Data and coronavirus
What do the European data protection authorities say about the exceptional measures of the pandemic?
You might remember that the European General Data Protection Regulation (GDPR) given the avalanche of e-mails you received in around May 2018 when it came into force. Collectives such as the European Digital Rights (EDRi), a federation of digital rights associations from the European Union (UE), considered this a victory for civil society: it was the first time that there was a Community regulation that forced all EU Member States to prosecute the fraudulent use of our data. The spirit of the 11 chapters and 99 articles of the regulation are perfectly summarised in an article by the journalist Karma Peiró.
This is why there was certain concern among the sectors most apprehensive of their privacy when the Italian government announced that it was to use anonymous data from Facebook to track the movements of locals from Lombardy, or when the Italian mobile phone operator Asstel or the Austrian A1 announced that they were to transfer data on their users to their respective executives so that citizens could be geolocated. It did not help when the UK health secretary Matt Hancock reminded the public that the regulation did not prevent governments from using their data for reasons of “public interest”. And this is hardly surprising, considering that, according to the specialist media Golem.de, the app promoted by the German government enables Bluetooth to provide the authorities with information when a person comes into contact with someone who is contagious. This is proof that technology is able to precisely control our movements.
Recently, the Spanish government transferred this apprehension to the Catalan-speaking regions when it was discovered to have commissioned a mobility study from the Health department in order to comprehend the expansion of the pandemic. As a result of the urgency and of the concerns triggered, the European Data Protection Board issued a statement on 19th March signed by its chairman, Andrea Jelinek, establishing what a government strictly applying the GDPR can and cannot do done. Here are some of the most noteworthy points:
– The Member States must explain in detail the use they want to make of this data, including the time during which it can be used. This information must be made accessible and must be written in plain language. Furthermore, the appropriate security measures must be taken to ensure third parties are unable to access the data.
– To avoid stigmatisation, no civil servant may publish the full name of an individual who had contracted the virus without first informing said individual of such and ensuring his or her integrity and dignity are preserved.
– Data processing during the current pandemic is foreseen by the regulation. European law allows for the appropriate health authorities to process data under the obligations of confidentiality that apply to the employees controlling it. This includes geolocation, despite the fact that this must be anonymous. The spirit of the regulation means that the least intrusive option must always take priority. But there are limits: these measures must be in line with the European Convention on Human Rights, can be revoked by the European Court of Justice and the European Court of Human Rights, and their duration must be limited to the period of the state of emergency.
Once we overcome the virus, we must weigh up whether these precepts have been fulfilled.
