The Council of Europe ("COE") has published a report that identifies a series of privacy issues with the measures adopted by governments worldwide to prevent the spread of COVID-19. The document is analytical and somewhat critical of the legal and technical measures that have been put in place. The report carries out an in-depth review of digital contact tracing applications and monitoring tools.
Some of the main issues the COE has spotted are as follows:
- Lack of transparency: The COE calls on governments to ensure transparency of digital solutions in order to ensure respect of the rights to privacy and data protection.
- Lack of coordination: It also regrets that in spite of numerous calls for coordination and interoperability of digital solutions to prevent the spread of the COVID-19 pandemic, countries have individually implemented widely diverging systems, thereby limiting the efficiency of the measures taken.
- Insufficient privacy compliance: The report assesses how the measures adopted comply with privacy requirements and gives recommendations on how to ensure the efficiency and resilience of the data protection framework.
- Concern about extensive government powers and misuse of "public interest": In most countries, governments adopted emergency measures that gave them extensive powers, usually only for a limited period of time. The report identifies shortcomings in a number of countries concerning the legal basis of the measures adopted, their proportionality and aspects such as their justification by public interest and the consent of the data subject for data processing. A particularly challenging aspect is the limitation of the purposes for data processing – the report points out that in some countries the boundaries between healthcare and police enforcement purposes have sometimes been blurred.
- Lack of adequate security: The report also points out some privacy risks related to the security, storage and sharing of data, which have led to the withdrawal of certain measures in some countries.
The message from the COE seems to be loud and clear: privacy comes first. No ifs, no buts.
Countries should pay particular attention to the following aspects when using technological tools which process personal data to combat the pandemic:
- the need for a time limit (applied to the retention period of all collected personal data) and legal sunset clauses;
- a legally guaranteed purpose limitation (the purpose of any processing must be precisely defined, and based on a specific legal basis, with the exclusion of further processing for any other purpose);
- proportionality of the measures taken and ongoing assessment of the proportionality considering the effective results of the measures (with the possibility to withdraw the measure where there is no concrete evidence of its benefits);
- cooperation with the national data protection authority, at early stages of the design of the processing, as well as at later stages (for example to process the feedback on a data protection impact assessment or an enforcement action);
- transparency and explainability of the data processing operations, especially for automated tracing tools (this notably includes the publication of the source code of the software, of impact assessments and security audits);
- accountability of data controllers, integration of privacy by design, realisation of data protection impact assessments of the processing and relevant security measures.