Data Protection in Health Crises in the EU: Apps in the Battle against COVID-19

Mobile technology is increasingly being used to manage crisis situations, such as the corona pandemic. Apps process large quantities of personal data, which has consequences for the right to data protection. In the battle against COVID-19, millions of European citizens entrust Covid-apps with their sensitive personal data. To what extent may the right to data protection be limited in the light of a health crisis and which role does the EU play in this matter? In her article, van Kolfschooten focuses on the role of data protection in crisis management in the EU and discusses to what extent the right to data protection can be limited in the light of a health crisis. She argues that the right to data protection is not protected in the same way and to the same extent by all European Member States during health crises. A high and equal level of data protection for every EU citizen is therefore on edge.

[Paper published in Dutch]

In crisissituaties – waaronder de coronacrisis – wordt steeds meer gebruik gemaakt van mobiele technologie. Apps verwerken grote hoeveelheden persoonsgegevens van individuen, met gevolgen voor het grondrecht op gegevensbescherming. Deze bijdrage gaat in op de rol van gegevensbescherming in crisisbeheersing en -bestrijding in de EU en bespreekt in hoeverre het recht op gegevensbescherming kan worden ingeperkt in het kader van een gezondheidscrisis.

H.B. van Kolfschooten, ‘Gegevensbescherming in gezondheidscrises in de EU: apps in de strijd tegen COVID-19’, Ars Aequi 2021(70).

Privacy Harmonisation in Times of Crisis

Hannah van Kolfschooten & Bastiaan Wallage

On 25 May 2018, the General Data Protection Regulation (GDPR) entered into force. From then on, the lawfulness of processing personal data within the European Union has been harmonised. The right to personal data protection, an important part of the human right to privacy, is thus one of the few human rights that has also been elaborated in European law. The aim of the GDPR is to provide every Union citizen with a high and equivalent level of data protection. However, the plethora of mobile corona apps that have sprung up like mushrooms since March 2020 shows that European Member States do not always apply the same meaning to the term ‘privacy’. The question is therefore whether the GDPR – even in times of corona crisis – can guarantee a consistent level of protection across Europe. We will answer this question below.

The right to privacy and data protection is very topical. For example, the District Court of The Hague recently ruled that the ‘fraud detection system’ known as SyRI violates the European Convention on Human Rights (ECHR), in which the right to privacy is laid down, among other things. First of all, it is relevant that it follows from case law that the GDPR must be interpreted in accordance with Article 8 ECHR. In line with the aforementioned judgment about SyRI, Member States would in that case be expected to exercise restraint when relying on a justification or exception, also under the GDPR. In Covid-19 times, this does not seem to be the case so far and the provisions of the GDPR are quickly brushed aside by Member States. Some Member States are even developing mobile applications that seriously infringe the privacy rights of their residents. These apps differ greatly from one Member State to another, and there is as yet no harmonised approach at the European level.

An example of a European corona app is the Polish home quarantine app ‘Kwarantanna domowa’. Polish citizens in compulsory home quarantine (14 days, after returning home from abroad or after contact with a corona patient) could choose between downloading this app and an unexpected police visit to check whether they were indeed staying at home. The app asks for a selfie at random moments. This selfie is shared with the authorities and then, by means of facial recognition and location data, it is checked whether the user is indeed at home. If this is not the case, or if the user does not respond within twenty minutes, the police are alerted. It should be clear that this app has a major impact on the privacy of users.

It is doubtful whether the Polish app would stand the test of the GDPR. Although the GDPR provides an exception clause for situations such as the corona crisis, the data protection principles of the GDPR apply in full. Also in times of crisis, the requirements of proportionality and subsidiarity must be met. This means, among other things, that only those personal data may be processed that are necessary to achieve the objective, that the data may not be kept unnecessarily long, and that the security must be in order. Although the Polish app collects information for the purpose of quarantine, the personal data it requests for this purpose (such as selfies) are probably a step too far. In short, the app does not seem to meet the requirements of proportionality and subsidiarity.

