Author: Blánaid Sheeran
Blánaid Sheeran is the In House Contributor of the ELSA Law Review Blog. She is a second-year student at the European Law School, Maastricht University. She also participates in the Faculty of Law Honours Programme and inter-faculty Honours+ Programme. She has worked as an editor at ELSA Maastricht Law Review (Emaas) since 2019.
Abstract
All resources have been thrust towards the creation and implementation of measures with pandemic-fighting potential. This includes increased demand for quick and effective technological solutions; however, the actual and potential use of these measures has added fuel to the long-running discussion concerning privacy and personal data protection in the European Union. This is particularly relevant considering the numerous limitations placed on the use of personal data by the European legislator in recent years. Whilst the legislator’s prudence included anticipation of the need for regulated restrictions on the rights of data subjects, the perceived invasiveness of certain measures, such as phone location tracking and contact tracing apps, has led some to question their legality within the current framework for European data protection. Although this post concludes that these measures are unlikely to be inhibited by European data protection law, the potentially wide-ranging societal impact of such an unprecedented surge in technological surveillance begs the question of whether these measures will actually be able to fulfil the task that they have been assigned: effectively fighting the COVID-19 outbreak.
Introduction
As the struggle against COVID-19 continues, governments are scrambling to implement measures that can effectively mitigate the disastrous effects of the virus. In particular, the range of digital tools with pandemic-fighting potential has triggered a contentious discussion. Many of the controversial initiatives, whether planned or already executed, evidence an unprecedented demand for digital health technology, particularly in the areas of planning, tracking, and advising.[1] One popular concern is that, once the virus is under control, measures will not be rolled back, and governments will continue to use surveillance methods and data obtained during the pandemic for other purposes.[2]
What are some of the measures?
The crisis has triggered a broad spectrum of responses from authorities worldwide. In China, it was reported that the coronavirus functioned as an accelerant for the implementation of a host of surveillance measures,[3] including infrared cameras, sometimes in conjunction with facial recognition technology, that scan crowds for high temperatures at airports and train stations.[4]The Israeli cabinet approved temporary laws, bypassing parliamentary approval, that allow cyber-monitoring by its security services: such powers are usually reserved for counter-terrorism operations.[5]
The European Union (EU) Member States have also been active in the creation and adaptation of technological resources: business-to-government sharing of anonymised phone location data is in use in Belgium, Austria, Estonia, France, Germany, Latvia, Greece, Portugal, Italy, and Spain.[6]Laws allowing government access to telecommunication databases are being considered in Lithuania and Slovakia, whilst already in force in Bulgaria.[7]Poland has instituted a mandatory selfie-app for those infected or in quarantine so that the authorities can pinpoint their exact location, and other Member States are in the process of developing apps that use a variety of different approaches.[8]
Following increasing efforts to coordinate diverging approaches across Member States, the European Data Protection Supervisor (EDPS) even called for a pan-European COVID-19 app.[9] This was quickly followed by the Commission’s recommendation to develop a common EU approach for the use of mobile applications and mobile data in response to the coronavirus pandemic.[10] The proposed app may have many similarities to the Singaporean “community-driven contact tracing” app, TraceTogether, which uses Bluetooth to monitor the contacts of COVID-19 cases.[11] Bluetooth-matching methods are one of the least intrusive forms of mobile tracing technologies.[12]
The above are but a few examples of technology’s contribution to combatting COVID-19. Although these measures have drawn considerable criticism, it cannot be denied that technology is a powerful tool when responding to a large-scale health crisis. The European measures in particular exhibit two main waves of technological focus: use of anonymised location data shared by telecommunications companies, and the use of mobile applications for warnings, prevention, and contact tracing.[13] These measures are conducive to social control,[14] and many have voiced concerns surrounding personal privacy, function-creep, and the non-specific timeline for how and when governments will roll back the implemented measures.[15] Within the context of the EU Member States’ fifty-something yearlong effort to increase privacy protection and limit exploitation of personal data, the prospect of a COVID-19 fuelled technology increase is especially relevant.
What is the legal framework for privacy and protection of personal data?
All technological advancements must fulfil requirements laid down by the relevant national, European, and international law (the latter two being subject to the measure’s implementation in a Member State or state party to the relevant treaty). Before delving into the specific legal position of anonymised location data and mobile applications, it is worth providing a brief overview of the right to private life and the right to personal data protection. The focus of this particular post is EU law.
