Last year went by with most of us trying to adapt, improvise and overcome the impact of the Covid-19 pandemic, and we are still far from managing this disease. While governments were trying to bring the best affordable healthcare facilities close to end users, the companies managing the operations were faced with challenges around the privacy of individuals. What initially started as a way to keep a tab on the number of cases, across wide demographics and closed user groups, by way of contact tracing, soon raised concerns around surveillance, monitoring and the breach of privacy principles. Certain reports have termed this phase a ‘stress test for privacy’ [1]. Incidentally, it was digital surveillance and tracking [2] that played a crucial role in containing the outbreak in China, Singapore and South Korea, to name a few.
However, as this year comes with some hope in the form of available vaccines and rapid testing, there is a possibility that certain cultural and sporting events may just come through. This will, however, come against the backdrop of event organizers having to arrange for rapid tests at the venues, or perhaps seeking a “vaccine passport” or something of the like. While digital technologies have now become part of the ‘new normal’, wariness amongst users, regulators and the implementers of such technology has also become part of this ‘new normal’. This article explores the interplay between the need for public health and safety measures and the privacy protocols and principles that need to be complied with.
Organizing a social event: A quick fix for event organizers?
At the outset, at a time when mostly digital platforms are minting money, one of the convenient means for event organizers who wish to host a physical event or social gathering to ensure public safety will be to seek information on the vaccination status of the individual, or to arrange for a rapid testing procedure at the site of the event.
This may sound appealing, but it is overwhelmingly difficult for a private entity to enforce a condition like this. Not only must the private entity comply with the applicable data privacy laws; the event organizer will also have to factor in the government circulars and mandates concerning the pandemic, disease outbreaks, disaster management and related laws. There could be prescriptions made by the government, in furtherance of the public interest, which would require compliance under other laws as well.
It is well known that thermal scans are widely used to control access to public and private premises, increasingly in places like restaurants and airports. However, the use of thermal cameras for fever detection has triggered reactions from several data protection authorities, with the Dutch [3] and Lithuanian [4] authorities stating that the use of such thermal scans by employers is unlawful, and the Belgian [5] authority questioning the legal basis of such checks at the airport. The data protection authorities of certain other countries took it upon themselves to issue general reminders on the strictness of the data protection measures applicable to thermal scans [6].
These reminders came in the wake of thermal scanners, which are not particularly invasive. Where an event organizer wishes to conduct the far more invasive procedure of collecting biological samples to detect the health status of individuals, that procedure has to be tested for its effectiveness first. While there is constant scientific research and development in this sphere, the deployment of such random tests may not be effective where the virus goes undetected: antibodies may take one to three weeks to appear after an infection, and the virus may not yet have matured or spread sufficiently within the individual being tested. In assessing the proportionality of a particular measure, the true test of random testing will be when it is pitted against its actual effectiveness in curtailing the spread of the disease in precisely such cases: individuals who show no symptoms, or in whom the virus is not yet mature enough to be detected, but who are nevertheless contagious.
Closely related to this predicament is the reliance that the scientific community is now placing on vaccination. It is pertinent to note that the effectiveness of the vaccination drive in preventing transmission is also not clearly established, and it is possible that a vaccinated individual may have no symptoms and still pose a risk. What, then, is the value of displaying a vaccine certificate or vaccine passport in such circumstances? Does it qualify as an appropriate measure, and does it meet the test of proportionality?
Privacy Law and Covid-19
The vast dissemination of sensitive personal data during the COVID-19 pandemic has underscored the importance of protecting it.
Article 9 of the General Data Protection Regulation [7] (GDPR) prohibits, by default, the processing of special categories of personal data (including genetic data, biometric data and data concerning health). Article 9(2)(i) and (h) explicitly lift that prohibition where the processing is necessary for reasons of –
- public interest in the area of public health (Article 9(2)(i));
- preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services (Article 9(2)(h)).
Article 89 further provides safeguards where personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
The GDPR (Recital 54) relies on the definition of ‘public health’ in Regulation (EC) No 1338/2008 of the European Parliament and of the Council, and the recitals provide further guidance on the applicability of these provisions. Recitals 45, 46, 52, 53 and 54 explicitly acknowledge the need, at times, to process special categories of personal data for reasons of public interest in the area of public health.
While these provisions were framed to give governments a specific and appropriate legal basis for adopting emergency measures, the implementation of those measures must be commensurate with the prescriptions of state and local authorities. Needless to say, it remains paramount for private entities to comply with the basic privacy principles already outlined in the GDPR.
