In 2017, BBC launched an app called ‘BBC Pandemic’ as part of a nation-wide experiment in the UK that collected data of volunteers who used the app to model how an infectious disease like flu would spread and affect people living in the UK. The app collected volunteers’ location data, user profiles, user encounters, from which researchers at the University of Cambridge and the London School of Hygiene and Tropical Medicine extracted data (age, gender, location patterns) and built a mathematical model addressing for example questions such as the fatality rate. A documentary about the experiment aired in 2018, showing the audience a glimpse of how data might be central to respond to the spread of infectious disease.
As the Covid-19 pandemic ravages the world, the value of data has come to the forefront of policies to contain the spread of the virus and allow healthcare providers and researchers to exchange data. Examples range from using mobile applications to track contacts of people who have tested positive or to allow app users to track their symptoms to accessing telecommunications and internet service provider data to monitor and control population movement. In this blog, we aim to give our tentative observations on the controversy surrounding the emergent need to respond pandemic and data protection rules.
Regional Legal Framework for Privacy and Data Protection
As processing of personal data has become the main bloodline of our lives, so has the significance of rules regulating it in some form. For some experts, it is less likely to achieve harmonised data protection standards around the world in the short-term (Bygrave 2012), though some experts viewed earlier in the last decade that only China and the USA are real outliers (Greenleaf 2012). There has been some progress at the UN level to establish common standards but this work is not yet recognised by all states.
However, privacy and data protection standards in Europe have been the subject of very substantial harmonisation over the past 50 years. In the wider Europe, all 47 countries of the Council of Europe are parties to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108; Convention 108). It has also been opened to non-Council of Europe states, of which 11 have been authorised to join. The Convention was updated in 2018 (now known as 108+) in light of contemporary challenges and all Council of Europe states have signed it. The European Union updated its data protection legislation in 2016 with the General Data Protection Regulation (Regulation (EU) 2016/679; GDPR) (addressing both private and state sector). It is generally recognised that the GDPR and, its predecessor, the Data Protection Directive (Directive 95/46) set a ‘gold’ standard of data protection. Both EU and Council of Europe legislators when updating their measures were very aware of the challenges of technological developments to the rights of individuals. All these measures (GDPR, Council of Europe Protocol) were adopted to ensure a correct balance between the rights of data subjects and other state and commercial interests in the use of personal data. Yet, in these times of pandemic, some state and private sector actors seek to change the rules and to rewrite the conditions under which they have access to and use of personal data.
Hypothesis: ‘Data protection rules slow down the response to the Covid-19 pandemic’
An argument against the GDPR is that its strict rules prevent collection and use of data and slow down data-oriented responses such as AI-based solutions that otherwise should have addressed the outbreak more rapidly. This argument illustrates the ongoing scepticismtowards the GDPR as an obstacle to innovation and economic growth.
Contrary to this argument, the GDPR does not prohibit the collection of data. As emphasised by the Chair of European Data Protection Board (EDPB) and some experts, those principles do not present an obstacle to data-driven responses to counter the spread of virus. The GDPR does not prohibit the data processing activities, but instead permits them if certain principles are met. It does so in order to ensure the respect to individuals’ integrity, dignity and fundamental rights such as the right to privacy.
The GDPR is not the only regional framework that is applicable to processing of personal data. As mentioned above, Convention 108, adopted in 1981 predating the GDPR and modernised in 2018 (Convention 108+), contains similar rules and principles applicable to processing of personal data. These principles differ according to the type of data in question.
In these Covid-19 times, when a number of actors see an opportunity to open up access to personal data or in other words to diminish privacy protections, it is worth reiterating the rules.
