Op-Ed: “Lost in Translation: an Analysis of the COVID-19 Case Másdi (C-169/23)”

During the COVID-19 pandemic, a public health emergency collided with the datafication of society. While the hasty introduction of phone-based tracing apps and digital COVID certificates allowed to draw some parallels to past public emergencies, legal frameworks regulating the unprecedented collection and use of personal data – most notably the 2016 EU General Data Protection Regulation 2016/679 (GDPR) – were heavily tested by the desire of policymakers to use highly sensitive health data to tackle the crisis.

On 28 November 2024, the Third Chamber of the Court of Justice delivered its judgment in Másdi (C-169/23). The case concerns the issuance of COVID-19 certificates in Hungary, based on the European Digital Covid Certificate (EUDCC) framework, and in particular the requirements for public authorities to disclose which personal data has been collected and used to generate such certificates. For the first time, the judges in Luxembourg had to interpret an important exception to a data controller's obligation to provide information under Article 14(5)(c) of the GDPR. From the outset, this case seems relevant to understanding the nuances and technicalities of data processing in a pandemic. Looking beyond that, it may contain relevant information that speaks more broadly to the delicate exercise of reconciling national interests with higher European standards when it comes to the collection and processing of personal data in extraordinary times.