CEPS © 2020

The European Green Deal after Corona Implications for EU climate policy
CEPS In Brief

Will privacy be one of the victims of COVID-19?

Published on: 23 March 2020

Will privacy be one of the victims of COVID-19?

As the COVID-19 outbreak rages across the world, governments have started observing the effectiveness of different approaches to ‘flatten the curve’ or contain the spread of the virus. So far, the most effective governments seem to be those that have invested in solid and even redundant healthcare infrastructure, engaged in mass testing, and identified and isolated infected people (and quarantined their contacts) to reduce the spread to healthy individuals. European countries appear to suffer from a lack of medical and testing equipment, and to be reluctant to impose restrictions on individual rights, such as privacy and the free movement of people. Against this background, a dangerous debate has emerged on whether key tenets of European democracies, including the protection of the fundamental right to privacy, should be set aside during the pandemic to enable a more effective response.

This is not a new debate. Already in 52 BC, Cicero observed in his De Legibus that “salus publica suprema lex esto” (people’s well-being shall be the supreme law). When Louis Pasteur (1822–1895) and Robert Koch (1843–1910) started the bacteriological revolution in public healthcare, providing scientific backing for already-existing practices such as quarantine, sharp resistance emerged in many countries, based on the fear that the imposition of such measures would limit the freedom of movement of people and goods. The fights against tuberculosis and smallpox, and later HIV and Ebola, created tensions between the protection of public health and other fundamental rights, including personal privacy, over the course of more than a century. A similar compression of civil liberties is also seen in other fields, such as in the fight against terrorism.

In 1966, the International Covenant on Civil and Political Rights provided that, in times of a public emergency threatening the life of a nation, the need to protect public health is a permissible ground for limiting certain rights, including the liberty of movement, freedom of expression and the right to freedom of association. In Europe, this possibility must be gauged against extremely high standards when it comes to privacy and data protection, with far-reaching provisions in EU Treaties, the European Convention on Human Rights, and the General Data Protection Regulation, which firmly established privacy as a fundamental right, and data ownership as belonging to individuals, not States. The EU Charter of Fundamental Rights specifically mentions both the need to ensure protection of personal data (Articles 7-8) and “a high level of human health protection” (Article 35) in the definition and implementation of all Union policies and activities. Article 15 of the European Convention on Human Rights allows for derogations, provided that they are temporary, proportionate and strictly required by the exigencies of the situation. And the European Data Protection Supervisor has already clarified that measures that weaken the protection of the right to privacy should comply with both a necessity and a proportionality test.

But what is necessary, and what is proportionate in the face of such crisis? Governments are likely to struggle to answer these questions. Restrictions of privacy that do not prove essential to save lives, or allow the continuation of essential economic activity, are unlikely to be found necessary. And the availability of feasible privacy-preserving alternatives should rule out the possibility of implementing intrusive policies, even if temporarily, as these would fall short of meeting the proportionality test. The European Data Protection Supervisor has issued dedicated guidance on the two tests, but the need to act quickly in a pandemic may lead governments to rush the tests in their attempt to try all possible measures.

The COVID-19 crisis is already creating trade-offs between the need to safeguard public health and the limitation of certain civil liberties. Estonia, Latvia, and Romania have already notified the application of Article 15 ECHR; and a recent collection of guidance documents shows that countries like Ireland and Poland are implementing a rather permissive approach to data processing activities. Recently, Austria, Germany, Italy and the UK have started to follow in the footsteps of China, South Korea and Israel, where mobile phone data tracking, public mapping of infected individuals and mass surveillance techniques were implemented to monitor and enforce lockdown, quarantine and social distancing policies. The list of national measures, ranging from cooperation between governments and mobile operators to developing tracking and alert applications, gets longer every day.

Will this emergency period lead some countries, even in Europe, to establish a regime of mass citizen surveillance? The risk is real, notwithstanding all the constitutional safeguards that exist in Europe, which stand in defence of our democratic societies. The temptation should however be firmly resisted, for many reasons.

First, the successful experience of countries like Hong Kong, South Korea and Singapore can be traced back to a mix of measures, including enhanced levels of preparedness (also due to the legacy of SARS in those countries), a well-developed health infrastructure, massive use of testing and very rigid enforcement practices. There is no evidence that deployment of technology, alone, can contain the virus, unless European countries manage to invest in more generalised testing. As a matter of fact, Taiwan appears to have achieved similar results through widespread testing, enhanced preparedness, and a less intrusive use of technology: still, all quarantined patients are being monitored through their mobile phones.

Second, technology has limits. Geolocational data are relatively inaccurate, especially outside densely populated areas, and can only be used to monitor the effectiveness of social distancing measures, rather than to sanction citizens.

Third, the use of apps for self-diagnosis and reporting, similar to the “colour code” app deployed in China, would be easily gamed or boycotted by citizens outside countries that rely on surgical enforcement practices such as China or Singapore. The social acceptance of these measures, especially if applied to a population already in lockdown, would be much lower in European countries compared to where they have been successfully applied.

That said, there is no doubt that digital technology can, and will be a useful aid once patients have been diagnosed with COVID-19. In this case, restrictive measures such as isolation and quarantine can be usefully implemented with the help of tracking systems, without necessarily affecting the individual right to privacy. A promising example is the new TraceTogether app developed in Singapore, which uses Bluetooth connectivity and embeds a number of (potentially) privacy-preserving features, such as data anonymisation, explicit user content to data sharing and no use of geolocation.

In the coming weeks, policy trade-offs between the protection of privacy and the need to safeguard healthcare will likely become inevitable. When the peak of contagion is passed and lockdown policies released to help the economy recover, will governments start implementing new systems, which warn citizens whenever they are interacting with infected individuals? Will these measures be rejected as too intrusive of privacy, or defended as protecting the equally important fundamental right to free movement (of the healthy)?

This is neither the first, nor the last time governments face the temptation of technology-enabled mass surveillance to secure society. In the future, especially with the rise of the Internet of Things and advances in Artificial Intelligence techniques such as body and facial recognition, the temptation to engage in surgical technological monitoring will become even stronger, and the potential benefits will skyrocket along with the associated risks. This is why establishing clear boundaries, such as those outlined by the work of the EU High Level Expert Group on AI (full disclosure:  I am a member of the group), is essential to guide governments both in times of emergency, and when, hopefully soon, a less constrained course of life will again become possible.

About the Author


Author
Andrea Renda Andrea Renda
Andrea Renda