Docket Entries Since Last Update
NOTE: This court's RSS feed does not list MOTION entries, so Bloomberg Law cannot detect them and thus they will not be listed here. However, motions will be included if you update the docket.
The Covid-19 crisis has sparked implementation of unprecedented measures around the world, and the Republic of Bulgaria is no exception. In response to the rapid spread of Covid-19 in Bulgaria, the national assembly declared a state of emergency in March 2020 and adopted the Law on the Measures and Actions During the State of Emergency, expanding the government's powers with regard to individual privacy. Its measures limit certain basic rights and individual freedom of—including right of privacy and personal data protection.
During the state of emergency, special checkpoints were built at the exits of every district city.
In order for a person to enter or leave a district city, a special declaration must be provided to the police officers guarding the checkpoints. The declaration includes specific identification data such as names, personal identification number, address, place of work, actual place of living, etc.
The document may also contain health status of the person or the health status of a close relative as a reason to request to leave or enter a district city. In addition to the declaration, documental proof must also be shown at the checkpoints. The document may include personal data related to third parties, or financial information (in case a person shows an employment agreement), etc.
The high amount and potential sensitivity of the personal data that must be disclosed for the purposes of traveling raised certain concerns with regard to its lawfulness and the observance of the principle of proportionality as set out in the General Data Protection Regulation. Also, questions were raised with regards to the purposes for which the police will or may use the data due to the risk that it may be used for profiling and for purposes other than just passing through checkpoints.
From a legal perspective, the GDPR (in art. 23) foresees certain situation in which the rights of individuals in terms of personal data processing may be limited through legislative acts, which in the present situation would be Bulgaria's law declaring a state of emergency. Such cases include measures related to protection of public health, prevention of criminal acts and others. The said provision is also replicated in the national law implementing the GDPR—in art. 37a of the Bulgarian Personal Data Protection Act.
Further to the above, information provided at checkpoints may be treated as data processed for the purposes of preventing the spread of Covid-19 with the aim of protecting public health. Also, as per art. 61 of the Bulgarian Health Act, people diagnosed with Covid-19 may be subject to quarantine, and breach of quarantine is considered a criminal offense in accordance with art. 355 of the Bulgarian Criminal Code. This would mean that when a quarantined person tries to leave or enter a district city, the authorities may use the information provided at the checkpoints in order to investigate a potential criminal act.
The fact that personal data may be lawfully processed at checkpoints does not release the authorities from their obligation to limit their use of personal data and ensure sufficient and appropriate technical and organizational measures under the GDPR. In case of a breach of the personal data protection rules by the authorities, a fine may be imposed in accordance with the GDPR. It should be noted that the CPDP already has a history of imposing fines to public authorities (including 2.5 million EUR fine imposed on the National Revenue Agency).
Bulgaria's Commission for Personal Data Protection also shares the above position and issued an official statement on the interpretation of lawful data processing at checkpoints.
Under Bulgarian law, employers must ensure a safe environment for employees whose nature of work does not allow working from home. The requirement for employers to ensure safe environment for employees is not a new one, as it is part of the general principle as per art. 273 of the Bulgarian Labor Code that employers should be aiming to prevent any risks for employees or to mitigate such risks to the maximum extent possible.
Considering that Covid-19 is highly contagious, collecting information on symptoms of employees may be justified given employers’ legal obligation to ensure a safe work environment. However, this right is not absolute, meaning that the principle of proportionality and data minimization must be observed, and employers must ensure they are in compliance with the law. In terms of technical and organizational measures, it should be taken into account that health data constitutes a “special category of data”, meaning that corresponding security measures must be implemented.
With regard to employers conducting medical check-ups, the European Data Protection Board has noted that such an act may be lawful only in cases where employers are legal obligated to do so. Considering the fact that Bulgarian law does not authorize employers to conduct random testing, it may be considered that such data processing would be excessive and unjustified.
Another sensitive matter in question is related to whether employers have the authority to disclose the name of the employee in case he/she is identified having tested positive for Covid-19. Indeed, notifying other employees of the possibility that some of them have been in contact with a Covid-19 patient is crucial for limiting the spread of the virus. However, considering the right of individual privacy, an evaluation should be made if the same notification may be done by providing information which is less intrusive to the respective individual's privacy.
