As in previous years, the Gibraltar Regulatory Authority (“GRA”), as the Information Commissioner, has taken part in the annual Global Privacy Enforcement Network Sweep (the “GPEN Sweep”). GPEN was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development (OECD). Its aim is to foster cross-border co-operation among privacy regulators in an increasingly global market, with members seeking to work together to strengthen personal privacy protections in this global context.

Data protection authorities (“DPAs”) from across the globe participated in the GPEN Sweep, which aimed to examine, at a practical level, how privacy considerations have been taken into account by organisations responsible for COVID-19 solutions and initiatives, and what level of engagement DPAs have had with such organisations.

The GPEN Sweep explored how the global DPA community engaged with local governments, to identify and understand the risks associated with COVID-19 initiatives, and to make recommendations to improve compliance with privacy and data protection laws. It also sought to understand what, if any, enforcement action DPAs might be considering, and what education and outreach activities DPAs have conducted.

Global Findings

The GPEN Sweep found that all DPAs who responded have been actively involved in assessing the privacy implications of COVID-19 solutions and initiatives. In addition, the results show that organisations have generally displayed significant awareness of the privacy risks associated with COVID-19 solutions and have set clear rules surrounding the treatment of personal data that is involved.

[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f"> <v:stroke joinstyle="miter"/> <v:formulas> <v:f eqn="if lineDrawn pixelLineWidth 0"/> <v:f eqn="sum @0 1 0"/> <v:f eqn="sum 0 0 @1"/> <v:f eqn="prod @2 1 2"/> <v:f eqn="prod @3 21600 pixelWidth"/> <v:f eqn="prod @3 21600 pixelHeight"/> <v:f eqn="sum @0 0 1"/> <v:f eqn="prod @6 1 2"/> <v:f eqn="prod @7 21600 pixelWidth"/> <v:f eqn="sum @8 21600 0"/> <v:f eqn="prod @7 21600 pixelHeight"/> <v:f eqn="sum @10 21600 0"/> </v:formulas> <v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/> <o:lock v:ext="edit" aspectratio="t"/> </v:shapetype><v:shape id="Picture_x0020_25" o:spid="_x0000_i1025" type="#_x0000_t75" style='width:63pt;height:1pt;visibility:visible;mso-wrap-style:square'> <v:imagedata src="file://localhost/Users/giordanodurante/Library/Caches/TemporaryItems/msoclip/0/clip_image001.png" o:title=""/> </v:shape><![endif][if !vml][endif] 

The GPEN Sweep also discovered that the chief preoccupation of responding DPAs related to COVID-19 contact tracing mobile apps, although other initiatives included electronic wristbands, COVID-19 vaccine registers and national border registers. Notably, almost all responding jurisdictions have a COVID-19 contact tracing mobile app, using Bluetooth technology to alert users if they have been near another app user who tests positive for COVID-19, and whether they have visited a venue around the same time as another person who was reported as positive.

With regards health authorities, most of these were reported to have carried out Data Protection Impact Assessments (DPIAs) and engaged their local DPA at an early stage to mitigate identified privacy risks. For instance, key concerns were identified regarding the identification of individuals from personal data collected by contact tracing apps, which differed across jurisdictions, and the retention of personal data collected. DPAs recommended some of the following good practices: that personal data be stored locally on users’ devices rather than on centralised servers; and that personal data collected to fight against COVID-19 be securely destroyed as soon as reasonably practicable once it is no longer needed.

Several DPAs undertook compliance and enforcement actions in response to complaints received.

All DPAs, including the GRA, produced guidance and/or educational materials relating to privacy issues arising from COVID-19 health measures. The GRA’s guidance on this topic, as well as other privacy-related matters, is available at www.gra.gi.

For further information please contact the GRA by telephone on +350 200 74636 or by email on [email protected].