Committee on Civil Liberties, Justice and Home Affairs

“Privacy or public health: Where controlling the pandemic in order to protect citizens’ health appears often to come at the expense of those citizens’ privacy, governments must walk a thin line. What should the EU do in order to minimise the impact of the pandemic while taking into account the right to privacy of all citizens?”

By Thijs Verdam (NL)

Relevance of topic

Since the beginning of the coronavirus pandemic, governments have been searching for the best ways to contain the virus. Naturally, they first looked towards traditional measures such as mandatory quarantine and manual contact tracing. However, governments are also looking at more innovative ways to combat the virus. Numerous countries have, for instance, come up with apps to track close contacts of their citizens. These forms of digital surveillance might be essential in winning the battle against the virus, though many civil rights groups, citizens and national parliaments have expressed their concern about the threat to the right of privacy many of these digital surveillance techniques pose.
The area in which governments run the greatest risk of compromising their citizens’ right to privacy in the context of the pandemic is digital contact tracing. Digital contact tracing can be executed through apps working with GPS and/or Bluetooth, and through QR codes that you scan to fill in personal details or to map out your route before leaving the house, as in Moscow. Manual contact tracing presents several issues, including recall bias and delays in communicating with high-risk contacts, not to mention its potential to compromise personal freedom, as we see in France with the attestation form system. Digital contact tracing apps have come under scrutiny with regard to the potential for governments and other groups to access personal information, and use it for other purposes. The lack of confidence in the security of these apps is a crucial challenge, as in order for them to be effective they must reach significant levels of adoption, which requires widespread public trust.

Key actors

The World Health Organization (WHO) is the body of the United Nations (UN) concerned with issues of health. As such, they monitor the development of the pandemic worldwide, undertake research into the virus and give guidance to national Health Departments.
Google and Apple play a major role in the development of contact tracing apps, as software developers for some of the most used mobile phone operating systems. Surprisingly, they have even collaborated with each other in releasing the basic software for Bluetooth-based contact tracing apps. This software could then be used by national Health Departments to develop their own apps.
The Council of Europe (CoE) is the main European human rights organisation. The main achievement of the Council was the establishment of the European Convention on Human Rights (ECHR). The ECHR established fundamental human rights such as the right to freedom of expression, the right of assembly and also the right to privacy. It is also the initiator of Convention 108 on data protection. The Council of Europe has put together a coronavirus toolkit to guide governments as they make difficult decisions with regard to human rights in their responses to the pandemic.
The European Commission, the Council (of Ministers of the EU) and the European Parliament are the principal European lawmakers. The General Data Protection Regulation (GDPR) was instituted by the European Commission, the Council and the European Parliament. Changes to the GDPR would have to undergo the same legislative process again.
The European Data Protection Board (EDPB) is a European body tasked with ensuring consistent application of the GDPR and promoting unity between national Data Protection Authorities (DPAs). DPAs are tasked with ensuring compliance with privacy regulation, especially the GDPR, and provide expert advice on data protection issues. The Chair of the EDPB has said that data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic, and that even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects.National governments are the institutions taking measures to attempt to mitigate the negative impacts of the Covid-19 pandemic. These are often limitations of essential freedoms, such as freedom of movement (e.g. in the form of lockdowns) and, of course, the right to privacy. While public health is a competence shared between the EU and its individual Member States, primary responsibility for health protection and, in particular, healthcare systems continues to lie with the Member States. These healthcare systems are responsible for testing, quarantine and contact tracing policy.

Key conflicts

It is in the interests of all parties to work as quickly as possible to combat the pandemic. Some say that the health data gathered through digital surveillance is essential for fighting the pandemic as manual contact tracing is too slow: once all contacts have been tracked down, they could already have passed on the virus. In South Korea, Singapore and China mobile apps have been used to great effect. However, the used methods of digital surveillance can mean a significant breach of our right to privacy and the apps in South Korea and China have come under data protection scrutiny.

