4. Solving Data Protection or Covid-19: not mutually exclusive

May 12th, 2020

The battle against COVID-19 is often described as a balancing act between public health and privacy. In other words, we are supposed to be prepared to sacrifice some of our privacy for the sake of saving lives, perhaps including our own. But far from positioning this as a binary zero-sum choice, around the world there are concerted efforts to ensure that privacy and cybersecurity are part of the solution. By building data protection practices into the very measures that may threaten our privacy, we can help ensure that those measures are truly effective. For this reason, many governments and organisations are adopting the most advanced data protection practices and making compliance efforts not seen since the preparations for the arrival of GDPR.

With compliance in mind and when considering measures such as temperature screening, COVID-19 testing, immunity passports, contact tracing apps, or anything along those lines, the right approach is to ensure that any roll-out addresses the following key requirements:

 

Transparency – No matter how advanced the mooted data processing, what this involves should be explained clearly and fully, at the outset, and it’s important that is done through the most appropriate interface.

 

Legal basis – Justifying the use of data, particularly when it involves health data, is an essential aspect of justifying the measure itself.

 

Purpose limitation – This is mainly about assertive governance aimed at identifying all possible uses of data and making sure they are legitimate and justifiable. While flexibility is needed, clarity of purposes is a must.

 

Data minimisation – Only the data that is truly relevant and limited to deliver what is necessary in relation to the purposes of the measure must be collected and used.

 

Accuracy – This is a critical requirement not only from a legal perspective, but to ensure the effectiveness of the measure and to generate trust among the population.

 

Storage limitation – In order to avoid function creep and excessive use or oversharing of data, data must not be kept for longer than is necessary for the purposes for which the processing is needed.

 

Data security – The integrity and confidentiality of the data must be maintained through appropriate security measures, which in many cases will rely on encryption and solid access controls. 

 

Rights of individuals – Given that individuals should ultimately be in control of their own data, there must be appropriate mechanisms and procedures for individuals to have access to their own data and exercise their rights of deletion, portability and opting-out of automated decisioning.

 

Protection against unjustified government access globally – The data must always be guarded against the risk of disproportionate and potentially indiscriminate access, particularly when it is stored globally and subject to the jurisdiction of different countries around the world.

 

Accountability – There must be a system of privacy and cybersecurity governance that supports a ‘Privacy by Design’ approach and relies on the involvement of data protection officers and the use of Data Protection Impact Assessments.

 

 

To underline the point that the present Covid-19 crisis does not make existing GDPR obligations go away, consider the following, from the last few days:

 

1)    The Personal Data Protection Authority of Turkey (the KVKK) has fined Amazon Turkey Retail Services Limited TRY 1,100,000 (approx. €143,000) for violations of consent requirements, among others. In particular, the Decision concerns Amazon’s failures to obtain explicit consent from users for the sending of commercial messages for advertising, campaigns, or promotional purposes.

 

2)    The Belgian Data Protection Authority has fined an organisation €50,000 under GDPR Article 38(6) for not appointing and mandating a data protection officer (‘DPO’) in a way such that the DPO could conduct the role in an independent manner without conflicts of interest.

 

Solving data protection issues in Europe will need at least 3 things: EU digital solidarity, a pan-European approach and a realisation from businesses that whatever operational difficulties are temporarily out there, the data privacy obligations are permanent.