Article by Nicola Fabiano, President of the San Marino Data Protection Authority
- 1. Chronology of events and documents
During the last month, i.e. since the focus has increased on the incidence of the COVID-19 pandemic concerning personal data protection, we have witnessed the publication of the following main measures issued by some institutional bodies:
- On 16/03/2020 the document entitled “Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak” was published with which the Chair of the European Data Protection Board (EDPB), Andrea Jelinek, he declared “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.“
- On 19/03/2020 the EDPB document entitled “Statement on the processing of personal data in the context of the COVID-19 outbreak. Adopted on 19 March 2020“ was published. In this document, the EDPB takes a formal position on the issue, which seems to be an expanded clarification and fully in line with what its Chair, Andrea Jelinek, has already expressed in the previous statement.
The statement exposes the following four points: 1. Lawfulness of processing; 2. Core principles relating to the processing of personal data; 3. Use of mobile location data; 4. Employment.
In summary, the previous contributions show that both in the light of the GDPR (Regulation (EU) 2016/679) and under the rules of Directive 2002/58/EC (better known as the “e-Privacy Directive” – Currently under discussion is the “Proposal for a Regulation of the European Parliament and of the Council on privacy and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on privacy and electronic communications)”, COM/2017/010 final – 2017/03 (COD), available here: https://eur-lex.europa.eu/legal-content/IT/ALL/?uri=CELEX%3A52017PC0010) personal data protection rules cannot be disregarded and any restrictive measures as a consequence of the pandemic should be adopted by ad hoc legislation.
- On 30/03/2020 the Council of Europe (CoE) published the document entitled “Joint Statement on the right to data protection in the context of the COVID-19 pandemic by Alessandra Pierucci, Chair of the Committee of Convention 108 and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe“. The central point of this statement is as follows: “According to Convention 108+ (see Article 11) exceptions shall be “provided for by law, respect the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society“. Basically, referring fundamentally to Convention 108+, it insists on the need for legislative action for possible restrictions in pandemic times. In addition, the document in question highlights 5 points: 1. Processing of health-related data; 2. Large-scale data processing; 3. Data processing by employers; 4. Mobile, computer data; 5. Data processing in educational systems.
- 6/04/2020, Wojciech Wiewiórowski, European Data Protection Supervisor (EDPS), published a speech (in video and text) on the subject of “EU Digital Solidarity: a call for a pan-European approach against the pandemic” with which, by the way, he states: “Therefore, we are going to work with the European Commission to make sure that any measures taken at European or national level are:
- Temporary – they are not here to stay after the crisis.
- Their purposes are limited – we know what we are doing.
- Access to the data is limited – we know who is doing what.
- We know what we will do both with results of our operations and with raw data used in the process – we know the way back to normality.“
Furthermore, we read “Given these divergences, the European Data Protection Supervisor calls for a pan-European model “COVID-19 mobile application”, coordinated at EU level. Ideally, coordination with the World Health Organisation should also take place, to ensure data protection by design globally from the start.”
Clearly, the focus shifts to the need for a pan-European approach.
The EDPS, therefore, suggests national measures that are temporary, with limited purpose and access to the data, awareness of what will be done with both the results of our operations and raw data. Finally, a call for a pan-European app is suggested.
- On 7/04/2020 the EDPB assigned a mandate to the technology expert subgroup with the document “Request for mandate regarding geolocation and other tracing tools in the context of the COVID-19 outbreak – Technology ESG“.
- On 7/04/2020 the Secretary General of the Council of Europe, Marija Pejčinović Burić, published a document entitled “Respecting democracy, rule of law and human rights in the framework of the COVID-19 sanitary crisis – A toolkit for member states” for governments across Europe on respect for human rights, democracy and the rule of law during the COVID-19 crisis.
- On 8/04/2020 the European Commission published the “COMMISSION RECOMMENDATION of 8.4.2020 on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data“.
The aims of the recommendation are stated in the following terms:
“This recommendation sets up a process for developing a common approach, referred to as a Toolbox, to use digital means to address the crisis. The Toolbox will consist of practical measures for making effective use of technologies and data, with a focus on two areas in particular:
(1) A pan-European approach for the use of mobile applications, coordinated at Union level, for empowering citizens to take effective and more targeted social distancing measures, and for warning, preventing and contact tracing to help limit the propagation of the COVID-19 disease. This will involve a methodology monitoring and sharing assessments of effectiveness of these applications, their interoperability and cross-border implications, and their respect for security, privacy and data protection; and
(2) A common scheme for using anonymized and aggregated data on mobility of populations in order (i) to model and predict the evolution of the disease, (ii) to monitor the effectiveness of decision-making by Member States’ authorities on measures such as social distancing and confinement, and (iii) to inform a coordinated strategy for exiting from the COVID-19 crisis.”
