Privacy & Information Security Law Blog

On March 17, 2020, the Executive Committee of the Global Privacy Assembly (“GPA”) issued a statement giving their support to the sharing of personal data by organizations and governments for the purposes of fighting the spread of the COVID-19 pandemic. The GPA brings together data protection regulators from over 80 countries and its membership currently consists of more than 130 data protection regulators around the world, including the UK Information Commissioner’s Office, the U.S. Federal Trade Commission, and the data protection regulators for all EU Member States.

The GPA’s statement recognizes the unprecedented challenges being faced by organizations to address the spread of COVID-19, and how addressing these challenges requires coordinated responses at national and global levels, including the sharing of personal information as necessary by organizations and governments, as well as across borders.

The GPA stated that it was confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle the COVID-19 pandemic. The GPA underlined that the data protection principles in all laws across the globe will enable the use of data in the public interest and still provide the protections the public expects.

In its statement, the GPA confirmed that despite health data being considered sensitive across many jurisdictions, work between data protection authorities and governments means there are already many examples of national approaches to sharing public health messages; of using the latest technology to facilitate safe and speedy consultations and diagnoses; and of creating linkages between public data systems to facilitate identification of the pandemic’s spread.

The statement sets out the GPA’s support for public bodies and health practitioners being able to communicate directly with individuals, and scientific and government bodies to coordinate nationally and globally, to tackle the COVID-19 pandemic.

The GPA statement points to a wider trend of regulators trying to accommodate the COVID-19 pandemic. A number of data protection regulators have already issued specific COVID-19 guidance and the GPA website has a dedicated data protection and COVID-19 resources page that provides the latest guidance and information from GPA members, which includes the latest guidance issued by regulators in Canada, France, Germany, Hong Kong, Ireland, Italy, the UK and the U.S. We expect to see additional guidance issued by regulators as the pandemic progresses. For example, on March 18, 2020, the Greek data protection regulator adopted guidelines for managing COVID-19 and the data protection regulator for the German state of Lower Saxony confirmed that personal data can be collected for various purposes linked to containing the coronavirus outbreak or to protect employees, provided the principle of proportionality is observed and a legal basis for processing is established.