COVID-19 and new IT solutions: Privacy in quarantine?

The corona virus is putting the health and social contemporary world in crisis. The spreading of the virus is very fast and the implementation of new IT solutions to manage both ascertained and potential corona contagions is under evaluation worldwide. The question is - how will the new technologies handle privacy of individuals?

Several countries, including Norway and Italy, have already adopted solutions to analyse data from mobile network cells in order to trace citizens' movements. The mobile carriers who provide these solutions have ensured that the data are completely anonymous. However, it appears that the competent data protection authorities have not always been appropriately involved in this regard. The Italian Data Protection Authority states to not have been informed of such initiative and therefore they are not in the position to make any further assessment on the matter at hand.

In any case, tracing of citizens' movements by means of mobile network cells has proved to be an insufficient measure to contain the virus. Italy is therefore evaluating the implementation of "digital contact-tracing" in order to map and trace individuals who have been in physical contact with persons infected by the virus. It has also been proposed to involve big data companies such as Google and Facebook to collect relevant information on the spreading of the virus. Germany and Poland are considering to implement similar solutions. In Norway, the Norwegian Institute of Public Health is currently evaluating the implementation of an app able to trace citizens' movements. The general goal is to automate and speed-up the control over infected cases.

The abovementioned IT solutions raises several privacy concerns. Who is the data controller for the personal data processed? What personal data can be processed and for how long? How will protection of personal data be ensured? How will governments enforce the use of the IT solutions by individuals? The answers to these questions will obviously depend on the solutions adopted and the time constraints. Provided that it is challenging for democratic countries to copy the Chinese model, where intrusive solutions have considerably reduced the privacy rights, what operating margins do the European countries have with respect to privacy legislation?

Privacy is considered as a fundamental right under the European Convention of Human Rights (see Article 8) and the Charter of Fundamental Rights of the European Union (see Article 7), and it can be compressed where certain requirements such as proportionality are satisfied (see Article 52 of the Charter).

The elasticity of privacy rights also emerges from the General Data Protection Regulation (GDPR). Article 6 specifies that processing of personal data is lawful when processing is required for reasons of public interest, while Article 9 permits the processing of special categories of data (i.e. data concerning health) when processing is necessary for reasons of public interest, provided that the processing is based on Union or Member State law. This is also confirmed by the European Data Protection Board (EDPB) which issued a statement on 16 March 2020 stating that "data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic".

With reference to tracing of mobile network cells and digital contact tracing, Article 15 of the Directive 2002/58 on Privacy and Electronic Communication allows Member States to introduce legislative measures to process location data without the consent of individuals and in a non-anonymised form, when pursuing national and public security.

In light of the above, privacy rights may be compressed only by means of legislative measures. In Italy, for instance, the Law Decree of 9 March 2020, no. 9 allows those providing national health and care services and those guaranteeing the enforcement of containment measures to process personal data, including special categories of data, for the purposes of national security and public health. The measure is limited to the current emergency period and operates as a legal basis for the processing of personal data. However, it is currently disputed whether the decree also applies to private companies and new law decrees will probably be adopted to regulate the possible implementation of the digital contact tracing. The Italian Data Protection Authority has encouraged the further use of law decrees, intended as instruments of emergency legislation that combine timeliness and democratic participation. The Authority has also recommended, with reference to digital contact tracing, that the collection of data must be as little invasive as possible. For instance, anonymised or pseudonymised data processing by the mobile carrier has to be preferred, thus leaving the public authorities the power to analyse personal data on individuals where needed.

The Italian model testifies how privacy rights can be disregarded in favour of other collective interests. Compressions of privacy rights should take place on legislative measures adopted by central and qualified authorities, thus ensuring uniformity in application of the measures implemented. Limitations to privacy rights should be proportionate to the effective needs.

The method of implementation of new IT solutions against the virus must therefore be carefully considered. For example, the regulation on possible involvement of big data companies such as Google and Facebook should prevent these actors from massive collection of personal data. It is crucial to find the right balance between the safeguard of public interests and compression of privacy rights. If countries succeed in this, technology can be a decisive factor in the fight against the virus. IT solutions that are already available in the market have demonstrated their importance in this regard. Solutions such as smart working or electronic health consultations prevent contagion and ensure business continuity. There are also solutions that can help monitor the spreading of the virus. In Norway, the Norwegian Institute of Public Health has been provided with a self-report solution for respiratory symptoms by a private IT company. Moreover, Norwegian citizens have been enabled and encouraged to register their suspect symptoms of coronavirus in online public health portals.

The implementation of new IT solutions requires also that IT contractual and regulatory matters will be addressed. Issues such as to proprietary rights, licenses, intellectual property, systems requirements and liabilities of the parties must be regulated.

Our team of experts assists both private and public undertakings on privacy and IT related issues and follows closely the development of new technology which should contribute to the suppression of the virus.

  • Technology and IT Law

    2020

    COVID-19, unfair commercial practices and online platform liability

    An unfortunate result of the coronavirus pandemic has been the increase of deceptive commercial practices that feed off the fear, worry and anxiety in the general public. Since March, the Norwegian Consumer Authority has prioritised the investigation of cases involving misleading advertising and the use of aggressive commercial practices to promote products that claim to cure, prevent or otherwise safeguard consumers from the coronavirus.

  • Technology and IT Law, COVID-19

    2020

    Do you want to share your technology for free in the fight against COVID-19?

    Our days are characterized by a national and global effort to fight the COVID-19 virus. As long as we do not have vaccines, medicines or other solutions that can defeat the pandemic, countries around the world resort to curfew restrictions, guidelines for hand washing and social distancing to keep the virus from spreading. There is however no doubt that the race to fight the pandemic is on, and now "Open COVID Pledge" encourages organizations around the world to contribute to research and development by sharing their intellectual property rights for free. Recently, giants such as Facebook, Microsoft, Amazon and IBM announced that they are joining the initiative.

