Turkish Law Blog
The Approaches of the Countries to Covid-19 Considering Data Privacy
Founding Attorney Hatice Zümbül – Legal Intern Mehmet Turgut
1. Public Health v. Data Privacy
Coronaviruses were first identified in the 1960s; the novel coronavirus disease named “COVID-19” emerged in December 2019 in the region of Wuhan, China. The virus has spread so fast that 118 countries are now struggling with the epidemic. Worldwide, the number of people who have died from the virus has exceeded 4,500 and the number of confirmed cases has passed 125,288. The world currently shares one concern, and it is COVID-19.
The virus has also affected economies, and the world economy is facing a global crisis: the economies of China and the USA in particular, and of every state in the world, have been shrinking. It is estimated that the loss to the world economy may reach 8 trillion dollars by the end of 2020, considering that China accounts for around 16% of global output and is the backbone of global manufacturing supply chains.
There is also an important tension to consider between data protection and the fight against the virus. Governments, as well as public, private and voluntary organizations, are taking the steps necessary to contain the spread and mitigate the effects of COVID-19. Many of these steps involve processing the personal data of individuals (such as name, address, workplace and travel details), and in many cases sensitive, ‘special category’ personal data (such as data relating to health). Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health. A particular concern for employers is which steps they can legally take to monitor the health of their employees, alongside the collection of health data by government agencies.
In this article, the measures and approaches of various countries to COVID-19 are handled briefly. We examine, in turn, the situation in Italy, Ireland, France, Denmark, the United Kingdom, Poland, Germany, Spain, the United States, Russia, China, Hong Kong and Singapore. While some of these countries have published guidance on the measures and approaches that reconcile data privacy with the health crisis, others have not published any guidance.
In practice, companies can obtain information on whether an employee has traveled to a region with confirmed coronavirus cases. On the basis of the GDPR, the employer can process data on an employee’s travel if this is necessary to protect its legitimate interests or the interests of its other employees. Under certain circumstances, the GDPR also provides scope for processing data on the nature and cause of an employee’s illness where this is necessary to protect the vital interests of the employee. Overall, regulators stress that data protection law is by no means a barrier to public health, but they advise organizations against “systematic and generalized” monitoring and collection of data about the health of their employees outside official requests and measures of the public health authorities. The privacy of infected individuals matters, but given the serious implications of COVID-19, most companies should not be deterred from taking reasonable steps to protect the health of their employees and others.
There are provisions in both Article 6 (the general lawful grounds for processing personal data) and Article 9 (the prohibition on processing sensitive data and the exceptional circumstances in which it can be processed) of the GDPR that allow for the collection, use and necessary sharing of health-related personal data in the context of an epidemic. For example, “reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health” are specifically listed as a permissible use of sensitive data, including health data, under Article 9(2)(i), where provided for by Union or Member State law. Article 6 of the GDPR states that “the processing of personal data without consent is lawful where it is necessary for compliance with a legal obligation to which the controller is subject, to protect the vital interests of the data subject or of another natural person, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. Article 9, which prohibits the processing of special categories of personal data (including biometric and health data) without explicit consent, has similar exceptions, including where processing is necessary:
“- to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
- for reasons of substantial public interest; for the purposes of preventive or occupational medicine. . . medical diagnosis. . . [or] the provision of health or social care or treatment;
- for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health …."
Managing the COVID-19 outbreak and stopping its spread is now a global challenge. In addition to the significant health and medical responses underway around the world, governments and public health officials are focused on how to monitor, understand and prevent the spread of the virus. Data protection and privacy laws, including the EU General Data Protection Regulation and various U.S. laws, are informing these responses.
EU countries collecting personal data as part of their COVID-19 response are required to comply with the GDPR (as well as their own laws). For example, Italy’s Data Protection Authority, the Garante, adopted a decree addressing the intersection between the GDPR and COVID-19, the need to process special categories of personal data, and how some data protection rights could be suspended to combat the virus. The Garante has issued further guidance prohibiting “do-it-yourself” data collection. The DPAs in France and Ireland have likewise taken positions on the handling of personal data in the context of responding to COVID-19.
