CATEGORY: INTERNATIONAL LAW
The outbreak of Covid-19 has led governments and private actors to employ unprecedented actions in order to effectively mitigate or even eliminate the spread of the coronavirus disease.
The extensively high transmissivity of Covid-19 imposes severe doubts on the effectiveness of traditional tracing and tracking methods and therefore the search for more forceful strategies and methods, led inevitably to artificial intelligence, Big Data and personal data.
It is hardly disputable that the common contact tracing is highly labour intensive, requires meetings with infected people and is considerably reliant on human memory. Therefore, the solution to these obstacles seemed to be the development of tracing applications. All over the world, applications were created usually under the monitoring of each Government, so as to track people who are at risk or infected by the disease using their location data. More specifically, in Cyprus, the Research Centre of Excellence in Research and Innovation (RISE) has developed an App called “COVTRACER” to combat the coronavirus spread.
How do these Apps work?
Since there are various tracing applications, their mode of operation varies as well. The general concept and the basic idea of all Apps is the access and analysation of location data submitted or collected from the App users and the creation of a virtual map of a person’s movements.
Through such Applications, the user can be notified in a timely manner in case of proximity or contact with an infected person.
In Cyprus, COVTRACER creates a timestamped log based on the user’s location and movement, which is stored privately on each user’s device. If users get infected, they can voluntarily share their log file with the respective health authorities in order to locate the places each infected user has visited and also notify through the App other users who have been in close proximity with them.
Are there any legal concerns about these Apps?
It is no surprise that a general belief nowadays, after the development of Tracing Apps, is that privacy and data protection might be the next casualty of coronavirus.
The mode of operation of such Applications, triggers -primarily- the three following questions and concerns:
If in the abovementioned questions the answer is positive, then tracking and tracing Applications may result in serious violations of the General Data Protection Regulation (GDPR), the ePrivacy Directive and other relevant national laws, such as The Protection of Individuals Against the Processing of Personal Data and the Free Movement of such Data Law of 2018 (125(I)/2018).
How do these Apps comply with the data protection laws?
The basis on which Tracing Applications are developed, is consent and anonymisation. Users of such Apps are constantly in control of their data, which are only stored on there devices, unless the user extracts and shares them with health officials. Even in instances where data are shared, tracing Apps are mainly focused on notifying other users which were in close proximity with the infected person, without revealing the identity of neither the infected person, nor the people in danger due to proximity.
Some Tracing Applications, in order to ensure that personal data such as location data are only used for a specific purpose, which is the reduction of the spread of the infectious disease via informing users in risk, store personal data only for a limited period of time. After a couple of weeks of the initial collection (depending on the pandemic’s status quo) location data are irretrievably destroyed.
Moreover, tracking Apps are expected to request and to store only the data that are necessary for the purpose of the application and nothing more than that. Following the Data Minimisation Principle, the collection of personal data that do not constitute a necessity for the achievement of a specific purpose, is deemed to be in breach of data protection laws.
As far as data storage is concerned, all personal data should be stored exclusively in the device of each user in an encrypted manner so as to protect the user from potential malicious intrusions and hacking.
The voluntary character of such Apps is a prerequisite for their legitimacy. Individuals should be allowed to choose freely whether they will use the Application or not and they should have full control over their personal data. This control extends even in cases of coronavirus infection since the infected user should choose freely whether to share their location and other data or not.
How does COVTRACER complies with data protection standards?
- The user alone chooses whether to extract location data and whom to supply them to.
- The App creates a digital archive of the location of each user which lasts for a specific period.
- All data are exclusively stored on the user’s device unless the user chooses to extract them.
- The user is able to switch off and switch on the tracking of the App at any point.
- Industry standards, namely physical, technical and administrative safeguards were employed to protect the user against privacy violations (e.g. hacking).
Tracking and tracing applications raise serious concerns, especially in relation to data sharing and privacy protection. Due to these concerns, several privacy policies were adopted and such applications were developed following strict guidelines, in order to ensure that the users’ personal data are protected and that the operation of the applications complies with the GDPR and the ePrivacy Directive.
Even though an evaluation of these Applications is premature at this point, we are optimistic that, if the presented guidelines and policies are strictly followed, the privacy of users will remain almost intact.
Currently, the greatest challenge is to make individuals trust that such Applications are safe to use and to ensure the potential users that their personal data will be handled in accordance with privacy protection laws.
Finally, Governments and developers of tracking and tracing applications shall remember that, despite the fact that limiting certain fundamental rights and freedoms is permitted in instances where public health is in danger, such limitation still has to comply with the established laws on data protection and privacy. After all, the goal is to eradicate a crisis, not to enable a new one.
Authors: MARIA LAZARIDOU