Two main methods are in use for contact tracing: GPS and Bluetooth. Users’ GPS data is collected by apps or is provided by telecom providers. While all EU governments claim that the data is anonymised, it can be quite easy to attach a person’s name to anonymised data. Bluetooth contact tracing is more anonymous and seems to be more effective and precise too, but can provide a malicious government with even more valuable information about a person’s close contacts. Even in the case of a benevolent government, there is still a risk that the data will be used for other purposes than to fight the pandemic. How can we ensure that citizens’ movement data is kept anonymous, while the data essential to digital contact tracing is collected to help monitor and control the spread of the virus? 

The EU has released an interoperability gateway (see under Measures in place) in order that digital contact tracing apps can work across borders. This gateway now works for the German, Irish and Italian apps. However, this platform may risk citizens’ data falling into the hands of national health departments or governments that are not their own. Could this risk decrease citizens’ willingness to use such apps?
A breach of the right to privacy via these tracing apps may pose future risks to other rights, such as the right to freedom of expression and the freedom of assembly. Montenegro, which is a candidate Member State, is a good example of the possible effects of the breach of privacy. There, the government puts up listson the internet of people who are or should be in quarantine, asking citizens to help enforce it. ‘People whose health status, identities and location are publicly exposed are at greater risk of stigma and discrimination, which can have detrimental effects on their private and family lives and social and professional situations’, according to the United Nations Development Programme. While the UN states that tracking without violating the right to privacy is possible, the topic is controversial and public trust in the concept of mobile tracing apps has already been eroded. This poses a significant threat to the success of digital tracing apps, as it is important for their efficacy that they are used by a large part of the population.

Measures in place

The first measures on a European level on the topic of data protection were taken by the Council of Europe in the form of Convention 108. Because this Convention was instituted by the Council of Europe, it is binding for more countries (47 countries) than the law of the European Union discussed below. The Convention is an elaboration on the right to privacy laid down in Article 8 of the ECHR.
In 2018 the EU launched the General Data Privacy Regulation (GDPR). Its main goal is to give individuals control over their personal data and simplify the regulatory framework for international business by unifying privacy regulation in the EU. Under the GDPR, data controllers must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the European Economic Area (EEA). Public authorities, and businesses whose core activities consist of regular or systematic processing of personal data, are required to employ a Data Protection Officer (DPO), who is responsible for managing compliance with the GDPR. There are provisions in the GDPR that allow for the collection, use and necessary sharing of personal data related to health in the context of an epidemic. However, these provisions are vague, while the GDPR as a regulation is quite rigid. This means it is very difficult to balance the provisions with the requirements of the fight against a pandemic.
The WHO has released a guide on essential and recommended surveillance. It lists several key actions for COVID-19 surveillance. Among them are the use of surveillance and contact tracing systems, expanding testing capacity and the implementation of immediate reporting (of statistics).
The European Commission has published guidance for the data protection standards of apps fighting the pandemic. This guidance sets out various standards, including that the use of the app should be voluntary; that data is not kept longer than necessary; that data should be stored on an individual’s device and encrypted; and that DPAs be consulted in the development of an app.
The European Data Protection Board (EDPB) and the Council of Europe have released similar statements on the question of privacy in the times of the pandemic. They state that the GDPR and Convention 108 do not pose a restriction to measures taken to fight the coronavirus. They do emphasize that these measures are proportionate and limited to an emergency period.
Many national Health Departments have now already introduced apps which trace your close contacts. For instance, the German ministry of Health launched their app in June. The Belgian app was launched in September and the Dutch launched their app in October. All three of these apps work with Bluetooth technology. The European Commission has also brought out an interface so that national contacting tracing apps could work cross-border.

What now?

It is clear that it is and it will be difficult to strike a balance between individuals’ rights and health surveillance. Some questions we could pose in this regard are:

– Should we go back to or stay with manual contact tracing to maintain the right to privacy?
– Should digital contact tracing track movements in more detail and notify people further down the contact chain in order to to further improve its efficacy?
– If implemented, how long should digital surveillance measures stay in place and could these measures not pose a risk to our privacy after the pandemic?
– Should it be monitored more carefully (possibly using location data) that people are observing quarantine rules, and how will this impact the mental welfare of citizens?

Links for further research:

Your Data Privacy During a Pandemic – The Medical Futurist
Ensuring data privacy as we battle COVID-19 – OECD
In a global pandemic, do we still have a right to privacy? – United Nations Development Programme