would want you to get rid of it.”


By Allison Schiff, March 17th, 2020