Although in the heat of the coronas battle in the Netherlands there was talk of using telecom data and an ‘appathon’ was urgently organised, we have not yet got that far in the Netherlands. After much criticism of the security and importance of privacy, the Dutch government is currently developing its own corona app, with the close involvement of the Dutch Data Protection Authority and the Human Rights Board. This app is expected to be launched – on a voluntary basis – in the summer. Such a practice has been meticulously avoided for the time being.

Now that the worst of the crisis has been averted, there also seems to be more interest in European cooperation. Where apps were mainly used to enforce restrictive measures at the beginning of the lockdown, the emphasis is now on ‘tracking apps’. These apps map out the contacts of infected patients using Bluetooth, GPS or smartphone tracking. Several Member States have now released their own tracking apps. The European Data Protection Supervisor, however, pleads for one European Corona tracking app. The supervisor points out the risks that the large differences between apps pose to privacy rights. Coordination from the EU, with due regard for the rights from the GDPR and the ECHR, would lead to better privacy protection in Europe.

The corona crisis therefore leads to different approaches to the right to privacy and data protection. The difference between national corona apps shows that some Member States impose far-reaching restrictions on privacy. The question is whether this is proportionate and subsidiary in all cases. That was precisely not the intention of the GDPR: it should have equalised this right in all Member States. A European approach to the development of coronatracking apps is therefore necessary. A crisis should not be a licence to ignore European human rights.

A Legal Perspective on Contact Tracing

Information for early detection of health emergencies can save lives. In the COVID-19 crisis, we see that national governments in the European Union (EU) turn to widespread surveillance and contact tracing in order to gather information on the spreading and risks of the virus. Contact tracing is the tracing of individuals and their contacts, who have been exposed to a pathogen that can cause a serious (cross-border) threat to health, and who are in danger of developing or have developed a disease. While these surveillance measures can focus on groups of people, contact tracing often directly affects individuals. In light of this difficult conundrum, the European Commission has published a toolbox for contact tracing and the interoperability between member states. In this guidance privacy is a key concern, including the use of contract tracing in a proportionate manner. Yet there is no guidance as to what proportionality might mean and how we should go about assessing this.

Contact tracing of individuals across the EU in the context of COVID-19 therefore raises the question how privacy can be protected when a disease rises to the level of a threat to security? In 2013, the EU has been given a larger role in pandemic responses, as formalized in the Health Threats Decision. As a consequence, contact tracing is now no longer a primarily national issue responsibility as information is exchanged at EU level. In the COVID-19 crisis, the practice of exchanging personal (health) data between the member states for the purpose of contact tracing gains importance. However, in the field of EU health law there is only limited guidance as to how public health can be safeguarded in a proportional manner.

In this article, we analyze EU case law in the field of security to give us guidance as to determine proportionality of limitations on privacy in light of a public health threat. Proportionality in this regard implies that the measures–in this case contact tracing–do not go further than what is needed in light of the public policy aims. In the case of COVID-19 the aim of protecting public health has risen to a level of threat that it can also be seen as a risk to security. However, important differences are also noteworthy and caution against a simple one to one comparison with security and public health. In the field of security policy makers are working often within a friend-enemy dichotomy, whereas in the field of public health the patient is seen as vulnerable and in need of assistance rather than as the enemy.

From Saramago’s Blindness Epidemic to EU Health Law

My interest in health emergencies was sparked when reading Saramago’s novel Blindness at age 16. It tells the story of a sudden blindness pandemic afflicting nearly everyone and I loved every word. Since then, I’ve seen countless post-apocalyptic movies on pandemics, ranging from classic contagion to zombies. I’ve played the video game Plague Inc. so many times that I unlocked all pathogens needed to design the perfect plague to wipe out mankind. With great astonishment I watched the increasing number of tourists roaming Amsterdam wearing face masks. It all seemed so far away. So unrealistic and a bit exaggerated. Only while doing a master’s in Health Law years later, I realised that pandemic preparedness and control is actually a big thing in the EU. I started writing a master’s thesis about what the EU could have done if Ebola had spread to Europe and the possible consequences of this hypothetical action for fundamental rights protection (later published here). It always felt a bit like a science fiction project. Because pandemics in the 21st century belong in literature and films – right?

And here I am, starting a health law blog in 2020 in the Netherlands. While working from home because the national government advised me to do so. To prevent COVID-19 from spreading any further.