We expect national and international privacy regulators to take a pragmatic and reasonable approach to helping organisations navigate data protection compliance during the current COVID-19 crisis. This week, both the European Data Protection Supervisor (the “EDPS”) and the UK’s Information Commissioner’s Office (the “ICO”) have shown that expected pragmatism.
Regulatory Pragmatism From the EDPS
The EDPS wrote a letter to the European Commission giving guidance on how to ensure crucial sharing of data to combat COVID-19 can proceed without a complete disregard for privacy rights.
The letter to the European Commission concerned the sharing of data by major telecoms providers in response to the COVID-19 crisis and asserted that the “data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics“. The letter went on to explain that the planned sharing of location data by major telecoms providers to European Regulators is permissible on the condition that they comply with a number of protections before any proposed sharing of data, namely:
- The data must be adequately anonymised. The letter reminded organisations that effective anonymisation often takes far more than the simple removal of unique identifiers such as telephone numbers.
- Transparency to the public is key. The letter emphasised “the importance of full transparency to the public on the purpose and procedure of the measures to be enacted”.
- In a situation where the data is adequately anonymised and therefore falls outside of privacy legislation, the sharing must still comply with national and international security and confidentiality requirements.
Finally, the EDPS stressed that these are exceptional times and this processing must end and the data must be deleted at the end of this crisis. Organisations should reflect on this practical approach from privacy regulators, and ensure that they adopt the same balance and pragmatic approach. While the use of data will be key to tackling COVID-19, it is important that the risk to rights and freedoms of data subjects are considered, and, where possible, mitigated. It is both possible and preferable for COVID-19 data-sharing technology to operate within the boundaries of the existing regimes.
Regulatory Pragmatism From the ICO
The ICO has, helpfully, created a “Data protection and coronavirus Information Hub” in response to the increasing number of queries related to data protection and COVID-19. The Information Hub aims to help individuals and organisations navigate data protection during this unprecedented time. This resource is easily accessible, up to date and contains both advice for community groups, business owners and organisations that are using people’s data during the coronavirus pandemic and advice for individuals about how and when organisations can use their data during the coronavirus pandemic and how to keep their data safe.
Notably, the ICO points out to individuals that they should expect delays in organisations’ responses to Freedom of Information (“FOIA”) requests from a public body or subject access requests (“SAR”). The ICO recognises that this is because organisations are diverting their resources to help with other challenges. This means that any data subject complaining to the ICO about a short delay in response times during the COVID-19 crisis will likely receive little sympathy from the ICO and, companies will be unlikely to face sanctions for reasonable delays in responding to SARS and FOIA requests during this time.
The ICO will add new information to the Information Hub as the COVID-19 pandemic continues. We recommend this as a first port of call for UK organisations dealing with privacy issues related to COVID-19.
Flexibility and Boundaries
There is comfort to be taken from the reasonable approach from the EDPS, the ICO and other regulators. Clear, concise and up-to-date information is what is needed in times of crisis. While a pragmatic and helpful approach continues to be adopted by EU and UK regulators, that approach will continue to operate within the boundaries of existing laws and regulations. If organisations fail to put in place the reasonable safeguards advocated by the regulators when using potentially personal and sensitive data to address the COVID-19 crisis, regulators will likely come down on them particularly hard.