EU Data Protection Authorities’ response, balancing data protection against public health, economic concerns and an official global pandemic.
By now we are all aware that we are living in unprecedented times across social, economic, and political spheres. Aside from emergency laws, legal obligations remain consistent, with the General Data Protection Regulation (GDPR) being no exception.
While there are exceptions for the use of data in the public interest, such as the scientific and health research that will be leveraged during these times to enable governments, medical bodies, and the public sector to assist the public, the obligations and processing safeguards contained within the GDPR remain law. During these challenging times, this can and should provide a level of comfort to us all. Your data subject rights remain just that – your rights.
While our medical professionals are working tirelessly and selflessly on the frontline, the majority of us are working from home on a scale we are unfamiliar with, without the comforts, social norms, and routines we have become accustomed to. The social distancing benefits that come with working from home during a pandemic are clearly needed, but working remotely is not without its challenges. From a cybersecurity point of view, these include VPN vulnerabilities, an increase in phishing and malware attacks, and an increased likelihood of a data breach occurring. Meanwhile, companies are grappling to enact their business continuity plans and assure everyone that it is “business as usual”.
We have witnessed a number of government agencies worldwide enact emergency laws that set aside national laws to combat COVID-19. The majority of data protection authorities (DPAs) in the EU have released statements confirming that data protection rights under the GDPR and national data protection laws still stand and remain in full force. However, in line with the community spirit, a number of DPAs have stressed that the GDPR does not and will not hinder our responses to COVID-19. Complaints from data subjects will be reviewed on a case by case basis, especially where the process of complying with the law could require significant resources and time. The most obvious example is Data Subject Requests (DSRs), which require companies to respond within the prescribed one-month time period.
While DPAs have mentioned that there may be a case by case review of non-compliance regarding response times to Data Subject Requests, they have also made it clear that the law, and the principle-based obligations it imposes, still stand. For example, the processing of data without appropriate safeguards in place to protect the rights and freedoms of data subjects will not be tolerated.
Therefore, it is important for organizations to ensure their privacy programs are maintained and enforced. Furthermore, organizations should review and enhance their cybersecurity programs in light of the predicted and, unfortunately, actual increase in cyber and malware attacks at present.