The coronavirus outbreak is set to test the limits of institutions and organisations the world over – including data watchdogs.
As the coronavirus crisis rapidly escalated over the last few days, data protection authorities have sprung into action. The EDPB published guidance for organisations yesterday on data processing rules – particularly those relating to health data – while authorities try to mitigate the Covid-19 outbreak.
The statement came after several national authorities published data protection advice. The EU’s own data watchdog, the European Data Protection Supervisor, has been working remotely as of last Friday.
Observers – some working from home themselves – have said the lack of EU-wide guidance has led to member states’ regulators offering diverging guidance, creating confusion for organisations across the bloc. Many also said the virus and its impact on society will stress-test the regulators, particularly as many authorities have limited resources.
Regarding the processing of electronic communication data, such as mobile location data, additional rules apply, the regulator said. The ePrivacy Directive – which ensures location data can only be used when anonymised or with consent – can allow member states to introduce legislation pursuant to national security and public safety that allows them to process data that has not been made anonymous.
Jesús Yáñez, a partner at ECIJA in Madrid, told GDR that Spain’s state of emergency – effective from 14 March – means all administrative deadlines are suspended, allowing some breathing space for any ongoing investigations the Spanish AEPD must carry out, and also to companies that must provide documentation to the regulator.
As Spanish citizens liaise with their authorities using digital channels, Yáñez said this novel situation should not have a “great impact” on the AEPD’s operations, but the main issue is that not all administrative workplaces are ready for remote working, “which is a very different thing”.
“I’m sure the internal effectiveness inside the AEPD will be impacted. The implementation of the GDPR back in May 2018 already showed that more resources were needed, and of course these needs are going to become even more obvious over the coming days and weeks, Yáñez said.