Processing of Non-Sensitive Personal Data
According to the European regional data protection frameworks, processing of personal data, which is data that identifies an individual or makes him identifiable, is allowed provided that certain principles are observed: i.e. lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, as well as accountability. According to the lawfulness principle, the processing of personal data must be based on data subject’s consent or other legal grounds stipulated in the GDPR (Article 6 of GDPR). Data subject’s consent can provide the legal basis for data processing provided that it is obtained in accordance with the requirements under the GDPR; that are freely given, specific, informed and unambiguous indication of the data subject’s wishes by a statement or a clear affirmative action (Article 4(11) of GDPR). This raises, for example, questions on whether proximity-based contact tracing application might rely on consent. The CJEU observed that data subject’s consent would be undermined if he did not have a real choice of objecting to processing of his data (C-291/12 Michael Schwarz v Stadt Bochum). The former Article 29 Working Party took into account of the balance between the data subject and the data controller and considered that ‘if consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given’ (Article 29, Guidelines on Consent, 2018). This means that voluntary participation with contact tracing applications might not necessarily rely on consent as the legal basis to process the data.
Moreover, a number of other legal bases might be relevant for the processing of data for reasons of public health emergency. First, the processing is lawful where it is necessary to ‘protect the vital interests of the data subject or of another natural person (Article 6(1)(d) of GDPR).’ This legal ground is in a sense secondary because it provides the valid legal base if the processing cannot be based on other legal bases provided under the GDPR. The second legal basis for the processing of personal data is where it is ‘in accordance with the legal obligation to which the data controller is subject’ or where it is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ (Article 6(1)(e) of GDPR). Data processing for reasons of public interest may serve processing activities in the order to contain and monitor the Covid-19 pandemic. In fact, the GDPR mentions these two legal bases, processing for vital interests and reasons of public interest can overlap ‘for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread’ (Recital 46 of GDPR). For the legal grounds on the basis of vital interest or public interest, the processing must reach the ‘necessity’ threshold, that is the processing must be proportionate to achieve the aim and the result of processing cannot be achieved in a less intrusive way. Moreover, neither of these legal grounds provides carte blanche to process data for an unlimited period. Processing on these grounds is allowed so long as reasons to protect vital interests and/or public interests exist. For example, when the threat of the spread of the virus ceases to exist, so does the appropriateness of the public interest ground to process data. Finally, data processing for reasons of public interest must be mandated by law.
Processing of Sensitive Data
The European regulatory framework on data protection is based upon the premise that certain types of data require stricter protection than other types of data because their processing might result in higher privacy and security risks. Both the GDPR and Convention 108+ treat genetic and biometric data and data concerning the state of health of individuals as ‘sensitive data’ (Article 9(1) of GDPR; Article 6 of Convention 108+). The European Court of Human Rights (ECtHR) upheld that health data must be subject to stricter safeguards than non-sensitive data (Z v Finland). Processing of this special category of data is prohibited unless it is carried out for specific purposes and under certain conditions.
According to the GDPR, sensitive data cannot be processed unless the data subject explicitly consents or it is based other appropriate legal grounds (Article 9 of GDPR). A couple of legal grounds for which sensitive data processing is allowed stand out here. First, sensitive data can be processed if it is necessary for reasons of health care (‘the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’; Article 9(2)(h) of GDPR). This legal ground covers data processing carried out for provisions of direct health-related services such as hospital admissions and other related administrative purposes, and planning and commission of health-care services such as production of datasets on admissions. In the context of Covid-19 pandemic, this relates to processing of sensitive data for medical diagnosis including Covid-19 testing and planning and running health services in response to the pandemic. Second, it can be processed if it is ‘necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices’ (Article 9(2)(i) of GDPR). This legal ground covers wider public health issues such as allocation of resources, and health-care needs (Recital 54 GDPR). Third, sensitive data can be processed if it is necessary for the protection of vital interest of data subject or other natural persons (Article 9(2)(c) of GDPR). This legal ground however, is only applicable in limited scenarios where the data subject is physically or legally incapable of giving consent, for example when he or she is unconscious or is a minor. Reference to reasons for protecting vital interest of ‘other natural persons’ indicates that even though the data subject is incapable of giving consent, his sensitive data can be processed if he has a communicable disease and other natural person might be infected. However, it does not cover sensitive data processing for general medical research such as clinical trials to cure the disease. Finally, the GDPR allows for processing of sensitive data for medical research if it is authorised by law, which adheres to the principle of proportionality, respects the essence of right to protection of personal data, and provides specific safeguards for the protection of individuals’ fundamental rights and interests (Article 9(1)(j) of GDPR). As recognised by the EDPB, this legal ground is prominent for the processing of sensitive data when conducting general medical research on the Covid-19 pandemic (EDPB, Guidelines 03/2020).
