The Coronavirus Crisis and EU Adequacy Decisions for Data Transfers
The coronavirus crisis has given rise to numerous initiatives by governments around the world to combat the pandemic by gathering, sharing, and transferring data, both personal and anonymized. A great deal of attention has been given to proposals for increased data gathering within the EU, and many statements have been issued about them by European institutions, data protection authorities, and academics. However, less attention has been given to the protection that personal data transferred from the EU receive in countries that have adopted such measures.These measures raise questions both about respect for the rights of privacy and data protection within the EU/EEA, discussed below, and about the protection that personal data transferred from the EU receive in third countries that have been found to provide “adequate protection” based on EU standards, which is the subject of this comment.
Under Article 45 of the EU’s General Data Protection Regulation 2016/679 (GDPR), the European Commission may issue a decision that a third country ensures an adequate level of data protection, which was also possible under Article 25 of the EU Data Protection Directive 95/46 (the “Directive”) that preceded the GDPR. Since adequacy decisions allow for an unimpeded flow of personal data from the EU to the third country involved, they may only be issued when the legal system of such country guarantees a standard of protection that is essentially equivalent to that under EU law (see Recital 104 of the GDPR).
Israel and South Korea are among the countries that have announced plans to use aggressive measures to intensify data collection and data sharing to combat coronavirus, and that either (with regard to Israel) received an EU adequacy decision in the past, or (with regard to South Korea) are currently engaged in ongoing decisions with the European Commission concerning the issuance of one. According to news reports, Israeli Prime Minister Benjamin Netanyahu stated in mid-March that he had been allowed by the Justice Ministry to use intelligence tracking tools to digitally monitor coronavirus patients without their consent. Other reports state that the Israeli government has approved the use of new technologies to retrace the movements of coronavirus patients and the people with whom they have been in contact. With regard to South Korea, one report states that “government agencies are harnessing surveillance-camera footage, smartphone location data and credit card purchase records to help trace the recent movements of coronavirus patients and establish virus transmission chains”.
Without meaning to take a position on the level of protection offered by specific measures taken in any third country, these developments raise questions as to their effect, if any, on existing or potential EU adequacy decisions. In particular, one might ask whether EU data protection standards are relevant to data-gathering measures taken in third countries to combat the coronavirus. For example, it has been reported that a European Commission spokesperson has stated the following regarding the measures taken in Israel: “To our knowledge, the measures … involve the collection of location data of persons in Israel from telecom operators. This would therefore not concern data transfers from Europe covered by the Commission’s adequacy finding for Israel” (paywall).
However, measures taken in third countries to expand the processing of data for the purpose of combatting coronavirus may indeed have implications under EU data protection law. Under Article 45(2)(a) of the GDPR, when assessing the adequacy of the level of protection in a third country, the Commission must take account of, among other things, “the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation…” This means that an adequacy decision requires a holistic assessment of the legal system of a third country that goes beyond an examination of its data protection legislation, and may include evaluating data gathering and data sharing measures in an area such as combatting pandemics. Adequacy must also be re-assessed as part of a periodic review by the Commission as circumstances change (see Article 46(3) of the GDPR).
Thus, the measures that a third country takes with regard to data sharing and data collection are not solely a matter for its own law, at least to the extent that it wants to benefit from an EU adequacy decision. Indeed, such measures must form an integral part of the EU’s assessment, both initially and on a continuing basis, as to whether equivalence with EU law exists.
EU adequacy decisions reflect this requirement. For example, Recital 3 of the Commission decision concerning Israel states that adequate protection must be assessed in light of factors listed in Article 25 of the Directive, which include, among others, the nature of the data, the purpose and duration of data processing operations, and legal rules in force in the third country (the Directive was applicable in 2011 when the adequacy decision was issued, but has since been replaced by the GDPR). Article 3(1) of the decision also states that the data protection authorities (DPAs) in the EU may suspend data flows when:
“[T]here is a substantial likelihood that the standards of protection are being infringed, there are reasonable grounds for believing that the competent Israeli authority is not taking or will not take adequate and timely steps to settle the case at issue, the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide the party responsible for processing established in the State of Israel with notice and an opportunity to respond.”
