The health emergency related to the #COVID19 pandemic is attracting particular attention in the privacy field, including with regard to possible initiatives to develop specific apps. Today, the European Data Protection Supervisor (EDPS) delivered an intervention entitled “EU Digital Solidarity: a call for a pan-European approach against the pandemic”.
In particular, the EDPS intervention states:
“The GDPR clearly states that the processing of personal data should be designed to serve mankind (it was the favourite quote from GDPR for my predecessor Giovanni Buttarelli).”
In the same intervention, the EDPS says:
“the European Data Protection Supervisor calls for a pan-European model ‘COVID-19 mobile application’, coordinated at EU level. Ideally, coordination with the World Health Organisation should also take place, to ensure data protection by design globally from the start”
Apart from the positions I have already expressed on this topic in other contributions, the intervention mentioned above offers the opportunity for further thoughts. The “tracking apps” topic must be approached with extreme caution and balance, considering that the technological solutions that can be used to face the pandemic must not compromise privacy.
The impact of developing such solutions must be assessed in advance, striking the correct balance between fundamental rights, the value of the individual, human dignity and public needs, and opting in any case for technologies that are also ethically sustainable. To avoid unnecessary and sterile misunderstandings, this must not lead to a position that is, in principle, contrary to technological development.
On the contrary, I believe that innovation and the development of solutions should be encouraged through the use of emerging technologies. However, it is clear that in this balance, specific technological choices must not take precedence over the protection of personal data and privacy; the approach must not be reversed.
The technological solution to be adopted must, however, respect the existing regulatory framework, according to the principle of technology neutrality with respect to personal data protection and privacy. A result will be effective when it is neutral with respect to the regulatory framework on the matter; moreover, neither the GDPR itself nor any other rules subject to conventions or treaties provide any indication of specific technologies.
Therefore, the principles laid down in Articles 5 and 25 of the GDPR should be considered fundamental with respect to this topic. Before its concrete development, any technological solution must already have passed, during the design phase, the appropriate assessments of compliance with the principle laid down by Article 25 GDPR (Data protection by design and by default). Furthermore, the same technological solution must ensure that, by default, only the personal data necessary for each specific purpose of the processing is processed.
According to the GDPR, these principles are put into effect by implementing appropriate technical and organizational measures. The approach must therefore start from a process that logically precedes the solution, which remains neutral. In conclusion, the correct approach must always be to focus on standards, not to centre on the technological solution or on the choice of which one is the most suitable.