1. Chronology of events
During the last month, i.e. since the focus has increased on the incidence of the COVID-19 pandemic with respect to personal data protection, we have witnessed the publication of the following main measures issued by some institutional bodies:
- On 16/03/2020 the document entitled “Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak” was published, in which the Chair of the European Data Protection Board (EDPB), Andrea Jelinek, declared: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
- On 19/03/2020 the EDPB document entitled “Statement on the processing of personal data in the context of the COVID-19 outbreak. Adopted on 19 March 2020” was published. In this document, the EDPB takes a formal position on the issue, which seems to be an expanded clarification and fully in line with what its Chair, Andrea Jelinek, has already expressed in the previous
The statement sets out the following four points: 1. Lawfulness of processing; 2. Core principles relating to the processing of personal data; 3. Use of mobile location data; 4. Employment. In summary, the previous contributions show that, both in the light of the GDPR (Regulation (EU) 2016/679) and under the rules of Directive 2002/58/EC (better known as the “e-Privacy Directive”; currently under discussion is the “Proposal for a Regulation of the European Parliament and of the Council on privacy and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on privacy and electronic communications)”, COM/2017/010 final - 2017/03 (COD), available here: https://eur-lex.europa.eu/legal-content/IT/ALL/?uri=CELEX%3A52017PC0010), personal data protection rules cannot be disregarded and any restrictive measures as a consequence of the pandemic should be adopted by ad hoc legislation.
- On 30/03/2020 the Council of Europe (CoE) published the document entitled “Joint Statement on the right to data protection in the context of the COVID-19 pandemic by Alessandra Pierucci, Chair of the Committee of Convention 108 and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe”. The central point of this statement is as follows: “According to Convention 108+ (see Article 11) exceptions shall be “provided for by law, respect the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society””. In essence, with reference to Convention 108+, it insists on the need for legislative action for possible restrictions in pandemic times. In addition, the document in question highlights 5 points: 1. Processing of health-related data; 2. Large-scale data processing; 3. Data processing by employers; 4. Mobile, computer data; 5. Data processing in educational systems.
- On 6/04/2020, Wojciech Wiewiórowski, European Data Protection Supervisor (EDPS), published a speech (in video and text) on the subject of “EU Digital Solidarity: a call for a pan-European approach against the pandemic”, in which, among other things, he states: “Therefore, we are going to work with the European Commission to make sure that any measures taken at European or national level are:
- Temporary – they are not here to stay after the crisis.
- Their purposes are limited – we know what we are doing.
- Access to the data is limited – we know who is doing what.
- We know what we will do both with results of our operations and with raw data used in the process – we know the way back to normality.”
Furthermore, we read “Given these divergences, the European Data Protection Supervisor calls for a pan-European model “COVID-19 mobile application”, coordinated at EU level. Ideally, coordination with the World Health Organisation should also take place, to ensure data protection by design globally from the start.” Clearly, the focus shifts to the need for a pan-European approach. The EDPS, therefore, suggests national measures that are temporary, with limited purpose and access to the data, awareness of what will be done with both the results of our operations and raw data. Finally, a call for a pan-European app is suggested.
- On 7/04/2020 the EDPB assigned a mandate to the technology expert subgroup with the document “Request for mandate regarding geolocation and other tracing tools in the context of the COVID-19 outbreak - Technology ESG”.
- On 7/04/2020 the Secretary General of the Council of Europe, Marija Pejčinović Burić, published a document entitled “Respecting democracy, rule of law and human rights in the framework of the COVID-19 sanitary crisis - A toolkit for member states” for governments across Europe on respect for human rights, democracy and the rule of law during the COVID-19 crisis.
- On 8/04/2020 the European Commission published the “COMMISSION RECOMMENDATION of 8.4.2020 on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data”.
The aims of the recommendation are stated in the following terms: “This recommendation sets up a process for developing a common approach, referred to as a Toolbox, to use digital means to address the crisis. The Toolbox will consist of practical measures for making effective use of technologies and data, with a focus on two areas in particular: (1) A pan-European approach for the use of mobile applications, coordinated at Union level, for empowering citizens to take effective and more targeted social distancing measures, and for warning, preventing and contact tracing to help limit the propagation of the COVID-19 disease. This will involve a methodology monitoring and sharing assessments of effectiveness of these applications, their interoperability and cross-border implications, and their respect for security, privacy and data protection; and (2) A common scheme for using anonymized and aggregated data on mobility of populations in order (i) to model and predict the evolution of the disease, (ii) to monitor the effectiveness of decision-making by Member States’ authorities on measures such as social distancing and confinement, and (iii) to inform a coordinated strategy for exiting from the COVID-19 crisis.” In essence, the recommendation takes on board not only the suggestion of the EDPS that a pan-European approach is needed, but also the development of a common scheme for the use of anonymous and aggregated data on the mobility of populations.