The right to respect for private life and the right to personal data protection are distinct rights. The former has its origin as a fundamental human right in the non-binding Universal Declaration of Human Rights (UDHR), followed quickly by its incorporation in the European Convention on Human Rights (ECHR).[16] Article 8 ECHR outlines the right to respect for private and family life, home and correspondence. Interference with this right by a public authority is prohibited, except where the interference is in accordance with the law, pursues important public interests (including protection of health) and is necessary in a democratic society. However, both the UDHR and ECHR were created long before the rise of privacy-threatening technology. The need for specific rules governing collection and use of personal information led to the development of special legal rules providing for personal data protection.[17]
Convention 108,[18] adopted by the Committee of Ministers of the Council of Europe (CoE) with reference to the ECHR, is the only legally binding international instrument in the data protection field. It protects individuals against abuses concerning the processing of personal data, in both the public and private sectors, outlaws the processing of sensitive data in the absence of proper legal safeguards and aims to regulate transborder movement of data. Convention 108 is only binding for the 51 countries who have ratified it (including all EU Member States) however it is open for accession by non-contracting parties of the CoE. Although enforcement of Convention 108 remains unsupervised by the European Court of Human Rights (ECtHR), it has been taken into consideration by the Court within the context of Article 8 ECHR. The Court has acknowledged that personal data protection is an important part of the right to respect for private life thus an establishment of interference may be guided by the principles of Convention 108.[19]
Under EU law, data protection is a fundamental right distinct from the narrower concept of respect for private life. Article 7 of the Charter of Fundamental Rights (the Charter) guarantees respect for private life and family. Article 8 of the Charter enshrines the right to personal data protection. Although legally binding as EU primary law,[20] the provisions of the Charter are only addressed to the EU institutions. and to the Member States when implementing EU law. However, the right to the protection of personal data is also provided for in Article 16 TFEU; thus, granting the European Parliament and the Council legislative competence in all matters concerning the processing of personal data, independent of their relation to the internal market. This contrasts with previous approaches to data protection legislation, notably the Data Protection Directive,[21]for which it was necessary that the approximation of provisions had as their object the establishment and functioning of the internal market (under what is now Article 114 TFEU).
The General Data Protection Regulation (GDPR)[22]is a product of Article 16(2)’s grant of legislative competence. It provides a single set of directly applicable data protection rules across the EU, and also applies to controllers and processors not established in the EU that offer goods or services to data subjects in the EU or monitor their behaviour within the Union (Article 3 GDPR). The GDPR has greatly contributed to the EU’s coherent horizontal framework for privacy; however, commentators have pointed out its relative inflexibility.[23]The current need for quickly implemented, effective measures has made the rigidity of the system as a whole particularly apparent. With this in mind, the legality of many of the above measures has been questioned.
How do the measures fit within the law?
It is unfortunately impossible to examine the lawfulness of each individual technological response in one post; however, academic discussion has already begun regarding the two broad yet controversial dimensions of EU measures noted above.[24] With regards to anonymised phone location tracking, telecom providers ensure that data is anonymised and aggregated (individual identities are scrubbed out) by using a k-anonymity technique: if you display information within a geographical area, you are not allowed to disclose results based on a group of fewer than 30 people.[25] According to Recital 26 GDPR, the principles of data protection do not apply to anonymous information (i.e. that which does not relate to an identifiable natural person or to personal data rendered anonymous in such a way that the data subject is no longer identifiable). By utilising the k-anonymity technique, the anonymised data collected and processed for the purpose of location tracking falls outside of the scope of the GDPR.
The second dimension of the current European technological debate concerns the use of mobile applications. In his call for a pan-European COVID-19 app, Mr Wojciech Wiewiórowski of the EDPS outlined the position of such apps within EU law.[26] The right to the protection of personal data is not an absolute right. Article 9 of the GDPR concerns the prohibition of special categories of personal data, including data concerning health; however, Article 9(2)(i) explicitly exempts data processing that is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health. Processing of this data must be proportionate to the aim pursued, respect the essence of the right to data protection and safeguards the rights and freedoms of the data subject.
