Summary: Introduction. 1. European framework: premises. 2. Member States approaches. 3. Asian approach. Conclusion.
In the past few days the ongoing debate on Coronavirus, especially after the measures adopted by Governments across Europe, highlighted several problems on data protection’s processing. The issue came to the attention of the most the moment that the effects of States’s actions affected particularly the job market.
What should be the right approach from a democratic point of view of data protection processing? What is the proper balance between a superior public interest, public health, and the individual’s right to protect his personal data? These are few of the questions scholars are trying to answer to.
It can be demonstrated that there is not a lack of protection, but it is clear that it is difficult to adjust the regulatory framework to the state of emergency’s condition. It is interesting how the Italian Government set out a ‘model’ for European member states in terms of adopting restrictive measures for preventing Coronavirus’s spread. Indeed, China represented the only State that had to deal with the virus’s implication before Italy. It is not difficult to affirm that China does not have a lot of points of juncture in terms of data protection processing with the ‘European model’. Because of that, it is relevant to look at the different approaches engaged in the prevention and, moreover, in the fight against COVID-19.
- European framework- premises
The main purpose for setting the European framework in relation to data protection processing is purely economical. The constitution and, consequently, the development of a regulatory framework, that set the rule for a democratic free movement of personal data in the European Union’s area, has always been characterised by a solid economical nature.
This kind of approach can be detected in the Directive 95/46/CE. More specifically, the right to privacy represents the only limit to the scope of the Directive. It is important to refrain that the free movement of personal data constitutes one of the most relevant freedom for the European Union single market since 90’s.
Within the moment the Charter of fundamental rights of European Union came into force it could be stated that personal data protection is expressed by a regulation in the Treaty on the functioning of the European Union (TFUE). Article 16 of TFUE represents the starting point of the data protection processing which leat to the adoption of Regulation UE 2016/679.
More specifically Article 8 of the Charter of fundamental rights of European Union embodies the right to the protection of personal data concerning an individual. The personal data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by the law. Compliance with these rules shall be subject to control by an independent authority.
The EU Regulation also knows as GDPR, General Data Protection Regulation represents the ‘data protection kit’. This whole package, proposed by the European Commission in 2012, aimed to create a solid framework in order to guarantee an high level of certainty and coherence in the application of the Regulation itself. In particular, the package proposed by the Commission, proposed to regulate the data protection in the private and public sector.
- Member States’ approaches
Since the EU Regulation is part of European Union law, the GDPR has general application, it shall be binding in its entirety and directly applicable in all Member States. In order to comprehend what has been the approach adopted by what has become the ‘European model’, it is relevant to differentiate the communication and the disclosure of personal data in China.
On 11th of March the Italian decree signed by the Prime Minister Giuseppe Conte entered into force. The decree imposed a lockdown that will be in place until April 3. The scope of the decree extents entirely to public and private individuals who have to deal with the Health National System. In addition, the decree allows the personal data processing among public individuals and public service officers only if it is necessary according to Article 9 GDPR, that process specific categories of personal data, including health data, and Article 10 GDPR, treating personal data in relation to criminal convictions and offences. Moreover, the personal data which are not part of those listed at Article 9 and 10 can be disclosed only in case it is necessary for carrying out certain activities related to the managing of the health emergency. In order to clarify the treatment of personal data in respect of “Principles relating to processing of personal data” according to Article 5 GDPR, there is a direct reference to the process that must be carried out in respect of “lawfulness, fairness and transparency”. In particular, companies and employers shall inform employees and visitors about the purposes for which their data are processing and the period for which their personal data will be retained. Although there is not a legal vacuum, it is controversial to fully comply within the rules for personal data processing.
At this occurrence it is proper to recall the exception to Articles 8 to 11 of the Convention of Human Rights. Indeed, a wide range of specific restrictions, or ‘legitimate purposes’, of a public and private interest kind are attached to Articles 8 to 11 of the Convention. One of them it’s Public safety as well as the protection of the rights and freedoms of others, and the protection of health or public order/ordre public can justify infringements of the right to respect for private and family life, home and correspondence. It is well known that the private interest to not have their own personal data disclosed can be compressed for the Public safety to be ensured for the community. About that, it is interesting to focus on the common approach adopted by European Union Member States.
Spain clearly stated that “The GDPR provides the regulatory framework that disciplines the personal data treatment which has to comply with the principle of lawfulness entailed in Article 5 GDPR.” Moreover, it is expressed that ‘the personal data protection should not obstacle neither limit the effectiveness of the measures adopted by the health authorities, especially when those are engaged to fight the pandemic.’ The legal basis for personal data’s treatment in exceptional circumstances is Article 46 GDPR. In those cases the actions must be carried out in order to guarantee Public Safety in terms of protecting the vital interest of the subject or of another person (Art. 6 .1 (d)) as well as in terms of enhance the public interest or the respect of the exercise portrayed by an official authority (Art. 6 1. (e)).
This very legal basis allows the treatment of personal data without the consent of the subjects involved. Data concerning the health condition are labelled in the Regulation as ‘special categories of personal data’. In such a manner a statement has been made in terms of prohibiting the treatment of such data unless there is any kind of exception listed at Article 9.2 GDPR. More specifically it is relevant to outline the referral to ‘the obligations and exercise of specific rights of the controller or of the data subject in the field of employment and social security and social protection law’ as well as ‘processing is necessary for reasons of public interest in the area of public health’. Moreover, it is proper to recall the ‘Ley 33/2011 General de Salud Pública’ which affirms that, in order to stop the virus’s spread, the health authorities can adopt all the measures necessary to avoid the transmission of the virus.
