COVID-19 and new IT solutions: Privacy in quarantine?

The corona virus is putting the health and social contemporary world in crisis. The spreading of the virus is very fast and the implementation of new IT solutions to manage both ascertained and potential corona contagions is under evaluation worldwide. The question is - how will the new technologies handle privacy of individuals?

Several countries, including Norway and Italy, have already adopted solutions to analyse data from mobile network cells in order to trace citizens' movements. The mobile carriers who provide these solutions have ensured that the data are completely anonymous. However, it appears that the competent data protection authorities have not always been appropriately involved in this regard. The Italian Data Protection Authority states to not have been informed of such initiative and therefore they are not in the position to make any further assessment on the matter at hand.

In any case, tracing of citizens' movements by means of mobile network cells has proved to be an insufficient measure to contain the virus. Italy is therefore evaluating the implementation of "digital contact-tracing" in order to map and trace individuals who have been in physical contact with persons infected by the virus. It has also been proposed to involve big data companies such as Google and Facebook to collect relevant information on the spreading of the virus. Germany and Poland are considering to implement similar solutions. In Norway, the Norwegian Institute of Public Health is currently evaluating the implementation of an app able to trace citizens' movements. The general goal is to automate and speed-up the control over infected cases.

The abovementioned IT solutions raises several privacy concerns. Who is the data controller for the personal data processed? What personal data can be processed and for how long? How will protection of personal data be ensured? How will governments enforce the use of the IT solutions by individuals? The answers to these questions will obviously depend on the solutions adopted and the time constraints. Provided that it is challenging for democratic countries to copy the Chinese model, where intrusive solutions have considerably reduced the privacy rights, what operating margins do the European countries have with respect to privacy legislation?

Privacy is considered as a fundamental right under the European Convention of Human Rights (see Article 8) and the Charter of Fundamental Rights of the European Union (see Article 7), and it can be compressed where certain requirements such as proportionality are satisfied (see Article 52 of the Charter).

The elasticity of privacy rights also emerges from the General Data Protection Regulation (GDPR). Article 6 specifies that processing of personal data is lawful when processing is required for reasons of public interest, while Article 9 permits the processing of special categories of data (i.e. data concerning health) when processing is necessary for reasons of public interest, provided that the processing is based on Union or Member State law. This is also confirmed by the European Data Protection Board (EDPB) which issued a statement on 16 March 2020 stating that "data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic".

With reference to tracing of mobile network cells and digital contact tracing, Article 15 of the Directive 2002/58 on Privacy and Electronic Communication allows Member States to introduce legislative measures to process location data without the consent of individuals and in a non-anonymised form, when pursuing national and public security.

In light of the above, privacy rights may be compressed only by means of legislative measures. In Italy, for instance, the Law Decree of 9 March 2020, no. 9 allows those providing national health and care services and those guaranteeing the enforcement of containment measures to process personal data, including special categories of data, for the purposes of national security and public health. The measure is limited to the current emergency period and operates as a legal basis for the processing of personal data. However, it is currently disputed whether the decree also applies to private companies and new law decrees will probably be adopted to regulate the possible implementation of the digital contact tracing. The Italian Data Protection Authority has encouraged the further use of law decrees, intended as instruments of emergency legislation that combine timeliness and democratic participation. The Authority has also recommended, with reference to digital contact tracing, that the collection of data must be as little invasive as possible. For instance, anonymised or pseudonymised data processing by the mobile carrier has to be preferred, thus leaving the public authorities the power to analyse personal data on individuals where needed.

The Italian model testifies how privacy rights can be disregarded in favour of other collective interests. Compressions of privacy rights should take place on legislative measures adopted by central and qualified authorities, thus ensuring uniformity in application of the measures implemented. Limitations to privacy rights should be proportionate to the effective needs.

The method of implementation of new IT solutions against the virus must therefore be carefully considered. For example, the regulation on possible involvement of big data companies such as Google and Facebook should prevent these actors from massive collection of personal data. It is crucial to find the right balance between the safeguard of public interests and compression of privacy rights. If countries succeed in this, technology can be a decisive factor in the fight against the virus. IT solutions that are already available in the market have demonstrated their importance in this regard. Solutions such as smart working or electronic health consultations prevent contagion and ensure business continuity. There are also solutions that can help monitor the spreading of the virus. In Norway, the Norwegian Institute of Public Health has been provided with a self-report solution for respiratory symptoms by a private IT company. Moreover, Norwegian citizens have been enabled and encouraged to register their suspect symptoms of coronavirus in online public health portals.

The implementation of new IT solutions requires also that IT contractual and regulatory matters will be addressed. Issues such as to proprietary rights, licenses, intellectual property, systems requirements and liabilities of the parties must be regulated.

Our team of experts assists both private and public undertakings on privacy and IT related issues and follows closely the development of new technology which should contribute to the suppression of the virus.