There has been plenty of media coverage regarding the novel uses of data to assist in the fight against the spread of COVID-19. Such ingenuity may be a help in combating the spread of the disease, but could it also have darker, dystopian consequences?
Despite official recommendations to limit travel and practice social distancing, this weekend the UK’s public parks, beaches and beauty spots remained busy. Walkers, runners and cyclists were also out in force, some solo and some in groups. At the end of the weekend, social media and fitness app profiles proudly displayed who had been where and with whom.
While this may appear no different to normal, we are now in a new normal. Guidance sent out last week by the European Data Protection Board and a number of national EU data protection authorities made clear, even if not always harmonized in approach, that data protection in the time of coronavirus must remain GDPR-compliant, and for the most part focused on transparency, purpose limitation and security.
This may sound reassuring to some, but the GDPR may not give individuals the control over their personal data they think it does.
It is often thought that under the protection of GDPR an individual must consent to the processing of their personal data, including data about their health. However, this is not the case, and as noted by the EDPB in its recent guidance there are a number of legal bases that may be relied on for processing personal data in the context of the COVID-19 pandemic. These bases include the processing of special category data on the basis of Union or Member State law where it is necessary for reasons of substantial public interest in the area of public health (Article 9(2)(i)).
If the public do not abide by the official recommendations to limit travel and follow social distancing guidelines, it is possible that, as we have seen in some EU countries already, more drastic and emergency legal measures will need to be taken to ensure public compliance.
In such instances it may be much easier to support the argument that access to and monitoring of social media feeds and fitness app feeds is needed under Article 9(2)(i) to allow officials to monitor and enforce social distancing rules on public health grounds.
So, a very careful balance will need to be struck between the rights of the individual and the needs of public protection for these purposes, with a clear focus on the narrow limitation of necessity under Article 9(2)(i) and the other safeguards on the use of personal data provided by the GDPR. If not, it is easy to see a blurred line allowing officials to collect and track the movement and interactions of individuals on a very broad and invasive basis.
As we move through this coronavirus crisis, the novel analysis of personal data has the ability to be a real help to society, but it also has the potential to be used in a dystopian manner. The message is simple: we have to ensure the fundamental protections enshrined in the GDPR are not watered down unnecessarily and without proper thought or debate.
And for those fitness trackers keen on staying fit in the current climate, you may want to consider a little solitary running on the spot.