In the face of the pandemic, countries that are parties to Convention 108 [8] adopted emergency measures which restricted fundamental rights. Convention 108 recognizes that governments may lawfully rely on exceptions in cases of emergency; however, such exceptions must be provided for by law [9]. Further, as per the European Data Protection Board’s statement on restrictions to data subject rights under the GDPR during the state of emergency in Member States [10], any measure undertaken by governments needs to be necessitated by an important objective of public interest and must preserve the essence of the individual’s fundamental rights, especially the rights of access, objection and erasure.
In terms of processing personal data in the context of the pandemic, and to combat the spread of this deadly virus, while exceptional circumstances can find a legal basis within Convention 108, they must be backed by specific and additional regulation at the national level. This will establish legal certainty and support compliance with the principles set out in the Convention.
In addition to providing a legal basis, such specific regulation would also build trust amongst individuals by providing for a sunset clause and limiting the scope and applicability of the emergency measures. An additional rider could mandate that specific advice be sought from the data protection authority, and set out the additional or minimum data protection safeguards prescribed for carrying out such public health measures.
Does consent matter?
Consent has a very limited role to play where a person intends or hopes to be admitted to a public place or a public event and has to subject themselves to invasive procedures in order to do so. One could argue that this can be rectified by giving sufficient notice at the time of purchasing the tickets, or at the entrance to the event, but is that a real and true choice being afforded to the individual? Where the individual has paid for an event (and assuming no one really reads the privacy notice), he or she would rarely protest at the venue against undergoing the rapid testing measures. There is no true choice, and so consent cannot be treated as an optimal legal basis; it will not hold good in a court of law, nor, for that matter, pass through the lens of the supervisory authorities.
Who is confirming the retention schedule?
In the wake of this chaotic environment, while personal data is being churned and consumed by the second, does anybody really know whether the data is being repurposed? It is not unreasonable to assume that even state authorities are baffled by this deadly virus and are continuously adapting to new means and methods. When this happens, it is likely that new use cases and purposes will emerge for which these data sets are processed, in the hope that a cure is found or a safety latch put in place. Compliance with the purpose limitation principle is therefore a challenge; however, measures to use this data in anonymized form are increasingly being accepted.
The Dutch authority, which had strongly favoured separate legislation to implement such emergency measures, later changed its tune. The Dutch authority [11] now allows rapid testing during the pandemic when:
- the test results are only read off;
- the rapid test does not take place automatically;
- the processing has no automated consequences.
The Authority has indicated that where the entity does not record the result in a file (such as an Excel list with names and the measured test results), the test does not take place automatically, and the processing does not have an automated consequence, the GDPR does not apply.
The explanation goes on to state that when the result of a rapid test can be traced back to a specific person, it qualifies as health data. Also, where a cotton swab is used to collect a sample from the nose and/or throat, the sample contains genetic data that can be traced back to an individual, and processing such data is usually not allowed. Similar conditions apply to measuring temperature [12] before allowing entry to a building, although the guidance also notes the limited effectiveness of measuring body temperature. Again, where no records are created, the measurement does not take place automatically (for example, by a thermal camera), and the processing does not have an automated consequence (for example, gates that open automatically or a light that turns green if the temperature is not too high), the GDPR does not apply.
While this could be an accepted practice for access control to an event, building or venue, even the guidance note acknowledges that the non-applicability of the GDPR does not do away with the privacy concerns. Additionally, these measures must adhere to the requirements for safe testing outside the Municipal Health Service’s test lanes [13]. One of the essential conditions is that the private entity uses a reliable test and that the test is always voluntary. The authority also acknowledges the inadequacies of seeking consent in hierarchical relationships, such as that between an employer and an employee.
How to move forward?
For most state authorities, companies and employers around the world, this past year has been riddled with unforeseen, unreliable and uncertain circumstances. While entities (public and private alike) have adopted lifebuoy approaches, the real concerns have had to be addressed by the privacy teams. While new means and modes to converse, communicate and socialize have been prescribed and adopted, the compliance requirements that persisted before, under the GDPR, the California Consumer Privacy Act and the Health Insurance Portability and Accountability Act, continue to apply.
While most businesses continue to make attempts to stay afloat, it will be important to see how organizers of public events refrain from collecting and processing personal data, and how they navigate the compliance requirements that would otherwise continue to apply to them, in terms of preserving the physical integrity of individuals while deploying access control measures.
While authorities have earlier alluded to norms around GDPR compliance being relaxed, it would be counterproductive to allow similar exceptions to entities managing vaccination drives. That is different from an event organizer asking a prospective attendee to show a vaccine certificate to gain entry. Taking a leaf out of the Dutch book, a check along the lines of presenting an identification card at a pub to prove age for the consumption of alcohol, or to gain entry at an airport, where the document is inspected but nothing is recorded, should satisfy the event organizer in admitting the individual.
