Privacy is a fundamental human right. However, the right to privacy is by no means absolute. It has to be balanced against other human rights and public interests.
The COVID-19 has spread over 200 countries and territories. As of 20 April 2020, over 2.2 million people have been infected and over 150,000 died as a result worldwide. Given its novel, contagious and potentially deadly nature, this pandemic continues to pose a grave danger to global public health. At a media briefing on 16 March 2020, the World Health Organisation stated there needed to be more technological measures for tracking the coronavirus outbreak - “You cannot fight a fire blindfolded. And we cannot stop this pandemic if we don’t know who is infected.” This begs nevertheless the question on how far we can go to compromise privacy for public health.
Right to privacy is not absolute
In Hong Kong, privacy right is guaranteed by Article 30 of the Basic Law and protected generally under Article 14, section 8, Part II of the Hong Kong Bill of Rights Ordinance (Chapter 383 of the Laws of Hong Kong, BORO). The latter is a mirror image of Article 17(1) of the International Covenant on Civil and Political Rights (ICCPR). Unlike the right to life, which according to the General Comments of the Human Rights Committee of the United Nations (published in November 2018) is a supreme right and a prerequisite for the enjoyment of all other human rights, privacy right is not absolute but subject to restrictions. Article 4(1) of the ICCPR provides that “In time of public emergency which threatens the life of the nation and the existence of which is officially proclaimed, the States Parties to the present Covenant may take measures derogating from their obligations under the present Covenant to the extent strictly required by the exigencies of the situation”. Similar provisions are also found in section 5 of the BORO.
In times of a life-threatening pandemic, privacy right comes second to protecting public health. This view is echoed by data protection authorities around the world. On 17 March 2020, the Global Privacy Assembly (a global forum for more than 120 data protection and privacy authorities) expressed in a statement that data protection requirements shall not hinder efforts tackling the COVID-19 pandemic, but instead shall enable the use of data in the public interest while providing the protection as the public expects. In Hong Kong, section 59 of the Personal Data (Privacy) Ordinance exempts the use limitation requirement of personal data if such use is necessary for safeguarding the health of the data subjects or other individuals. Further details can be found in the media statement https://www.pcpd.org.hk/english/media/media_statements/press_20200226.html. Similar exemptions are also found in data protection law of other jurisdictions, such as Articles 6(1)(d) and 9(2)(c) of the EU’s General Data Protection Regulation and Schedule 3, Part 2 of the UK Data Protection Act 2018. In the US, penalties for violating certain provisions of the Health Insurance Portability and Accountability Act (the law protecting patients’ medical data) have been waived by the government amidst the COVID-19 pandemic to enable more effective treatment and control of the disease.
Proportionality, Transparency and Explainability
Although privacy is a qualified right, derogation from this fundamental human right shall only be “to the extent strictly required by the exigencies of the situation” as required by section 5 of the BORO. In other words, all privacy-intrusive measures shall be necessary for and proportionate to the legitimate purpose they seek to achieve. The Court of Final Appeal (CFA) in Hysan Development Company Limited v Town Planning Board (2016) 19 HKCFAR 372 amended the proportionality test whereby public authorities will have to decide “(i) whether the intrusive measure pursues a legitimate aim; (ii) if so, whether it is rationally connected with advancing that aim…; (iii) whether the measure is no more than necessary for that purpose”; and (iv) “whether a reasonable balance has been struck between the societal benefits of the encroachment and the inroads made into the constitutionally protected rights of the individual”. The CFA revised the test by including the fourth question by weighing the detrimental impact of the decisions against the societal benefits gained.
In Hong Kong, the devices and measures used by the Government for enforcing quarantine and tracking the whereabouts of the infected are examples of the need to strike a proper balance between privacy protection and public health. That said, the Government still needs to comply with other personal data protection principles including minimum data collection, retention of which should not be longer than necessary and no unauthorised disclosure or loss of the personal data collected and kept.
In order to dispel doubts and build trust, organisations (employers alike) should be transparent about and be able to explain the proposed measures, spelling out whether and what personal data will be collected, how the personal data will be used, shared and transferred, as well as adopting the kinds of data security measures in the combat of the virus and for homeworking.
I would like to repeat what the UK Information Commissioner’s Office rightly stated in that the fight COVID-19 strategies should be proportionate and avoid any measures that may be seen as extreme from the public’s point of view.