Furthermore, in accordance with Article 23(1) and Recital 73 GDPR, restrictions on the rights of the data subject may be imposed when necessary and proportionate in a democratic society to safeguard important objectives of general public interest, including public health. Mr Wiewiórowski also emphasised the importance of compliance with the ‘European Essential Guarantees’—a list of requirements for surveillance mechanisms that interfere with the right to privacy and data protection, primarily based on the jurisprudence of the CJEU and the ECtHR in cases related to the application of the rights to privacy and data protection in Europe.[27] They are that:
I. processing should be based on clear, precise and accessible rules;
II. necessity and proportionality with regard to the relevant legitimate objective must be shown;
III. there must be an independent oversight mechanism; and,
IV. there must be effective remedies available to the individual.[28]
This framework suggests that neither the use of anonymised phone location tracking nor mobile applications will struggle to fulfil the EU legal requirements. The real impediments to the use of certain technology to combat COVID-19 probably have less to do with the legality of the measures and more to do with potential public reaction.[29]
Are the measures worthwhile?
No matter their position within the above legal framework, the effectiveness of these digital tools is strongly debated, thus begging the question of whether the possible privacy implications are a necessary sacrifice in the name of public health.
In an early review of AI against COVID-19, Wim Naudé concluded that AI had not yet been impactful against COVID-19. Many of the actual and potential contributions of AI are hampered by a lack of data and by too much noisy and outlier data.[30] However, whereas AI’s use for prediction and diagnosis is constrained by a lack of data, Naudé noted that mobile phones with AI-powered apps or wearables that harvest location, usage, and health data of their owners are not.[31] This suggests that mobile applications, employed for specific uses, may be suitable to achieve desired aims. Nevertheless, many challenges remain for the full effectiveness of mobile applications. Within the context of contact tracing apps in particular, at least 60% – 70% of the population must use the app in order to meet the required threshold for effectiveness; considering the widely rejected suggestion of mandatory activation, this threshold is unlikely to be reached.[32] Moreover, there is a significant dependency on the availability and reliability of other factors: coronavirus tests must be available, individuals must enter their test results accurately and quickly, those warned of potential infection must stay at home or be tested.[33]While apps can provide speedy contact history, they cannot influence the chain of uncertain events that lead to the provision of accurate information.
With regards to phone location data, its effectiveness for monitoring movement and responding to serious health threats was tested far before the emergence of COVID-19: in 2007, with a view to eliminating malaria in Zanzibar, the World Health Organization launched an initiative involving the compilation of location data from mobile phones.[34] Such population mapping has proven crucial in assessing the effectiveness of current lockdown measures. For example, the Italian government decided to strengthen its movement policy after mobile data suggested that too many people were still moving around in Lombardy.[35] Conversely, the Belgian authorities decided to continue with existing confinement measures
after data showed that Belgians are spending 80% of their time within their home postal area and that trips of over 40km dropped 95%.[36]
On the other hand, the time required for aggregation and anonymisation of data (24-48 hours) has triggered questions surrounding the usefulness of such data to identify and prevent large gatherings;[37] there is little point in breaking-up a gathering 24-48 hours after it has occurred.
Conclusion
The use of technology to tackle COVID-19 has triggered fears of growing surveillance. From the above discussion, it seems that the use of anonymised location data and contact tracing apps for the purpose of tackling the current health crisis will not be prevented by the current legal framework in the European Union. However, this does not mean that those on whom the measures will be imposed need be comfortable with their imposition. Moreover, whilst digital tools, such as mobile applications and mobile data, have the potential to make significant contributions to human health and a post-pandemic recovery, their actual usefulness at this point in time depends greatly on their exact purpose, as well as factors external to the relevant technology (for example, the availability of testing and public compliance).
Sources:
[1]J. Scott Marcus, ‘Big-Data vs. Covid-19’ (Breugel, 23 March 2020) <https://www.bruegel.org/2020/03/big-data-versus-covid-19-opportunities-and-privacy-challenges/?utm_content=bufferb0eed&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer> accessed 16 April 2020; Departmental News, ‘Digital technology for Covid-19 response’ (WHO, 3 April 2020) https://www.who.int/news-room/detail/03-04-2020-digital-technology-for-covid-19-responseaccessed 16 April 2020.