  • Technology and IT Law, Data Protection, COVID-19

    2020

    COVID-19 and new IT solutions: Privacy in quarantine?

    The corona virus is putting the health and social contemporary world in crisis. The spreading of the virus is very fast and the implementation of new IT solutions to manage both ascertained and potential corona contagions is under evaluation worldwide. The question is - how will the new technologies handle privacy of individuals?

  • Technology and IT Law, Intellectual Property

    2020

    Uncertainties for the realisation of Unified Patent Court

    In a decision published 20 March, the German Constitutional Court declared the vote on the ratification act of the Unified Patent Court (UPC) Agreement void because the German Parliament did not pass the act with the required majority.

  • Technology and IT Law, Protection of privacy, COVID-19

    2020

    COVID-19 and Data Protection

    The Norwegian and three other European data protection supervisory authorities on employers' collection and disclosure of employee data.

  • Technology and IT Law

    2020

    Shaping Europe’s Digital Future: The European Commission’s Digital Package

    The European Commission has just published three important policy documents that outline its ideas and vision for Europe's digital future. A key aim is to create a single European data space, “a genuine single market for data, open to data from across the world where personal as well as non-personal data, including sensitive business data,” are secure and accessible to businesses. Our IT and Digitalisation team give an overview of the highlights from this digital package.

  • Technology and IT Law

    2019

    Copyright protection of algorithms – impossible or just a question of definition?

    Legal protection of algorithms has been subject of much debate over the years, and with the huge technological development, the topic is constantly gaining new relevance. Access to good and effective algorithms has become vital for companies that want to gain strong market positions, as giants like Google and Facebook use algorithms to generate customized content. The prevailing view among copyright lawyers has long been that algorithms are not protected by copyright because they are unprotected ideas behind computer programs. However, I think this is misleading and oversimplified.

  • Protection of privacy, Technology and IT Law

    2019

    GDPR, information security and the importance of carrying out "proper due diligence"

    ICO issues statements of intention to fine British Airways and Marriott.

  • Protection of privacy, Technology and IT Law

    2019

    Administrative fines for breach of the privacy by design principle and of the duty to ensure information security in the GDPR

    Two of Norway’s largest municipalities were found to be in breach of the General Data Protection Regulation (GDPR) in two separate and unrelated cases each of which involved the use of technology in the municipalities’ schools.

  • Protection of privacy, Technology and IT Law

    2019

    Google and Apple asked to provide better information on the use of personal data

    A recent initiative co-ordinated by the Norwegian and Dutch consumer associations has asked Google and Apple to respectively provide better information to their users.

  • Protection of privacy, Technology and IT Law

    2019

    The UK prepares for Data Protection after Brexit: Two New Regulations

    When the UK leaves the EU, the General Data Protection Regulation (GDPR) will no longer be directly applicable in the UK. Two new sets of regulations have therefore been recently promulgated by the British Parliament to retain, as much as possible, the status quo and are meant to come into effect upon the UK's withdrawal from the EU. Both sets of regulations were issued pursuant to the UK's European Union (Withdrawal) Act 2018.

  • Protection of privacy, Technology and IT Law

    2019

    Two recent decisions of the Norwegian Privacy Appeals Board

    The Norwegian Data Protection Authority (NDPA) has a broad set of powers, including the power to deliver warnings, reprimands or impose fines on data controllers and processors for non-compliance with the new Personal Data Act and the GDPR. As the new Personal Data Act and the GDPR only recently came into force, there are not yet many decisions based on the new legal regime. However, some of the recent NDPA decisions were appealed to the Privacy Appeals Board (PAB) and the appeal decisions have referred to the new legislation. Two such recent decisions respectively concern the data subject's right to object to processing and the right to erasure.

  • Technology and IT Law

    2019

    CLSR European national news update: Norway

    The update on Norway by Wikborg Rein's Technology and Digitalisation Team in the latest issue of the Computer Law & Security Review highlights the complaints against Google for breach of the GDPR made respectively by the Norwegian Consumer Council and consumer organisations from six other European countries.

  • Technology and IT Law

    2019

    Controversial draft bill on the Norwegian Intelligence Service

  • Protection of privacy, Technology and IT Law

    2018

    Complaints against Google by consumer organisations for breach of GDPR

    On 27th November 2018, the Norwegian Consumer Council and consumer organizations from six other European countries – the Netherlands, Sweden, Greece, Poland, Slovenia and the Czech Republic – each filed a complaint against Google with their respective data protection authority.

  • Protection of privacy, Technology and IT Law

    2018

    Implementing the GDPR in Norway

    The General Data Protection Regulation (GDPR) starts to apply within the European Union (EU) from 25th May 2018. Since the GDPR is an EU regulation, it will have direct applicability and direct effect in all EU member states as from that date. Norway, however, is not an EU member state but a member of the European Economic Area (EEA) and a different procedure therefore applies before the GDPR can become part of Norwegian law.

  • Protection of privacy, Technology and IT Law

    2018

    The WP29 Opinion 2/2017 on data processing at work

    Article 29 Working Party (WP 29), consisting of data protection authorities from all EU and EEA states and the European DP Supervisor, has recently issued an Opinion 2/2017 on data processing at work ("the Opinion").

  • Protection of privacy, Technology and IT Law

    2018

    Fintech and Privacy

    On 7th February 2018, the Norwegian Data Protection Authority ("DPA") published a report which examines the challenges that the revised Payment Services Directive (PSD2) pose for privacy.