On 19 March 2020, the European Data Protection Board ("EDPB") issued a statement concerning the lawfulness of personal data processing resulting from the emergency measures taken by governments, public and private organisations throughout the European Union to contain and mitigate COVID-19.
It clarifies that the EU General Data Protection Regulation ("GDPR")¹ does not hinder the implementation of special measures to fight the pandemic. The protection of personal data must nevertheless be considered when adopting such measures. Any restriction on the freedom of individuals caused by emergency measures must remain proportionate and limited in time.
The EDPB reiterates that the GDPR provides specific legal bases for competent public health authorities and employers to process personal data, including special categories of data (such as health data), in exceptional circumstances, such as in the context of an epidemic. It is also important to take measures in accordance with the core principles of the personal data protection law, such as purpose limitation, data minimisation, storage limitation, transparency in the provision of information, and having adequate security measures and confidentiality policies in place.
As regards the processing of telecom data, such as location data, operators must continue to comply with the Luxembourg Law of 30 May 2005 on the protection of personal data in the electronic communications sector, as modified (implementing the e-Privacy Directive²). Operators may only process location data insofar as such data are anonymous (i.e. aggregated data from which individuals cannot be re-identified) or with the data subject's consent.
Exceptionally³, where it is not possible to process only anonymous data and subject to the implementation of adequate safeguards, Member States may introduce legislative measures allowing the processing of location data to safeguard public security. If such measures are taken in the event of an emergency, they should be strictly limited to the duration of the emergency at hand.
The processing of location data may for instance enable the authorities to geolocate individuals and/or send public health messages to individuals based on the concentration of mobile devices in a specific area. Luxembourg has not yet adopted such legislative measures.
3. If it constitutes a necessary, appropriate and proportionate measure within a democratic society and complies with the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Originally published 20 April, 2020