Contact tracing beyond the pandemic?
This is the first in our blog series on EU law and civic space. #EUlaw4civicfreedoms
Let’s imagine that, following a massive government campaign on the necessity of contact tracing apps to contain the current Covid19 pandemic without imposing an indefinite lockdown, the residents of a EU country feel urged to install an app that shares users’ personal information and travel and location data with health authorities and with the police. The government justifies the sharing of data with the police as necessary to make sure that contaminated people respect quarantine and confinement measures for the risk they pose to public health, and get sanctioned if they don’t. However, there is not much transparency around whose and which data are being transmitted to the police and why. At the same time, an increase in searches of certain activists’ and CSOs’ premises is registered during the pandemic, supposedly to verify conformity with precautionary requirements – and is accompanied by the imposition of heavy sanctions. As a result, concerns start growing among activists and civil society organizations (CSOs) that these data are being used to enable government’s authorities to put them under surveillance with the aim of unduly interfering with their activities. These practices continue in the aftermath of the emergency, with authorities also starting to arbitrarily refuse authorisation for or disrupting events, gatherings and demonstrations involving those activists and CSOs.
Contact tracing & abusive surveillance: a not so far away scenario
Governments around the world, including in the EU, are exploring the use of data and technology to strengthen their responses to the coronavirus pandemic. Many are contracting companies to develop Covid19 contact tracing apps, supposed to trace contacts of people exposed to the disease and help to track and prevent its further spread. In some non-European countries, like India, the use of such apps is already mandatory, with fines and even detention imposed to those that refuse to download them.
Besides the many doubts expressed by experts over their effectiveness – including the World Health Organisation – at a recent debate organised by a group of members of the European Parliament, the problem with these apps is that they collect a large quantity of data, including personal and sensitive data, which may be stored and processed in ways which could leave them exposed to breach and abuse. This has sparked a vivid debate within the EU on how to make sure that the development and use of such apps is in line with EU data protection law – with Hungary, e.g., already rushing to preventively suspend altogether rights of data subjects with a view to implementing their contact-tracing programme.
The European Data Protection Board (EDPB) has issued guidelines for app developers on the matter and the European Commission has also come up with general guidance for Member States. Civil society and human rights organisations, including ECNL, have also already raised their concerns. Indeed, some governments may not want to waste such an opportunity to put critics and watchdogs under constant surveillance, even beyond the pandemic.
EU law is there to protect everybody’s privacy – and civic freedoms
Privacy and data protection are fundamental rights enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights (CFR) – the EU human rights catalogue. These fundamental rights have been translated in EU rules which set common legal standards to ensure that any measure adopted by an EU member state involving the processing and storing of personal data respects the principles of necessity and proportionality, including as regards purpose limitation, data minimisation and data retention. These EU rules are contained in the General Data Protection Regulation (GDPR) and, as regards processing of personal data by law enforcement authorities, in the Data Protection Law Enforcement Directive.
The application of such common privacy and data protection standards to contact tracing apps translates into a number of minimum requirements. The main recommendations set out by the European Data Protection Board and civil society experts include:
- the obligation to ensure that apps do not allow users to be directly identified when using the application, or their movements be traced;
- the definite lifetime of contact tracing apps, requiring their deactivation and uninstallation and the deletion of all collected data from all databases as soon as the Covid19 emergency is over;
- the use of commonly understood and accessible source codes that can be subject to public and transparent audit during and after the use of such apps;
- strict purpose limitation, meaning that apps must not be used for any other purpose than Covid19 contact tracing, which also excludes the use of data for monitoring compliance with quarantine or confinement measures and/or social distancing as well as the use of data to locate users;
- strict data minimisation, meaning that apps should process only the data that is essential to make the tracing work (which would, for example, exclude location data);
- the obligation to give users clear and transparent information on all personal data that are collected, how such data are used and stored and all parties with which they are shared and why;
- the obligation to allow users to provide freely their authorisation and to withdraw consent at all times;
- the limitation of data storage, including by preferring the use of decentralised protocols to that of centralised servers;
- the need to ensure privacy, data protection, and security by design;
- the availability of effective and expedited avenues for users to exercise their rights and get remedy if they suspect that their data protection and privacy rights are violated.
These principles, given expression in relevant provisions of the GDPR and the Data Protection Law Enforcement Directive, can be relied upon to stop EU governments from abusing data and technology such as contact tracing apps to violate people’s privacy and data protection rights. This includes measures which, going beyond the scope they were meant for, may place activists and CSOs under surveillance, for the purpose of obstructing their work and restricting their civic freedoms.
Alongside with the violation of EU rules on data protection, breaches by the government of other fundamental rights and freedoms enshrined in the CFR may also be invoked. Having regards to the way the contested national measures may affect activists and CSOs, reference could be made to civic freedoms such as freedom of expression and of information (Article 11 CFR) and freedom of assembly and of association (Article 12 CFR).
Calling on national and EU bodies to enforce EU rules
When rights and freedoms are violated, bringing the matter before competent courts is the first thing one may think about. Litigation can be a very effective means to enforce one’s rights and get redress. But it can take time and may be difficult to take forward, including for CSOs already under strain. In addition, in certain situations, building a strong case requires specialised and costly expertise – as it may be the case for breaches of complex data protection and privacy rules.
In such circumstances, individuals and organizations can consider turning to national and EU bodies which can assess the contested national measures and take action to urge public authorities to remedy a violation. Specialised bodies exist at national level which can take up complaints and investigate alleged breaches in different areas covered by EU law. This is the case, as regards data protection, of the national Data Protection Authorities (DPAs), which supervise, through investigative and corrective powers, the application of data protection law, including EU rules. An example is the recent inquiry opened by EDPB, the EU network of DPAs, on the suspension of rights of data subject decided by Hungary, following a call by CSOs, which raises concern as regards the respect of relevant standards including as regards users’ consent and right to restriction of and objection to processing as well as the right to an effective remedy in case of breaches.
Complaints on systemic breaches of EU law can also be addressed to the European Commission, prompting it to open an inquiry and take legal action against the concerned EU member state.
Check out our new EU Law Handbook for more guidance!
ECNL, in partnership with EFC and DAFNE, just published a new Handbook on “How to use EU law to protect civic space”, intended to provide practical guidance for CSOs to advocate and litigate using EU law to protect their rights and civic space in the EU. Check out our user-friendly guide to know more on:
- What EU law is and how it affects individuals and organisations;
- When and how CSOs can challenge national provisions or measures that impact their mission, activities and operations on the basis of EU law, including the CFR;
- Which legal avenues and resources are available for CSOs to defend their civic space within the EU law framework.