The new Slovak Act for COVID-19 emergency measures authorises the Public Health Authority to collect, process, and store data from mobile phones of residents of the Slovak Republic, even without their consent. This measure means unprecedented interference into personal privacy by the state, but responds to an unprecedented situation.
In order to ensure that the processing of personal data fulfils its purpose and, at the same time, cannot be misused by authorities, strict rules will apply. The Act itself specifies that the Public Health Authority will be able to process only basic identification data such as the user's first and last name, address, and telephone number, as well as information about where the user is located.
The purpose of processing this data is to:
- prevent and model the development of threats to life and health;
- identify those who should receive notifications about the special measures of the Public Health Authority; and
- identify users for the purpose of life and health protection.
In addition, according to the Act, personal data will be processed only until the end of this year. After that, all personal data collected in this way is to be deleted – provided, of course, that the coronavirus pandemic is under control by then.
Although the state has the authority to access each mobile phone user's data, this does not mean that the Public Health Authority will necessarily have to process the personal data of all Slovak citizens. It is possible to monitor the movement of people according to location data from phones based on anonymised data. Personal data protection regulations emphasize minimal data processing. Therefore, if tracking people to prevent health threats can be achieved without processing personal data, the provider is obliged to refrain from doing so.
In this context, however, it should be added that the European Data Protection Board (EDPB) said in its statement on the processing of personal data in the context of the COVID-19 outbreak that when it is not possible to process only anonymous mobile location data, member states should seek to introduce legislative measures to process non-anonymised location data.
In the case of monitoring specific people – to see whether they are complying with a quarantine order, or to send SMS messages to persons infected with the virus, for example – personal identification and localisation data will be processed. It is for this purpose that the new Act will apply. The Public Health Authority is required to ensure that the processing of personal data takes place transparently, only for the specific necessary purpose, and within the necessary scope of time and content.
The EDPB has conveyed that European data protection rules should not hinder measures taken in the fight against the coronavirus pandemic because it is in the interest of humanity to curb the spread of the disease. However, the EDPB underlined that, even in these exceptional times, the data controller and processor must ensure the protection of personal data, and any action taken by member states in this context must respect general legal principles and be temporary.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.