"PUBLIC HEALTH AND PRIVACY" and not "PUBLIC HEALTH OR PRIVACY": Surveillance in the fight against COVID-19

by: in Corona Law
law_blog_paolo_balboni

“Hopefully COVID-19 will be gone at some point, but tracking technologies may stay for longer and permanently hamper the rights and freedoms of individuals”.

As part of my blog series on #PublicHealthANDprivacy in light of the COVID-19 pandemic, this short reflection will focus on digital surveillance. There is no doubt that data and technology have the potential to aid in the fight against the spread of the coronavirus (both in containing the spread and in finding future treatments) and this potential cannot and should not be ignored. However, the use of data and any technology for surveillance purposes must be lawful and adequately uphold the fundamental rights that we commonly value as Europeans. 

In my first post on data protection in relation to the crisis, I argued that it is more important than ever to place privacy and data protection at the center of public discourse and that the dangerous dichotomy of public health versus privacy and data protection should instead be framed in a way that promotes “public health and privacy” working together in a balanced way. Public health and privacy rights indeed can, and I argue, must, coexist in the fight against COVID-19. In the name of democracy and for long-term societal wellbeing, however, it is paramount that fundamental rights are equally protected in emergency situations. 

This means that any data processing in the context of the fight against COVID-19 should be necessary, secure, lawful, proportionate and transparent, should respect the principle of purpose limitation, and should be limited temporally (data retention). In other words, for any data processing in this context, it should be clear and easy for the data subject to understand what data is being processed and by whom, and the purposes and means (the why and how) of the processing, stated as specifically as possible. Furthermore, it is important that the confidentiality and integrity of any data shared across systems and applications are ensured by way of adequate data and cybersecurity measures.

Potentially privacy-intrusive technology is being used in a number of ways to fight the spread of COVID-19. These include diagnostic and screening apps; tracing and tracking apps (which may also play an important role after the peak of the virus); and monitoring and quarantine enforcement apps (as we have seen, for example, in Poland); and more generally, government/health authority access to telecommunications data provided directly by telco operators. According to Human Rights Watch, in fact, “24 countries are undertaking telecommunications location tracking and 14 countries are using applications for contact tracing or quarantine enforcement.”  

On 2 April 2020, together with 103 organizations, Human Rights Watch, Amnesty International, Access Now, and Privacy International issued a joint statement urging “governments to show leadership in tackling the pandemic by respecting human rights when using digital technologies to track and monitor people.”

With respect to the use of telecommunications data, as the EDPB has pointed out, “In principle, location data can only be used by the operator when made anonymous or with the consent of individuals. However, Art. 15 of the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security.” The EDPB furthermore stressed in its Statement that, “Such exceptional legislation is only possible if it constitutes a necessary, appropriate and proportionate measure within a democratic society. These measures must be in accordance with the Charter of Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms. Moreover, it is subject to the judicial control of the European Court of Justice and the European Court of Human Rights. In case of an emergency situation, it should also be strictly limited to the duration of the emergency at hand.”

As mentioned by the EDPB, the ePrivacy Directive calls for location data to be made anonymous or to only be used by operators with the consent of data subjects. As obtaining valid consent from an entire country would hardly be feasible, the preferable approach to the lawful use of such data would therefore be to anonymize it and to only process aggregated data. To this end, see Article 29 Data Protection Working Party Opinion 05/2014 on Anonymisation Techniques.

In this respect, Internal Market Commissioner Thierry Breton has asked EU telecom operators to join forces in sharing anonymised metadata, which could have a significant potential to develop models and predictions of the virus’ spread. In cases, however, when the use of anonymized data does not adequately meet the needs of the authorities in the current situation (as may well be the case in contagion tracking), leading to the processing of mobile location data that has not been anonymized, it is essential that adequate safeguards are put in place and enforced in order to ensure the rights of individuals whose data are being processed. 

As the Italian DPA Antonello Soro has stressed, tracking, in fact, should be carried out only temporarily, with foresight, and in a proportional and reasonable fashion. Less privacy-intrusive measures should always be considered first. Along these lines, the Dutch DPA is of the opinion that “The use of location data of citizens by the government is very drastic. In any case, such a measure must be clear, proportionate to its purpose and must contain sufficient guarantees.” 

On 8 April 2020 the European Commission published its Recommendation on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data, which underlines the fact that “a fragmented and uncoordinated approach risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing serious harm to the single market and to fundamental rights and freedoms.” In fact, a common approach is necessary in this context to ensure that the fundamental rights to data protection and privacy are upheld. The publication of this Recommendation is therefore very welcome, as will be further forthcoming guidance such as that which will be issued by the EDPB.

Tracing technologies together with other surveillance measures have the potential to assist in the fight against COVID-19, but must not take place at the expense of our fundamental privacy and data protection rights. Hopefully COVID-19 will be gone at some point, but tracking technologies may stay for longer and permanently hamper the rights and freedoms of individuals.