2. The Approaches and Measures in Italy
Italy, the European country hardest hit by the coronavirus, passed emergency legislation requiring anyone who has recently stayed in an at-risk area to notify the health authorities either directly or through their doctor. The Italian Data Protection Regulator (Garante per la protezione dei dati personali) responded to steps taken by companies to prevent the spread of the virus within their business premises and issued guidance. In that early guidance the Authority stresses that the public health authorities are the organizations mandated to collect and manage health data related to the virus’ spread.
In light of the legal duty on Italian employers to take all appropriate measures necessary to protect employees and prevent risks to their physical integrity, companies have launched internal awareness campaigns and set up dedicated support hotlines. On the other hand, employers must refrain from collecting, in advance and in a systematic and generalized manner, including through specific requests to the individual worker or unauthorized investigations, information on the presence of any signs of influenza in the worker and his or her closest contacts, or any information concerning areas outside the work environment.
Additionally, the Authority noted that the employee’s obligation to inform the employer of any danger to health and safety at the workplace is left unprejudiced. In this regard, the Minister for Public Administration recently issued operational instructions concerning the obligation for every civil servant, and for everyone who works in any capacity in the public administration, to report to their administration that they have traveled to a risk area.
3. The Approaches and Measures in Ireland
The Irish Data Protection Commission (“DPC”) issued guidance stating that data protection law does not stand in the way of the provision of healthcare and the management of public health issues; nevertheless, there are important considerations to take into account when handling personal data in these contexts, particularly health and other sensitive data.
The DPC clarified that where organizations are acting on the guidance or directions of public health authorities or other relevant authorities, it is likely that Article 9(2)(i) of the GDPR and Section 53 of the Data Protection Act 2018 will permit the processing of personal data, including health data, provided suitable safeguards are implemented. Such safeguards may include limitations on access to the data, strict time limits for erasure, and other measures such as adequate staff training to protect the data protection rights of individuals.
Employers also have a legal obligation to protect their employees under the Safety, Health and Welfare at Work Act 2005. This obligation, together with Article 9(2)(b) of the GDPR, provides a legal basis to process personal data, including health data, where it is deemed necessary and proportionate to do so. Any data that is processed must be treated confidentially, i.e. any communications to staff about the possible presence of the coronavirus in the workplace should not generally identify individual employees.
The DPC highlights particularly relevant aspects of compliance: transparency about the measures taken, in-house confidentiality in handling information about possible COVID-19 infections of specific employees, ensuring appropriate data security, processing the minimum amount of personal data needed to implement measures to prevent or contain the spread of the virus, and, as part of the accountability obligations, keeping a record of all decisions made regarding the collection of such data and the safeguards implemented.
4. The Approaches and Measures in France and Denmark
In France, the French Data Protection Authority (“CNIL”) published a notice summarizing what employers can and cannot do regarding the monitoring of COVID-19. According to the notice, employers are responsible for the health and safety of their staff and must implement appropriate measures. However, employers cannot take measures which could infringe the privacy of the data subjects, in particular by collecting health data that goes beyond the management of suspected exposure to the virus. Employers may, on the other hand, record the identity of a person suspected of having been exposed to the virus, the date of exposure, and the measures taken as a consequence (such as confinement, working from home or referral to a doctor). The CNIL considers that the assessment and collection of any further information relating to the virus is the responsibility of the public authorities, which may contact employers directly should they need more information about possible causes.
In Denmark, the Danish Data Protection Authority (“DPA”) issued brief guidelines on an employer’s options for collecting and disclosing information about its employees in relation to the corona outbreak. The guidance acknowledges that in some cases personal data, including sensitive personal data, may be collected and disclosed, but stresses the importance of assessing whether the processing is legitimate and limited to what is necessary. The Danish DPA therefore recommends that employers consider:
- whether there is a good reason to collect or disclose the personal data in question;
- whether the specific personal data is necessary, including whether the employer's purpose can be achieved by collecting less;
- whether it is necessary to name names, e.g. the name of the person infected or quarantined.
