This blog post considers human rights dimensions in regard to GDPR and privacy, in light of the ongoing COVID-19 pandemic. Written by Adjunct Professor Katrin Nyman Metcalf, Department of Law, School of Business and Governance, Tallinn University of Technology, Estonia; Senior Legal Expert, Estonian eGovernance Academy
In popular debate as well as academia, there are many speculations about the role of technology in the COVID-19 pandemic and its role for our return to normal life. Imagine how an interoperable global system for tracing the COVID–19 virus could contribute to the return to normal business, travel, and other interaction!
We possess a tool which was not available to such an extent in any previous, major health emergencies. Most of us all over the world carry a powerful device capable of registering where we are and what we do, whom we meet and for how long. In addition, the same device permits authorities to get in touch with us directly and personally, to give advice or admonitions.
Clearly, in a situation in which it is important to trace the virus with the view to slowing its spread so the health sector can cope and isolating it as much as possible especially from vulnerable groups, such a tool should be explored fully. The coin has two sides however: A headline in Bangkok Post on 11 May 2020 states that:
“COVID’s real cost could well be eternal spying”.
The same technology that can be a powerful tool for good can also have negative effects. Technology is neither good nor bad – it depends on how it is used.
The question of contact tracing apps is complicated by several factors. Health data is universally regarded as sensitive. Contact-tracing means that often anonymised data would not be useful. Furthermore, if authorities get used to tracing apps to keep an eye on the movement of people, this may well lead to a temptation to keep doing this in various contexts. Should this mean that possibilities to use technology to help us combat the pandemic and return to normal life should be abandoned?
Who loves the GDPR?
Protection of human rights and fundamental freedoms was born not from peaceful, predictable times but from crises and calamities. So, there is no need to sacrifice rights and freedoms because of a crisis, however grave. Furthermore, many instruments that provide flesh on the bones of basic human rights include considerations of exceptional situations. Protection of privacy is included in most human rights instruments.
Data protection has emanated from this and developed in its own right, with the most famous instrument being the General Data Protection Regulation (GDPR) that influences data protection not just in the EU, but globally.
GDPR with its 173 recitals and 99 articles of EU legalese may not be love at first sight.
However, it does provide useful provisions for dealing with what may appear as a dilemma, a choice between protecting health or protecting privacy, but which in practice does not have to be a choice of either-or.
The core principles of the GDPR is that personal data should not be collected or processed to a greater extent than what is necessary given the purpose for which it is needed – requirements of proportionality and purpose limitation.
There is a need to have a system that enables such rules to be implemented and for independent oversight. This very brief summary of the principles of the GDPR makes it difficult to see what objections there could be to such principles in a democratic society. In an extraordinary situation, if there are extraordinary reasons to use data, this does not have to mean an exception from – or abrogation of – data protection rules, as it is possible to tailor the use in proportion for a specific purpose: even if that purpose is extraordinary!
Is consent needed?
It is a popular misconception that data protection rules, GDPR or others, always require consent of the data subject for any data processing. Such misconception may to some extent be useful, as it is good if anyone who plans to process personal data has in the back of their mind that the persons concerned should agree as much as possible.
This hopefully leads to attempts to design data processing in a manner that people would consent to if asked. However, the GDPR as well as most laws around the world contain several other grounds for legitimate data processing even in non-emergencies, for example that it is necessary in order to protect the vital interests of the data subject or other persons or that it is necessary for the performance of a task in the public interest. Even if it may have its positive side to see any data use through the prism of consent, it is nevertheless unfortunate to forget other legitimate grounds, which all deserve to be examined in their own right.
Although it would consequently be possible to argue for the compulsory use of technology, this commentator agrees with the widely spread view that contact tracing technology or similar tools for use in the Covid-19 crisis should be voluntary and require consent – at least for now. The caveat is added as the pandemic is unpredictable and it should not be ruled out that measures that are not even envisaged today will become necessary. It must be underlined that even should it become necessary to oblige people to undertake certain measures, like using a specific app, data must still be protected.
Data protection as a selling point
The limitation of existing systems is that they need a large number of people to use the same app for it to have any effect. Currently, systems are voluntary, and their uptake is impressive but not extraordinary. Technically, it would be possible to make an app compulsory both in the sense that it could be automatically added to people´s devices and in the sense that there could be a legal obligation to download it (perhaps coupled with a possibility to remotely verify that people indeed do this).
Cooperation between law and technology is essential. Even with an obligatory system, there would still probably be a range of possibilities to avoid it and if people are forced to use something, it is likely that they would find ways around it. Instead of presuming that an obligatory system is the only effective one, it is worth considering how to make a voluntary system so attractive that a sufficient number of people decide to use it. In this context, data protection can be an important selling point.
People are more likely to embrace a technology that they trust. If the purpose of collecting data is understood, trust will more easily follow. Even if anonymisation may not always be possible, given the purpose of the apps in question, it should be used whenever possible and data never kept longer than needed.
Lawyers or other privacy professionals should not assume that most people consciously make evaluations about the importance of data protection versus public health, security versus convenience or so on. People want to be respected as individuals, feel secure including vis-à-vis authorities, lead their daily lives in the manner of their choice – and they want to be healthy!
An argument about the finer points of the GDPR in light of any possible contact-tracing apps is much less effective than a clear demonstration of what the benefit of the app is. Public messages should take this as a starting point, which however is by no means a call to infantilise the debate: the legalistic calculations as well as the technical specification of what is done and how should be readily available for anyone who is interested. This is one of the things that transparency means in practice. However, real transparency also includes making the message understandable and clear without the need for everyone to study all details.
Professor Katrin Nyman Metcalf.
This is a series of updates regarding the Coronavirus from Human Rights Experts – read more here