Privacy And Covid-19: It’s All About Proportionality!


Privacy And Covid-19: It’s All About Proportionality!

Vanessa Deschênes [1]
Lawyers, Patent and Trademark Agents

In this time of pandemic, questions about data collection and privacy are more present than ever. While many businesses are normally quite familiar with the rules that need to be followed in this area, this unprecedented situation can bring its share of challenges and questions.

Around the world, we are now seeing new forms of data sharing as companies and authorities do their best to stem the transmission of COVID-19, measures such as checking recent travel history, taking body temperature and locating the population using cellular data now appear to be acceptable.

But how far can or should organizations go? Is it really essential or mandatory to share the name or other personal information of an infected person? What responsibility do you have as an organization under data protection and privacy laws?

What is the watchword? Proportionality!

You Are Not Alone

If you currently have these concerns, know that you are not alone and the authorities responsible for enforcing these laws are there to shed some light. Indeed, a lot of legal guidance has been issued in the last few days in this regard. Take Quebec, for example.

On March 25, the Commission d’accès à l’information du Québec (“CAI”) issued a press release[2] reminding us of the rules applicable in times of crisis, and therefore in times of pandemic. It mentioned, among other things, that the Government of Quebec declared a state of health emergency on March 13, which allows the government to collect and communicate the personal information required to protect the health of the population.

In this regard, section 123(3) of the Public Health Act provides as follows:

123. Notwithstanding any provision to the contrary, while the public health emergency is in effect, the Government or the Minister, if he or she has been so empowered, may, without delay and without further formality, to protect the health of the population,


(3)  order any person, government department or body to communicate or give to the Government or the Minister immediate access to any document or information held, even personal or confidential information or a confidential document;


Incidentally, the National Director of Public Health may disclose information if he or she has reasonable grounds to believe that its disclosure would protect the health of the public. But what about corporations?

As the CAI reminds us, the usual provisions relating to the protection of personal information remain applicable. For example, the Act respecting the protection of personal information in the private sector already provides for exceptions to obtaining consent in certain situations, such as if the disclosure of personal information is made to a person to whom such disclosure must be made because of an emergency situation endangering the life, health or security of the person concerned (s. 18 para. 1 (7)). The same applies at the federal level[3].

Elsewhere on the Planet

But what about elsewhere in the world?

In Europe, the GDPR specifically contains a mention of epidemics. In addition, it is stated in recital 46 that:

The processing of personal data should also be regarded lawful where it is necessary to protect an interest which is essential to the life of the data subject or of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on any other legal basis. Some types of processing may serve both on important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters

As it is the case here in Quebec and Canada, European regulations require that data processing be done lawfully. Whether in France, Italy or elsewhere in Europe, the proportionality test remains. However, in order to avoid ambiguity, some countries hit hard by COVID-19, such as Italy, have adopted emergency laws confirming the possibility of communicating certain information such as the personal data of any person suspected of being infected, including health, location and connection data by e-mail and phone.

Given all these special measures, it is not surprising that the Global Privacy Assembly has declared:

We are confident that data protection requirements will not stop the critical sharing of information to support efforts to combat this global pandemic. Universal data protection principles in all our laws will allow data to be used in the public interest and will always provide the protections that the public expects. Data protection authorities stand ready to help facilitate the rapid and secure sharing of data to combat COVID-19. 

As we see from this statement, and as it is the case around the world, there is a consensus among authorities responsible for privacy and data protection matters that these laws are in no way an impediment to public health. Authorities, however, strongly caution organizations to systematically and broadly monitor and collect employee health data outside of official requests and actions by public health authorities.

In order to help its members, the International Association of Privacy Professionals has compiled a list of the different approaches taken by the authorities in each country. Here is an excerpt.

CountryCOVID-19 Orientations
Canada (fed)
British Columbia  
Newfoundland and Labrador  
United States                      
European Union 
European Data Protection Committee

Beware of Cyber Fraud!

As the CAI and the headlines in some media in recent weeks have reminded us, some malicious people are unfortunately taking advantage of the current situation to try to obtain personal information or to commit other types of fraud that exploit citizens’ fears.

It is important to make your employees aware of these risks and to remind them to be vigilant, especially against phishing attempts by phone, e-mail or text message.

For more information in this regard, you can consult the CAI website or theCanadian Anti-Fraud Centre, which lists the main frauds related to COVID-19.

If you have any questions regarding personal data or your obligations as a business in today’s unique context, do not hesitate to contact the members of our Data Protection, Privacy and Cyber Security team.

© CIPS, 2020.

[1] Vanessa Deschênes is a Lawyer for ROBIC, LLP, a firm of Lawyers, Patent and Trademark Agents.

[2] Commission d’accès à l’information du Québec (2020). COVID-19 : Protection des renseignements personnels et sécurité de l’information, Commission d’accès à l’information du Québec. Retreived on April 2, 2020 from
[3] Office of Privacy Comissionner of Canada (2020). Privacy and the COVID-19 outbreak, Office of Privacy Commissionner of Canada. Retraived on april 1st 2020 from