Published online by Cambridge University Press: 06 December 2017
The article tackles the issue of personal data protection in case of tracing (looking for) individual persons who have been exposed to health risks pursuant to the EU Decision 1082/2013 on Serious, Cross-border Health Threats. This problem exemplifies just one among many challenges of the health-security nexus in the EU. That is, it regards a certain trade-off between the limitation of individual rights and securing populations’ safety. The text appraises the safeguards for the (lawful) limitation of the right to data protection after an in-depth examination of the provisions of the Health Threats Decision, its implementing measures, the reports on its operation, and in light of the general EU data protection laws. In conclusion, it claims that a number of improvements are needed because of the incompleteness, and the insufficient coherence and transparency of the EU regime for health threats. The established shortcomings are, at least in part, caused by the new EU “integrated approach” to health and security. In effect, an overall philosophy of reforms of public health policy in the name of “all-hazards security” applied in the Health Threats Decision can result in a reduction of the adequate level of protection of individuals’ personal data.
PhD, Assistant Professor at the Centre for Europe, University of Warsaw. I am grateful to an anonymous reviewer for the helpful comments on an earlier draft. All omissions remain mine.
1 See Report on Operation of the Early Warning and Response System (EWRS) of the Community Network for the epidemiological surveillance and control of communicable diseases during 2006 and 2007 (The 2009 Report) (COM(2009) 228 final) 5–6.
2 Fallow, H, “Reforming Federal Quarantine Law in the Wake of Andrew Speaker: ‘The Tuberculosis Traveller’” (2008) 25 Journal of Contemporary Health Law & Policy 83 Google Scholar.
3 Proposal for a Decision on serious cross-border threats to health (COM(2011) 866 final) point 5.4.
4 See also Mariner, W, Annas, G and Parmet, W, “Pandemic Preparedness; A Return to the Rule of Law” (2009) 1 Drexel Law Review 341 Google Scholar; Goold, B and Lazarus, L, Security and Human Rights (Hart Publishing, 2007)Google Scholar.
5 See further Hylke Dijkstra and Anniek De Ruijter in this issue of EJRR.
6 See de Ruijter, A, “Mixing EU Security and Public Health in the Health Threats Decision” in A de Ruijter and M Weimer (eds), EU Risk Regulation, Expert and Executive Power (Hart Publishing, 2017)Google Scholar.
7 Decision 1082/2013/EU on serious cross-border threats to health [2013] OJ L 293/1, which repealed Decision 2119/98/EC setting up a network for the epidemiological surveillance and control of communicable diseases in the Community [1998] OJ L 268/1 (Old Surveillance Decision).
8 Flear, M, Governing Public Health: EU Law, Regulation and Biopolitics (Bloomsbury Publishing, 2015) 144 Google Scholar. See also F Bombillar, “The Case of Pandemic Flu Vaccines: Some Lessons Learned” (2010) 1 EJRR 427.
9 Recital 3 and 6 of the Preamble, Health Threats Decision. See also Council Conclusions on lessons learned from the A/H1N1 pandemic – health security in the European Union (doc ref 12665/10, 13 September 2010) and Presidency Conclusions on Bioterrorism (doc ref 13826/01, 15 November 2001).
10 Cf Lakoff, A, “Two Regimes of Global Health” (2010) 1 Humanity 59 CrossRefGoogle Scholar; and Fidler, D, “From International Sanitary Conventions to Global Health Security: The New IHR” (2005) 4(2) Chinese Journal of International Law 325 Google Scholar.
11 Opinion of the European Data Protection Supervisor on the proposal for a decision of the European Parliament and of the Council on serious cross-border threats to health, Executive summary [2012] OJ C 197/21, point 4.
12 Art 2 para 1; Art 3 point g), Health Threats Decision.
13 See point 4 of the Preamble, Health Threats Decision; Kuhlau, F, “Countering Bio-Threats: EU Instruments for Managing Biological Materials, Technology and Knowledge” (2007) 19 SIPRI Policy Paper 1 Google Scholar.
14 Art 2 para 1, Art 4 para 2, Health Threats Decision, in relation to Art 1, para 1, International Health Regulations, available at <www.who.int/emergencies/en> accessed 18 October 2017.