Convention 108+ prohibits the processing of sensitive data unless it is based on law which provides appropriate safeguards that complement data protection safeguards enshrined in the Convention (Article 6 of Convention 108+). The Council of Europe’s Recommendation CM/Rec(2019)2 on the protection of health data considers the application of the Convention to processing of health-related data. Although the Recommendation is not binding, it provides a policy framework that the Council of Europe states should implement in their national laws. It provides the legal grounds on which health-related data can be processed. Thus, the Chair of the Committee of Convention 108+ and the Data Protection Commissioner of the Council of Europe endorsed the Recommendation in their Joint Statement on 30 March 2020 as the framework that practices of sensitive data sharing between health professionals and between health and other professionals should follow.
Privacy and Principles of Proportionality and Necessity
In addition to the European regulatory framework, any authorisation of the processing of data must be in line with the fundamental rights standards enshrined in Article 8 of the ECHR (right to private life) and Articles 7 (right to private life) and 8 (right to protection of personal data) of the EU Charter. Limitations to these rights must be subject to the general principles of legality, necessity and proportionality. Both the ECtHR and the CJEU have required laws authorising collection of personal data to be defined sufficiently clear allowing data subjects to know what types of data would be collected, for which purposes, how long it would be retained and which authorities – if any – could access it (S and Marper v UK; Joined Cases C-203/15 and C-689/15 Tele2; Opinion 1/15. See here and here for commentaries on Tele2 and Opinion 1/15). The law must pursue a legitimate aim for the collection and use of data. Protection of health as well as the protection of the rights and freedoms of others (for example the right to life under Article 2 of the ECHR) amount to a legitimate aim required for justifying interferences with the rights to privacy and protection of personal data. Such interference must also conform to the principles of necessity and proportionality. This would require an analysis on whether collection and use of data fit within the pursued objective.
While contact-tracing applications have been vastly promoted to contain the coronavirus, there are mixed reactions to this type of information collection, particularly in light of reportsrelating to past epidemics and other humanitarian crises. Without evidence on the efficacy of collection and use of data for reasons of public health emergency, questions arise on the necessity of those activities under fundamental rights standards as well as regarding their societal impact.
Conclusion
The European framework of privacy and data protection is robust, up to date and designed to be sensitive to the needs of the modern world. It has been upgraded over the past decade to accommodate technological change and to establish a robust and durable framework for people, states and businesses. The Council of Europe’s Convention 108+ and the EU’s GDPR were designed and negotiated in full knowledge of the interests and demands of all the actors. Both frameworks provide an ample margin for exceptional use of personal data in times of crises, but in all cases protect the interest of the individual in the use of his data.
New technologies that challenge the existing legal framework of data protection must be tailored and revised so that they comply with it before being put into operation. This is because in Europe, at least, we have reached a consensus on how best to protect people while enabling technological development. To use an analogy, our manufacturing industries can produce cars that run at 250 kilometres an hour but we have chosen to limit the speed at which cars can be driven to less than half that for reasons of public safety. Applying the same reasoning by analogy, just because a company has designed a computer programme that can pry into the most intimate details of our lives and make all sorts of calculations on the basis of that information does not mean that we as societies have to accept those technologies. We are entitled to place legislative restrictions on them, as we have done.
The claim that the current data protection regime is inadequate for the current challenges is not correct. The current regime, recently overhauled expresses the limits which European societies have placed on the use of personal data, in particular sensitive personal data. We must not allow the Covid-19 pandemic panic us into accepting lower data protection standards and less privacy.