Steven De Schrijver, Astrea
“With great crisis comes great responsibility,” would be a valid alternative to the famous proverb. The covid-19 pandemic again shows the difficult exercise of weighing important principles against each other. The essential protection of public health intrudes on the privacy and data protection of citizens. While it may be tempting for (certain) authorities to put one above the other, such thinking cannot be accepted. Rather, a balance must be found to protect both these human rights. This is what European authorities have been trying to do since the SARS-CoV-2 virus hit the Old Continent.
In order to trace the spreading of the virus, governments have installed contact tracing teams which contact infected citizens to ask about their whereabouts so that potentially infected persons can be identified preventively and, if needed, quarantined. In addition, many apps have been developed which also trace citizens’ contacts and warn them when they may have come across an infected person. Other apps come into play at a later stage by monitoring quarantine measures.
Arguably, the current pandemic has become the biggest challenge that the framework of the GDPR has encountered since its entry into force in 2018.
Contact tracing must be seen as a well-established process used by authorities, as part of the strategy to combat the further spread of the pandemic, whereby the contacts of citizens are traced in order to know which persons may have come across a case of infection and to contact these persons to have them tested, and/or quarantined if necessary.
Some countries have installed special call centres which use contact tracers to collect information from an infected citizen on his or her whereabouts and a list of persons seen. This information is stored in a database and used for further tracing purposes. While this may seem more privacy-friendly than an app, this is not necessarily the case. As governments rushed into establishing such call centres at the beginning of the crisis, the creation of proper regulations often only followed later. The principle of data minimisation was difficult to implement in some instances: which data really need to be collected and stored? As contact tracing primarily involves processing sensitive data on health, strict adherence to the GDPR is even more important. After all, such processing is only allowed when necessary for reasons of public interest in the area of public health or for health care purposes, and subject to certain conditions. In organising this system, people were often hired who had little to no knowledge of the GDPR and/or lacked experience in the health sector. Training these contact tracers on privacy matters has posed further challenges for authorities.
Another form of contact tracing is the use of forms by restaurants, hairdressers, bars, gyms and similar places whereby clients are required to write down their name and contact details (telephone number, e-mail or both). Usually, these personal data are stored for a term of 14 days (a generally accepted period of time within which symptoms of an infection may or may not appear). According to the GDPR, personal data that are being processed must be protected against unauthorised access. Nevertheless, it is still very common to come across a list of clients lying openly on the counter of a local restaurant or bar.
Businesses may also be tempted to collect masses of personal data of their clients to use them for purposes other than contact tracing, such as direct marketing. Hence, entrepreneurs must know and understand the aim of the system and be aware of their obligations as data controllers. Of course, the GDPR provides for sanctions if, despite all measures, its principles are breached.
However, these principles may not always be clear to businesses as their wording is very general. Hence, the local baker (with no employees), who has three tables and a corresponding number of chairs outside his shop to let clients enjoy their morning croissant, will not immediately have understood what was required of him when he was suddenly obliged to collect data of clients. After all, he may never have collected personal data before and knows little about the GDPR. This is precisely where one of the important privacy-related conclusions of this pandemic appears: we must not underestimate the importance of Data Protection Authorities (DPAs) in providing hands-on information and advice to data controllers, data processors and citizens in general. In a crisis like this, where the privacy of citizens is endangered, DPAs must be the first to step in and provide clear guidelines to society. Legal terminology must be set aside. Instead, the questions of those involved must be collected, FAQs must be drafted, standard forms must be created, media channels must be used for general communication to the public and YouTube must be flooded with short videos which explain what certain obligations and procedures are really about.
The lack of public trust in providing (sensitive) data to businesses and authorities may even be mitigated if society sees that privacy is protected as far as possible while other goals in the interest of the public’s wellbeing are pursued.
In times where there is an app for (nearly) everything, it should not be surprising that governments quickly came to the conclusion that technological solutions such as proximity tracing and home quarantine apps could complement traditional manual contact tracing. The development and use of such digital solutions have resulted in further privacy risks as well as cybersecurity concerns.
Often when discussing covid-19 apps, the term ‘contact-tracing apps’ is used. Most of the time, however, what is being referred to as ‘contact tracing’ in this context is actually ‘proximity tracing’, since the apps only alert users who have been in close proximity to an infected user. The biggest hurdle for this type of app is to collect information on an exposed user who has been in contact with an infected user without revealing the identity of either.
Many risks are associated with proximity-tracing apps, such as stigmatisation of infected people, the possibility of mapping social circles and behavioural patterns of users, abuse of technology for movement tracking and mass surveillance.
The anonymisation of the collected data is therefore one of the top priorities set out by the EU Toolbox designed to support the common standard in contact-tracing apps. Although gathering proximity data through Bluetooth is by far the most privacy-compliant option, it does not make the data of users completely anonymous. These apps are still vulnerable to encryption key extraction and thus are not cyberattack-proof. For that reason, the use of location data for these apps is also discouraged.
While the use of location data could make it easier for health authorities to conduct contact tracing, the use thereof makes the data subject much more vulnerable in case of a cyberattack. It can also be questioned whether such use would comply with the principle of data minimisation. If other valid alternatives exist to trace one’s contacts, then why should geolocation data be considered?
It has been debated whether covid-19 apps must be compulsory. This could lead to stigmatisation, whereby persons would not be allowed to enjoy certain individual freedoms (e.g., a limited right to free movement) in case they would not be using an app on their mobile device. The European Commission has, however, recommended that covid-19 apps be a mechanism of empowering people rather than repressing them, meaning that they would not become compulsory in the European Union. After all, data subjects must at all times maintain full control over their data.
The European Commission has been highly involved in ascertaining the privacy and cybersecurity aspects of covid-19 apps. Its recommendations and guidelines focus on preventing many of the potential risks and privacy concerns. Fundamental rights of EU residents are the cornerstone of the documents in which the Commission outlines its recommendations for privacy-conscious apps. Among the necessary safeguards that need to be in place before a covid-19 app is released are pseudonymisation and anonymisation of data, ensuring that data are stored only for the duration of the crisis, after which they must be erased or anonymised, and an obligation to perform a DPIA before the adoption of the app. Some DPAs also recommended making the source code of the apps public so that experts can verify their performance and security.
Although there are still many concerns linked to privacy and cybersecurity of contact tracing and covid-19 apps, legislators and stakeholders keep finding more secure ways to handle private data and at the same time ensure effective measures for the protection of public health. This is especially evident when looking into new research and initiatives on covid-19 apps.
A clear example is the noticeable shift from the PEPP-PT protocol (Pan-European Privacy-Preserving Proximity Tracing), which uses a centralised reporting server to process personal data and notify users of potential contact with infected persons, to the decentralised DP-3T protocol (Decentralised Privacy-Preserving Proximity Tracing), where the central server never has access to contact logs and is responsible neither for processing personal data nor for informing users. The centralised approach has been associated with more privacy risks. Moreover, the EU Interoperability Gateway aims to harmonise covid-19 apps throughout the EU and create a common framework for a safe exchange of personal data between national apps, which can then also interoperate with each other.
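To make the difference between the two architectures concrete, and to show what the earlier paragraphs mean by pseudonymous proximity data and a 14-day retention window, the following is an added, simplified sketch written for this article. It is not the DP-3T or PEPP-PT specification and not code from either project: the identifier derivation (HMAC-SHA256 over a random daily seed), the 96 slots per day, the device and server class names and the three users Alice, Bob and Carol are all constructed assumptions. In the decentralised model a diagnosed user uploads only her daily seed; every phone re-derives the identifiers from published seeds and matches them against its own local log, so the server never learns who met whom. The centralised contrast case uploads each phone’s contact log to the server, which therefore holds the social graph.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed parameters for this sketch, not values from any real protocol specification.
EPHIDS_PER_DAY = 96   # one rotating identifier per 15-minute slot
RETENTION_DAYS = 14   # the 14-day window the article cites for contact records


def ephemeral_ids(seed: bytes) -> list[bytes]:
    """Derive a day's rotating broadcast identifiers from a secret daily seed (HMAC-SHA256, truncated)."""
    return [hmac.new(seed, slot.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
            for slot in range(EPHIDS_PER_DAY)]


class Device:
    """A phone: keeps its own seeds and the identifiers it has observed, both only locally."""

    def __init__(self, name: str):
        self.name = name
        self.seeds: dict[date, bytes] = {}
        self.observed: dict[date, set[bytes]] = {}

    def new_day(self, day: date) -> None:
        self.seeds[day] = secrets.token_bytes(32)
        self.purge(day)

    def purge(self, today: date) -> None:
        """Data minimisation: drop seeds and observations older than the retention window."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        for store in (self.seeds, self.observed):
            for day in [d for d in store if d < cutoff]:
                del store[day]

    def broadcast(self, day: date, slot: int) -> bytes:
        return ephemeral_ids(self.seeds[day])[slot]

    def observe(self, day: date, ephid: bytes) -> None:
        self.observed.setdefault(day, set()).add(ephid)

    def check_exposure_locally(self, published: list[tuple[date, bytes]]) -> bool:
        """Decentralised matching: re-derive identifiers from published seeds and compare on the device."""
        return any(self.observed.get(day, set()) & set(ephemeral_ids(seed))
                   for day, seed in published)


class DecentralisedServer:
    """Only ever receives (day, seed) pairs from diagnosed users; never sees who met whom."""

    def __init__(self):
        self.published: list[tuple[date, bytes]] = []

    def report_positive(self, device: Device, first: date, last: date) -> None:
        self.published.extend((d, s) for d, s in device.seeds.items() if first <= d <= last)


class CentralisedServer:
    """Contrast case: devices upload their contact logs and the server does the matching."""

    def __init__(self):
        self.contact_logs: dict[str, set[bytes]] = {}
        self.infected_ids: set[bytes] = set()

    def upload_contacts(self, device: Device) -> None:
        self.contact_logs[device.name] = set().union(*device.observed.values())

    def mark_infected(self, device: Device) -> None:
        for seed in device.seeds.values():
            self.infected_ids.update(ephemeral_ids(seed))

    def exposed(self, name: str) -> bool:
        return bool(self.contact_logs.get(name, set()) & self.infected_ids)


def run_scenario() -> dict:
    """Constructed scenario: Alice and Bob are near each other on day 0; Carol meets nobody."""
    day0 = date(2020, 10, 1)                     # constructed date
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    bob.observe(day0 - timedelta(days=15), b"\x00" * 16)   # stale record, must be purged
    for dev in (alice, bob, carol):
        dev.new_day(day0)
    bob.observe(day0, alice.broadcast(day0, 40))
    alice.observe(day0, bob.broadcast(day0, 40))

    dec = DecentralisedServer()
    dec.report_positive(alice, day0, day0)       # Alice uploads one seed, not her contact log

    cen = CentralisedServer()
    for dev in (alice, bob, carol):
        cen.upload_contacts(dev)                 # every user's contact log now sits on the server
    cen.mark_infected(alice)

    return {
        "decentralised": {"bob_exposed": bob.check_exposure_locally(dec.published),
                          "carol_exposed": carol.check_exposure_locally(dec.published),
                          "server_record_count": len(dec.published)},
        "centralised": {"bob_exposed": cen.exposed("bob"),
                        "server_holds_logs_of": sorted(cen.contact_logs)},
        "bob_days_retained": len(bob.observed),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Both models warn Bob and leave Carol alone, so the functional outcome is identical; what differs is what a breach of the server would expose. The decentralised server holds a single (day, seed) pair that reveals nothing about Alice’s contacts, while the centralised server holds every user’s observation log and can reconstruct who was near whom. The `purge` step illustrates the retention principle from the paper forms: Bob’s fifteen-day-old record is gone before any matching takes place.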
The measures to be implemented when introducing such technology can also be very simple: citizens must be informed of the correct download link for the respective covid-19 app so that they do not download third-party (lookalike) apps which would collect their data for other purposes.
Certain countries have also chosen to introduce covid-19 apps which monitor quarantine measures, in which users under mandatory quarantine enter their personal details and allow their location to be traced by the authorities to ensure that they indeed stay home. While first introduced on a voluntary basis, in Poland, for instance, such an app became mandatory for quarantining residents and went as far as to oblige them to send selfies within 20 minutes of being asked to do so, confirming that they had not left home.
Using people’s personal data, such as their name, location and photos of their face, poses an even greater risk to privacy and cybersecurity. Mass surveillance and the reuse of selfies by the authorities is one of the privacy drawbacks of these apps, especially as the police may have access to the data in order to enforce quarantine. At the very least, governments must make sure that once the obligatory quarantine is over, the data (including pictures) are erased as soon as possible.
While it may be understandable that these types of apps have been introduced so that, for example, law enforcement does not have to carry the burden of checking quarantine measures, it is questionable whether a monitoring app is the right way to proceed. It is enormously privacy-intrusive, and it may be a step too far by allowing a high degree of surveillance. The fact that it collects a lot of personal data (among these location data and photographs) raises questions on the correct adherence to the principle of data minimisation. This is why governments should rather focus on proximity tracing apps instead, while relying on common sense with regard to the respect for quarantine measures (and effective penalties to support this).
Governments must understand that in the fight against the covid-19 pandemic privacy is not an obstacle, but a strong weapon! After all, a system of contact tracing can only perform well if people are either not afraid to share personal data on their whereabouts with the authorities or feel comfortable enough to download covid-19 apps to trace their risk of becoming infected. To ensure this, authorities must be able to present strong privacy, data protection and cybersecurity measures to their citizens, which also have to be clearly highlighted and explained. It is precisely this gaining of trust by building strong privacy safeguards that governments must pursue, so that their legitimate efforts to fight the pandemic are not seen as another step towards Orwell’s 1984. Privacy must not become another victim of covid-19.