Does the fight against coronavirus justify a flexible interpretation of the personal data protection rules? Is it acceptable to refer to the GDPR while hindering initiatives for the health of the individual and society?
During the COVID-19 pandemic, balancing the “public good” and “privacy” requires a broader view of law adopted under entirely different conditions than those which we are currently experiencing.
Has data protection been forgotten?
Digitalization provides many possibilities to gather and process data to gain knowledge about the world, our behaviors, choices, and preferences. Often it is also used to control and monitor people. The COVID-19 pandemic suddenly shuffled many values, requiring rapid adaptation of preventive measures, adjusted to the fast-changing situation. Since people live in constant fear and uncertainty, privacy issues seem to fade away.
Today, some of the digital tools are created in a way that can raise many concerns regarding GDPR (General Data Protection Regulation). Starting from May 2018, this law is to protect Europeans against data abuse. Many solutions – just to mention contact tracing apps – would have been unacceptable a year ago. Public institutions often use the excuse of a higher-order need, such as public health. Thus, many countries quickly introduced compulsory mobile applications for home quarantine or tracking of health and location data in order to determine the risk of infection (contact-tracking).
Large databases are created in a hurry and circulate between different institutions. Big Data analysis of the epidemiological situation is carried out quickly, often provisionally. What has left from the GDPR that states that when processing personal data, a public administration must respect critical principles, such as fair and lawful processing, purpose limitation, data minimization, and data retention?
Malleable GDPR: Right to protect personal data is not an absolute right
Does the end, namely the health of societies and individuals, justify the means interpreted as initiatives undertaken to fight the COVID-19 pandemic? Yes and no.
Today many organizations are forced to make decisions quickly, and they have no time to carry out legal analyses or refine the solutions in order to ensure privacy, which usually takes months. Governments must be agile and react to the instantly changing situation to manage the crisis. A state of emergency has been introduced in many countries, giving additional powers to public administration and restricting individual freedoms. One of the most discussed digital tools are contact tracking apps being developed in many countries. Also, Apple and Google are launching a joint COVID-19 tracing tool. The tech giants plan a system-level contact tracing system that will work across iOS and Android devices. On an opt-in basis, but still, smartphones will be equipped with a new tracking tool.
The European Data Protection Supervisor (EDPS), Wojciech Wiewiórkowski, represents quite a liberal point of view in this matter expressed in the “EU Digital Solidarity: a call for a pan-European approach against the pandemic.” The keyword is “adaptability.”
At the beginning of the statement, we read that although the processing of data entails high responsibility, there is also responsibility for not using tools that could help in the fight against the pandemic. The protection of personal data should not be an argument blocking the implementation of solutions that can save human lives.
The GDPR explicitly states that the processing of personal data should be designed in such a way as “to serve humanity” and that the “right to protect personal data is not an absolute right” and it should be “considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” The processing of personal data – even sensitive health data – is legitimate in those cases when it is necessary due to “substantial public interest” based on the European Union or Member State law, in proportion to the intended purpose. The European Data Protection Supervisor points out that this is not an innovative interpretation of the law or its bending, but a quote from the GDPR text.
The GDPR also allows the processing of sensitive data when it is necessary due to public interest in the scope of public health. An example is protection against serious cross-border threats to health, which the coronavirus pandemic has proved to be. There are also calls for the suspension of the Data Protection Act or its amendment.
Constrained or protected by GDPR?
“Even when we recognize that an unusual way of processing would interfere with the right to privacy and data protection, it may still be necessary in the extraordinary circumstances we are all living over the last few weeks,” emphasizes Wojciech Wiewiórkowski. He points out that the objective of the European Data Protection Supervisor is to ensure that all measures taken at the European and national level, concerning non-standard solutions in the scope of the use of data during the COVID-19 pandemic, are temporary (discontinued when the threat is over), limited (precise determination of the purpose and people having access to data) and purposeful (determination of the use of data collected and processed, but also deletion of these data after the return to normality).
The EDPS also mentions that the GDPR does not prevent the processing of personal data when health care authorities consider it necessary to fight the pandemic. Wiewiorkowski justifies the application of contact tracing apps. According to the EDPS, the use of a temporary transmission identifier and Bluetooth technology to track contacts appear to be a form that allows securing privacy. However, people working on technological tools to fight the pandemic should ensure data protection by applying data protection by design principles.