[2]Wim Naude, ‘Artificial Intelligence Against Covid-19: An Early Review’ [2020] IZA Discussion Paper No 13110, 7 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3568314> accessed 16 April 2020.
[3]For further information see: Lily Kuo, ‘The new normal: China’s excessive coronavirus public monitoring could be here to stay’ (The Guardian, 9 March 2020) https://www.theguardian.com/world/2020/mar/09/the-new-normal-chinas-excessive-coronavirus-public-monitoring-could-be-here-to-stayaccessed 16 April 2020; Samuel Woodhams, ‘Covid-19 Digital Rights Tracker’ (Top10VPN, 20 March 2020) https://www.top10vpn.com/news/surveillance/covid-19-digital-rights-tracker/accessed 16 April 2020.
[4]Wim Naude, ‘Artificial Intelligence Against Covid-19: An Early Review’ [2020] IZA Discussion Paper No 13110 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3568314> accessed 16 April 2020, 6.
[5]Joe Tidy, ‘Coronavirus: Israel enables emergency spy powers’ (BBC News, 17 March 2020) https://www.bbc.com/news/technology-51930681accessed 16 April 2020.
[6]Klaudia Klonowska, ‘The COVID-19 pandemic: two waves of technological responses in the European Union’ (HCSS Snapshot, HCSS, 2020) https://hcss.nl/sites/default/files/files/reports/COVID-19%20pandemic%20technological%20responses%20EU.pdfaccessed 16 April 2020.
[7]Ibid, 3.
[8]Mark Scott and Zosia Wanat, ‘Poland’s coronavirus app offers playbook for other governments’ (Politico, 2 April 2020) https://www.politico.eu/article/poland-coronavirus-app-offers-playbook-for-other-governments/accessed 16 April 2020; Vincent Manancourt, ‘EU data regulator calls for pan-European Covid-19 app’ (Politico, 6 April 2020) https://www.politico.eu/article/coronavirus-europe-data-regulator-calls-for-pan-european-covid-19-app/accessed 16 April 2020.
[9]Wojciech Wiewiórowski, ‘EU Digital Solidarity: a call for a pan-European approach against the pandemic’ (EDPS, 2020) <https://edps.europa.eu/sites/edp/files/publication/2020-04-06_eu_digital_solidarity_covid19_en.pdf> accessed 16 April 2020.
[10]Commission, ‘Coronavirus: Commission adopts Recommendation to support exit strategies through mobile data and apps’ (Press Release, 8 April 2020) https://ec.europa.eu/commission/presscorner/detail/en/ip_20_626accessed 17 April 2020.
[11]‘How Trace Together Works’ (TraceTogether.gov, n.d.) <https://www.tracetogether.gov.sg> accessed 16 April 2020.
[12]Klaudia Klonowska, ‘The COVID-19 pandemic: two waves of technological responses in the European Union’ (HCSS Snapshot, HCSS 2020) https://www.who.int/news-room/detail/03-04-2020-digital-technology-for-covid-19-responseaccessed 16 April 2020, 8.Mark Scott and Zosia Wanat, ‘Poland’s coronavirus app offers playbook for other governments’ (Politico, 2 April 2020) https://www.politico.eu/article/poland-coronavirus-app-offers-playbook-for-other-governments/accessed 16 April 2020.
[13]For further information on these two waves, see: Klaudia Klonowska, ‘The COVID-19 pandemic: two waves of technological responses in the European Union’ (HCSS Snapshot, HCSS, 2020) https://hcss.nl/sites/default/files/files/reports/COVID-19%20pandemic%20technological%20responses%20EU.pdfaccessed 16 April 2020; Commission, ‘Coronavirus: Commission adopts Recommendation to support exit strategies through mobile data and apps’ (Press Release, 8 April 2020) https://ec.europa.eu/commission/presscorner/detail/en/ip_20_626accessed 17 April 2020.
[14]Social control is one of the six actual and potential contributions of AI noted in, Wim Naude, ‘Artificial Intelligence Against Covid-19: An Early Review’ [2020] IZA Discussion Paper No 13110 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3568314> accessed 16 April 2020.
