By our member, Eirini Koutsoukou
The unprecedented outbreak of the Corona Pandemic has clarified not only the (un)preparedness of national health systems but has brought into discussion the measures applied by governments in terms of human rights protection, proportionality and effectiveness. Given the urgency of the situation, States have incorporated to their political ‘armoury’ the measure of contact tracing, in order to enable the identification or estimation of COVID-19 cases and mainly the limitation of spread. Moreover, Apple and Google have introduced the ‘Exposure Notification’ applications, which facilitate States’ missions to view clearly the transmission of virus and its variants throughout their territories and consequently adapt their policy for the alleviation of their already degenerated public health systems. Therefore, the aim of this article is to examine whether the escalation of the current health crisis justifies the use of tracking applications, which prima facie affects the general scope of Data Protection and poses a dilemma; should the Right to be Forgotten be actually forgotten for the sake of the Right to Health?
- A Collaboration between IT Titans: Apple and Google on Exposure Notification
As stated afore, the outbreak of the pandemic revealed the weaknesses of national health and financial systems, thus the escalation of COVID-19 from an epidemic to a tremendous threat to the global health was rapid. The WHO Director General vividly stressed that ‘[…] We have therefore made the assessment that COVID-19 can be characterized as a pandemic. Pandemic is not a word to use lightly or carelessly. It is a word that, if misused, can cause unreasonable fear, or unjustified acceptance that the fight is over, leading to unnecessary suffering and death. […]We have never before seen a pandemic sparked by a Coronavirus. This is the first pandemic caused by a Coronavirus […] We have rung the alarm bell round and clear […]’.
The call for immediate response coincided with the announcement of collaboration between Apple and Google, which introduced the creation of specific applications, feasible to track contacts in iPhone and Android devices, in order to enable States to calculate the speed of spreading and consequently protect their citizens. This initiative was embraced by various countries all over the world, including China and Singapore (thus they suffered the most during the first wave of the pandemic) as well as EU countries, e.g. Spain, France etc.
- Exposure Notification System (ENS): Data Collection and Cultural Differences
The Apple and Google’s tracking applications have the ability to detect devices within a specific distance and duration, provided that public health authorities designate so. The operation of these applications enables the storage of unique identifying codes encrypted in devices. It should be mentioned that not all applications conduct the same missions, thus some of them focus on self-diagnosis, while others specialize on monitoring and notification of cases to public health authorities. Usually, these applications require the acceptance of sharing location, in order to guarantee the quality of the data and ameliorate epidemiological analyses and depending on their object, users fill in their personal details and potentially their symptoms, if the applications aim at self-diagnosis.
Bradford summarizes that Apple’s and Google’s Exposure Notification System generates and collects the following types of information:
- Bluetooth identifier codes and associated contact information, generated by the ENS and stored on individually devices;
- Diagnosed identifier codes for the confirmation of positive diagnosis;
- Associated encrypted metadata, which contain inter alia IP address, detectable by the app server and include information about the proximity and timing of contacts, stored decentrally on user devices, which will be decrypted locally in case of positive diagnosis;
- Notifications to exposed users, through the daily storage and broadcasting of identifier codes by the ENS. Moreover, the ENS will identify devices with codes and specific algorithms in order to assess the risk and degree of exposure;
- Potentially, a combination of these exposure information with individual user identities and location is promoted in terms of law enforcement, in case of quarantine breach, and facilitation of the public health policy by depicting regions with high infection rates.
2.1. Degree of Democratization and Human Rights Protection: Strong Sense of Commitment vs Sensitive Rights
The differentiation in applications designated by Eastern or Western authorities mainly relates to anonymity, which could be described as a consequence of their cultural background. More specifically, in Eastern countries such applications have access to more sensitive data and anonymity of users is discouraged, as an attempt from the respective authorities to depict that public health prevails individual data protection.
Indicatively, the South Korean ‘Self-quarantine safety protection’ application collects data on the user’s gender, health, nationality and locations , the latter of which based on the GPS tracking information mode that the application authorizes. Consequently, authorities are notified whether individuals comply with self-quarantine obligations or even inform other citizens in case they are found to have met a positive case. Similarly, in Singapore, a Bluetooth-enabled system notifies users whether they have been in contact with infected persons and although these applications enable users to not consent with the collection of such private information, the majority of population consents to the use and process of their data, because they support the cruciality of early identification and confrontation.
