COVID-19 and privacy in the European Union: A legal perspective on contact tracing

When disease becomes a threat to security, the balance between the need to fight the disease and obligation to protect the rights of individuals often changes. The COVID-19 crisis shows that the need for surveillance poses challenges to the right of privacy. We focus on the European Union (EU), which has a strong data protection regime yet requires its member states to exchange personal data gathered through contact tracing. While public authorities may limit the right to privacy in case of public health threats, the EU provides little guidance when such limitations are proportionate. To define standards, we analyze existing EU case law regarding national security measures. We conclude that on the proportionality of contact tracing in the EU it is difficult to reconcile public health measures and individual rights, but guidance can be taken from understandings of proportionality in the context of security, particularly in the current COVID-19 emergency.