Hannah van Kolfschooten & Bastiaan Wallage
On 25 May 2018, the General Data Protection Regulation (GDPR) entered into force. Since then, the lawfulness of processing personal data within the European Union has been harmonised. The right to personal data protection, an important part of the human right to privacy, is thus one of the few human rights that has also been elaborated in European law. The aim of the GDPR is to provide every Union citizen with a high and equivalent level of data protection. However, the plethora of mobile corona apps that have sprung up like mushrooms since March 2020 shows that European Member States do not always attach the same meaning to the term ‘privacy’. The question is therefore whether the GDPR – even in times of corona crisis – can guarantee a consistent level of protection across Europe. We will answer this question below.
The right to privacy and data protection is very topical. For example, the District Court of The Hague recently ruled that the ‘fraud detection system’ known as SyRI violates the European Convention on Human Rights (ECHR), in which the right to privacy is laid down, among other things. First of all, it is relevant that it follows from case law that the GDPR must be interpreted in accordance with Article 8 ECHR. In line with the aforementioned judgment about SyRI, Member States would in that case be expected to exercise restraint when relying on a justification or exception, also under the GDPR. In Covid-19 times, this does not seem to be the case so far and the provisions of the GDPR are quickly brushed aside by Member States. Some Member States are even developing mobile applications that seriously infringe the privacy rights of their residents. These apps differ greatly from one Member State to another, and there is as yet no harmonised approach at the European level.
An example of a European corona app is the Polish home quarantine app ‘Kwarantanna domowa’. Polish citizens in compulsory home quarantine (14 days, after returning home from abroad or after contact with a corona patient) could choose between downloading this app and an unexpected police visit to check whether they were indeed staying at home. The app asks for a selfie at random moments. This selfie is shared with the authorities and then, by means of facial recognition and location data, it is checked whether the user is indeed at home. If this is not the case, or if the user does not respond within twenty minutes, the police are alerted. It should be clear that this app has a major impact on the privacy of users.
It is doubtful whether the Polish app would stand the test of the GDPR. Although the GDPR provides an exception clause for situations such as the corona crisis, the data protection principles of the GDPR apply in full. Also in times of crisis, the requirements of proportionality and subsidiarity must be met. This means, among other things, that only those personal data may be processed that are necessary to achieve the objective, that the data may not be kept unnecessarily long, and that the security must be in order. Although the Polish app collects information for the purpose of quarantine, the personal data it requests for this purpose (such as selfies) are probably a step too far. In short, the app does not seem to meet the requirements of proportionality and subsidiarity.
Although in the heat of the corona battle in the Netherlands there was talk of using telecom data and an ‘appathon’ was urgently organised, we have not yet got that far in the Netherlands. After much criticism of the security and importance of privacy, the Dutch government is currently developing its own corona app, with the close involvement of the Dutch Data Protection Authority and the Human Rights Board. This app is expected to be launched – on a voluntary basis – in the summer. Such a practice has been meticulously avoided for the time being.
Now that the worst of the crisis has been averted, there also seems to be more interest in European cooperation. Where apps were mainly used to enforce restrictive measures at the beginning of the lockdown, the emphasis is now on ‘tracking apps’. These apps map out the contacts of infected patients using Bluetooth, GPS or smartphone tracking. Several Member States have now released their own tracking apps. The European Data Protection Supervisor, however, calls for a single European corona tracking app. The supervisor points out the risks that the large differences between apps pose to privacy rights. Coordination from the EU, with due regard for the rights from the GDPR and the ECHR, would lead to better privacy protection in Europe.
The corona crisis therefore leads to different approaches to the right to privacy and data protection. The difference between national corona apps shows that some Member States impose far-reaching restrictions on privacy. The question is whether this meets the requirements of proportionality and subsidiarity in all cases. That was precisely not the intention of the GDPR: it should have equalised this right in all Member States. A European approach to the development of corona tracking apps is therefore necessary. A crisis should not be a licence to ignore European human rights.