As the world witnesses a health crisis and human lives are on the line, the protection of personal data is not the primary concern for most people, and it is understandable. Nonetheless, democratic values, and especially the rights and freedoms of every citizen, cannot be disregarded, even in troubled times. Data protection laws are no obstacles to the fight against the coronavirus as they include provisions that are meant to process necessary information to confront the pandemic while respecting privacy.
Health information is sensitive data
A crisis like the one the international community is facing now leads to the processing of a large number of health-related data by employers, health practitioners, public bodies, or researchers. They must be processed in accordance with the provisions of the General Data Protection Regulation (GDPR) within the European Union.
Health data are defined as “personal data related to the […] health of a natural person, including the provision of health care services, which reveal information about his or her health status
”1. The GDPR basically tells us that health data are data related to health, which is kind of tautological. What personal data should be considered health data according to this definition in the context of the actual coronavirus crisis?
Information about testing positive to Covid-19, conducting tests on individuals, recording body temperature or tracking down symptoms of the disease (fever, coughing, breathing problems, etc.) definitely qualifies as health data. That kind of information is directly “related to the health of a natural person
”.
Details about places of stay and locations a person visited during a trip constitute personal data, but should they be considered sensitive data? Supervisory authorities of some Member States do not classify them as such because they do not directly reveal information about a person’s health status.
The bare fact that someone is in quarantine is more difficult to qualify. It may be considered as health data depending on the additional information existing about the quarantine (cause, goal, place, etc.), according to some Member States’ supervisory authorities.
The legal regime applicable to health data
The qualification of health data is not a theoretical exercise. It has a direct and practical impact on the legal regime applicable to these data and, therefore, on how the data should be processed.
Data informing on a person’s health condition belong to special categories of personal data2, according to the GDPR, and are treated with particular consideration due to their sensitive nature. Processing such data poses indeed “significant risks to the fundamental rights and freedoms
”3 of an individual.
The sensitive nature of the data has prompted the European legislator to enact a special legal regime to deal with any health-related information. Processing of this type of data is prohibited as a general rule4, unless there is an explicit derogatory provision applicable under the GDPR5.
It is clear now that some information falls under the general legal regime of data protection, while others follow special rules. We will concentrate on these rules applicable to special categories of personal data for the rest of the article and how employers, health practitioners, public bodies, and researchers may legally handle them in a context requiring speedy actions and decisions.
Health data and the protection of vital interests
The processing of special categories of personal data, including health data, is allowed if it is necessary to protect a person’s or third parties’ vital interests6. The vital interests exception is similar to the vital interests lawful basis7 to process data except that it applies only if you cannot obtain a person’s consent (cf. Contact Tracing, Data Tracking, Coronavirus, and Law for the processing of health data based on consent).
The scope of the exception is limited as it concerns only the protection of a person’s “vital interest
”, that is to say, “an interest which is essential for [her/his] life
”8. It includes threats to the physical integrity or life of a person or a third party. In other words, it must be a matter of life and death even though recital 46 GDPR widens the scope of the exception. It also applies to humanitarian situations such as monitoring epidemics, which is of particular interest here.
The second condition limits drastically the scope of the vital interests exception: it may be invoked only if the individual is physically or legally incapable of giving consent. It can be the case if the person is unconscious, for example, or is unable to consent because of her/his legal status, like a minor or an adult under guardianship or trusteeship. Explicit consent must be sought after whenever it is possible9. It is not possible to rely on the vital interests exception as an alternative option if a person is able to consent and has refused to.
Essentially, the vital interests exception is useful for medical emergency situations. If a person suffers from acute respiratory distress syndrome, for example, the medical staff may need her/his recent medical history to decide on the proper treatment. As the person is unable to offer her/his consent, the hospital needs a legal basis to process her/his health data and the vital interests exception might prove useful. It can also be convenient in cases of epidemics like the one the world is confronted with right now. It is obviously impossible for all infected individuals to consent in a timely manner to allow medical staff to gather data in order to prevent the spread of the virus and, in doing so, to protect third parties’ vital interests.
Sensitive data and the protection of public health
The European legislator could not have foreseen the scale of the coronavirus epidemic, but it has adopted an exception to the prohibition of processing sensitive data to face situations like these. Epidemics have existed and will exist in the future, that is why the GDPR empowers public authorities to collect health data during a virus outbreak.
Article 9 (2) (i) GDPR provides for an exception to process sensitive data – without the explicit consent of an individual10 – that are necessary for reasons of public interest in the area of public health.
Public health is generally defined as “all elements related to health
”11. The terms are exemplified in article 9 (2) (i) GDPR itself. They comprise explicitly the protection against “serious cross-border threats to health
”, which include “communicable diseases
”12 among other categories of threats. The statutory exception encompasses, therefore, data necessary to study or fight epidemics like the current one which forces hundreds of thousands of people around the world into confinement.
Public interest refers to the public good and what is in the best interests of a group of individuals or the society as a whole13. A personal, corporate, or financial interest is not enough to justify the application of this exception. Once data have been processed under the public health exception, they cannot be shared with third parties14.
“Emergency is a legal condition which may legitimise restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period”15, reminds the European Data Protection Board. It is in everybody’s interest to slow down the epidemic and enroll technology in the fight against the coronavirus. Nevertheless, it must be done in a manner that preserves personal rights and freedoms. Handling of sensitive personal data in the context of a crisis should be necessary, proportionate, and temporary. The compelling public interest to eradicate pandemics requires a reasonable and pragmatic approach, but also the respect of the rule of law.
* Une version française de ce texte a été publiée sous le titre Les données de santé au temps du coronavirus.
1 Art. 4 (15) GDPR.
2 Art. 9 (1) GDPR.
3 Recital 51 GDPR.
4 Art. 9 (1) GDPR.
5 Art. 9 (2) GDPR.
6 Art. 9 (2) (c) GDPR.
7 Art. 6 (1) (d) GDPR.
8 Recital 46 GDPR.
9 Art. 9 (2) (a) GDPR.
10 Recital 54 GDPR.
11 Regulation (EC) No 1338/2008 of 16 December 2008 on Community Statistics on Public Health and Health and Safety at Work, OJEU L 354, 31 December 2008, p. 70, art. 3 c).
12 Decision No 1082/2013/EU of 22 October 2013 on Serious Cross-Border Threats to Health, OJEU L 293, 5 November 2013, p. 1, art. 1 (a) (i).
13 Recital 53 GDPR.
14 Recital 54 GDPR.
15 European Data Protection Board, Statement on the Processing of Personal Data in the Context of the Covid-19 Outbreak (19 March 2020).