- On 8/04/2020 the Committee of Ministers of the Council of Europe published the “Recommendation CM/Rec(2020)1 of the Committee of Ministers to member States on the human rights impacts of algorithmic systems (Adopted by the Committee of Ministers on 8 April 2020 at the 1373rd meeting of the Ministers’ Deputies)”.
This recommendation, short but with a very extensive annex (Guidelines), obviously highlights human rights aspects.
1.1 What emerges from these institutional documents?
First of all, the need for an ad hoc law if a Member State wants to adopt specific solutions involving restrictions to contain the pandemic. The rules supporting this solution can be found in Article 15 of Directive 2002/58/EC (e-Privacy) and Article 23 of the GDPR. There is also a rapid but growing institutional awareness of the complexity of the issue of the impact of the pandemic on the protection of personal data. In fact, from the documents indicated, a clear and growing evolutionary trend emerges, which at the moment is at a standstill in the last two measures of 8 April (EU Commission and Committee of Ministers). In fact, the first statement by the Secretary of the EDPB seems only a reminder that - despite the growing expansion of the pandemic - the rules on the protection of personal data must still be respected. On the subject, on 19 March, a few hours before the publication of the EDPB statement, my contribution entitled “Coronavirus, apps and privacy: the GDPR’s legal approach is valid” was published, which highlighted - in a nutshell - that even in times of pandemic, the GDPR’s rules on the protection of personal data continue to apply and that, should it prove necessary, any development of solutions useful to facilitate and control the containment of the spread of contagion should be the subject of a specific law. With the second statement, the EDPB takes a much stronger institutional position, indicating the points to be taken into account in the relationship between pandemic and Data Protection. With the third institutional statement, the CoE seems to want to accentuate the importance of the protection of personal data, adhering to what has already been stated by the EDPB but adding further clarifications. 
The intervention of the EDPS, on the one hand, further underlines the importance of personal data protection, even recalling the lesson of Giovanni Buttarelli: “The GDPR clearly states that the processing of personal data must be aimed at the service of humanity”. On the other hand, the EDPS also points out the need for greater attention to the development of apps to contain the pandemic, highlighting the need for a pan-European app. The concepts, already stated, are taken up, developed and amplified by the European Commission and the Committee of Ministers of the Council of Europe. Following the intervention of the EDPS, I published a contribution entitled “COVID19 and tracking apps: an aware approach based on privacy and data protection rules”, in which I reiterated that the principles of data protection by design (Privacy by Design) and by default (Privacy by Default), according to Article 25(1) of the GDPR, should be respected in the development of any apps. I also pointed out, in the face of a debate that has developed online on the type of technical solution to be adopted (GPS, mobile operator cells, Bluetooth, etc.), that the technology is neutral with respect to standards, as better illustrated below. The further aspect that emerges from the measures in question concerns the development of “anti” (or “pro”, depending on the point of view) COVID-19 apps, aimed, that is, at facilitating the containment of the pandemic. There is no question about the general principles and the use of a correct approach to data protection rules and their precise application. Anti-COVID19 apps and their development are now the focus, together with the need for full compliance with the rules on the protection of personal data.
2. The neutrality of technology
How do I choose the technology to use for contact tracing apps and comply with data protection regulations? In my personal view this approach is incorrect. In general, compliance with legal regulations is always primary, while technical regulations can be an aid to the former, unless there is an express regulatory provision that identifies a precise technical solution. In the context of the protection of personal data, therefore, the main references are the rules in force both in Europe (the GDPR) and nationally, where they exist (for Italy, Legislative Decree 196/2003, as amended by Legislative Decree 101/2018). This being the case, the term “technical and organisational measures” is used in the GDPR, but without ever specifying which technical solution or technology can or should be adopted. Therefore, it is clear that in this context the technology is neutral with regard to the rules on the protection of personal data: in other words, any solution that is useful and in full compliance with the principles and legal rules in force can be adopted. After all, it could not be otherwise even if one looks at the principle of data protection by design and by default contained in Article 25 of the GDPR. The user (data subject) is at the centre and must be protected, while the technical component must guarantee the protection of personal data right from the design phase.
