Businesses need to be careful with personal data during pandemic

Methods using to collect customer data by small businesses are of dubious legality

As people continue to come out of lockdown and start using services again, there is an eagerness on the part of authorities to use contact tracing to prevent further outbreaks. While the State is championing the use of tech-based solutions, such as its Bluetooth-enabled app, many small businesses are instead taking it upon themselves to use low-tech solutions, such as paper questionnaires, to track contacts and even run pre-screenings. While perhaps understandable, given the circumstances, such methods are however of dubious legality, and run counter to the painstaking efforts taken by both campaigners and the authorities to get the contact-tracing technology data protection compliant.

Data protection laws aim to support the legitimate use of personal information whilst protecting those to whom the information relates. The protection of personal data is a right in the European Union. One of the rationales for the legal protection of personal data is to address power imbalances between individuals who agree or are compelled to disclose their data, and those who ask for it. The latter can include both global tech giants, many of whom have their EU headquarters in Ireland, and small businesses alike.

The law defines when and how it is legitimate to collect and use personal data, given the complexity of preventing misuse once data have been shared. Some forms of data processing carry greater potential for misuse than others. For example, data collected from mobile phones allow a detailed picture of individual habits to be gleaned, and can spark a feeling of constant surveillance, as the Court of Justice of the EU noted in the context of the Digital Rights Ireland proceedings. The disclosure of medical information can also negatively impact individuals’ lives, and its collection and use is subject to reinforced protection. The potential for misuse in both examples increases the larger the scale.

Efforts to prevent further outbreaks involve all these factors: smartphones, medical data, and large-scale application. The Data Protection Commission, which is the body overseeing the protection of personal data, stresses that data protection laws do not stand in the way of containing the pandemic. Rather, legislation intends to guide which and how much information is needed to support the provision of healthcare and prevent a deluge of data which could then be potentially misused once the emergency is over. This is why a great deal of effort has been put into getting the contact-tracing app right. Its potential for constant surveillance on a mass scale creates exactly the type of power imbalance which the legislation is trying to prevent. Thus, the app is designed to collect proximity instead of location, and is voluntary rather than mandatory. And yet the app, as with other European counterparts, has only just been released and is thus untried.


Pending its wider uptake, individuals are being met with well-meaning but arguably unlawful forms of mandatory data collection. For instance, based on sectoral body guidance, those wanting a much-needed haircut may face medical screening through written questionnaire, seemingly taken from guidance for retail protection released in preparation for phase 3 of the lockdown.

Filling in the questionnaire is presented as a take-it-or-leave-it choice. However, as they currently stand, these questionnaires are failing to meet the basic principles of data protection legislation. Not only do they lack reference to the legislation enabling the collection of the data, they also do not explain how the data will be safeguarded, and for how long it will be kept, nor do they inform individuals about their rights and how to exercise them.

By recommending their members to collect such information, sectoral bodies are potentially sending businesses down a dangerous path, exposing them to the possibility of hefty fines for the unlawful collection of personal data. Even if the manifest faults of these questionnaires were set straight, however, they raise deeper questions owing to the sensitivity of medical information. The Data Protection Commission has not ruled out the use of questionnaires, but clarified that they must be used only when strictly necessary. Is it necessary to be medically pre-screened to have a haircut? And is a salon the best-placed entity to do so?

Taken individually, snapshots about one’s health on a given day are perhaps not as intrusive as information collected by contact-tracing apps. Taken together, however, these DIY contact-tracing and screening initiatives, no doubt well-meaning and meant to reassure the public, may run counter to painstaking efforts to get apps, and other tech-based solutions, right. Moreover, forcing customers to either fill in a questionnaire or not have a haircut reminds us of the take-it-or-leave-it tracking policies that we already encounter daily online. These policies are the object of several legal battles, and there is surely no need to further entrench such toxic practices, and the power imbalances they are based on, in the real world.

At the beginning of the crisis some commentators wondered whether the only way to fight Covid-19 was through surveillance. Yet focussing on surveillance points our attention toward the symptom of the crisis, rather than its cause. During the forced pause of the lockdown, many reflected instead on how unfairness in its many forms, from pollution, to inequality, to lack of public healthcare or appropriate housing, could be contributing both to the spread of the disease and its lethality. If redressing such power imbalances is to be the silver lining of this awful emergency, then we should take this opportunity to also embrace fairer data practices.

Maria Grazia Porcedda is Assistant Professor in IT Law at Trinity College Dublin