Among countless other disruptions, COVID-19 has raised important questions about the limits of data collection and highlighted the shortcomings of both the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). The pandemic has proven to be a black swan for which neither law nor its enforcement bodies are prepared—and which carries privacy-law implications that will persist long after the health crisis ends. Consequently, governments and businesses must work without meaningful existing guidance to strike a delicate balance between gathering the critical information needed to manage the virus and honoring the GDPR’s and CCPA’s stringent requirements.
Data Collection in Europe
The European Data Protection Board’s general guidance on how to collect data in the context of COVID-19 leaves much room for interpretation. GDPR Articles 6 and 9 permit data collection without consent if the processing is necessary for the performance of a task carried out in the public interest. Although combating COVID-19 qualifies as a public-interest need, it is unclear whether the collection methods employed, which vary by country, qualify as “necessary” under the GDPR, or whether or to what extent those processes can continue after the pandemic without violating the law. Each member state decides for itself how much intrusion is necessary, which invites comparisons to determine how far is far enough when gathering data in the public interest.