3. Tracing apps and contact tracing
The theme of COVID19 apps is in the foreground these days for several reasons. The first aspect is of a terminological nature, as both “tracing apps” and “tracking apps” are discussed. Which of the two expressions is meant? What is the correct definition? Without wishing to assume the role of linguist, the answers are to be found in the definitions of the verbs “to trace” and “to track”. The verb “to trace” means to locate backwards the path from the current point to the initial one (e.g. to locate the place from where a call was made). The verb “to track” means, instead, to follow the path that an object or subject will take forward, i.e. moving from a certain position thus following the movement (e.g. monitoring a mobile phone from its current position to where it will go). In fact, Apple and Google recently announced “a joint effort to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of the virus, with user privacy and security central to the design”. So, we have moved to the expression “contact tracing apps” by identifying contact tracing technology. The “joint effort” of Apple and Google is on the use of Bluetooth technology. The idea of using Bluetooth proposed by Apple and Google, however, is nothing new, since some researchers at MIT (https://news.mit.edu/2020/bluetooth-covid-19-contact-tracing-0409) had already talked about it before. In any case, it seems that the most accredited technical solution is Bluetooth. The intention here is not to highlight the technical component but to focus solely on the legal effects of contact tracing activities. In this regard, the aims to be pursued should be clarified: in general, it is necessary to contain the spread of the pandemic by monitoring infected people, preventing them from coming into contact with healthy people. In particular, however, it is not clear whether the monitoring concerns: a) a backwards time span (e.g. from when the app will be there, people are monitored in their movements), or b) forwards (e.g. from when the app will be there, people are monitored in their movements). This is crucial because it changes the meaning of the terms used, namely: considering the meanings of the terms tracing and tracking, perhaps it would be more appropriate to define as tracing the activity indicated in point a) and tracking that indicated in point b). In summary, it would seem that we should talk about tracking apps or contact tracking rather than contact tracing.
Having clarified this purely terminological aspect, which nevertheless helps to better understand the type of purpose to be pursued, it is appropriate to dwell on the relationship between contact tracing activities and the protection of personal data, considering its impact and effects. If contact tracing activities consist in monitoring a person - even if only on a voluntary basis - through their smartphone, there is no doubt that personal data are involved, with the consequent application of the rules contained in the GDPR. It is clear that, where the existence of personal data or at least the identifiability of a natural person is excluded, the GDPR does not apply. This being the case, in the whole contact tracing process it is not possible to exclude the identifiability of a natural person, since monitoring and analysis activities certainly proceed from personal data (as such associated with a natural person) to conclude with further personal data. In essence, if A is affected by coronavirus, I will certainly have his personal data and if the same A comes into contact with B who is a healthy person, the latter would be informed about the risks resulting from contact with an infected person. At this point, even if A and B are prevented from knowing about each other, mutually or in one direction only, monitoring activities will not be able to disregard personal data.
Therefore, in the entire contact tracing process, in the precise terms described above, the idea of being able to guarantee the right to the protection of personal data is an oxymoron, a contradiction in itself, which makes it impossible to implement the GDPR legal rules fully.
4. What might be the most suitable solutions?
At this point, considering the proposals in the field, it is legitimate to wonder what solution, using the available technologies, could help to stem the spread of contagion by monitoring people. The present contribution, as already underlined, is not intended to address purely technical issues or to favour one or more proposals, also because numerous scientific contributions have already been published that highlight more or less critical issues about one or the other of these (most recently with reference to Bluetooth). Therefore, the approach will remain the legal one, to assess the impact - in principle - of a technical solution in the area of personal data protection. As has been said, the technological solution to be found cannot disregard the regulatory provisions on the protection of personal data. In particular, it is necessary to proceed from the definition of personal data contained in the GDPR (Art. 4(1)), i.e. “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Therefore, the application of the data protection rules can only be excluded if the data in question are not personal data within the definition set out in the GDPR and just quoted. Very often attention is focused on the expression “identified”, without considering that the GDPR also covers the natural person who is “identifiable”, that is, one who can be identified, directly or indirectly.
The purposes related to the development of these apps consist of complex tracking and monitoring activities aimed at identifying individuals affected by or cured of coronavirus, then anonymizing their personal data and creating alerts to the rest of the population, or in restricted areas, or based on distance from that source. The crucial point is to guarantee anonymity both to those who are or have been affected by coronavirus and to those who are not. It is hardly necessary to recall that with document WP216 of 10/04/2014 entitled “Opinion 05/2014 on anonymisation techniques” the Working Party illustrated the main solutions, including differential privacy, and concluded that pseudonymisation is not a method of anonymisation. Furthermore, it concluded that anonymisation techniques can only provide guarantees of privacy protection and can only be used to create effective anonymisation procedures if their application is properly designed. It was also stated that, on the one hand, anonymisation and reidentification are active research topics and new findings are regularly published and, on the other hand, even anonymised data, such as statistics, can be used to enrich existing profiles of individuals, thus leading to new data protection problems. Indeed, it is no coincidence that in 1997 Professor Latanya Sweeney, with her contribution entitled ‘Computational Disclosure Control A Primer on Data Privacy Protection’, demonstrated how data resulting after the application of anonymisation techniques can be vulnerable and therefore used to reidentify people. This is only to highlight that although algorithmic solutions are used to anonymize data, it cannot be excluded that one or more individuals may be identified by reverse tracing or reverse processing.
In my personal view, and without any intention of expounding on possible scientific solutions or of diminishing or delegitimising their scope, in the light of current legislation on the protection of personal data it is extremely difficult to exclude not only the identification but also the identifiability of a natural person. Moreover, the EDPS himself stated in an interview with ANSA Europe on 9 April: “It is impossible for the tracking of the individual person to remain anonymous even if it is necessary for effective monitoring of the spread of the coronavirus: this is why the issue must be addressed by the Data Protection Act (GDPR)”.