Supplement #33

Sent to subscribers in September 2020

The COVID pandemic has drastically changed the way each of us lives, works or communicates. Less than a year into it, and with dim prospects for the months or years to come, businesses are struggling to respond to conditions and restrictions that are unlike anything else they anticipated or experienced previously. Entire industry segments, such as travel, hospitality, food or entertainment are more-or-less in a state of coma. Employers who used to discourage telecommuting are now requiring their staff to work from home. Businesses are trying to reinvent themselves. Little by little, each country is attempting to adapt to the new reality, and address the variety of issues presented by the havoc caused by the magnitude and intensity of the attack on people’s health and condition. 

Personal data has not been spared by the pandemic. In a world knocked down by a powerful, destructive virus, sensitive personal information is relevant and necessary (or is it really?) to almost every aspect of a person’s public and personal life. Very sensitive information about each individual is often a key element in addressing the care of that person, in avoiding contagion, in analyzing the effects of a drug, in gathering data about the death toll or other statistics, and much more. Governments and their agencies, at time too slowly, are realizing that in the fight against the virus, privacy and the protection of privacy rights are at risk if limits are not set to how much information can be collected and what can be done with that information. 

In this Supplement #33, you will find out, among other things, how some countries have reacted to the effects that the pandemic is having on the use and potential misuse of personal data. As is often the case, there are times where privacy rights and security and safety end-up on opposite sides, and both aspects must be balanced. In this case, the privacy and data protection laws and principles may serve to guide governments, legislators and other who collect, use or share personal data.  

In the past few months, numerous countries have recognized this tension and developed guidelines for their constituencies on different aspects of the response to the pandemic as it relates to the protection of personal data.  For example, in this Supplement #33 you can read about:

Government Regulations

• Israel passed temporary, emergency regulations to permit the tracking of data that in other circumstances would be considered extremely sensitive, such as people’s names, identification number, health status and location.  These measures were justified to the extent that they meet the principles of good faith, reasonability and proportionality.

Guidelines

• In Greece, the data protection authority published guidelines regarding the use of personal data by employers.
• In Slovakia, the data protection authority published a series of opinions and guidelines regarding the measurement of temperature for employees and visitors to the workplace, guidelines for ensuring the security of employees’ laptops used when working from home, and guidelines on the use of location data and contract tracking tools in the context of the COVID outbreak. 
• In the Philippines, the data supervisor authority issued guidelines regarding the collection of personal data, to ensure that only data that was “necessary” be collected, and that it be disclosed “only to the proper authority”. It also issued guidelines for health institutions and their data protection officers regarding the use and disclosure of sensitive data.  The data protection authority also published guidelines on general security measures to organization operating under a Work from Home arrangement (WFH), to be applied both during the pandemic and whenever any telecommuting arrangement is implemented.

Enforcement Actions

• In Norway, the data protection authority blocked the use of a contact tracing app launched by the Norwegian Institute of Public Health, which required users to provide personal data both for contact tracing and for analysis and research without giving the opportunity to consent to only one of the purposes separately.
• In Chile, the Ministry of Health and the Ministry of Transport and Telecommunications announced that the use of GPS technology on cellphones would be analyzed to observe the population’s mobility during the pandemic.  However, the Transparency Council stated that it wants to review the detail of the initiative because it may be inappropriate. As of the date of this writing no rules on the subject has been published. 

Legal Moratorium

• Brazil postponed the date of entry into force of its new data protection law, the LGPD.  The entry into force of the law is postponed to May 3, 2021 and the administrative penalties provisions will enter into force in August 2021.

Despite the grim times, Supplement #33 also brings good news.  

After 7 years in a holding pattern, the data protection law of South Africa is now in effect!  Enacted by the South Africa Parliament in July 2013, the Protection of Personal Information Act (or POPIA) was approved by the President and became a law in November 2013.  After many years of waiting and pressure from the Information Regulator for the commencement of the law, the South Africa President proclaimed the commencement date of POPIA to be July 1, 2020.  The law is now fully in effect and organizations have a one-year grace period (computed from July 1, 2020) to ensure that all of their processing of personal data comply with the new law.  Thus, on July 1, 2021, all processing of personal data in South Africa must comply with POPIA.

To our subscribers:  Thank you for subscribing to this treatise

To all contributors to this Supplement #33:  Thank you for your timely reports.

To the Wolters Kluwer and CCH  teams who make this treatise happen and work tirelessly to deliver each supplement on time: Thank you for your hard work.

To everyone:  Keep safe! Keep healthy!