17th April 2020
COVID-19 Pandemic and the Data Privacy Implications
The year 2020 has not unfolded as envisaged for many people, businesses, companies and governments of the world. It has not been business-as-usual for most. The disruption occasioned by the health pandemic, COVID-19, has adversely affected various aspects of global activities. It is changing the world as we know it. The world is fighting for her life and the data privacy space is not excluded in this unfolding drama.
In a bid to effectively combat this pandemic, various governments have resorted to location data analytics, surveillance of its citizens, facial recognition technology and biometrics, thermal cameras and disclosure of health and travel records. On the other hand, the world is working remotely and virtually everyone is on the internet either working or scouring social media. The pandemic has seen a spike in the use of several apps for video conferencing like Zoom and entertainment apps, like TikTok and Triller.
A lot of personal information are obtained and processed on the internet at a much higher rate and frequency than the pre-pandemic era. Governments are forced to overlook several data privacy concerns; private businesses are very much concerned about adequately servicing the populace than addressing privacy concerns in the name of fighting COVID-19. The conundrum now is: what will happen after the pandemic is over? In this paper, the author examines data privacy implications amid the COVID-19 outbreak.
Surveillance as a Weapon Against COVID-19
COVID-19 is a member of a family of viruses called coronaviruses. It has left over Two million people infected and resulted in over 120,000 deaths globally. It is highly contagious and spreads by respiratory droplets from a sick person when they cough or sneeze. The virus is capable of surviving on surfaces for hours and maybe days. The most damning aspect of the virus is the ability of an asymptomatic infected person to infect another person.
As a result of its rapid transmission rate, governments and organisations have turned to contact tracing and surveillance as an effective means of tracking infected persons and curbing its spread. A lot of countries now employ real-time phone location data, credit-card transaction records, mobile apps, and CCTV footage to track the movements of virus carriers and persons they may have encountered. South Korea, China, Hong-Kong, Israel and Taiwan are employing similar measures. For instance, Hong Kong and China have employed drones to monitor excessive social interaction and connected wristbands to ensure patient compliance.
Lately, western countries have joined the party. France recently passed a law empowering the government to control the movement of its residents. The UK and the US are using geo-location data from the mobile ad industry to track the movement of their citizens. Furthermore, in many countries, network operators are sharing customer data with health authorities. Nigeria, in her fight against the virus has also towed this path.
So far, these measures have been effective. For instance, in South Korea, about 400,000 people have been tested in less than two months. Morally, the employment of such measures may seem the right way to go in combating this virus but is it, legally, right?
GDPR, Arts. 6 and 9 dealing with lawful processing, prescribe one of the conditions for lawful processing to include:
“processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
Despite the absence of the data subject’s consent, where the processing of their data is essential for the performance of a task carried out in the public interest, such processing is deemed lawful under the GDPR. Therefore, obtaining and processing of people’s data for contact tracing in order to combat COVID-19 may be deemed to fall within the confines of public interest. On the other hand, the government and National Health Agencies are official authorities within the provision of Art. 6 vested as controllers of such data.
In order to clarify the legality of obtaining and processing data for contact tracing without the data subject’s consent, the European Data Protection Board (EDPB) on March 19, 2020 released a Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak. Section 1 of this statement provides that:
“The GDPR allows competent public health authorities and employers to process personal data in the context of an epidemic, in accordance with national law and within the conditions set therein. For example, when processing is necessary for reasons of substantial public interest in the area of public health. Under those circumstances, there is no need to rely on consent of individuals.”
The EDPB went further to set guidelines for the government’s use of mobile location data by prescribing that Public authorities should first seek to process location data in an anonymous way (i.e., processing data aggregated in a way that individuals cannot be re-identified), which could enable generating reports on the concentration of mobile devices at a certain location (“cartography”). And where processing of anonymous data is not possible, member states can introduce legislative measures to safeguard public security.
Returning home, the Nigerian constitution in section 45 provides exceptions to the rights to privacy of citizens contained in section 37. One of the exceptions includes derogation from compliance in the interest of defence, public safety, public order, public morality or public health; or for the purpose of protecting the rights and freedom of other persons.