A similar approach has been portrayed by the Polish authorities since it has been affirmed by Personal Data Protection Office (UODO) that the provisions on personal data protection cannot be considered as an obstacle to conducting the activities with regard to fighting the virus.
Luxembourg authorities provide that if private and public actors can implement measures to limit the spread of the virus, such measures must take into account respect for the privacy of persons concerned. Actors must therefore refrain from collecting in a systematic and generalised manner, or through individual inquiries and requests, information relating to the search for possible symptoms presented by an external employee / person as well as their relatives. For confidentiality purposes, any data processing carried out in the context of preventing the spread of the virus must be carried out in such a way as to guarantee the security of the data, in particular with regard to health data. Thus, the identity of the persons concerned must not be disclosed to third parties or to their colleagues without clear justification. Anyway, the present recommendations are communicated by the CNPD, without prejudice to any more restrictive state measures, which could be taken in the context of aggravated scenarios. In this way it is clear that the European model shows a common model embraced by the whole Union.
- Asian approach
It is pretty clear that the issue at the core of the debate about privacy and coronavirus relates to the prevention of personal data to be disclosed in order to guarantee Public Safety. The European approach seems to be way more caring about the respect of the Regulation even though it must comply with the emergency condition going on those days.
South Corea along with Taiwan, Israel, Singapore and China adopted the ‘contact tracing’ technique for the prevention of the virus. It has been shown that this particular method has been a precious alliance. Tedros Adhamon Ghebreyesus, WHO director general, made it clear that the only lock-down measure could not be sufficient and effective for the prevention of the virus. Indeed, South Corea had very similar results to Italy in the last week of February. The difference lies in the fact that while in Italy the number of people positive to Coronavirus increased, Seul showed how the number stayed stable. In order to understand the different results in those two areas of the world it is important to recall the experience South Corea had when facing in 2015 Mers epidemic. The authorities were allowed to have access to a wide range of personal data such as webcam scan, credit card transactions, smartphone tracking location. All those informations turned out to be useful
to track the movements of citizens so that it was not difficult to detect who may have get exposed to the virus.
Although the results were outstanding, the technique is highly invasive since there is no limit to the disclosure nor access to relevant information of the individual. Mr Antonello Soro, President of the Italian DPA, made clear that those actions may be portrayed by authorities but they must be proportionate to the effective prevention of the virus’s spread. Anyhow, Soro affirmed that he does not believe in a strict surveillance that is not followed up by an efficient or transparent manage of personal data. However, Hubei inhabitants did not struggle to comprehend the invasive instruments the Government adopted for the prevention of the virus. Those measures have been already used for the control of people’s activities in order to check whether the lockdown is respected. Those activities can be tracked through the scan of their personal QR code plus a declaration of their own personal movements.
It is not controversial that European and Asian framework show different kind of approach when it comes to adapt a model in order to prevent the virus’s spread. European model describes how Member States adopted a common interaction whilst the Asian solution is way more practical although more intrusive when it comes to the core value of data protection.
 G.F. Ferrari (a cura di), La tutela dei dati personali in Italia 15 anni dopo. Tempo di bilanci e bilanciamenti, Collana di Diritto dell’Economia a cura di P. Marchetti, Egea, Milano, 2013.
 S.Sica, V.D’Antonio, G.M Riccio, La nuova disciplina europea della Privacy, Wolters Kluwer Italia, 2016, p.271.
 European Union, Charter of Fundamental Rights of the European Union, 26 October 2012, 2012/C 326/02, available at: https://www.refworld.org/docid/3ae6b3b70.html [accessed 22 March 2020].
 C. del Federico,Il trattamento dei dati personali dei lavoratori alla luce del nuovo Regolamento UE 2016/679 implicazioni e prospettive, Zanichelli, 2019.
 G. Finocchiaro, La protezione dei dati personali in Italia. Regolamento UE n. 2016/679 e d.lgs. 10 agosto 2018, n. 101, Zanichelli, 2019.
 C. Pivato, Il metodo coreano per il contenimento del coronavirus: impatti privacy se venisse applicato in Italia, https://www.cybersecurity360.it/legal/privacy-dati-personali/il-metodo-coreano-per-il-contenimento-del-coronavirus-impatti-privacy-se-venisse-applicato-in-italia/ [accessed 22 March 2020].
 EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.
 Above 6.
 La AEPD publica un informe sobre los tratamientos de datos en relación con el COVID-19, Agencia Española de Protección de Datos, https://www.aepd.es/es/prensa-y-comunicacion/notas-de-prensa/la-aepd-publica-un-informe-sobre-los-tratamientos-de-datos-en [accessed 19 March 2020.]
 Above 7.
 Personal Data Protection Office, https://uodo.gov.pl/en/553/1103 [accessed 18 March 2020.]
 CoronaVirus(Covid-19): Reccomandations de la CNPD relative à la collecte de données personnelles dans un contexte de cris sanitaire, La Commission nationale pour la protection des données (CNPD) https://cnpd.public.lu/fr/actualites/national/2020/03/coronavirus.html [accessed 22 March 2020.]
 B. Simonetta, Così big data e intelligenza artificiale stanno battendo il coronavirus in Cina, ilSole 24 ore. https://www.ilsole24ore.com/art/la-macchina-tech-xi-jinping-cosi-big-data-e-intelligenza-artificiale-stanno-battendo-coronavirus-cina-ADsL0XB [accessed 10 March 2020.]
 Above n 6.