Council of Europe's Commissioner for Human Rights, Dunja Mijatovic, published an editorial on Wednesday carried by several European media outlets in which she warned all 47 Council of Europe governments about the importance of maintaining data privacy in light of apps which are increasingly used to monitor and track the Covid-19 pandemic.
What follows is Mijatovic’s editorial.
“The COVID-19 pandemic has already killed over 200,000 people in the world, more than half of whom died in the last two months in Europe. Looking at these numbers alone one can understand why governments had to take extraordinary measures such as lockdowns and quarantine orders. These efforts are now yielding encouraging results. As some governments are gradually easing restrictions, it is crucial that they ensure that the very restrictive measures adopted so far do not outlast the emergency.
Surveillance is a case in point. Many European countries are resorting to digital devices to help enforce quarantine orders, track the progression of infections or inform people about their possible exposure to infected individuals. The aim is to strengthen the ability to contain the spread of COVID-19, thereby reducing pressure on the healthcare system and enabling a resumption of clinical services and surgeries that have been put on hold because of the pandemic. The potential of digital tools is therefore worth exploring. However, the health imperative must not become a carte blanche to snoop on people’s lives. It is necessary that digital health technologies be counterbalanced by respect for privacy.
The design, development and use of digital technologies indeed carry ethical and legal implications that cannot be ignored. If it is true that they can improve the quality of our lives – notably by enabling a safer and faster exit from the current situation of confinement, improve the response to public health threats, strengthen accountability, and create new opportunities in many key sectors of life like health care, they can also turn against us when they intrude on our private lives and restrict our ability to participate in society.
This risk has already materialised in several European countries.
In Russia, the government resorted to facial recognition cameras to enforce quarantine orders without adequate guarantees that such intrusive technology will not be generalised for other purposes. In Azerbaijan citizens are required to report their movements by SMS to an electronic system, potentially enabling the police to monitor them. In Montenegro the government published on its website a list comprising the names and the addresses of the individuals who have been ordered to self-isolate for 14 days upon their return from abroad, in order to discourage them from breaching the order.
In Poland, a mandatory government-provided smartphone application requires quarantined people to take time-stamped selfies with GPS coordinates several times a day to prove they are respecting the quarantine order. Failure to comply with the task may result in police intervention and lead to a hefty fine. Turkey also announced a similar mandatory smartphone application to follow the whereabouts of persons who have been tested positive for SARS-CoV-2.
In Spain, personal data of people using a mobile application of the government of the Autonomous Community of Madrid were initially to be shared with the private companies which helped develop the app, such as Google, Telefónica and Ferrovial, before the app was rectified to better protect privacy. In the United Kingdom the Guardian uncovered that technology firms are processing the confidential personal data of patients without transparency or accountability.
These are the most worrying examples of a more general surveillance trend going on in Europe which raises concerns about its compatibility with human rights standards governing data protection, in particular the case-law of the European Court of Human Rights.
The Court acknowledged that restrictions to human rights can take place and that the use of personal data may be necessary in certain emergency situations. However, it also stressed that states can collect, use and store sensitive personal data only under exceptional and precise conditions, while offering adequate legal safeguards and independent supervision. They must also ensure that the measures adopted be based on the law, remain necessary to the aim pursued, be the least intrusive possible and be lifted once the reason for introducing them no longer exists.
Retention of telecommunication data is also strictly regulated by the Council of Europe Convention for the protection of individuals with regard to the processing of personal data and by EU law, with the clear limits that the Court of Justice set to the operations of EU member states that interfere with respect for private life.
While digital technologies can assist in the response to the pandemic, we should not fall for the narrative that they can solve it all. Their help should be enlisted only if they are used while respecting democratic rules.
If the governments do not respect these legal boundaries, they risk endangering our system of human rights protection, without necessarily improving the protection of our health. They will also risk losing public trust and support, which is an indispensable feature in state efforts to protect people’s lives and health.
It is therefore encouraging to see that the Committee of Ministers of the Council of Europe, in which all of its 47 member States are represented, adopted a declaration on 22 April in which they recall that “measures to combat the disease and its wider consequences must be taken in accordance with the Organisation’s principles and the commitments entered into by member States”. This is an important commitment to which member states must give concrete implementation.
Indeed, a democracy does not need to sacrifice our privacy to protect our health. On the contrary, health and data protection are part and parcel of a life lived in dignity and security. Governments can and must find the right balance between these two pressing imperatives and ensure that technology works for and not against human rights, democracy and the rule of law.
To make this happen, they have a series of steps to undertake.
First of all, governments must ensure that digital devices are designed and used in compliance with privacy and non-discrimination norms. Such devices must be anonymous, encrypted, decentralised, function on open source and be available to the largest number of people possible, thus bridging the digital divide that still exists in Europe. Their use must be voluntary, based on informed consent, restricted to the purposes of health protection, contain a clear time-limit and be fully transparent. Users should be able to opt-out at any moment, deleting all their data, and be able to challenge intrusions into their private sphere through independent and effective remedies.
Secondly, laws enabling states to gather, use and store personal data must comply strictly with the right to privacy as protected by the case-laws of national constitutions and the case-law of the European Court of Human Rights and the European Court of Justice.
Thirdly, government operations must be subject to independent scrutiny. In times when fears for our health may understandably increase people’s acceptance of intrusive measures, strong oversight by competent and independent bodies which can operate outside an emergency mode becomes even more crucial. This requires judicial review and accountability as well as monitoring by parliament and national human rights institutions. As a minimum, independent Data Protection Authorities must test and approve technological devices before they are used by state authorities and their partners.
Public health crises are real threats that require an effective response. But surveillance measures that bypass human rights and the rule of law are not a democratic solution.”