Issues of personal data processing: Religious gatherings and Covid-19. The Kansas case.

George Galanopoulos – Maria-Oraiozili Koutsoupia - Eleni M. Palioura, 

Attorneys at Law, PhD Candidates in Law (University of Athens)

Religious gatherings, including but not limited to, weddings, funerals, memorial services, and wakes, of ten (10) persons inside or ten (10) present of building occupancy (whichever number is greater) and fifty (50) people outside may resume, provided social distancing is maintained. In the interest of public health and to avoid a Covid-19 outbreak in the community, event organizers should consider maintaining a record of attendees where appropriate. Attendees are not required, however, to provide their names or contact information at any religious gathering. In the event of a Covid-19 outbreak connected to a religious gathering, a religious gathering may contact those potentially exposed and, subject to confidentially, provide their names and other relevant information voluntarily provided at the gathering to the Department of Public Health. Any information collected under this subsection by the religious gathering or the Department of Public Health shall remain confidential to the extent allowed by law and be utilized only for public health purposes or to address public health concerns.

The regulation above is a part of the measures taken by the Kansas City to reduce the possibility of exposure to Covid-19, and in our view is a great motive to deal with issues of personal data processing regarding the collective aspect of religious freedom. This article briefly examines the concept of the “controller” under the GDPR using the Kansas regulation as an example, which could also apply to European regions. In this context, we should notice that we use Kansas example without referring another similar practice, because we had access to the  official document  of the measures, which is available online.

Following the above it is also essential for anyone to observe the exact wording of the regulation when it comes to the “list issue”. More specifically, the provision stipulates that: “……of ten (10) persons inside or ten (10) percent of building occupancy (whichever number is greater) and fifty (50) people outside may resume, provided social distancing is maintained. In the interest of public health and to avoid a Covid-19 outbreak in the community, event organizers should consider maintaining a record of attendees, where appropriate. Attendees are not required however to provide their names or contact information at any religious gathering…”. It is clearly noticed that the wording of this regulation doesn’t appear in the usual form of an “obligatory” instruction, since the addition of the words “should consider” and “not required” provide a quite optional character. Both the Church and the attendees are given an option: The Church may or may not hold a list of the people attending the relevant ceremonies and the decision shall be the result of the balancing between the choice to (potentially: in a case of an epidemic incident) protect the general right of public health and the right to protect the Churches’ core, its independence (autonomy) against the State and the very concrete rights to privacy of the religious beliefs of the attendees. It might seem like an easy choice for a Church to protect the privacy of its believers, however, what would be the cost in case of an incidence, especially since this choice will be a risk to be taken for an indefinite number of people (the attendees in each ceremony). On the other hand, neither the choice of listing the attendees’ information is without serious consequences for the Church, since this would automatically create a document full of sensitive religious data ready to be processed by the Church itself or by the State with numerous results on the attendees, even obligating them not to attend ceremonies anymore. And this is a huge risk for a Church. Whatever the choice of each Church might be, in this case, or in any case that could follow the example of this regulation, the final choice is given to the attendee who is “not required” to provide their information in case the Church holds a list. The question, however that arises here is, whether this is a real option or not? What would a religious man do, if someone asks their information in order to prevent a potential spread of a pandemic? Protect the general public? Or protect their religious beliefs? Although, as already stated above, the regulation wording seems to provide options both to the Church and to the attendees related to the particularly sensitive nature of the religious freedom right, when the state authority puts such ethical dilemmas to the recipient of a regulation, one might consider that the freedom of the given choices, is always limited since you only get to choose from what is provided to you as, the options.

