GDPR turns two at the time of the coronavirus privacy dilemma
The EU DPAs made it clear early on that the general GDPR principles of effectiveness, necessity, and proportionality must guide any measures adopted by Member States when processing personal data relating to the coronavirus epidemic. They are keen to enable governments’ responses to the pandemic and subsequent recovery whilst continuing to protect citizens’ personal data and privacy. At this toddler birthday, it can be said that the GDPR has had a huge impact but clearly much work remains to be done. Data breaches are still far too common, and the SME community has not fully embraced the regulation.
Slovenia has yet to bring the provisions into national legislation and is the last EU Member State to do so. Given the COVID-19 related priorities on parliamentary time, it is not known when the Bill will be debated. For other countries, much of the discussion now centres around fines – or the lack of large ones. This is partly due to the hoops that DPAs sometimes have to go through due to national legislation, as is the case in Ireland. It remains to be seen whether the fining procedure will be addressed in the EU’s GDPR review, which has been delayed and is now promised for 24 June.
Covid-19 has caused delays not just in Slovenia, but also in Thailand, Brazil and South Africa. All of these countries have postponed the coming into force of their data protection laws.
In this issue, we bring you a summary of contact tracing app developments in some EU countries, and an in-depth analysis of the law behind Australia’s CovidSAFE app.
In the EU, there is not much progress regarding the e-Privacy proposal. There were mixed reactions from Member States on revised aspects on legitimate interests, and this, together with delays caused by the pandemic, means that the current presidency of the EU Council, Croatia, will roll over many unresolved issues to the next presidency, Germany, starting on 1 July.
Other noteworthy EU developments are a controversial fining decision from Belgium on DPOs, and another much debated decision, from the Netherlands DPA, on marketing and legitimate interests.
Editor, Privacy Laws & Business