[15]Arjun Kharpal, ‘Government surveillance is rising globally as the coronavirus crisis unfolds’ (CNBC, 26 March 2020) https://www.cnbc.com/video/2020/03/27/government-surveillance-is-rising-globally-as-the-coronavirus-crisis-unfolds.htmlaccessed 16 April 2020.
[16]European Union Agency for Fundamental Rights and Council of Europe, Handbook on European data protection law(2018 Edition, Publications Office of the European Union 2018), 18.
[17]Ibid, 19.
[18]Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (opened for signature 28 January 1981, entry into force 1 October 1985) ETS No.108.
[19]European Union Agency for Fundamental Rights and Council of Europe, Handbook on European data protection law(2018 Edition, Publications Office of the European Union 2018), 25.
[20]Consolidated Version of the Treaty on European Union [2008] OJ C115/13, art 6(1).
[21]Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281.
[22] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) [2016] OJ L119/1.
[23]J. Scott Marcus, ‘Big-Data vs. Covid-19’ (Breugel, 23 March 2020) < https://www.bruegel.org/2020/03/big-data-versus-covid-19-opportunities-and-privacy-challenges/?utm_content=bufferb0eed&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer> accessed 16 April 2020.
[24]Klaudia Klonowska, ‘The COVID-19 pandemic: two waves of technological responses in the European Union’ (HCSS Snapshot, HCSS, 2020) https://hcss.nl/sites/default/files/files/reports/COVID-19%20pandemic%20technological%20responses%20EU.pdfaccessed 16 April 2020.
[25]Ibid, 3.
[26]Wojciech Wiewiórowski, ‘EU Digital Solidarity: a call for a pan-European approach against the pandemic’ (EDPS, 2020) <https://edps.europa.eu/sites/edp/files/publication/2020-04-06_eu_digital_solidarity_covid19_en.pdf> accessed 16 April 2020.
[27]Article 29 Data Protection Working Party, ‘Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring’ (2016) https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2016/wp237_en.pdfaccessed 18 April 2020, 6.
[28]Ibid.
[29]J. Scott Marcus, ‘Big-Data vs. Covid-19’ (Breugel, 23 March 2020) https://www.bruegel.org/2020/03/big-data-versus-covid-19-opportunities-and-privacy-challenges/?utm_content=bufferb0eed&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer> accessed 16 April 2020, 8.
[30]Wim Naude, ‘Artificial Intelligence Against Covid-19: An Early Review’ [2020] IZA Discussion Paper No 13110 <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3568314> accessed 16 April 2020, 9
[31]Ibid, 7.
[32]Klaudia Klonowska, ‘The COVID-19 pandemic: two waves of technological responses in the European Union’ (HCSS Snapshot, HCSS, 2020) https://hcss.nl/sites/default/files/files/reports/COVID-19%20pandemic%20technological%20responses%20EU.pdfaccessed 16 April 2020, 9.
[33]Ibid.
[34]Nic Filde and Javier Espino, ‘Tracking Coronavirus: Big data and the challenge to privacy’ (Financial Times, 8 April 2020) https://www.ft.com/content/7cfad020-78c4-11ea-9840-1b8019d9a987accessed 18 April 2020.
[35]Jeremy Hsu, ‘Coronavirus Pandemic prompts privacy-conscious Europe to collect phone data’ (IEEE Spectrum, 3 April 2020) https://spectrum.ieee.org/tech-talk/telecom/security/how-coronavirus-pandemic-europe-collecting-phone-dataaccessed 18 April 2020.
[36]Nic Filde and Javier Espino, ‘Tracking Coronavirus: Big data and the challenge to privacy’ (Financial Times, 8 April 2020) https://www.ft.com/content/7cfad020-78c4-11ea-9840-1b8019d9a987accessed 18 April 2020; Klaudia Klonowska, ‘The COVID-19 pandemic: two waves of technological responses in the European Union’ (HCSS Snapshot, HCSS, 2020) https://hcss.nl/sites/default/files/files/reports/COVID-19%20pandemic%20technological%20responses%20EU.pdfaccessed 16 April 2020, 6.
[37]Nic Filde and Javier Espino, ‘Tracking Coronavirus: Big data and the challenge to privacy’ (Financial Times, 8 April 2020) https://www.ft.com/content/7cfad020-78c4-11ea-9840-1b8019d9a987accessed 18 April 2020.
