photo
18.07.2024

Opinion of the Polish SA on the deputies' draft law on civil protection in times of natural disaster

The draft needs clarification and a privacy test. The current version uses unclear constructs and ambiguous wording. 

The draft law on civil protection and on the state of natural disasters was submitted to the Marshal's of the Polish Sejm by Prawo i Sprawiedliwość party members(the rapporteur is Paweł Szefernaker). Political party members’ drafts are not subject to such consultations as those provided for government drafts. However, in this term, the Marshal of the Sejm has adopted the principle of collecting comments on all projects. The Deputy Head of the Chancellery of the Sejm of the Republic of Poland, Dariusz Salamończyk, presented the draft act on civil protection and natural disasters to the President of the Personal Data Protection Office for his opinion.

The President of the Personal Data Protection Office has no objection to the purpose of the regulation, which is to help the state respond and protect the population in the event of emergencies, including natural disasters. However, he points out that the draft implies the processing of various types of information, including personal data, in order to facilitate the response to the effects of a natural disaster. A very wide range of subjects would have access to this data. However, the draft does not specify what data will be collected and how it will be processed.

The regulation, due to the proposed solutions involving new technologies - on a large scale allowing data processing under exceptional conditions - requires the conduct of a so-called privacy test - i.e. a personal data protection impact assessment (as indicated by Article 35 GDPR).

The conduct of the indicated privacy test is justified by:

  • the data processing models adopted in the draft act,
  • the new emerging risks of a specific nature in case of the occurrence of the events described in the draft act,
  • identification of new categories of persons,
  • coverage of special categories of data by the regulation,
  • amount of data being processed,
  • processing it by the new technologies.

The draft provisions should also not create constructions that do not take into account the correctness and security of personal data processed, as required under the GDPR. One of the assumptions of the draft is the creation of contact points performing tasks in the area of civil protection or crisis management centres in the event of a natural disaster. However, it is not clear from the wording of these provisions whether crisis management units will process personal data - and if so, what kind of data it will be. The draft does not specify whether the so-called special categories of personal data, as defined in Article 9 of the GDPR, may be processed in the course of operations. Therefore, the President of the Personal Data Protection Office doubts whether the draft provides adequate safeguards with regard to compliance with the principles of the processing of personal data.

State and local government authorities responding to a natural disaster are to exchange information. The draft provisions do not specify whether this exchange will take place in a data-secure manner.

The draft also provides that civil protection authorities may demand from the heads of government and local government units the immediate provision of information, as well as the collection and processing of data necessary for the performance of the tasks set out in Article 9. It is unclear what information is involved and whether the guarantees for personal data will be sufficient. The provision is bland. It refers in general to the tasks specified in the act, but there is no specification within the framework of which tasks what personal data (which categories of data) will be processed.

The draft also provides for solutions in the form of issuing acts of executive rank by authorised governmental or local authorities, about which there is a doubt whether they should not be regulated at the statutory level. For example, the doubt relates to Article 51 of the draft, which provides for the possibility of introducing ‘necessary limitations on human and civil liberties and rights’ during a natural disaster. It should be emphasised that, regardless of the assessment of the compatibility of such solutions from the perspective of the constitutional test of proportionality and legalism, the introduction of such restrictions by order or decision may not lead to a disproportionate lowering of the standards of protection of the rights and freedoms of data subjects.

For similar reasons, the President of the UODO also has doubts about solutions that provide that, in justified cases, binding decisions may be issued and communicated orally, by telephone or by means of electronic communication or other means of communication. The adoption of such solutions should be preceded by a proportionality test and an assessment of the risks for the processing of personal data.

The content of the opinion of the President of the Personal Data Protection Office on the parliamentary draft act on civil protection in times of natural disaster can be found in the document attached below.

Attached files

Pobierz plik DOL.401.158.2024