5. The Approaches and Measures in the United Kingdom
The UK Supervisory Authority (“ICO”) issued a statement on data protection and the coronavirus. The statement makes clear that the ICO will take a “reasonable and pragmatic” approach to compliance with the GDPR in light of the current health emergency. Like the Irish Supervisory Authority, the ICO stressed that data protection law does not stand in the way of addressing the challenges posed by the COVID-19 pandemic. It also emphasized that, given the severity of the present crisis, the ICO will adopt a pragmatic approach to enforcement and will not “penalise organisations that need to prioritise other areas or adapt their usual approach during this extraordinary period”.
The ICO took the view that an employer may inform its staff that there has been a case, or suspected case, of COVID-19 in its organization in order to discharge a duty of care and protect their health and safety, but it advised that it is “probably” not necessary to name the affected individual(s), suggesting that organizations will need to consider whether actually sharing a person’s name is strictly required to protect the well-being of others.
The ICO held that, while it is unlikely that companies will be asked to share information about specific individuals with public authorities, data protection law would not prevent that.
6. The Approaches and Measures in Poland, Germany and Spain
In Poland, the Polish Data Protection Authority (“DPA”) issued a high-level statement in relation to the COVID-19 outbreak. The Polish DPA discusses the recent “anti-virus” statute and states that “the provisions on personal data protection must not be viewed as an obstacle to the implementation of actions in connection with the fight against the coronavirus”. The DPA does not directly indicate what actions employers may take on their own initiative. It does state, however, that in accordance with recital 46 of the GDPR, the processing of personal data should also be considered lawful where it is necessary to protect an interest essential for the life of the data subject, e.g. where processing is necessary for humanitarian purposes, including monitoring epidemics and their spread.
In Germany, the Federal Commissioner for Data Protection and Freedom of Information (“BfDI”) issued guidance on data protection and COVID-19 in the employment sector, compiled by the German Data Protection Conference (“DSK”). In particular, the guidance provides that even though the processing of health data is in general only possible in a restrictive manner, data can be collected and used for various measures to contain the COVID-19 pandemic or to protect employees, provided the principle of proportionality is respected and there is a valid legal basis. Moreover, the guidance states that to contain and combat the pandemic, employers can collect and process the personal health data of employees, as well as of guests and visitors, if they are infected with the virus, were in contact with a person proven to be infected with COVID-19, or stayed in a classified risk area during the relevant period.
In Spain, the Spanish Supervisory Authority (“AEPD”) issued a statement and a report on data protection and COVID-19. The AEPD highlights that controllers processing personal data in their efforts to prevent COVID-19 must comply with the GDPR, the Spanish Data Protection Law and the Spanish sectoral health laws. However, the AEPD underlines that these laws do not stand in the way of addressing the challenges posed by the COVID-19 epidemic. The guidance specifically addresses the following two data protection aspects:
- The legal basis for processing personal data;
- The requirement to only process personal data that is adequate, relevant and limited to the processing purpose (data minimization).
7. The Approaches and Measures in the United States and Russia
In the United States, data privacy regulators have not issued any guidance either permitting or restricting the collection of personal data for the purpose of identifying COVID-19 cases. The Office for Civil Rights of the Department of Health and Human Services issued guidance stating that federal health privacy law authorizes employers to request protected health information from health care providers without employees’ consent, if necessary, to “prevent a serious and imminent threat.” The guidance makes clear, however, that health care providers are not required to provide the information and should use their own professional judgment in deciding whether to do so.
Russia has taken a range of steps to curb the spread of COVID-19. The Mayor of Moscow ordered all companies operating in Moscow to take their employees’ temperatures and send employees home if they have a fever. The Russian Data Protection Authority (Roskomnadzor) issued guidance stating that companies do not need their employees’ consent for these checks. Instead, they can rely on an exemption that allows the processing of health data, such as body temperature, where necessary to comply with their legal obligations as employers. Roskomnadzor’s guidance also states that temperature checks on others, such as visitors, can only be carried out with consent. This is potentially difficult, as Russian data protection law imposes a high standard of consent for the processing of health data: it must be in writing and contain, among other things, the data subject’s passport details.
