Due to the COVID-19 pandemic, many countries declared a state of emergency. On 24 June 2020, the Luxembourg legislature adopted a law establishing a statutory framework to continue the fight against coronavirus after the end of the "state of crisis" (état de crise) at midnight that day.
The new law, covered in an earlier article (available in French), established a system to monitor personal data (in particular health data) relating to both infected individuals and individuals at high risk of infection. As the system would entail significant processing of personal data, the Luxembourg data protection authority (Commission nationale pour la protection des données or "CNPD") issued an opinion (available in French) on the proposed monitoring system and its compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR").
On 17 July 2020, the aforementioned law was repealed and replaced with a new law introducing a series of measures to fight Covid-19 (the "Covid-19 Act"). The monitoring system set up under the previous legislation was however left untouched for the most part.
Below, we summarise the data protection aspects of the Covid-19 Act, Section 4 of which (mainly Article 10) contains the provisions on data processing.
1. Purposes of the processing of personal data and categories of personal data processed by the monitoring system
Under the GDPR, personal data must be collected for specified, explicit and legitimate purposes. The Guidelines of the European Data Protection Board ("EDPB") on the use of location data and contact tracing tools in the context of the COVID-19 outbreak emphasise the need to carefully define the purpose(s) for which personal data are processed.
Pursuant to the Covid-19 Act, the monitoring system (and the data processing it entails) is intended to:
- detect, assess, monitor and acquire knowledge about the spread and evolution of COVID-19;
- guarantee citizens access to care and means of protection against the disease;
- create organisational and professional frameworks;
- answer requests for information and comply with obligations to provide information from European or international health authorities.
Although the CNPD stated in its opinion that the above-mentioned purposes ought to be described in more detail in order to ensure GDPR compliance, the initial bill was not amended to provide further clarification in this regard.
Regarding the categories of personal data processed in the context of the monitoring system, however, the legislature did follow the CNPD's advice. Article 5 of the Covid-19 Act now expressly lists the categories of data collected from infected individuals and individuals at risk of infection, including health-related data, which are a special category of data under Article 9 of the GDPR and benefit from heightened protection. It should be noted that personal data relating to individuals who have tested negative (i.e. name, gender, identification number or date of birth, and municipality of residence or address) are also collected by healthcare professionals and transmitted to the Health Directorate of the Ministry of Health.
The same provision governs the transmission of personal data to the Ministry of Health in order to ensure adequate monitoring of the evolution of the pandemic. It also obliges infected individuals to inform the Health Directorate or its representative, as well as certain designated civil servants or government employees, of their status, and to provide them with the names of all individuals with whom they were in contact during the 48 hours prior to the appearance of symptoms or the receipt of a positive test result.
2. Data retention period
Under the GDPR, the period for which personal data may be stored must be proportionate. The EDPB considers that an economic, political or sanitary crisis must not be used to justify a disproportionate data retention period.
Although the Covid-19 Act does not indicate a specific retention period for the data processed in the context of the monitoring system, it does state that:
- the data will be anonymised upon expiry of a three-month period running from the end of the state of crisis, i.e. in principle on 24 September 2020. However, this period will almost certainly be extended in the coming weeks by legislation amending the Covid-19 Act (a new bill, No 7645, was introduced on 3 September for this purpose). Moreover, there are discussions in Parliament about whether the personal data should undergo pseudonymisation rather than anonymisation at the end of the retention period (which may ultimately be the end of March 2021, depending on whether and in what form the aforementioned bill is adopted by Parliament);
- the data may be processed for purposes of scientific or historical research or for statistical purposes subject to certain conditions, including pseudonymisation;
- the data are anonymised before being transmitted to European or international health authorities pursuant to the Covid-19 Act;
- data regarding individuals who tested negative are anonymised three days after their receipt by the Health Directorate or its representative.
3. Safeguards to prevent the abuse of and unlawful access to and transfer of data
The Covid-19 Act contains a number of safeguards to protect the large quantities of personal data collected. Pursuant to Article 10(5), every access to the monitoring system and every action performed in it is recorded and dated. The system also makes it possible to identify which persons accessed the data it contains and the context in which that access occurred.
Only doctors, healthcare professionals, and civil servants empowered by the Health Directorate or its representative, all of whom are subject to a duty of professional secrecy, may access the data of infected individuals or individuals at high risk of infection, and only for the purpose of fulfilling legal or contractual duties entrusted to them.
4. Rights of data subjects
Given the purposes of the monitoring system, the Covid-19 Act imposes certain restrictions on the rights of data subjects. In particular, infected individuals and individuals at high risk of infection cannot object to the processing of their personal data unless they have a negative Covid-19 test. The law specifies that data subjects may exercise their rights under the GDPR against the Health Directorate of the Ministry of Health, which acts as controller for most of the personal data processed in the context of the monitoring system.
The Covid-19 Act's monitoring system is almost identical to the one set up by the repealed Act of 24 June 2020. Given the monitoring system's continued relevance in light of a "second wave" of infections, the Covid-19 Act will, in all likelihood, be extended in the coming weeks; a new bill was indeed introduced on 3 September to extend and adapt it. A crucial issue in this respect is whether the adoption of this bill will result in the personal data collected being pseudonymised at the end of the retention period (as opposed to anonymised, as the current version of the Act provides). This determines whether the GDPR applies to any processing carried out afterwards: pseudonymised data remain personal data and the GDPR continues to apply, whereas the GDPR does not apply to the processing of truly anonymised data. Be sure to check our website for updates.