It might be argued that EU data protection standards should not apply unless it can be proved that data processing in the third country involves data transferred from the EU, since the protection of data transfers is the purpose of an adequacy decision. However, this contention is undercut by the 2003 judgment of the Court of Justice of the EU in Case C-101/01, Bodil Lindqvist, a case that raised the question of whether putting personal data on an Internet page was covered by the Directive. In Lindqvist the Court held that the Directive was applicable even in cases where there was no actual link with free movement between the Member States (the regulation of which was one of the purposes of the Directive), because it would not be appropriate to determine in each individual case whether the specific activity at issue directly affected freedom of movement (see paras. 40-42 of that judgement). This point is also supported by the Court’s judgment in Joined Cases C-465/00, C-138/01 and C-139/01, Österreichischer Rundfunk and Others (see paras. 41-43).
The same rationale would seem to apply to the data transfer rules under both the Directive and the GDPR. As the Court affirmed in its 2015 judgment in Case C-362/14 Schrems, the DPAs and national courts should have broad powers to examine the compatibility of Commission adequacy decisions with the rights and freedoms of individuals (see para. 63). The GDPR also creates a high standard for Commission adequacy decisions, which would surely be undermined if a potential violation of the rule of law and fundamental rights in third countries was found to be an internal matter. Thus, the relevant considerations with regard to adequacy decisions are not whether third country measures involve data transfers from the EU, but rather what is the level of data protection in the third country and what are the impact of such measures on data subjects.
This does not mean that the gathering and processing of data to combat the coronavirus by third countries benefitting from an EU adequacy decision must necessarily result in the limitation or suspension of data transfers to them. Adequacy is judged based on essential equivalence with EU law, and EU data protection law allows considerable leeway for data transfers that are necessary for important reasons of public interest or to protect the vital interests of data subjects or other persons. For example, Recital 46 GDPR states that “some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters”. This flexibility has also been affirmed by the European Data Protection Board (EDPB) in a statement adopted on 19 March.
It does mean that the data collection and processing measures taken in third countries to combat the coronavirus are relevant to an evaluation of the continued validity of existing adequacy decisions and the potential conclusion of new ones. This is important not only to ensure that data transfers from the EU receive adequate protection, but also to require that data collection and processing measures in the EU itself meet applicable data protection standards. Dismissing initiatives in third countries as purely internal matters could take pressure off the EU and the Member States to adhere to data protection and fundamental rights standards in the measures that they themselves have already adopted or are considering.
Within the EU, Articles 7 and 8 of the EU Charter of Fundamental Rights govern secondary EU law and national law falling within the scope of EU law, such as legislation restricting rights under the GDPR and the ePrivacy Directive. The case law of the CJEU in this respect has vigorously applied the principles of necessity and proportionality, which will have to be respected by the EU legislator and by Member States when providing for surveillance, in particular, of mobile phone users.
The standards that EU law requires in this regard have been summarised as follows by the EDPB and the European Data Protection Supervisor (EDPS): lawfulness of processing; transparency; proportionality; effective data anonymization; data security; limitations on data access; and deletion of data when the emergency has come to an end (in a nutshell, the familiar requirements of necessity and proportionality). If properly implemented, they can even facilitate the use of data processing to fight the pandemic, and help ensure that data gathering and processing are invoked not as a reflexive action by politicians, but as fully effective, evidence-based measures. Observing the basic principles of data protection will also help ensure buy-in from individuals and prevent public backlash against data gathering and processing measures.
Applying data protection standards to adequacy decisions is mandated by EU law, and the Court of Justice will insist on it. The debate on reconciling public health exigencies with the rights of privacy and data protection is in the front line of the broader debate on the respect for fundamental rights generally and the principle of democracy itself. This is an issue where the EU – particularly the Commission, the EDPB and the EDPS, acting in their respective competences – can provide much-needed leadership, both in Europe and worldwide. The current crisis is an opportunity to show that data protection can be a win-win that holds crucial benefits for fundamental rights, the public interest, and the vital interests of individuals.