How do data protection rights fare in Corona times?

Data protection versus Corona?

‘How do data protection rights fare in Corona times?’ was the subject of the Privacy Focus Group session on the very day of the GDPR’s third implementation anniversary. Clearly, there have been plenty of sticky situations, but privacy professionals have rising to the challenge and have proven to be able to cope and help!

Not that there weren’t problems galore. Mrs. Alexandra Jaspar, director of the ‘knowledge centre’ of the Belgian Data Protection Authority (DPA) sketched an overview of the often uphill battle to defend the privacy rights of the Belgian citizens against weakly defined and all too broad COVID19-decrees and -measures of governments at all levels. All laws and decrees must be submitted to the DPA’s knowledge centre for mandatory advice, but this was on quite a few occasions evaded. Furthermore, this advice is non-binding, and till today there is no agreement in the management committee of the DPA to launch inquiries into practices of governments that breach the privacy regulation!

Mrs. Jaspar illustrated her frustrated efforts with examples from the 32 pieces of advice on ‘Corona’ draft-bills and –regulations (all of them published on the site of the DPA, along with other key COVID19-privacy information). The DPA also published sorely needed guidelines, without being requested to do so (e.g., the ‘horeca’ contact tracing data gathering). Several examples concern the ‘vaccination’ laws and measures, with among others a one-article law (‘fully delegating powers to the government’ – Antigenics law of December 22nd 2020) and the royal decree of December 24th 2020 (e.g., ‘vaguely defined purpose’, ‘no relation between data and purposes’, ‘no necessity and proportionality test possible’, ‘retention period too long’…). Or consider the objections to the ‘Pandemic’-law. Advice? Do check this presentation for some eye-openers.

Employers, too, had to strike a balance between their obligations regarding the welfare of their employees and privacy protection. In her presentation ‘Data protection in Corona times, an HR perspective’, Mrs. Sara Cockx, partner at Schoups, provided some examples of the tension between these obligations (with potential criminal convictions, if neglected) and privacy. Indeed, processing of health-related data is basically not allowed, and asking employees for consent is not acceptable. That leaves the employer with challenges regarding COVID19-classics as for example taking temperature measurements (a ‘no go’, unless temperature values and other data are not registered/kept), or learning whether an employee has taken ill (no obligatory reporting to the employer, but employees have responsibilities towards their co-workers) and more. Regarding vaccination, employers cannot demand vaccination (fundamental freedom of choice), but they are encouraged to inform employees about the advisability of vaccination. A differential treatment of vaccinated and non-vaccinated personnel is also not allowed (non-discrimination) though possibilities perhaps exist in the realm of absenteeism bonuses. Other COVID19-induced challenges include rules regarding teleworking (e.g., teleworking from somebody’s holiday residence; teleworking from abroad with possible data transfers outside EU), work monitoring (beware of CBA 81), and smart office initiatives (reservation data processing). Nevertheless, “privacy and employer obligations can be reconciled!” Indeed, this was yet another interesting presentation with plenty of practical pointers.

Perhaps the strongest concerns were expressed in the presentation ‘How do data protection rights fare in Corona times’ of Prof. Paul De Hert (VUB/U Tilburg, and co-organizer of the CPDP privacy event). Yes, “the discussion on the COVID19 tracing-app was a golden one for the data protection community, since it allowed to do the things we like to do: checking on legality and appropriate safeguards.” Or, “everybody as DPAs, DPOs, etc. didn’t do too badly.” But…

Laws as the GDPR are too vague about technologies, with plenty of exceptions, particularly favouring all kinds of data processing by authorities. A major danger is governments getting away with the introduction of privacy threatening technologies in a covert way, often without asking for privacy-related advice. That is particularly problematic when done by people with less affinity with privacy laws. As a result, previous technocratic-oriented governments and authorities at all levels have already taken initiatives that create a surveillance architecture in our society. It worries Prof. De Hert that warnings expressed in articles in, for example, Le Soir are barely considered worthy of attention in other parts of the country. While denying intentions for a ‘surveillance society’, authorities at a lower and decentralized level are encouraged to install technology such as cameras through hefty subsidizing (cf. the 2017 Camera Law of Jambon).

How was this possible? Few understand what’s happening, it is a highly technocratic matter, and much is implemented by non-political and little known organizations… Clearly, there is a need for a ‘broader democratic testing’ of what is happening, with more political governance of technology, and laws with less technology-neutral language. Clearly, this is another presentation demanding your attention.

(Visited 36 times, 1 visits today)

Cookie	Duration	Description
cookielawinfo-checkbox	11 months	The cookie is used to store the user consent for the cookies.
cookielawinfo-checkbox-analytical-third-party	1 year	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Analytical Third Party'.
cookielawinfo-checkbox-functional	1 year	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Functional'.
cookielawinfo-checkbox-functional-third-party	1 year	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Functional Third Party'.
cookielawinfo-checkbox-technical	1 year	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Technical'.
viewed_cookie_policy	11 months	The cookie is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
yt-remote-connected-devices	temporary	This cookie stores user video playback preferences for embedded YouTube videos.
yt-remote-device-id	temporary	This cookie stores user video playback preferences for embedded YouTube videos.

Cookie	Duration	Description
GPS	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
VISITOR_INFO1_LIVE	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.
YSC		This cookies is set by Youtube and is used to track the views of embedded videos.

How do data protection rights fare in Corona times?

EDUbox Data en Privacy: de balans tussen delen en beschermen

Cyber Security General Assembly 2024

2023 Member Satisfaction Survey

Chair Jan De Blauwe’s New Year address 2023

You may also like

Sign up for our Cyber Pulse newsletter