15 See Brem, S and Dubois, S, “Different perceptions, similar reactions: Biopreparedness in the European Union” in P Katona et al. (eds), Global Biosecurity Threats and Responses (Oxford University Press, 2010) 137–156 Google Scholar.
16 See Art 4-12, Health Threats Decision. See also Lentzos, F and Rose, N, “Governing insecurity: contingency planning, protection, resilience” (2009) 38(2) Economy and Society 230 Google Scholar.
17 The text focuses on the measures which may involve personal data exchange. The tools which collect anonymised data for mandatory reporting are of no direct concern here.
18 See also Frischhut, M and Greer, S, “EU public health law and policy – communicable diseases” in T Hervey et al. (eds), Research Handbook on EU Health Law and Policy (Edward Elgar, 2017) 315–331 Google Scholar.
19 Point 5 of the Preamble, Art 6 and 9, Health Threats Decision; and Art 8, para 1, Regulation (EC) No 851/2004 establishing a European Centre for Disease Prevention and Control (ECDC Regulation) [2004] OJ L 142/1. See <https://ecdc.europa.eu/en/threats-and-outbreaks/outbreak-tools>, accessed 31 October 2017.
20 Art 9 para 1, Health Threats Decision. See also Art 4, Regulation 851/2004.
21 Art 2, para 1, Commission Implementing Decision (EU) 2017/253 laying down procedures for the notification of alerts as part of the early warning and response system established in relation to serious cross-border threats to health and for the information exchange, consultation and coordination of responses to such threats pursuant to Health Threats Decision [2017] OJ L 37/23 (Implementing Decision on Alerts).
22 Art 9 para 1, points a–c, Health Threats Decision.
23 Art 9, para 3, Health Threats Decision.
24 Art 9 para 3, points i–j. See EU Agency for Fundamental Rights and Council for Europe, Handbook on European Data Protection Law, 2nd edn (Luxembourg Publications Office of the European Union, 2014) 92 Google Scholar.
25 See <ewrs.ecdc.europa.eu/>, accessed 18 October 2017.
26 See Commission Recommendation 2012/73/UE on data protection guidelines for the Early Warning and Response System [2012] OJ L 36/31, point 5 (Old Commission Data Protection Guidelines).
27 Art 16 para 3, Health Threats Decision.
28 See Art 8 and 20, Health Threats Decision, and the EU implementing legislation available at <ec.europa.eu/health/communicable_diseases/early_warning/comm_legislation_en.htm>, accessed 18 October 2017.
29 Art 8 para 2 and Art 10, para 1, ECDC Regulation 851/2004; and Report on the implementation of Decision No 1082/2013/EU of the European Parliament and of the Council of 22 October 2013 on serious cross-border threats to health and repealing Decision No. 2119/98/EC (The 2015 Report) 9. See further Kittelsen, S, “Conceptualizing Biorisk: Dread Risk and the Threat of Bioterrorism in Europe” (2009) 40 Security Dialogue 51 Google Scholar.
30 Art 7 para 1, Health Threats Decision.
31 Conclusions, European Data Protection Supervisor Opinion on the proposal for a decision of the European Parliament and of the Council on serious cross-border threats to health (28 March 2012) 7, (EDPS Opinion 2012) <edps.europa.eu/sites/edp/files/publication/12-03-28_threats_health_en_0.pdf>, accessed 18 October 2017.
32 Art 3f, and also, recitals 25–27 of the Preamble, Health Threats Decision.
33 Art 17, Health Threats Decision and Art 4, Implementing Decision on Alerts. See also Elbe, S, Security and Global Health (Polity Press, 2010) 1–66 Google Scholar.
34 Art 9 para 3 i) and Art 16 para 2, Health Threats Decision.
35 Cf Old Commission Data Protection Guidelines, point 4 and Report from the Commission on the operation of the Early Warning and Response Systems (EWRS) of the Community Network for the epidemiological surveillance and control of communicable diseases during years 2004 and 2005 (The 2007 Report) (COM(2007) 121 final) 8.
36 The 2007 Report 5-6; the 2009 Report 3; and the 2015 Report 9. See also Report on the Operation of the Early Warning and Response System of the Community Network for the Epidemiological Surveillance and Control of Communicable Diseases during 2002 and 2003 (The 2005 Report) (COM(2005) 104 final).
37 The 2007 Report 5 and the 2009 Report 6.
38 Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31; Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data [2001] OJ L 8/1.
