Many privacy-related questions have arisen as a result of the unexpected and persistent global health crisis triggered by the COVID-19 pandemic. However, all these uncertainties seem to have one point in common, at least in a primordial way. Indeed, they stem from a series of questions that, even today, do not appear to have uncontroversial answers, at least in all their extremes, such as whether it is possible to process the health data of people who are infected or at risk of being infected, and whether the fundamental right to data protection represents an obstacle to the defence of citizens’ health by public authorities.
My study published in the special issue of the Revista Catalana de Dret Públic (November 2020) focuses its analysis on the Spanish legal system in this respect, which is unquestionably dominated by Community legislation derived from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, the General Data Protection Regulation or GDPR), and, complementing and developing it in certain respects, the subsequent Organic Law 3/2018, of 5 December, on personal data protection and the guarantee of digital rights (hereinafter, LOPDGDD). Thus, it could be argued that the first fundamental sequential milestone was the initial state of emergency declared by the Spanish government in light of the COVID-19 outbreak, embodied in Royal Decree 463/2020, of 14 March, declaring the state of emergency for the management of the health crisis caused by COVID-19, which was extended by means of Royal Decree 926/2020, of 25 October, declaring the state of emergency for containing the spread of infections caused by SARS-CoV-2.
Having reached this point, and having justified the constitutional framework and approach to the fundamental right to data protection, the next step lies in articulating the processing of citizens’ personal and sensitive information that government agencies (on a public level) and companies (on a private level) may carry out as a way to control, prevent and solve this widespread health emergency. To this end, it is of priority importance to investigate the lawfulness of the processing of this data, which we do by analysing the legal bases of Article 6.1 GDPR, first, and the exceptional circumstances of Article 9.2 GDPR, which allows the general rule prohibiting the processing of specially protected data to be infringed; something that, a priori, seems contrary to the ultimate aim of processing of this nature, on a par with the fundamental constitutional value of guaranteeing human life, health and dignity and, therefore, far removed from any discriminatory aim that inspires the prohibition of Article 9.1 GDPR [Martínez, R. (2020). Los tratamientos de datos personales en la crisis del COVID-19: un enfoque desde la salud pública. Diario La Ley, 38, 1].
To this end, throughout the article the concordance of each of the authorising legal bases is established with its corresponding exception, and it may be concluded that the legal justifications that allow the processing of health data in the aforementioned critical context are the following:
Firstly, the consent of the data subject [articles 6.1.a) and 9.2.a) GDPR and 6 LOPDGDD], which will allow the use of technological solutions and mobile applications for data collection with the aim of improving the health services’ operational efficiency and providing better care and accessibility to citizens, and, furthermore, the development of a conversational assistant/chatbot, to be used by means of instant messaging applications, which will provide official information. These functions will be voluntary, so that any data subject who wishes to submit to them must give their explicit consent [Spanish Data Protection Agency, Informe del Gabinete Jurídico núm. 0017/2020. Along the same lines, Spanish Data Protection Agency, Comunicado de la AEPD sobre apps y webs de autoevaluación del Coronavirus, 2020].
Secondly, compliance with a legal obligation applicable to the data controller (Articles 6(1)(c), 9(2)(b) and (h) and 9(3), all of the GDPR, and 8 LOPDGDD). Here we find the duty of the employer to protect its workers against occupational risks and to guarantee the health and safety of all those who are under its service in aspects related to work, on the basis of Article 20 of Royal Legislative Decree 2/2015, of 23 October, approving the revised text of the Law on the Workers’ Statute, and of Articles 2.1 and 14 and following of Law 31/1995, of 8 November, on the prevention of occupational risks. Focusing on the specific processing of health data, and thanks to the authorisation provided in the seventeenth additional provision of the LOPDGDD, Article 33 of Law 33/2011, of 4 October, on public health, which regulates health action in coordination with employers and workers’ representatives, shall also be applicable.
Thirdly, the protection of the vital interests of the person concerned or of another natural person [Articles 6.1.d) and 9.2.c), both of the GDPR]. This extension of processing to third parties implies, in the words of the Spanish Data Protection Agency (AEPD) itself, that “[…] such a legal basis for processing (the vital interest) may be sufficient for the processing of personal data intended to protect all those persons likely to be infected in the spread of an epidemic, which would justify, from the point of view of the processing of personal data, in the broadest possible manner, the measures adopted to that end, even if they are intended to protect unnamed persons or in principle unidentified or identifiable persons, insofar as the vital interests of those natural persons are to be safeguarded” [Spanish Data Protection Agency, Informe del Gabinete Jurídico núm. 0017/2020].
Finally, as an expression of the principle of data minimisation, those personal data processing operations that will not require the identification of the data subject are analysed, in an attempt to comply more satisfactorily with the principle of proactive responsibility demanded by the GDPR. In these cases, if the purposes for which the controller processes personal data do not require or no longer require the identification of the data subject, the controller will not be obliged to maintain, obtain or process additional information with a view to identifying the data subject for the sole purpose of complying with the regulation on data protection, and it will be the data subject who decides to provide this information in exchange for the ability to exercise the rights that correspond to them.
Juan Francisco Rodríguez Ayuso
PhD assistant professor and academic coordinator of the University Master’s Degree in Data Protection. International University of La Rioja (UNIR)
This post is a review of the paper Protección de datos personales en el contexto de la COVID-19: legitimación en el tratamiento de datos de salud por las Administraciones públicas published by the same author in the special issue on the law in times of health emergency, Revista Catalana de Dret Públic – Catalan Journal of Public Law (November 2020).