It is crucial to balance security and the safety of the health of the public and the right to privacy of citizens.
The proclamation of COVID 19 as a global health pandemic by the World Health Organization, as well as a nationwide state of emergency, means limiting the right to the protection of personal data to the data subject, and increasing the right of the controller, especially the public institutions for the protection of human health for the purposes of the public interest, i.e. data processing in favor of public health. And it more than certainly affects the right to privacy of citizens.
The right to privacy stems from the processing of personal data, as well as the processing of metadata and data sets that can provide information that can identify a particular individual.
Fundamental Human Right
Privacy is one of the fundamental human rights, established and regulated by the most important international legal acts , among which : the Universal Declaration of Human Rights , the European Convention on Human Rights and the International Covenant on Civil and Political Rights.
There is no separate privacy law in our legislation that further regulates this matter from the point of view of the right of privacy of individuals.
Privacy is broad, complex concept, or sublimate of several individual rights in our system. In the Republic of North Macedonia the right to privacy is standardized in Articles 17, 25 and 26 of the Constitution , in the section dedicated to Civil and Political freedoms and rights .
- The freedom and secrecy of correspondence and all other forms of communication are guaranteed. This right may be waived only on the basis of a court decision and in appropriate legal proceedings (Article 17).
- Every citizen is guaranteed the respect and protection of the privacy of his or her personal and family life, dignity and reputation (Article 25).
- Every citizen is guaranteed inviolability of their home. The right to inviolability of home can be restricted only by a court decision when it comes to detecting or preventing crimes or protecting human health (Article 26).
The Council of Europe, as the most important international organization in the field of promoting and protecting human rights and freedoms, provides a similar definition in Article 8 of the European Convention on Human Rights, according to which: “Everyone has the right to respect for his private and family life, the home and the correspondence. Public authority must not interfere with the exercise of this right unless such interference is provided for by law and is a necessary measure in a democratic society, which is in the interests of national and public security, of the economic well-being of the country, to prevent the riot or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. "
Raising the right to privacy as a constitutionally guaranteed human right indicates the enormous significance of this right for the individual, which carries with it certain rights / powers but also obligations / responsibilities for both the individual right holder and other individuals, but also for the state and its institutions.
Exceptions to the right of privacy
The legislator in our country has foreseen deviations, i.e. limitation of the right to privacy in cases arising from the processing of personal data. The new law on personal data protection, adopted just two months ago, is in line with EU Regulation on personal data protection 2016/679, which further regulates the issue of information security and security, resulting in the protection of privacy of users. the data we have / process.
"Health-related data" (definition of law) means personal data relating to the physical or mental health of the natural person, including data on the health care received that discloses information about his or her health;
Bearing in mind that this section concerns the collection of medical data which is treated as a separate category of personal data, Article 13 regulates the processing of specific categories of personal data and the exception to the prohibition on the processing of such data is in paragraph 9:
- "treatment is necessary for public interest purposes in the field of public health, such as protection against serious cross-border health threats or the provision of high standards of quality and safety of health care and medicines or medical devices, by law, in which provides for appropriate and specific measures to protect the data subject's rights and freedoms, in particular the protection of business secrets;
Article 27 regulates situations where the scope of obligations undertaken to protect the personal data and rights of an entity is restricted, where such limitation is in accordance with the essence of fundamental rights and freedoms and is a necessary and proportionate measure in order to ensure:
- paragraph 5) "other matters of general public interest to the Republic of Northern Macedonia, and particularly important economic or financial interest of the Republic of Northern Macedonia, including monetary, budgetary and tax matters, public health and social protection;"
Challenges from “Profiling”
Regarding the impact of COVID 19 on the protection of personal data, the regulator says that the Law on Personal Data Protection is in no way an obstacle to implementing public health protection measures.
But they did not identify the major challenges to privacy protection arising from profiling. "Profiling" (definition of law) is any form of automatic processing of personal data, which consists of the use of personal data for the assessment of certain personal aspects related to the individual, and in particular for the analysis or prediction of aspects relating to enforcement of the professional obligations of that individual, his or her economic status, health, personal preferences, interests, confidentiality, behavior, location or movement; And what is it that epidemiologists do if it is not profiling, or so on mapping potential patients / persons who came in contact with the infected?! In such situations there is an increased processing of personal data, but the volume of data may be greater than is necessary to fulfill the purpose for which it is processed. Therefore, very carefully with the collection and processing of personal data. At the very least, minimize volume and not collect unnecessary data.
It also would disagree with the regulator when it says that confidentiality should prevent the employer from disclosing to other colleagues that a particular employee has a virus. In this regard, however, we would further respect the recommendations made by the Office of the Commissioner for Data Protection in the UK who recommend that this information should be disclosed for the purpose of informing employees of the organization, but not beyond, and in this case we would add more effective work of the Commission on Infectious Diseases and epidemiologists' mapping. In this respect, the public interest defined by the protection of public health and employee health over the right to privacy at work arising from the processing of the employee's personal data prevails.
Is the Law applicable in a state of emergency?
This virus also changes the way we communicate with personal data subjects in the health field. Thus, the Health Insurance Fund has undertaken a number of activities in the direction of the way health institutions operate. In such circumstances, the transmission of data relating to the health of the person by electronic mail to the person designated by that institution shall be carried out. In such circumstances, we can only ask ourselves whether the technical measures of network security applied by this controller, and similar ones, are sufficient to protect that data?!
It remains to be seen how Article 84 of the Law on Personal Data Protection will be applied, which states that "only after prior approval by the Agency shall be processed data relating to human health". It remains unclear whether this article still applies in a state of emergency.
The case of Montenegro
In the region, the decision of the Government of Montenegro, with the consent of the Agency for Personal Data Protection, which tweeted the public and published the list of people in isolation, is bizarre. Not only did it encourage lynching and hate speech, but it gave the public the role of the one who should enforce the right, that is, the public to take justice into their own hands. This decision is wrong for several reasons:
- unconstitutional - as presented there is no clear justification for such a radical measure with regard to the right to privacy.
- illegitimate processing, as this does not refer to data on the health status of a natural person. This is the personal data of people who are in self-isolation (name, surname and address), but it does not mean that they are infected.
- The limitation envisaged by the legislator does not justify the disclosure of data at all costs to all persons, in which situations it can be taken into account. There is no separation of different groups of people, nor are the basic principles of legitimacy and minimization respected.
- Indefinite timeframe for storing / publishing this data - even though the date is when the person is in self-isolation, this data can still be downloaded, screen-printed and thus misused. Any further processing without a legitimate purpose would also be illegal.
The call from the media to adopt a decree in our country, which contains two proposals, is also aimed at repeating Montenegro's mistakes. Of course, publishing ONLY the regions / location data of those in self-isolation, unless tied to personal data / individuals / names / addresses, as in the case of Montenegro, is not a violation of the right to privacy. We have a map with information, but for people infected by locations / cities, it already exists. There is even information on gender and age. And that is enough, there has to be a minimization of the data needed for the general public, that is, to respect the public's right to know.
After all, the European Personal Data Protection Board issued a public statement with recommendations on the legitimacy, information and untimely processing of personal data at the time of the COVID virus 19.
COVID 19 not only changes the rules of the game, it also affects the protection of privacy through the limitations that the legislator has made in the area of protecting public health. It is more than obvious that in such situations, the consent of the entities is no longer required to process their personal data for the purposes of more extensive processing of medical data. The restriction is only for the safety and protection of public health, but that does not mean that the right to privacy per se should be restricted. There must be a constant balance and it must to some extent affect the right to privacy, keeping in mind the principle of legality and legitimacy in the processing of personal data.