Moreover, the mandatory use of these tracing systems in Eastern countries reflects not only the sense of commitment as a ‘cultural’ feature, but foremost the level of democratization and human rights protection. In contrary, the notions of human rights protection and the degree of democratic deficit play a vital role in the European legal order; hence the latter constitute bases for the proportionality threshold in terms of human rights derogations.
- What about GDPR and COVID Treatment?
3.1. Health Data
Initially, Article 4 of the GDPR defines personal data as:
‘(1). […] any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(3) ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;’
Additionally, paragraphs 13-15 state that:
‘(13) ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
(14) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;’.
Particularly, Article 9(1) clarifies the prohibition of processing health data, yet paras. 2(h) and (i) stress that this prohibition is not absolute, provided that the processing of health, genetic or biometric data seeks the fortification of preventive or occupational medicine or is vital for reasons of public interest and especially public health, provided that legality and professional secrecy are guaranteed. As a result, Member States are obliged to take necessary measures to guarantee the protection of the fundamental rights and interests of the data subject.
3.2. Location Data and Anonymization
Nevertheless, it is crucial to mention that in terms of location data, national laws implementing the Directive 2002/58/EC (also known as the ‘ePrivacy Directive’) set the provisions of lawful process of traffic and location data, the first of which can only be shared with public authorities or third parties, provided the electronic communication service providers proceed with anonymization. The lawful process of location data requires the prior consent of users, whereas where location data is effectively anonymized, that data loses its personal character and can be processed without taking consideration of the GDPR obligations.
Moreover, the Guidelines 04/2020 of the European Data Protection Board on the use of location data and contact tracing tools for the fight against the pandemic emphasize that for anonymization to be effective, the ‘reasonability test’ and the ability to remove the feasibility to link the data with an identifiable natural person against any ‘reasonable’ effort.
As mentioned afore, the principle of proportionality constitutes the main criterion which may justify human rights derogations or limitations. More specifically, a prima facie human rights limitation is attributed as legal under the cumulative criteria of:
- Not touching upon the core of rights, which constitutes an essential prerequisite in the EU legal order;
- Legal provision;
- Corresponding to a legitimate aim;
- Necessity in democratic society/Stricto sensu proportionality.
The confrontation of this ever-increasing health crisis resulted in the promotion of tracing applications, which phenomenally infringe the aim of general data protection, thus their function allows access to sensitive data, e.g. when applications aim at self-diagnosis, or access location. It was also stressed previously, that the compulsory or optional process of personal data during the current crisis reflects the degree of democratization and cultural differences among states.
Since the GDPR’s scope encompasses the principles of legality-fairness and transparency, purpose limitation, data minimisation, and storage limitation, as well as accuracy-integrity-confidentiality and accountability, each Member State must establish a competent and independent authority to enforce the provisions of the Regulations and investigate the legality of processing, in addition to examining the complaints lodged by data subjects themselves for receiving effective judicial protection.
The latter argument is reinforced by the intensification of cybercrime during the pandemic, hence several malicious actors began registering domains with the words ‘Coronavirus’, ‘Corona’, ‘COVID-19’ and other relevant. In that way, cybercriminals were able to impersonate national health institutions or even the WHO, convincing individuals to perform actions or to spread fake news, thus they were giving the illusion of being a legitimate, acknowledged authority. Cybercriminals, taking advantage of the sudden outbreak and the psychological stress of individuals, used phising, ads or text messages, in which malicious links were attached and citizens fall victims to financial fraud simply by entering their personal data in malware software.
As a result, the fortification of cyber security both in national and international authorities is necessary for the increase of cyber-crime resilience and mitigation of attacks.
- Governance through IT?
