By its Decision of 24 March 2020, the Personal Data Protection Agency (“DPA”) in Bosnia and Herzegovina banned state-level and local authorities in the country from releasing the data of individuals who test positive for coronavirus. The Agency also prohibited making publicly available the data on isolated and self-isolated persons who adhere to the imposed measures. Information on those who breach isolation measures may be lawfully published.
The DPA decision is grounded in the Agency’s negative appraisal of the fairness and lawfulness of the processing. The Agency did not explicitly examine either the purpose or the proportionality of the processing.
The strong reliance of a decision-making body in a data protection matter on the fairness analysis is unusual. Data protection authorities and courts as a rule engage in an elaborate analysis of other principles relating to data processing, most importantly the principles of specificity and legitimacy of the purpose, lawfulness (existence of a legal basis for the processing), and proportionality (adequacy, relevance and non-excessiveness of the data). That standard method requires analytical rigor and minimizes the risks of subjectivity and arbitrariness. It is in any event not clear that “fairness” has a distinct substance that would not already be “covered” by the other, more specific, principles of data processing. If all other principles are satisfied, it does not seem possible for processing to be “unfair”.
Fairness and lawfulness of the processing
In its analysis, the Agency invoked Article 4(1), point (a) of the Bosnian Data Protection Act (2006) (“DP Act”). That provision obliges data controllers to process personal data in a fair and lawful manner.
The Agency considers that publishing the data of all isolated individuals, including those who do not breach any rules, is not fair. According to the Agency, revealing the data of law-abiding persons may lead to their unjustifiable stigmatization and even provoke violence or attacks on their lives.
As for the principle of lawfulness, the Agency concluded that processing of the data at issue may not be justified by the public interest. There are no other potential grounds on which the data controllers could plausibly rely as the legal basis for the processing, so the Agency did not examine them.
The Agency determined that health information falls within special categories of personal data. Special categories, according to Article 9(2), point (g) of the DP Act, may be processed if a specific public interest so requires. The Agency asserted in the Decision that processing the information that a person tested positive for coronavirus, under the circumstances at hand, may not be justified by the public interest.
As for the data on isolated individuals, the Agency did not take a stance on whether such data are sensitive or not. Nevertheless, the Agency considers that public interest cannot serve as a legal basis for the processing of those data either. This is so because publishing such data may weaken the confidence of citizens in the health protection system and discourage those who are potentially infected from seeking medical assistance, which is contrary to the public interest.
(In the event that the data of a person in isolation are not considered to be sensitive data, the Agency could state that the processing cannot be based on Article 6, point (d) of the DP Act, which recognizes the public interest as one of the generally applicable lawful bases for the processing of personal data.)
Missing analysis of the purpose and proportionality of the processing
The Agency did not explicitly address the purposes and proportionality of the processing. The Agency did not deal with the goals which the relevant authorities intended to achieve by releasing the data about the infected and isolated individuals. Instead, the Agency wrote in the press release of 23 March 2020 that it was not in possession of information about the purpose of processing of the data concerning all isolated persons.
Because an analysis of proportionality requires the purpose of processing to be identified, the absence of the purpose analysis from the Agency’s decision meant that the Agency could not deal with proportionality either – certainly not in a structured manner.
On the other hand, the Agency did in a certain way touch upon the proportionality of the processing, through the analysis of fairness and lawfulness of the processing. When invoking Article 4(1), point (a) of the DP Act, the provision laying down the principles of fairness and lawfulness, the Agency stated that the principle of fairness and lawfulness of processing “entails…that the processing is necessary for achieving of the purpose that is to be reached”. This might not be the most precise recitation of the DP Act, because the law, like the relevant EU legislation (Directive 95/46/EC and now GDPR), refers (in Article 4(1), point (c)) to the principle of proportionality as a standalone data processing principle, distinct from the principles of fairness and lawfulness.
If the Agency had analyzed the purpose and proportionality of the processing as standalone principles, it would have had to identify a specific aim which the processing was supposed to achieve, and then weigh that aim against considerations which include the following: the number of individuals likely to be affected by the publishing of the data; the likelihood of the expected benefits; the potential negative effects (including the effects on confidence in the health system, which the Agency addressed in the analysis of public interest as the potential basis for lawfulness of the processing); and the availability of alternative, less intrusive, measures to achieve the purpose of processing.