In similar vein, Section 26(2) of the National Health Act 2014 provides that a person may disclose a patient’s information where a court order or law requires or where non-disclosure represents a serious threat to public health. Also, where it is within the ordinary course and scope of their duties, a health worker or healthcare provider may disclose such personal information to any other person, healthcare provider or health establishment in the legitimate interest of the user. Basically, screening, testing and diagnostic information can be revealed to government agencies in the interest of public health.
Ultimately, the NDPR also stipulates public interest as an exception to processing data without the data subject’s consent. Article 2.2 provides that it is lawful processing where:
“Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official public mandate vested in the controller.”
Data Privacy Concerns
Flowing from the foregoing, the government and organisations can process the data of her residents and citizens (without their consent) under the safety net of public interest. However, this raises concerns as to how much data is collected and processed as opposed to how much is required? How long will these data be stored? To what purposes will these data be employed? Which persons have access to these data? After the pandemic, will surveillance still be employed, and if so for how long? How well are these data safeguarded from breaches and leaks?
These are crucial questions that need to be answered whether now or in the future. Apart from these questions, there are other privacy concerns.
Participation of Private Companies
It is evident that the usual aim of establishing a business is profit-making. As a result, a lot is to be dreaded with the participation of private companies in the development of technologies to help with contact tracing and obtaining and processing the location data of individuals. For instance, in China, the government worked with a number of tech giants to track the population at the inception of the COVID-19 outbreak. These raise concerns as to whether the data obtained and processed would not be employed for commercial gain by these private interests when the pandemic is over. Guidelines should be established and strictly enforced to ensure these companies do not misuse or abuse the data obtained and processed during this crisis period.
Mass Citizens Surveillance
The pandemic has witnessed many countries aggressively employing mass citizens surveillance methods to curb the spread of the virus. There’s no guarantee these governments would not continue to engage in such high-level surveillance in order to control and dictate the lives of her citizens once the pandemic is over. This may especially be the case with respect to communist states where human rights and press freedoms are relaxed.
Disclosure of Suspected Virus Carrier’s Personal Data
In places like Hong-Kong and South Korea, the personal data of suspected infected persons are permitted to be disclosed on social media and third parties for the purpose of tracking infected persons. In South Korea, members of the community of the infected person are alerted via text message. These raises issues of stigmatisation and invasion of privacy of affected individuals.
The Proliferation of Personal Information Online
Due to the remote nature of work and activities during the various lockdowns, a lot of sensitive personal data that could be transmitted in person are transmitted over the internet, thereby increasing the likelihood of privacy breaches. It is therefore important that companies, government agencies and individuals employ strong cybersecurity measures during this period. Furthermore, because of increased online activities, a lot of personal data will be accumulated and processed by online media platforms. As a consequence, it is important for data privacy regulatory authorities to ensure strict compliance with data privacy laws during this period.
Inasmuch as data is collected, disseminated and used in combating COVID-19, we need to ensure these are done while respecting ethical best practices and complying with data privacy laws. The world is currently fighting a pandemic and it is necessary for the government to do its best using all the resources and technologies within its grasp to win this war. Nonetheless, it is important to note that there will be an aftermath to the COVID-19 outbreak. The safety measures governments put in place right now will determine this aftermath.
Governments and data privacy regulatory agencies should formulate guidelines to guide the collection, processing, use and disclosure of personal information in this delicate time. They should also ensure strict compliance with such guidelines. Data privacy rights and principles should also be adhered to as much as possible.
Data collected and processed should be the requisite ones to combat COVID-19 and should be disclosed solely to persons directly involved in the fight. It should be safeguarded effectively and erased as soon as it is no longer needed. These data should not be monetised as well. Hence, private companies partnering with the government in fighting COVID-19 should be prohibited from commercialising data obtained and processed during this period.
