Europe’s privacy rulebook does not create obstacles to taking action to curb the coronavirus epidemic, but mass tracking of people’s movements and contacts using smartphone location data would represent a clear violation.
Technophiles support the use of such data to reconstruct the movements of people exposed to the flu-like virus and identify others at risk of infection. Privacy advocates counter that this approach, used in China, subjects people to the kind of digital surveillance that has no place in a Western democracy.
The General Data Protection Regulation (GDPR), which took effect in the European Union in mid-2018, states that people’s data is their own and requires anyone seeking to process it to obtain their consent.
What do employers have to do?
Companies should take action to minimise both the risk of infection and violations of privacy. They can obtain information on whether an employee has travelled to a region with confirmed coronavirus cases, according to law firm CMS.
Some systemic data collection may also be required, such as through workplace questionnaires or requiring staff to report their travel plans.
This is covered under Articles 6 and 9 of the GDPR, which cover workplace health and safety, and using preventive or occupational medicine to address serious cross-border health threats.
What can’t they do?
Employers are not allowed to take mandatory readings of the temperature of employees or visitors, nor can they require them to fill out compulsory medical questionnaires, according to French data protection office CNIL.
In practical terms that means a receptionist may only take the temperature of a visitor under certain conditions, as this may require processing of health data that can only be done by a doctor, said Holger Lutz, partner at law firm Baker & McKenzie.
Can national governments override the GDPR?
Italy, the European country hardest hit by coronavirus, has passed emergency legislation requiring anyone who has recently stayed in an at-risk area to notify health authorities either directly or through their doctor.
Germany, meanwhile, recently inserted wording into its GDPR enabling legislation that specifically allows for the processing of personal data in the event of an epidemic, or natural and man-made catastrophes, said Lutz.
Could smartphone tracking help?
The head of the Robert Koch Institute, Germany’s main public health body, caused a stir last week by suggesting that smartphone location data could be used to track people as a tool for curbing the spread of the coronavirus.
The technology exists – Google Maps for example uses smartphone GPS location data to estimate traffic congestion and calculate journey times.
A Hamburg geotracking startup called Ubilabs is working with the Hannover School of Medicine on a data analysis platform that could track people who have tested positive for the coronavirus and their contacts, Der Tagesspiegel reported on Tuesday.
How could tracking comply with the GDPR?
Such smartphone tracking would in all probability require people’s consent to have a valid legal basis, Federal Data Protection Officer Ulrich Kelber told Reuters.
Any tracking-based system would need to undergo detailed analysis to ensure an acceptable level of data protection, Kelber said. It should also be proportionate, both in terms of whether the accuracy of the location data gathered serves the intended purpose and whether a less intrusive method is available.
What are other countries doing?
China, the source of the coronavirus epidemic, has introduced a mandatory traffic-light system that uses smartphone software to determine whether people can move about or meet.
Individuals rated red or yellow on the Alipay Health Code app are not allowed to travel or visit public places such as restaurants or shopping malls for 14 or 7 days respectively.
In Taiwan, visitors are required on arrival to download a questionnaire using a QR code and report the airport they came from, their 14-day travel history and health symptoms.
Those assessed to have low risk receive a text message telling them that they are free to travel. Those deemed to pose a risk are required to self-isolate for 14 days, with their compliance monitored using location data from their smartphones.