COVID 19 and Privacy: Personal data rights

Written by: Foteini Zampati, GODAN Data Rights Research Adviser

Many issues have arisen around privacy, personal and open data in the wake of the spreading COVID-19 pandemic. Not least the human and digital rights questions raised by the tracking and surveillance methods that governments, private companies and NGOs are taking in an attempt to mitigate risk and slow the further spread of the virus.
The Corona Virus pandemic is clearly demonstrating the value and risks of using data for public decision making, the huge power and potential of technologies; but also, the need for rigorous data governance.

Currently, the world  seems to be divided into two camps: Those who believe that the use of potentially sensitive data and invasive surveillance technologies is necessary in order to contain and manage the pandemic; and others who raise concerns about individual privacy and data protection over contact-tracking measures being enforced in the name of public interest and health.

So where should the line between public interest and privacy be drawn during this crisis?

In response to the aforementioned concerns, the EU/EEA data protection authorities released a series of guidelines on the processing of personal data and continuity of their role in the context of the Corona Virus.

The European Data Protection Board (EDPB) followed suit, issuing a statement on 16 March, 2020. The statement focused on acceptable standards for data use and processing for reasons of public interest and protecting vital interest, while taking into account compliance with other legal obligations (for example, Articles 6 and 9 of the General Data Protection Regulation). In addition, the EDPB stated that pre-existing rules for processing electronic communications will continue to apply, as laid out in the ePrivacy Directive.

Andrea Jelinek, Chair of the European Data Protection Board (EDPB), stated: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

In exceptional times of crisis, governments are able to legitimately invoke emergency powers. But even though the declaration of a state of emergency is a legal condition under which restrictions of freedom can be legitimised, these restrictions must be proportionate and solely limited to the emergency period.

Nevertheless, an increasing number of more people seem to be concerned about the measures some governments have taken in response to the pandemic.

There are many who believe the decisions that governments make now to confront the pandemic will shape the future and that the COVID-19 pandemic could serve as an excuse for indiscriminate mass surveillance, permanently undermining the individual’s right to privacy, or serving as justification for compromising people’s digital safety. Many fear that this pandemic will further increase the gap in human rights already evident between different levels of society.

These concerns are wholly justified. When information is missing or inaccessible, it is normal to draw conclusions about what governments might be hiding. Data, now more than ever, is an essential tool in decision-making. It is imperative for all stakeholders involved to have access to up-to-date information to deal with this crisis, and therefore necessary that governments openly release all information surrounding COVID-19. Of course it is important that scientists, epidemiologists and researchers, who can use this personal data to model outcomes, have access to it. But it is also important that individuals are aware of how their data is being used, and that principles of privacy and data processing are being applied.

Up until now, no COVID-related data has been released by governments. Making data open without restrictions on access is the best way to ensure it can be used by the people who need it most. When people are concerned about how their personal data is being handled, they seek transparency. Therefore, in order to retain trust, governments need to be clear about how data is being collected, used and shared; with whom, and for what purpose. It is essential that any agreement between a public and private entity must be transparent and openly published to enable public scrutiny and accountability.

Nowadays, there is concern that once governments put public surveillance measures in place, it becomes complicated to roll them back retrospectively. Thus, much care will have to be taken to ensure data collection remains proportionate, temporary and limited only to necessary information.

Recently, I came across an interesting initiative: a joint statement from civil society organisations stating their belief that government use of digital surveillance technologies during the course of the current pandemic must respect human rights. The open letter was signed by a total of 108 organisations. Among them: Amnesty International, Privacy International, the Open Data Institute, the Open Rights Group, the World Wide Web Foundation, Human Rights Watch, European Digital Rights (EDRi), and the Digital Rights Lawyers Initiative (DRLI).

The organisations involved voiced concern that once government measures are put in place for civilian surveillance, it may become extremely difficult to return to the status quo. Specifically, they recommend that measures adopted by national Governments to address the pandemic must remain lawful, necessary and proportionate: They must be provided for by law, justified by legitimate public health objectives - as determined by the appropriate public health authorities - and be proportionate to those needs. Their collective view is that governments must be transparent about the measures they are taking in the current circumstances.

The letter also acknowledges that security precautions must be taken concerning any personal data collected. This should include any hardware and software, and systems security; but also making any devices, applications, networks, or services involved in the collection, transmission, processing, and storage of the data secure. The call also demands that any claims that collected information is anonymous must be based on concrete evidence, and supported with proof of how it has been anonymized.

The current crisis has only served to highlight the imperative need for responsible data governance. Even though data and technology are key factors in tackling the difficulties the global community are currently facing, they are only the means to an end, and people - and their individual rights and freedoms - must be at the centre of any decision or policy making. Any technologies used to collect, transmit or store personal data – including techniques such as cryptography and anonymisation - must ensure end-user privacy. More than ever we need to take into account and be aware of the ethics surrounding regulation if we are to protect the human rights we currently enjoy.