8. The Approaches and Measures in Asian Countries
Within the EU, the information collected about infected individuals will contain health information and so constitutes special category data under the GDPR, which means it is subject to additional protection. This health information can nevertheless be used in a range of situations, including where there is a public interest in protecting public health, such as protecting against serious cross-border threats to health. So far, only a limited number of EU data protection regulators have raised concerns about COVID-19, likely because they recognize the seriousness of the outbreak and because EU Member States are not making the intrusive disclosures seen in some Asian jurisdictions.
a. China
Stronger surveillance measures have been taken in other jurisdictions, such as China. The Cyberspace Administration of China (the main privacy regulator) has actively encouraged private companies and large state-owned enterprises, such as the big three telecoms operators, to provide data for detailed analytics to track the virus, for example location information for individuals infected or suspected of infection.
The National Health Commission of China issued a notice outlining the personal data protection requirements in the context of the prevention and control of COVID-19. Additionally, the Cyberspace Administration of China (“CAC”) issued a circular providing detailed guidance on protecting personal data in the current circumstances.
Transport operators have also been directed by emergency notices to collect and provide information on passengers to the relevant health departments.
There have been several data breach incidents that have given rise to concerns over privacy and potential discrimination against people from Wuhan and Hubei Province.
In response to these breaches and concerns, the authorities published the circular and the notice. The CAC Circular emphasizes the importance of protecting personal data in accordance with the Chinese laws and regulations governing cybersecurity and the prevention of public health emergencies. Unless otherwise authorized under those laws and regulations, no individual or entity may collect or use personal data without the consent of the data subjects.
It was stated that where personal data is collected and used for the prevention and control of epidemic diseases, the organizations collecting such data must adhere to the Personal Data Specifications. The principles of necessity and minimum collection should be followed, and personal data collected for the purpose of preventing or treating epidemic diseases cannot be used for any other purpose.
Moreover, companies with big data expertise and capabilities are encouraged to work with the government to use big data for the prevention and control of diseases. Non-compliance with Chinese laws and regulations on the collection and use of personal data is subject to administrative sanctions, civil liability and, in cases of severe violation, even criminal penalties.
Additionally, it was stated that no personal information collected for such use may be made public without the consent of the data subjects, unless this is necessary for the prevention of an epidemic and the information is redacted or anonymized.
b. Hong Kong and Singapore
The Hong Kong government maintains a detailed local situation dashboard showing the sex, age and residential location of infected cases.
In Hong Kong, it is permissible for an employer to request its employees to submit health declaration forms, especially in the event of an outbreak of an infectious disease such as COVID-19. In collecting and using the personal data of employees, the employer should be careful not to contravene the provisions of the Personal Data (Privacy) Ordinance (PDPO) and its own personal data policy (if such a policy exists).
The Privacy Commissioner acknowledges that this data collection is subject to privacy legislation but considers that other important rights (e.g. the right to life and the public interest) prevail over the right to privacy. In particular, Hong Kong privacy law contains express health-related exemptions which permit timely access to personal data (identity and location), so that healthcare services can be provided to prevent the individuals concerned, or the community at large, from being subjected to serious harm to their physical or mental health.
In Singapore, similarly to Hong Kong, the Ministry of Health has provided detailed information about infected individuals, such as gender, age, nationality and their location history prior to infection.
In Singapore, asking employees to complete a health declaration does not constitute a breach of the Singapore data protection law. Pursuant to their obligations under the Singapore Employment Act, employers are required to maintain employment records for their employees, so the collection of employees’ national identification numbers is already required, and hence authorized, by law. Accordingly, employers can collect their employees’ national identification information as part of the health declarations.
The Personal Data Protection Commission has recently issued an advisory statement permitting organizations to collect, use and disclose personal data without the consent of individuals in order to carry out contact tracing and other response measures. Organizations may even collect visitors’ passport numbers for this purpose, even though the collection, use and disclosure of passport numbers were specifically limited under advisory guidelines issued as recently as September last year.
As COVID-19 quickly spreads across the globe and has now been officially declared a pandemic, many companies are facing difficult business and legal challenges and must make urgent decisions to keep their workforce safe and ensure business continuity. Data plays a crucial role in containing the spread of the virus, but not every data processing operation can be justified on that basis. A balance must be found between protecting public health and protecting privacy.
Italy’s COVID-19 cases reached 24,747 on 15 March, marking the biggest coronavirus outbreak outside Asia. The COVID-19 death toll in Italy reached 1,809, a sharp increase over the last few days.