August 11, 2020

Volume X, Number 224

August 11, 2020

Subscribe to Latest Legal News and Analysis

August 10, 2020

Subscribe to Latest Legal News and Analysis

EDPB Announces Scope of COVID-19 Guidance

Following its 20th plenary session on April 7, the European Data Protection Board (EDPB) selected geolocation and health data to focus on in its upcoming COVID-19 guidance. This follows in response to the EDPB’s earlier broad statement on the processing of personal data in the context of COVID-19.

In its March statement, the EDPB made clear that the GDPR does not hinder measures taken in the fight against the current coronavirus pandemic, but that businesses are not exempt from complying with the GDPR and ensuring the protection of personal data “even in these exceptional times.” The EDPB emphasized that the GDPR allows certain public health authorities and employers to process personal data in the context of an epidemic, provided a lawful basis is met such as necessary for reasons of substantial public interest in the area of public health. The EDPB also reminded that when processing location data, national laws implementing the ePrivacy Directive must be followed. In principle, location data can only be used by the operator when the information is made “anonymous” or with the consent of individuals.  While the EDPB’s statement provided some answers to questions on processing of data in the context of COVID-19, there are few concrete recommendations. The authorities of nearly all EU member states have issued supplemental guidance.

As businesses and public agencies grapple worldwide with how to better understand COVID-19 and the pattern of its outbreak and spread, organizations are looking to use and analyze certain personal data in new ways. For example, will analyzing geolocation data help to assess efficacy of social-distancing? How can medical data collected in the context of COVID-19 be re-used and shared? EDPB’s impending guidance is intended to focus on these two topics: geolocation and health data.

The guidance on geolocation and other tracing tools is expected to address: (1) the use of aggregated / anonymised location data (e.g. provided by telecom or information society service providers) and the effectiveness of such techniques; (2) the application of GDPR’s principles to the different ways available to gather location data or trace interactions between people; (3) a legal analysis of the use of apps and collection of personal data by apps to help contain the spread of the virus; (4) the required safeguards to protect geo-location or other tracing tools; (5) recommendations or functional requirements for contact tracing applications; and 6) a potential pre-defined timeframe for the processing of such data limited to what is strictly necessary to tackle the emergency situation.

The guidance for the processing of personal health data for research purposes will address: (1) the fundamental aspects of processing of health data, such as legal basis, data subject rights, and retention; (2) re-use of medical research data connected to the COVID-19 crisis and data sharing; and (3) exercise of data subject rights in an emergency situation.

The EDPB decided to postpone the guidance work on teleworking tools and practices, instead focusing on the above topics for the time being.

Putting it Into PracticeWhile organizations in various sectors are actively working to better understand COVID-19 and the pattern of the outbreak, regulators are signaling reminders that such efforts must be conducted within the framework of existing privacy laws. We expect the EDPB’s forthcoming guidance to provide more specific recommendations.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 106


About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...


Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional services agreements, and other commercial agreements involving technology. Julia advises on strategic and operational decisions involved with conducting internal investigations in response to government investigations or for purposes of corporate compliance.