For further information on this article and area of law, please contact
Francis Ololuo at: S. P. A. Ajibade & Co., Lagos by
Telephone (+234.1.270.3009; +234.1.4605091-2)
Mobile (+2348112491286) or
 Bryan Walsh, “The Pandemic’s Coming Health Surveillance State” (21st March 2020) available on <https://www.axios.com/coronavirus-brings-a-future-of-health-surveillance-82c7788b-ba30-4f4b-a5fb-a863273b3b88.html> accessed on 7th April 2020.
 In March, Zoom reached over 200 million daily meeting participants. Available on <https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/> accessed on 7th April 2020.
 2020 has seen the number of tiktok users grow from 37 million users to over 45 million. Available on <https://www.emarketer.com/content/tiktok-to-surpass-50-million-users-in-us-by-2021> accessed on 7th April 2020.
 Other members of this family include the Severe Acute Respiratory Syndrome (SARS) and Middle East Respiratory Syndrome (MERS).
 Yasemin Saplakoglu, “Here’s How Long the Coronaviruswill Last on Surfaces, and How to Disinfect those Surfaces” (16th March 2020) available on <https://www.livescience.com/how-long-coronavirus-last-surfaces.html> accessed on 8th April 2020.
 Nebraska Medicine, “How Does the Virus Spread?” available on <https://www.nebraskamed.com/patients/covid19/how-it-spreads> accessed on 8th April 2020.
 Venture Africa, “Smartphones, Surveillance and the Fight against COVID-19 Pandemic” available on <http://venturesafrica.com/smartphones-surveillance-and-the-fight-against-covid-19-pandemic/> accessed on 8th April 2020.
 France 24, “French National Assembly Greenlights Coronavirus Public Health Emergency Bill” (22nd March 2020) available on <https://www.france24.com/en/20200322-coronavirus-french-national-assembly-greenlights-public-health-emergency-bill> accessed on 8th April 2020.
 Elvira Pollina and Douglas Busvine, “European Mobile Operators Share Data for Coronavirus Fight” (18th March 2020) available on <https://www.reuters.com/article/us-health-coronavirus-europe-telecoms/european-mobile-operators-share-data-for-coronavirus-fight-idUSKBN2152C2> accessed on 8th April 2020.
 Tomiwa Onaleye, “Hoe FG Could Breach Privacy Laws in a Bid to Curb the Spread of Coronavirus Using Phone Data” (18th March 2020) available on <https://technext.ng/2020/03/18/how-fg-could-breach-privacy-laws-in-a-bid-to-curb-the-spread-of-coronavirus-using-phone-data/> accessed on 8th April 2020.
 Art. 6 GDPR.
 Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak. (Adopted on 19th March 2020) available on < https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf> accessed on 8th April 2020.
 Section 3 of EDPB Statement.
 Section 27 NHA Act 2014.
 This is like the provisions of Art.6 of the GDPR.
 Felicity Burling, “Data Protection in a Time of COVID-19: Guidance and Privacy Concerns during a Pandemic” available on <https://www.hfw.com/Data-protection-in-a-time-of-COVID-19-guidance-and-privacy-concerns-during-a-pandemic> accessed on 8th April 2020.
 The activity of hackers will be on the rise at this period.
 Recently Zoom has been facing huge privacy and security backlash as security experts, privacy advocates, lawmakers, and even the FBI warn that Zoom’s default settings aren’t secure enough. Available on <https://www.theverge.com/2020/4/1/21202584/zoom-security-privacy-issues-video-conferencing-software-coronavirus-demand-response>.
 Rositsa Zaimova, “How Data can Help Fight a Health Crisis Like the Coronavirus” (31st March 2020) available on http://www.weforum.org/agenda/2020/03/role-data-fight-coronavirus-epidemic/ accessed on 8th April 2020.
 Estelle Masse, “Recommendations on Privacy and Data Protection in the Fight against COVID-19” (March 2020) available on <https://www.accessnow.org/cms/assets/uploads/2020/03/Access-Now-recommendations-on-Covid-and-data-protection-and-privacy.pdf> accessed on 8th April 2020.