by Alessandra Silveira, Editor
Health-related personal data – regarding COVID-19 and digital surveillance
Article 9 of the Regulation (EU) 2016/679 – General Data Protection Regulation (hereinafter, “GDPR”) prohibits the processing of special categories of personal data, amongst them (and the ones relevant for the subject of this essay): genetic data; biometric data for the purpose of uniquely identifying a natural person; and data concerning health. However, this prohibition shall not apply if processing is necessary for the purposes of medical diagnosis; the provision of health care or treatment; the management of health care systems; or pursuant to contract with a health professional, in accordance with point h), of Article 9/2 of GDPR and under the further conditions established in Article 9/3. In particular, the general prohibition shall not apply if the “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices”, under point i), of Article 9/2.
For extreme cases, processing of special categories may also be necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent, under point c) of Article 9/2. Besides, consent is not the proper legal basis for the processing of personal data that is necessary to provide health care. Even the processing of personal data for sending reminders for appointments or to change exam dates should not depend on consent, instead being based on point h), of Article 9/2. This is particularly relevant in the current context, where non-essential appointments and exams are frequently being rebooked or replaced by technology-based alternatives. In fact, if the processing of personal data is necessary to provide health care, GDPR-consent should never be requested as it cannot be freely given. One should always keep in mind that GDPR-consent is different from the medical “informed consent” and, in fact, has stricter requirements.
Rejecting consent as a legal basis for the provision of medical care is in line with the Portuguese Data Protection Authority’s (Comissão Nacional de Proteção de Dados, hereinafter “CNPD”) understanding, namely its Opinion 2019/25, of 10 May 2019, requested by the Portuguese Health Authority (Entidade Reguladora da Saúde, hereinafter “ERS”), regarding a set of cases where access to medical care had been denied on the basis of lack of consent for the processing of personal data by the data subject. In every case, the fact that the data subject had not signed a declaration of consent had served as grounds to deny the provision of health care services, such as medical appointments and medical exams, amongst others. In this context, ERS requested CNPD’s opinion to assess whether the healthcare providers had acted in accordance with the GDPR. Without exception, CNPD decided that the choice of consent as a legal basis was an error and a breach of the GDPR.
ERS’ request also related to the capacity to obtain from the data subject a written declaration that attests that the legally required information under Articles 13 or 14 of the GDPR was provided. CNPD considered that the data controller may collect proof in writing that it complied with this obligation – as the information should be provided in written form – and, thus, the procedure being used by healthcare providers was in accordance with the GDPR. If data subjects refuse to sign the declaration, the healthcare provider should register this fact, and make sure that there is testimonial evidence of this. In any case, healthcare providers cannot make the signature of the declaration a condition for the provision of medical care, as that would be illegal.
Indeed, one cannot forget that, in accordance with the current data protection legal framework, the rule is the prohibition of the processing of special categories of personal data. Consequently, the limitations regarding the processing of genetic data, biometric data or data concerning health on the basis of Member State law demand suitable and specific measures to safeguard the rights and freedoms of the data subject, under Article 9/4 GDPR. Still, compliance with the GDPR is an effort that includes the use of a proper legal basis and compliance with the relevant principles of data protection, such as minimization and privacy by design and by default.
In fact, in Portugal, sanctions have been levied against medical providers for infringement of the GDPR’s principles of minimization and integrity and confidentiality, along with infringements related to the obligation to guarantee the application of technical and organizational measures necessary for the security of the data protection operations. In a specific case, which drew significant media attention, the issue was, mainly, the fact that access to the patient’s data was not adequately restricted to the people on a need-to-know basis. According to CNPD, the healthcare provider allowed profiles that should be registered on the system as “technician” to be registered as “doctor”. In addition, profiles related to healthcare professionals that no longer worked there were still active.
The reason behind our considerations relating to the protection of personal data, and specifically health, biometric and genetic data, is the current COVID-19 global pandemic. To battle against the pandemic, the governments of some Asian countries heavily relied on digital surveillance. In an interview published by the Spanish newspaper El País on 22 March (entitled “La emergencia viral y el mundo de mañana”), the South Korean philosopher Byung-Chul Han considered that data protection does not enable European countries to engage in the same type of battle against the virus as Asian countries do. According to the author, in the Asian countries there is no critical conscience regarding digital surveillance. Chinese telecommunication providers freely share sensitive personal data of their customers with security services and health authorities. The State knows, therefore, where every individual is, with whom he/she is, what the individual is doing, and what he/she is looking for, buying, eating, and thinking. By analyzing the data and building profiles, it was possible to anticipate the potential individuals that would be infected, the ones who needed to be observed and the ones who needed to be quarantined. According to the South Korean philosopher, Asian countries were dealing more effectively with the health crisis when compared to Europeans because they do not know what privacy and data protection are.
These facts awaken us to the possibility of the current pandemic being used as a way to legitimize and normalize the implementation of mass digital surveillance tools in democratic countries that have, until now, rejected them. In an interview published by the Portuguese newspaper Público (entitled “Parece não haver adultos na sala”), Israeli historian Yuval Harari alerted that even when COVID-19 cases are reduced to zero, some governments can argue that they need to keep the surveillance systems introduced to avoid a second wave of the pandemic or some other threat, because “there is always an emergency in the horizon”. However, there is a false dichotomy between data protection and protecting citizens’ health. It is, in fact, possible to protect our collective health by appealing to the informed citizen’s conscience and knowledge without the need to impose totalitarian surveillance systems. In the end, it is all a matter of proportionality, as can be seen in the GDPR’s regulation of special categories of personal data and also in judgments of the ECJ, such as Digital Rights Ireland and Tele2.
As we can see from the Opinion of the Advocate-General Miguel Poiares Maduro in Kadi (paragraphs 35 and 45) “certainly, extraordinary circumstances may justify restrictions on individual freedom that would be unacceptable under normal conditions” – in reality, as we have been witnessing in a plethora of Member States during the month of March 2020. However, “the same circumstances that may justify exceptional restrictions on fundamental rights also require the courts to ascertain carefully whether those restrictions go beyond what is necessary”. If we are at war against an invisible enemy – as pointed out by several European political leaders when speaking about the respective State’s declaration of a state of emergency to fight the pandemic – it is important to not forget that “it is when the cannons roar that we especially need the laws”, and to guarantee that “what may be politically expedient at a particular moment also complies with the rule of law without which, in the long run, no democratic society can truly prosper”.
Picture credits: Pxfuel.