Covid-19 crisis had a strong knock-on-effect on the whole European space as well. It is obvious that governments with a view to flattering the curve of Covid-19 infections responded to this pandemic with drastic measures. However, it begs the question; should public health set aside the protection of personal data? In the context of EU law, the European Data Protection Board stated that, “when processing of personal data is necessary for managing the Covid-19 pandemic, data protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures.” Besides, the right to the protection of personal data is not an absolute right. Examining the record of attendees under the European legal order, even if this measure is taken in a voluntary basis, it has to be compliant with the key principles of art. 5 of GDPR. How long are these data being stored? Which is the legal ground of the collection? Consent? Is this consent valid for a disclosure to third parties in case of Covid-19 outbreak or is there any other specific provision? These questions indicate the necessary framework of transparency. A deeper insight to this approach, should evaluate all the technical and organizational measures as well as the impact assessment on adults’ and children’s rights. On the contrary, it is believed that data can save lives. Does this order imply actually a shift from a reasonable expectation of privacy to an indirect revelation of religious beliefs? Listing someone in a religious record of presence does not declare essentially that he or she is a member of this community as anyone can be an attendee; even a non-religious person. Nevertheless, religious communities as data controllers may have to process information of high risk, except for names or contact data. In an escalating Covid-19 crisis, health and religious data may be potentially under unlawful processing, without specific and transparent procedures. This is why governments have to ensure that believers will not be in the threshold of reasonable expectation of privacy and stigmatization.

Regarding the issue of personal data processing and religious beliefs, one has to deal with the concepts of “community”, “member of a community”, and the nature of religious beliefs itself. First of all, Kansas regulation for religious gatherings defines as controller of the processing of personal data the “event organizer”. However, due to the fact that the scope of this article is to use Kansas regulation as an example, in order to analyze the issue of personal data and Churches in Europe, one should take into account the role and the legal and canonical position of the community within the data processing procedure. More analytically, religious beliefs are data related to religion, which is considered as sensitive under the GDPR. In case of a need of maintaining a record of members of a religious group or in general a record which contains religious beliefs of citizens of a secular state, the processing should be very specific and proportional due to the protection of the freedom of and from religion. Therefore, when such processing is performed in the context of a religious denomination, the controller of the processing of personal data is of course the denomination itself. The claim above is based on the fact that a religious community is protected within a region as a whole. Freedom of worship is closely connected with the freedom of conscience. Consequently, it is impossible for a state to guarantee religious freedom while ignoring its collective aspect. An important definition of controller of the processing of personal data in such cases is contained in the ECJ judgment C‑25/17. The par. 21 of the judgment, one can claim that generally analyses the main characteristics of a religious group as a controller according to the GDPR. More specifically, the par. 21 claims that:  “If the data processing at issue in the main proceedings falls within the scope of Directive 95/46, the referring court notes that the question then arises as to whether the Jehovah’s Witnesses Community must be regarded as a controller of that processing within the meaning of Article 2(d) thereof. The case-law of the Court deriving from the judgment of 13 May 2014, Google Spain and Google (C‑131/12, EU:C:2014:317), broadly defines the concept of ‘controller’ within the meaning of those provisions. Furthermore, it is clear from Opinion 1/2010 of 16 February 2010 on the concepts of ‘controller’ and ‘processor’ produced by the Working Group set up pursuant to Article 29 of Directive 95/46, that, in particular, the ‘effective control’ and the conception that the data subject has of the controller must be taken into account”. Additionally, according to the par. 64 of the judgment: “ In the present case, the Data Protection Board, in the decision at issue in the main proceedings, found that the Jehovah’s Witnesses Community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching. In so far as only the responsibility of that community is challenged, the responsibility of the members who engage in preaching does not appear to be called into question”. Hence, a religious community is a group, and each time the group itself or its members process personal data for its scopes, the controller is mainly the religious community.  

In conclusion, issues of personal data processing regarding Churches and other religious groups, highlight the concept of religious self-organization under the secular law. For example, one of the questions which arise, is the dependence of the legal basis of consent on the legal form of a religious community or entity. Accordingly, in cases of extraordinary measures, the proportional treatment of the fundamental rights of health, religion and privacy becomes an escalating issue of paramount importance for the State, the Church and the individuals.