Given the ever-increasing spread of COVID and the constant degeneration of national health systems, States seek to manage the repercussions of the crisis by enabling mass surveillance, which raises questions on the legality and proportionality of the measures applied, thus the intrusiveness of these measures create a dangerous environment, allowing governments to collect sensitive information beyond the necessity. Nevertheless, the European Data Protection Board and the Council of Europe have emphasized that data protection rules should not hinder the measures applied in the battle against the pandemic, because data protection should be considered as an essential means for building the necessary social trust. Without social trust, measures cannot prove their effectiveness and therefore the combination of social trust, human rights protection and effective health policy seems more than crucial. The building of public trust in government’s use of health data requires accountability to the IT sector and democratic control to the governance.
 WHO Director-General’s Opening Remarks at the Media Briefing on COVID-19 (11 March 2020); https://www.who.int/director-general/speeches/detail/who-director-general-s-opening-remarks-at-the-media-briefing-on-covid-19—11-march-2020.
 The Press Release on Apple and Google collaboration is available at https://developer.apple.com/documentation/exposurenotification/building_an_app_to_notify_users_of_covid-19_exposure .
 Laura Bradford, Mateo Aboy and Kathleen Liddell, ‘COVID-19 Contact Tracing Apps: A Stress Test for Privacy, the GDPR and Data Protection Regimes’ (2020) Journal of Law and the Biosciences, 1-21.
 Ibid; Press Release supra note ;
 BBVA, ‘How do Covid-19 Tracing Apps Work and What Kind of Data do They Use?’, available at: https://developer.apple.com/documentation/exposurenotification/building_an_app_to_notify_users_of_covid-19_exposure (accessed 17/3/2021).
 Ibid; See for instance Madrid’s ‘Asistencia Covid19’ tracing system, which covers the community of Madrid; https://coronavirus.comunidad.madrid/preguntas-frecuentes/ (accessed 17/3/2021).
 Bradford, op.cit..
 Ibid; Bradford, op.cit..
 For a conceptual analysis on human rights, proportionality and Covid-19, see Eirini Koutsoukou, ‘The Implementation of Solidarity in Health Crises. The Battle against the Covid-19 Pandemic and the Challenges of European Integration and Human Rights Protection’ (LLM thesis, University of Groningen 2020).
 Cherneva Boyka Ivaylova, ‘Legal Security as a Principle in Lawmaking’ (2017) 2 Globalization, the State and the Individual, 23-29; Pablo Martin Rodriguez, ‘The Principle of Legal Certainty and the Limits to the Applicability of EU Law’ (2016) 50 Cahiers de Droit Européen, 115-140; Tor-Inge Harbo, ‘The Function of the Proportionality Principle in EU Law’ (2010) 16 European Law Journal, 158-185; Epaminondas A. Marias, ‘Solidarity as an Objective of the European Union and the European Integration’ (1994) Legal Issues of European Integration 2, 85-114.
 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in electronic communication sector.
 Emanuele Ventrella, ‘Privacy in emergency circumstances: data protection and the COVID-19 pandemic’ (2020) ERA Forum 21, 379-393.
 Ventrella summarizes that three criteria should be taken into consideration for the evaluation of robustness of anonymization, i.e. a) isolating the individual from the group, b) linkability of records and c) inference, which describes deducing previously unknown information about the individual with significant probability. Ventrella, op.cit., 7 and the references cited therein.
 Koutsoukou, op.cit..
 Sionaidh Douglas-Scott, ‘The European Union and Human Rights after the Treaty of Lisbon’ (2011) 11 Human Rights Law Review 4, 645-682.
 Bradford, op.cit.; Mahsa Shabani, Tom Goffin and Heidi Mertes, ‘Reporting, recording and communication of COVID-19 cases in workplace: data protection as a moving target’ (2020) Journal of Law and the Biosciences, 1-5.
 Ventrella, op.cit..
 Nuffield Council on Bioethics, ‘Beyond the exit strategy: ethical use of data-driven technology in the fight against COVID-19’ (Webinar held jointly with the Ada Lovelace Institute), available at < https://www.nuffieldbioethics.org/publications/covid-19/webinar-beyond-the-exit-strategy-ethical-uses-of-data-driven-technology-in-the-fight-against-covid-19> (accessed 15/3/2021).
Eirini Koutsoukou is a Lawyer and Legal Researcher, LLM European Economic Law (University of Groningen) & LLM Public International Law (Democritus University of Thrace)| ✉ firstname.lastname@example.org