Cross Border Data Processing In The EU During COVID-19

Cross Border Data Processing

Cross-border data processing is a major problem today. The scale of the collection and sharing of personal data has increased significantly because of technological developments, globalisation and the large number of companies and public bodies that operate in different countries, so that the personal data they collect has a connection to more than one Member State of the European Union. This has brought new challenges for the protection of personal data, makes us doubt the protection of our privacy, and leads us to demand real, effective and more consistent data protection measures in the European Union.

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that “everyone has the right to the protection of personal data concerning him or her”.

However, this right is not absolute. Where rights conflict, one must be prioritised over the other, and for that we use the principle of proportionality, a principle that sometimes works to the detriment of the right to personal data protection, even though this fundamental right is closely connected with the right to respect for private and family life enshrined in Article 7 of the Charter. Article 52(1) of the Charter of Fundamental Rights of the European Union provides that: “Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.” But who determines this proportionality, and based on what criteria? What should we understand by general interest?

To protect our personal data, the European Union must provide detailed regulation of the rights of data subjects and of the obligations of those who process, and determine the processing of, this data, control and ensure compliance with the rules in all Member States, and sanction the infractions committed by them. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereafter GDPR, is the instrument that takes charge of this, in order to strengthen that fundamental right and to harmonise the rules across all Member States for efficient protection and to facilitate the work of companies and public bodies, especially during this digital boom.

As provided in Article 5(1) of the GDPR, the personal data processed should be:

• processed lawfully, fairly and in a transparent manner in relation to the data subject;

• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes; (here too, I would ask the same question: what should we understand by the public interest?)

• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; (Sometimes the personal data collected can be considered to exceed the minimum necessary.)

• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to the implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject, and;

• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Moreover, article 7(1) lists a number of cases in which data processing can be considered lawful:

• the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

• processing is necessary for compliance with a legal obligation to which the controller is subject;

• processing is necessary in order to protect the vital interests of the data subject or of another natural person;

• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

We should not forget that, even during the health crisis we are living through in this pandemic, it is prohibited to process data concerning health. Unfortunately, we find once again that this does not apply if the processing “is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

The GDPR recognizes that in exceptional situations such as the current one, “the legal basis for processing can be multiple, based on both the public interest and the vital interest of the interested party and another natural person.”

And it is precisely by recognizing the protection of that “other natural person” that the processing of the individual's personal data is being legitimized in order to protect third parties against contagion. Consequently, the clash of collective and individual rights is resolved in favour of the protection of public health. The GDPR allows the information of an infected person to be known for the sake of the health and safety of the group, so we can clearly see that the health authorities of the different Member States cross-reference personal data, as they can communicate to friends, family or co-workers that someone is infected with Covid-19.

Now, almost all Member States require travellers, as a condition of entering their country, to fill in a form with their personal data, such as all their personal information, contact method, flight number, seat number, place of stay during the trip and the reason for travelling, as well as questions related to possible risk: whether you have been in contact in the last 14 days with someone who has had Covid-19; whether you have a cough, …; whether you have been to a hospital in the previous two weeks; or which countries and cities you have been to before.

This form is also a sworn declaration, which sometimes obliges you to quarantine and to notify the health authorities if you present any symptoms afterwards. Undoubtedly, this is generating fear among travellers regarding the treatment of their personal data, the security risk and the possibility that their data may become known to another country's public authorities. It also makes them wonder whether all this personal data is limited to the purpose for which it is collected.

I believe that a detailed study of those forms is needed to ensure that they do not include additional questions beyond those strictly necessary and related to the symptoms. This makes me wonder whether those measures to protect personal data were reviewed, as paragraphs 1 and 2 of Article 24 of the GDPR provide that:

“1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.”

The European Data Protection Board (EDPB) is an independent European body that shall ensure the consistent application of data protection rules throughout the European Union, and now more than ever it needs to ensure that such data is protected and that it is only used for the purpose for which it was collected.

It is true that the GDPR helps to further ensure data protection and helps users to be more aware of the rights they have in terms of defending them.

Notwithstanding the above, many aspects still await development and specification. The Member States, supervisory authorities, the European Data Protection Committee and the Commission must specify a multitude of elements in the GDPR that are too ambiguous or incorrect. Moreover, given the legal complexity, Member States, companies and public bodies are still struggling to meet the legal requirements, so in the end the injured parties are the users whose data is processed and even transferred to other Member States. This makes us doubt whether that host country or public body is complying with the necessary measures to protect our personal data, since, with the exception of the principle of general interest or public health, we can find some ambiguities.