Removing the need to retain such records, and removing automation from both the process and its consequence, could be a possible solution. This would let the event organizer adhere to their commitment to a [possibly] safe and secure environment for attendees, and let the individual know that no new data trail is being created or shared at large in exchange for attendance at a public, social event.
Authors: Abhishek Malhotra and Bagmisikha Puhan
Abhishek Malhotra, Founding Partner
Abhishek Malhotra, Founding Partner, TMT Law Practice (with offices in Delhi, Mumbai and Bangalore), has two decades of experience in his primary areas of expertise, including intellectual property, commercial dispute resolution, technology, media and telecommunications. Mr Malhotra is a member of the Bar Council of Delhi and the State Bar of California, and also holds memberships of national and international professional associations. He has contributed to the policy realm by providing inputs to governments and think tanks on copyright issues, sports and fantasy gaming and digital health, and as a Principal Advisor to the Broadband India Forum on issues relating, inter alia, to satellite communication and data protection. Mr Malhotra is a guest lecturer at the Indian Institute of Information Technology, the National Law School of India University and NUJS, Kolkata.
Bagmisikha Puhan, Associate Partner
Bagmisikha Puhan, Associate Partner, TMT Law Practice, is a technology lawyer and privacy practitioner. She is a member of the Bar Council of West Bengal. Her primary areas of focus include technology, telecommunications and healthcare. She advises new-age technology institutions in the healthcare, fintech and space communications sectors on general corporate advisory, statutory compliance and foreign direct investment, and also focuses on implementing privacy measures at an enterprise level. She has contributed to books and papers on telehealth, data privacy and protection, cybersecurity, and commercial space and policy. She is the legal advisor to the Telemedicine Society of India and has assisted the society in collaborating with governments for policy implementation. She is also a member of the Ethics Committee (Academic) of Mohan Foundation, a leading organization in the field of deceased organ donation and transplantation in the country.
[1] Laura Bradford, Mateo Aboy and Kathleen Liddell, ‘Covid-19 contact tracing apps: a stress test for privacy, the GDPR, and data protection regimes’, Journal of Law and the Biosciences, 1–21, doi:10.1093/jlb/lsaa034, Advance Access Publication 28 May 2020, Original Article.
[2] Euronews, ‘Coronavirus Conundrum: COVID-19 Tracking Apps That Do Not Breach Privacy’ (television broadcast, Apr. 9, 2020), https://www.youtube.com/watch?v=_goD-J96br0&feature=youtu.be; see also Jennifer Valentino-DeVries, ‘Translating a Surveillance Tool into a Virus Tracker for Democracies’, NYTimes, Mar. 19, 2020.
[3] Statement of the Dutch supervisory authority on thermal scans, April 24, 2020, available at: https://autoriteitpersoonsgegevens.nl/nl/nieuws/ap-temperatuur-meten-mag-niet-zomaar; last accessed on March 11, 2021.
[4] Statement of the Lithuanian DPA on Personal Data Protection and Coronavirus COVID-19, available at: https://vdai.lrv.lt/en/news/personal-data-protection-and-coronavirus-covid-19; last accessed on March 29, 2021.
[5] Statement of the Belgian supervisory authority on the legal basis for thermal scans at Brussels airport, available at: https://www.autoriteprotectiondonnees.be/citoyen/controles-detemperature-lapd-prend-contact-avec-brussels-airport; last accessed on March 29, 2021.
[6] Spain: https://www.aepd.es/es/prensa-y-comunicacion/notas-de-prensa/comunicado-aepdtemperatura-establecimientos; France: https://www.cnil.fr/fr/la-cnil-appelle-la-vigilance-surlutilisation-des-cameras-dites-intelligentes-et-des-cameras?; last accessed on March 29, 2021.
[7] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, accessible at: https://eur-lex.europa.eu/eli/reg/2016/679/oj; last accessed on March 21, 2021.
[8] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108): https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108; last accessed on March 11, 2021.
[9] Joint Statement on the right to data protection in the context of the COVID-19 pandemic by Alessandra Pierucci, Chair of the Committee of Convention 108, and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe, available at: https://www.coe.int/en/web/data-protection/statement-by-alessandra-pierucci-and-jean-philippe-walter; last accessed on March 21, 2021.
[10] EDPB statement on the restrictions to data subjects’ rights in connection to the state of emergency in Member States, 2 June 2020, available at: https://edpb.europa.eu/our-work-tools/our-documents/autre/statement-restrictions-data-subject-rights-connection-state_en; last accessed on March 24, 2021.
[11] Dutch supervisory authority guidance on rapid testing during corona: https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/corona/sneltestentijdens-corona; last accessed on March 21, 2021.
[12] Dutch supervisory authority guidance on temperature measurement during corona: https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/corona/temperaturentijdens-corona; last accessed on March 21, 2021.