In essence, not only is the suggestion of the EPDS that a pan-European approach is needed, but also the development of a common scheme for the use of anonymous and aggregated data on the mobility of populations taken on board.
- On 8/04/2020 the Committee of Ministers of the Council of Europe published the “Recommendation CM/Rec(2020)1 of the Committee of Ministers to member States on the human rights impacts of algorithmic systems (Adopted by the Committee of Ministers on 8 April 2020 at the 1373rd meeting of the Ministers’ Deputies)“.
This recommendation, short but with a very extensive annex (Guidelines), obviously highlights human rights aspects.
- On 14/04/2020 the EDPB published the text of the letter to Olivier Micol, Head of Unit European Commission DG for Justice and Consumers, Unit C.3 – Data protection, with which it basically shares the pan-European and coordinated approach. The points can be summarized as follows: a) the Commission sought the EDPB for its advice on the draft Guidance on apps supporting the fight against COVID-19 pandemic; b) the EDPB welcomes the Commission’s initiative in developing a pan-European and coordinated approach; c) the EDPB believes that it is a step in the right direction to highlight the essential need to consult with data protection authorities to ensure that personal data is processed lawfully, respecting the rights of the individuals, in accordance with data protection law; d) the development of the apps should be made in an accountable way, documenting with a data protection impact assessment all the implemented privacy by design and privacy by default mechanisms, and the source code should be made publicly available for the widest possible scrutiny by the scientific community; e) at this stage, and on the basis of the information provided by the Commission, the EDPB can only focus on the overall goal of the envisaged apps, to verify whether they are in line with data protection principles, and on the mechanisms provided for the exercise of the rights and freedoms of the population; f) the EDPB strongly supports the Commission’s proposal for a voluntary adoption of such apps, a choice that should be made by individuals as a token of collective responsibility; g) The EDPB notes that the mere fact that the use of the contact tracing takes place on a voluntary basis, does not mean that the processing of personal data by public authorities necessarily be based on the consent. When public authorities provide a service, based on a mandate assigned by and in line with requirements laid down in law, it appears that the most relevant legal basis for the processing is the necessity for the performance of a task for public interest; h) the EDPB strongly supports the concept in the Recommendations that once this crisis is over, such emergency system should not remain in use, and as a general rule, the collected data should be erased or anonymised.
- On 15/04/2020 the European Commission announces and publishes the “Joint European Roadmap towards lifting COVID-19 containment measures”. This joint document by the European Commission and the Council of Europe, among the accompanying measures, indicates under point 2 “Create a framework for contact tracing and warning with the use of mobile apps, which respects data privacy” specifying – among other things – that “The use of such mobile applications should be voluntary for individuals, based on users’ consent and fully respecting European privacy and personal data protection rules”.
- On 16/04/2020 the European Commission announces and publishes the document “EU toolbox for the use of mobile applications for contact tracing and warning”. In this document, regard privacy, we read: “The common approach aims to exploit the latest privacy-enhancing technological solutions that enable at-risk individuals to be contacted and, if necessarily, to be tested as quickly as possible, regardless of where she is and the app she is using. It explains the essential requirements for national apps, namely that they be:
- approved by the national health authority;
- privacy-preserving – personal data is securely encrypted; and
- dismantled as soon as no longer needed.
The added value of these apps is that they can record contacts that a person may not notice or remember”.
The long and articulated list of institutional documents denotes a gradually increasing awareness by all institutional bodies on the subject of contact tracing and the impact on the rules on the protection of personal data. It seems that those above public institutions have acquired an awareness of the real impact of contact tracing solutions on personal data and privacy of individuals, as well as the existence of related risks.
The position of the European Commission is dominant on this issue, probably also reinforced by the active involvement of the European Council, which intervenes in the joint roadmap. Equally important on the one hand is the institutional role of the EDPS and the other side the same EDPB’s position on the specific topic of personal data protection.
It is clear that there is a concern about the protection of personal data and that institutional bodies cannot disregard compliance with the GDPR, Convention 108+, the Charter of Fundamental Rights of the European Union, the Treaties and soft law. The European Data Protection Board (EDPB) and national data protection authorities – supervisory authorities – play a decisive role in helping institutional bodies to provide adequate support in this area.