39 References to the repealed Directive will be construed as references to the Regulation, the Regulation on Data Protection 2001/45 will still apply to EU institutions, Art 2, 94 and 99, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”) [2016] OJ L 119/1. In the text, I provide references to both acts as necessary.
40 See generally Lynskey, O, The Foundations of EU Data Protection Law (Oxford University Press, 2015)Google Scholar.
41 See also McDermott, Y, “Conceptualising the right to data protection in an era of Big Data” (2017) January-June Big Data & Society 1 Google Scholar; Van der Sloot, B, “Do data protection rules protect the individual and should they? An assessment of the proposed General Data Protection Regulation” (2014) 4 International Data Privacy Law 307 Google Scholar.
42 Art 7(c, d, e), Directive 95/46, Art 6(c, d, e), GDPR in connection with the provisions of Health Threats Decision. See Old Commission Data Protection Guidelines, point 4.
43 Art 6, para 1(a–b), Data Protection Directive, Art 4, para 1(a–b); and cf Art 5, para 1(a–b), GDPR.
44 See C-101/01 Bodil Lindqvist [2003] I-12971.
45 See C-404/92 P X v Commission [1994] I-04737 and Handbook on European Data Protection Law, supra, note 22, 42–45.
46 Art 8, para 2(a)(c–d), and paras 3–4, Directive 95/46 which are in principle reflected in Art 6(a), (d) and (e), Art 7 and 9 GDPR.
47 Art 9, para 2(i) GDPR.
48 See also Handbook on European Data Protection Law, supra, note 22, 92–93.
49 See also C-92/09 and C-93/09 Volker and Markus Schecke GbR and Hartmut Eifert v Land Hessen [2010] ECR I-11063 and C-293/12 Digital Rights Ireland and Seitlinger and Others [2014] ECLI:EU:C:2014:238.
50 See F-46/09 V v PE [2011] ECLI:EU:F:2011:101, para 112-113, C-404/92 P X v Commission, para 18; and by analogy joined cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk [2003] ECR I 4989, paras 73–75.
51 F-46/09 V v PE, para 123, referring to European Court of Human Right, Z v Finland, 1997-I, § 95. See also De Hert, P and Gutwirth, S, “Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutionalisation in Action” in S Gutwirth et al. (eds), Reinventing Data Protection? (Springer Science, 2009)Google Scholar.
52 See eg F-46/09 V v PE, paras 121–150.
53 See Koblentz, G, Living Weapons: Biological Warfare and International Security (Ithaca, 2009)Google Scholar; and eg ECDC, Rapid Risk Assessment – Zika virus disease epidemic (May 2016); EUobserver, “Tuberculosis – an old plague comes back stronger” (February 2013).
54 See recitals 5–8 of the Preamble, Commission Decision 2009/547/EC of 10 July 2009 amending Decision 2000/57/EC on early warning and response system for the prevention and control of communicable diseases [2009] OJ L 181/57 (Old EWRS Decision).
55 See generally Gostin, L, Global Health Law (Harvard University Press, 2014)CrossRefGoogle Scholar.
56 See Gutwirth, S et al. (eds), Reforming European Data Protection Law (Dordrecht, 2015)Google Scholar.
57 See de Ruijter, A, A Silent Revolution: The Expansion of EU Power in the field of Human Health (PhD thesis, University of Amsterdam, 2015)Google Scholar; Hervey, T and McHale, J, European Union Health Law: Themes and Implications (Cambridge University Press, 2015)Google Scholar.
58 Now Art 16, Health Threats Decision includes explicit references to the EU Data Protection Laws.
59 The 2007 Report 7–8.
60 Commission Decision 2009/547/EC of 10 July 2009 amending the Old EWRS Decisions 2000/57, supra, note 51.
61 Art 2a, paras 1–5, Old EWRS Decision 2000/57 as inserted by Art 1, Decision 2009/547.
62 See Annex III, Old EWRS Decision 2000/57 as amended by Decision 2009/547.
63 See European Data Protection Supervisor, Prior checking opinion on the Early Warning Response System (“EWRS”) notified by the European Commission on 18 February 2009 (case 2009-0137) (Brussels, 26 April 2010), <www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Supervision/Priorchecks/Opinions/2010/10-04-26_EWRS_EN.pdf>, accessed 18 October 2017.