Critical pillars of privacy
Despite these indications, the use of arguments based on “public interest” may potentially lead to lodging of appeals against solutions or decisions which, at first sight, seem to be in contradiction with the GDPR. Therefore, choosing the balance between measures and objectives should be the general rule.
At this point, it is worth quoting the President of the Court of Justice, judge Koen Lenaerts, who stated that the law “restricts the authorities in the exercise of their powers by requiring a balance to be struck between the means used and the intended aim (or result reached).” In 2016, the European data protection authorities developed a list of requirements concerning supervisory mechanisms that interfere with privacy and data protection law. The subsequent judgments of the Court of Justice of the European Union confirmed the reasoning used by the data protection authorities and, as a result, four critical pillars of accepted actions were identified. They are as follows:
- the requirement that the processing should be based on clear, precise and accessible rules;
- demonstration of the necessity and proportionality concerning the legitimate objectives pursued;
- existence of an independent oversight mechanism as well as
- the availability of effective remedies to the individual.
However, this list does not appear to apply to contact tracking apps. All currently implemented technological solutions meet the requirements of “the necessity and proportionality with regard to the legitimate objectives pursued.” They are based on clear, precise, and accessible rules. But they also acquire new information about every human being with a smartphone in hand. And this power might be misused.
Is the opt-in option sufficient for success?
European Commission seems to support the idea of contact tracing. So far, there are no critical offensive opinions to hear regarding the joint COVID-19 tracing tool by Apple and Google. Their API can be integrated into public health agencies’ own apps that secures a full adoption. Tech giants have an irrefutable argument: contact tracing to flatten the COVID-19 curve will be successful only if more than 50% of the population uses the app.
“Digital tools will be crucial to protect our citizens as we gradually lift confinement measures. Mobile apps can warn us of infection risks and support health authorities with contact tracing, which is essential to break transmission chains. We need to be diligent, creative, and flexible in our approaches to opening up our societies again. We need to continue to flatten the curve – and keep it down. Without safe and compliant digital technologies, our approach will not be efficient,” said Commissioner for Health and Food Safety, Stella Kyriakides, introducing the “EU toolbox for the use of mobile applications for contact tracing and warning in response to the coronavirus pandemic.”
The toolbox sets out the essential requirements for these apps:
- They should be fully compliant with the EU data protection and privacy rules, as put forward by the guidance presented today following consultation with the European Data Protection Board.
- They should be implemented in close coordination with and approved by public health authorities.
- They should be installed voluntarily and dismantled as soon as no longer needed.
- They should aim to exploit the latest privacy-enhancing technological solutions.
- Likely to be based on Bluetooth proximity technology, they do not enable tracking of people’s locations.
- They should be based on anonymized data: They can alert people who have been in proximity for a certain duration to an infected person to get tested or self-isolate, without revealing the identity of the people infected.
- They should be interoperable across the EU so that citizens are protected even when they cross borders.
- They should be anchored in accepted epidemiological guidance, and reflect best practice on cybersecurity, and accessibility.
- They should be secure and effective.
The guidelines published by the European Data Protection Supervisor clearly show that the COVID-19 pandemic cannot lead to the circumvention of the currently applicable law. Still, at the same time, the applicable law should not hamper initiatives important from the point of view of social interest, in this case – health. The right to the protection of personal data is not an absolute right, and the processing of personal data must serve the people.
One can get the impression that although data security is often emphasized, the GDPR interpretation itself is not as restrictive as it was a few months ago. Is that right? We will certainly be able to evaluate this only after the COVID-19 pandemic.
Anyway, without transparency and trust in data security, it will be difficult to convince citizens to use COVID-19 related digital tools and contact tracing apps. New digital, large-scale initiatives will also be a test for the acceptance of new technologies and the condition of digital literacy. What still can worry are the joint plans of Apple and Google. Having a tracing tool on the system level across iOS and Android raises many questions. What’s even worse, this may undermine trust in public health institutions creating their own applications.
Graphic credit: Artur Olesch / aboutDigitalHealth.com
I have a small favour to ask…
This content is free of charge. This website is free of commercials. Please support aboutDigitalHealth.com (€1+). It only takes a minute. Thank you!