In March 2020, when companies all over the world learned that they had to send their employees and collaborators to work from home, they assumed it would be a matter of months before everyone was back at the office. They did not anticipate that the daily collection of personal data from those employees and collaborators, together with online strategies that required collecting far more personal information from clients and website users, would remain an issue throughout the following year and into this one.
In the case of Colombia, from the first day of the pandemic, when the State of Social, Economic and Environmental Emergency was declared and the different local authorities began issuing their own mandates and regulations, collecting significant amounts of personal data, including sensitive data, from everyone became a requirement. That requirement was not specifically regulated, so it initially operated as a blanket licence to collect information, with no clear rules on the exceptions that should apply. Authorities considered that having everyone register their daily symptoms would help identify conditions associated with Covid-19 and stop or reduce its spread. However, because the regulation was issued at such short notice and without any impact assessment, the application of principles such as data minimisation and storage limitation was not specifically considered when the regulations established the need to collect personal data to verify the existence of symptoms associated with Covid-19. In addition, the regulations did not place specific limits on third parties collecting personal information in order to comply with the law, which led to large-scale collection of unnecessary personal and sensitive data by many different entities.
Resolution 666 of 24 April 2020, issued by the Ministry of Health and Social Protection, established the general requirements for biosafety protocols. Among those requirements, it established the need to collect certain personal information from individuals in order to prevent the spread of the virus. This led several local authorities to create their own apps or webpages in which the information was registered, so the information was not centralised in a single app or page. Collection was not uniform, and neither the privacy policies nor the authorisations to process personal data complied with local requirements. It was not until 18 August 2020, once restrictions and lockdowns were being eased, that the Superintendence of Industry and Commerce (SIC), the authority that supervises and enforces the data protection regime, issued a circular explaining and applying principles such as data minimisation and storage limitation. In Circular 005 of 2020 the SIC clarified that:
- Personal data collected in compliance with Resolution 666 of 2020 could only be collected and processed to verify the existence of symptoms related to Covid-19;
- Personal data could only be collected for the purpose of complying with the biosafety protocols issued to contain Covid-19; compliance with the biosafety protocol was therefore the sole purpose for which personal data could be processed;
- Data controllers or processors were only allowed to collect personal data specifically required by the Ministry of Health and Social Protection in Resolution 666; and
- Personal data could only be processed and stored while the biosafety protocols were in force; once they ceased to apply, the personal data had to be erased.
However, information that was not necessary for compliance with the protocols continued to be collected. For instance, malls implementing the protocols decided to photograph the people entering their facilities, which breached the data minimisation principle and therefore the circular itself. Malls, supermarkets and other stores only stopped collecting information almost a year later, and they did so because local authorities eased the Covid-19 prevention measures and established that collecting information upon arrival at a facility was no longer necessary, since it would not help prevent Covid-19, not because controllers or processors had become aware of the need to protect information or to minimise the collection of unnecessary data.
Beyond the unnecessary collection of information in the name of regulatory compliance, the pandemic also increased electronic transactions and the use of web-based applications and websites for commercial activity, which in turn increased the collection of personal data, again often unnecessarily. In July 2020, when the Colombian Government, seeking to relieve consumers and stimulate commerce, announced VAT-free days on which VAT was waived not only on in-store purchases but also on website purchases, different platforms took the opportunity to collect personal data for other purposes. This is why the SIC issued another circular reminding data controllers and processors of the need to comply with the general privacy regulations, which include, among other obligations, having adequate privacy policies in place, obtaining prior and express authorisation, and collecting only the information necessary to complete the purchase of the goods.
As web-based activities gain importance and we rely on more apps and communication platforms in our day-to-day activities, it was predictable that the SIC would begin investigating different providers, including Zoom. By November 2020, the SIC had issued an order requiring Zoom to reinforce its security measures in order to bring them into line with Colombian regulations and protect the information of Colombian users.
Authorities have been prone to require the collection of unnecessary personal data during the pandemic. It is also clear that, because of the sanitary regulations, some of the initial unnecessary collection was inherent to a system like ours, in which health authorities operate at several different levels. Was that collection really contained by the circulars and clarification documents issued by the data protection authority to protect personal information? Were those circulars and clarifications adequate and sufficient? These questions will only be answered in the future, once it becomes clear how controllers and processors have used the information collected under the new reality of the pandemic.
Author: María Alejandra De Los Ríos | [email protected] | Data Privacy & Protection