Challenges for privacy protection while implementing the COVID-19 countermeasures
The measures taken for managing the COVID-19 crisis are the focus of governments, public and private enterprises, and the civil society sector around the world. Quite unexpectedly, the dynamic measures largely affect the issue of processing different categories of personal data. The laws on personal data protection, including the General Data Protection Regulation (GDPR), are not an obstacle to the implementation of the COVID-19 countermeasures taken to combat the pandemic and they should represent support for protecting citizens’ interests.
Several issues related to the right to personal data protection when adopting new such measures for managing the COVID-19 crisis have caused debate in the Republic of North Macedonia. The first issue is related to the monitoring of the movement of citizens who are in self-isolation through a mobile application, i.e. by monitoring the geo-location, and the second issue concerns the public disclosure of the name, surname and address of residence/stay of the persons in self-isolation.
Following the principles of personal data protection established in the Law on Personal Data Protection, including the General Data Protection Regulation (GDPR), special attention should be paid to the legality of personal data processing. Institutions that are directly involved in the implementation and enforcement of COVID-19 countermeasures, process various categories of personal data needed to protect the country’s essential public health interests. It is especially important to note that in emergencies like this one, institutions are not obliged to obtain the consent of citizens for processing personal data. Although the consent of citizens is not a condition for processing personal data, the authorities are obliged to process personal data only for specific and clear purposes, to be transparent and to inform the citizens about the ways of processing their data, the volume of processed personal data, as well as the deadlines within which this data will be stored.
Tracking the location on mobile phones
The governments of several European countries believe that tracking the location on mobile phones is a potentially good measure for managing the COVID-19 crisis. According to the processing regulations of telecommunication data, the location data can only be processed by the operator only if it is anonymised or with the prior consent of the individual whose personal data should be processed. However, in emergencies, the exception to this rule states that the Government may adopt measures that will primarily aim at protecting public health and safety while taking into account the justification of the need, the scope of data and the limitation of the deadlines within which this data will be processed. Before deciding on the use of such invasive measures, the Government should make a serious assessment of the capacities of those who will be involved in their implementation. This assessment should especially answer the questions of which institutions will have access to this data, who will control the monitoring process, how and at what point will the monitoring of the people who have been cured or whose period of self-isolation has passed be terminated, and whether the state provides adequate judicial protection to persons whose right to personal data protection may be violated during the implementation of this measure.
Public disclosure of name, surname and address of residence/stay
According to the Law on Personal Data Protection, data related to health, including data on the received health care, are a separate category of data or sensitive personal data. Because of this, it is forbidden to process special categories of personal data unless by exception, i.e. if the processing is necessary for the public interest in the field of public health, such as protection against serious cross-border health threats or providing high-quality standards and health care safety. This exception applies to the volume of personal data collected without the consent of citizens in times of crisis such as the COVID-19 crisis, their sharing between institutions, mapping and the like. This exception does NOT apply to the public disclosure of personal data about infected persons or persons in self-isolation.
Before deciding to take new COVID-19 countermeasures, it is necessary to conduct:
- extensive consultation with institutions such as the Agency for Personal Data Protection, the Operational Technical Agency, the Ministry of Interior and the relevant civil society organizations operating in the field of human rights protection;
- analysis of the case law, especially since the European Court of Human Rights has made decisions that define the public disclosure of personal data of people infected with the virus as against the law;
- a serious test of the harmfulness of the application of the envisaged measures in terms of which rights would be violated in the name of protecting the essential interests of the state (violation of the right to privacy, stigmatization of patients and their families, etc.); and
- analysis of the experiences from the implementation of the same or similar measures in other countries that can serve as an example and lesson for our country.
In consultation with several EDRi members (European Digital Rights Initiative), we present some of the experiences of several European countries.
In the Netherlands, a special government decision stipulates that the Ministry of Health, within 24 hours of receiving a positive COVID-19 test, notify the mayor of the municipality in which the infected person lives about their identity and health condition. The only thing the mayor of the municipality is allowed do is to impose a measure of mandatory domestic or hospital quarantine on the infected person. Also, the mayor can use the help of the police to check whether the person respects the measure without violating the privacy of the infected person. According to the current legal norms in the Netherlands, public disclosure of personal data of infected persons or persons in self-isolation is not an option at all.
Slovakia has released a detailed map with the location of people infected with COVID-19. The map did not contain a name and surname but contained gender and age, and zooming in for more detailed insight into the address was also possible. Experts in the field of personal data protection considered this solution problematic, especially its application for smaller towns and villages where the identity of individuals is easy to detect and stigmatization is unavoidable. Only a few days after the map was published, the Government issued a statement of apology to the citizens where it admits its mistake and the data on the map were reduced only to data on the municipality and the number of infected. The use of the detailed map is strictly limited to institutions responsible for implementing the measures, and this use is regulated by a specially adopted law exclusively for the state of emergency during the pandemic.
In Ireland, stigmatization of people infected with COVID-19 is one of the main reasons why public disclosure of personal data is not allowed. According to the authorities, the disclosure of such data will not result in anything other than a large number of people refusing to be tested just so that they are not made public if the tests are positive. Based on this view, in revealing the first cases, the authorities only announced that they were citizens of the eastern part of the country without specifying the municipalities from which the persons came. When a case of an infected school employee appeared, the name of the school was published, and the media’s interest in finding out the identity of the infected was condemned by the citizens as a violation of privacy.
The stance of the Czech Republic on this matter is that the disclosure of personal data of infected persons or persons in self-isolation is dangerous due to the possibility of violence from the environment and stigmatization of the persons. One case strengthened this stance of the authorities when a team of health workers went in a small area in the Czech Republic to perform a swab test on a young man who had just returned from Peru. The locals, who saw the situation, immediately began to exert pressure on the whole family – not to leave the house or move anywhere in the neighbourhood.
Two mobile applications are used in Israel. The first gives citizens information about whether they are close to a person infected with COVID-19, while the second gives information about whether they are close to a person in self-isolation. Neither application reveals the exact location or identity of the individuals. Also, Israel is fully using the country’s security infrastructure, including counter-terrorism measures.
More than 90 countries are implementing similar measures to deal with COVID-19 while keeping an eye on the balance between protecting the public interest and basic human rights.
The Metamorphosis Foundation, through its program Human Rights Online, represents human rights online, helping communities cope with the enormous changes that result from the growing influence of new technologies. Metamorphosis focuses on protecting privacy by strengthening the capacity of citizens, institutions and the business sector to function in a digital society.