The topic of contact tracing and apps to be developed for the containment of the COVID19 pandemic, specifically regarding the impact on individuals’ personal data, is extremely delicate, and here we do not intend to propose technical solutions or comment on those known.
On the one hand, and precisely from what emerges from the numerous documents published, it is clear that there is an awareness of the impact that the issues of contact tracing can have with regard to the privacy and the protection of personal data.
On the other hand, it seems equally clear that there is an attempt by the European institutions – probably unaware – to move towards a kind of European digital sovereignty or at least an address in this direction. Indeed, the European Commission’s position in the joint roadmap, the Council of Europe’s position on the impact on human rights, the EDPS and EDPB documents on privacy and personal data protection are all in favour of a pan-European solution with specific ways.
However, if Europe (consciously or unknowingly) has moved towards digital sovereignty, the impact of contact tracing on privacy and data protection should give some thought to the impact of choosing a specific technology.
It should not be overlooked that the main reference remains always and in any case the laws in force both in Europe (the GDPR and the others mentioned) and nationally, where they exist (for Italy, Legislative Decree 196/2003, as amended by Legislative Decree 101/2018).
This being the case, it does not escape the attentive interpreter that the expression “technical and organisational measures” is used in GDPR but never specifying which technical solution or technology can or should be adopted. Moreover, the European legislator could not have indicated the technological solution(s) but only the purposes for the protection of personal data.
Therefore, it is clear that in this specific context the technology is neutral about the laws on the protection of personal data, i.e. any solution can be adopted which involves full compliance with the principles and legal rules in force.
The criterion of technical and organizational measures, required by the GDPR, can be expressed in different solutions according to the principle that we want to apply. Thus, this criterion could be expressed in different solutions but always aimed at achieving the same purpose, for example in the hypothesis of Article 25 (data protection by design and protection by default) or in that of Article 32 (security of processing).
The user (data subject) is always at the centre and must be protected, while the technical component must ensure the protection of personal data.
- Contact tracing and ethics
The topic related to contact tracing and apps, and the impact on privacy and data protection also has ethical implications.
Ethics offers the opportunity to mention the recent contribution of Prof. Luciano Floridi entitled “Mind the app – considerations on the ethical risks of COVID-19 apps”, in which the author concludes by expressing a specific concern for what could be the effects of the choice and design of a contact tracing app. We read in his contribution “It is clear that we are entering some uncharted areas of digital ethics. The way forward may lie in designing the right policies that incentive the adoption of the app (voluntary, mandatory or a mix of the two), and/or in a different architecture of the app (e.g. more centralised, using GPS data etc.), and/or the nature of the hardware required (think of a cheap, freely-distributed Bluetooth-based tracker, like those that one can attach to one’s keys to find them at home), and/or how the app is used (think of an app-hub, able to support a whole family through only one mobile phone, in connection with other Bluetooth trackers). But any solution should take care of its ethical implications, and be flexible enough to be improved rapidly, to rectify potential shortcomings and take advantage of new opportunities, as the pandemics develops.”
About privacy, prof. Floridi says “For once, the difficult problem is _not privacy_. A Bluetooth-based app can use anonymous data, recorded only in the mobile phone, used exclusively to send alerts in case of contact with people infected, in a non-centralised way. It is not easy but it is feasible. Of course, it is trivially true that there are and there might always be privacy issues. The point is that, in this case, they can be made much less pressing than other issues. However, once (or, if one is more sceptical than I am, even if) privacy is taken care of, other ethical difficulties need to be resolved. They concern the effectiveness and fairness of the app.”
In sharing the idea of the centrality and essentiality of ethics, unfortunately completely ignored by institutional bodies in the documents mentioned above, it is not possible to consider it as an external element in perspective oriented to privacy and personal data protection issues.
The protection of personal data cannot disregard ethics and an ethical approach by proceeding precisely from the application of legal norms.
The GDPR must also be applied (and therefore respected) with an ethically oriented approach that takes into account the impact of the solutions (technological and non-technological) adopted by all parties (owners, managers, authorities, etc.) and compliance with the principles set out (ex Articles 5, 25, etc.).
Moreover, Prof. Floridi, in his contribution entitled “Soft ethics, the governance of the digital and the General Data Protection Regulation“, described in detail how is fundamental soft ethics (for the interpretative and applicative part of the GDPR in particular) also as a part of the framework explained by him.
Therefore, even for the contact tracing context and the related apps, when assessing their impact on privacy and personal data, we cannot avoid to refer to Ethics and, thus, adopt an ethical approach.