64 EDPS, Prior checking opinion on the Early Warning Response System (26 April 2010) 7–17.
65 The Old Commission Data Protection Guidelines 2012/73, n 24 above.
66 Old Commission Data Protection Guidelines, point 6, 38–39.
67 Old Commission Data Protection Guidelines, point 6.4, 39.
68 Health Threats Decision repealed the Old Surveillance Decision in 2013. The next two acts, the Old EWRS Decision as amended by Decision 2009/547, are now repealed by the Commission Implementing Decision on Alerts. See below.
69 Recital 27 of the Preamble, Decisions 1082/2013.
70 See eg Art 6(1)(b–e), 16, 17, Directive 95/46 and 4(1)(b–e), 21, 22 Regulation 2001/45.
71 Art 16, para 3 and 9(a), Health Threats Decision.
72 Art 16, para 7 and 8, Health Threats Decision.
73 Art 16, para 1, Health Threats Decision. See also the Old Commission Data Protection Guidelines, points 7 and 9 and EDPS Opinion of 26 April 2010.
74 Art 15 para 1, Health Threats Decision. See the 2015 Report, p 8.
75 Art 16 para 6, Art 9.3 and Art 9.3(i).
76 Art 16, para 1, Health Threats Decision; cf the Old Commission Data Protection Guidelines, point 4.
77 See eg Arts 10–11, Directive 95/46 (GDPR) and Arts 11–12, Regulation 2001/45.
78 Cf the Old Commission Data Protection Guidelines, points 8–9 and 11.
79 The 2015 Report 7.
80 The 2015 Report 3.
81 Cf the Old Surveillance Decision 1–7; the 2015 Report 8, point 2.5.
82 A de facto transitory period has been lasting for too long now – since 2013 one implementing act has been issued: Implementing Decision on Alerts of 2017, supra, note 21.
83 See eg the controversy between the Polish Data Protection Authority and Publish Health Authority regarding whether the exchange of information on “nationality of data subject” is necessary for contact tracing purposes, <www2.mz.gov.pl/wwwfiles/ma_struktura/docs/chorobotworz_20121206_odp_04.pdf>, accessed 18 October 2017.
84 EDPS Prior checking opinion on the Early Warning Response System (26 April 2010) 4–5 and 16; EDPS Opinion (28 March 2012) 7.
85 ibid.
86 EDPS Opinion (28 March 2012) 7.
87 Art 3 and Annex listing EU level alert systems, Implementing Decision on Alerts.
88 See also Brem and Dubois, supra, note 15.
89 See Art 4, Implementing Decision on Alerts.
90 C-101/01 Bodil Lindqvist, para 96.
91 The Old Commission Data Protection Guidelines, point 4.
92 Based on own research, see <ec.europa.eu/health/preparedness_response/policy/decision/index_en.htm> and <ec.europa.eu/health/communicable_diseases/early_warning/comm_legislation_en.htm>, accessed 18 October 2017.
93 Even the Eur-lex database contains a mistake that the Old EWRS Decision (2000/57/EC) is still in force, and the link provided from the page of Implementing Decision on Alerts, which repealed that act, directs us to the Directive 2000/57 on pesticides residue limits, accessed 23 September 2017.
94 The Old Commission Data Protection Guidelines, point 8; cf <ewrs.ecdc.europa.eu/>, accessed 18 October 2017.
95 EDPS, Prior checking opinion on the Early Warning Response System (26 April 2010) 16.
96 Commission staff working paper Impact Assessment Accompanying the document Decision of the European Parliament and of the Council on serious cross-border threats to health (SEC (2011)1519 final) 48.
97 See Murphy, T and Whitty, N, “Is Human Rights Prepared? Risk, Rights and Public Health Emergencies” (2009) 17 Medical Law Review 219 CrossRefGoogle Scholar.
98 Parmet, W, “Dangerous Perspectives. The Perils of Individualizing Public Health Problems” (2009) 30 Journal of Legal Medicine 1 Google Scholar.
99 See also Hickox, K, “Caught Between Civil Liberties and Public Safety Fears: Personal Reflections from a Healthcare Provider Treating Ebola” (2015) XI JHBL 9 Google Scholar.
100 Cf Mariner, W, “Medicine and Public Health: Crossing Legal Boundaries” (2007) 10 Journal of Health Care Law & Policy 121 Google Scholar.