Such approaches may include simple notification that an employee of the company has been identified as a carrier of Covid-19, or in case not all employees are concerned, to notify certain departments or divisions. The decision not to identify an employee may be offset by the fact that the authorities have the power to identify persons the respective patient may have been in contact with in order to test them for Covid-19.
Processing of location data of individuals through mobile devices is a widely discussed measure for control of the prohibition for individuals to gather together in public places or observing other quarantine measures. The EDPB noted that before trying to identify an individual's location, it is recommended that authorities should consider the use of reports on the concentration of mobile devices at a certain public place, without the need to identify specific persons (a.k.a. “cartography”), while applying appropriate anonymization mechanisms.
The EDPB further elaborates on the requirements for identification of individuals through their mobile devices by stating that the EU member states must implement adequate safeguards when such data is being processed—e.g., to provide individuals with right to a judicial remedy.
Amendments have also been introduced in the Bulgarian Electronic Communications Act that allow authorities to request access to certain aspects of users’ traffic data from TelCo operators. Prior to the amendments, traffic data or certain parts of it were accessible only to certain authorities and for limited purposes, namely:
• For the purposes of national security
• For investigation of crimes for which the punishment is imprisonment for more than five years, or
• For the purposes of tracking and searching of persons whose life is in danger
Under the state of emergency law and the latest amendments in the Electronic Communications Act, the national police, the ministry of interior, and the district divisions of that ministry were given authority to request access to identify cellular devices of those who may have breached quarantine. In order to do so, there must be sufficient data that the said individual has refused to comply with the quarantine or does not observe the limitation for any other reason whatsoever.
The director of the respective authority empowered to obtain access to the location information must submit a request to the respective TelCo operator, providing:
• The legal grounds for the request
• The type of data being requested
• The time period of the requested information
• The specific individuals who will receive the information
TelCo operators are obliged to have a person available 24/7 who is duly authorized to handle requests for access to traffic data. The information of the said contact person must be made available to the police in order to ensure operational swiftness.
The state of emergency law and the Electronic Communications Act foresee a judicial remedy aiming to ensure that the information required by the authorities is lawfully requested and will not be misused. Immediately upon submission of a request to the TelCo operator, the director of the respective authority must also notify the chairman of the respective regional court or a duly authorized court panel/judge by laying out the respective arguments for which the access has been requested.
The courts are not bound in any way by the motives of the authority which has requested the information. They have the right to their own discretion when resolving whether the request is lawful. In case the respective court holds that there are no sufficient arguments for requesting/granting access to traffic data, the information must be deleted immediately by the authority and the TelCo operator must be promptly notified.
Any further use of traffic data, which also may constitute personal data within the meaning of the GDPR, would be unlawful and may be subject to a fine. Even before the amendments introduced by the law, access to traffic data was also subject to judicial control. Both situations were possible—judicial control, which is exercised in advance, and judicial control exercised after the access to traffic data has been granted. The reason that the access to traffic data is exercised after submission of the request to the TelCo operator is the presumption of urgency of the situation, which requires immediate action from the authorities in order to protect public health.
Apart from the judicial control of the traffic data requests, the Bulgarian Electronic Communications Act foresees another, rather indirect control measure, which may be exercised by the CPDP. Namely that all TelCo operators have the obligation to periodically provide statistical information to the CPDP on the data access requests from authorities which have been received. The statistical overview which is received periodically by the CPDP would provide sufficient information whether sector (i.e., the public sector) data protection checks should be conducted.
In response to a widespread public health crisis, the government of Bulgaria has curtailed privacy and personal data protection rights. Nevertheless, when it comes to personal data processing, the main principles imposed by the GDPR are still in force and should be observed by the authorities, or a fine may follow as a consequence.
The balance between the aim to mitigate the spread of Covid-19 and the right to privacy may be found in the implementation of sufficient safeguards from the respective authorities (including technical and organizational measures) of data protection and in active controls exercised by the local data protection authorities.