We don’t have to choose between health and privacy!
Technology companies are racing to produce applications for mobile telephones that can be used to trace us and to see if we’ve been in contact with someone carrying the COVID-19 virus. Alessandra Pierucci, Chair of the Council of Europe’s data protection “Convention 108” committee says that there should not have to be a choice made between saving lives and protecting our privacy - the issue is one of reconciling fundamental rights.
Alessandra Pierucci – Data Protection interview
Chair of the Council of Europe’s data protection “Convention 108” committee
Charles Amponsah: As states and governments across Europe consider easing or lifting people-movement restrictions, following the worst effects of the coronavirus, technology companies are racing to produce phone applications to trace us to discover if we’ve been in contact with someone suspected of carrying or of actually having COVID-19. Which do we value more – our health or our privacy? I’m joined from Italy by Alessandra Pierucci, Chair of the Council of Europe’s data protection “Convention 108” committee.
A survey by a polling group found that two-thirds of people in a Council of Europe member state are in favour of government phone tracking to help tackle the COVID-19 pandemic. Does that mean that we should all be willing to allow privacy breaches if they might save lives?
Alessandra Pierucci: I think it very much depends on the way the questions in surveys are submitted. Because, of course, if we ask people, whether they would prefer to save their life or their privacy, I would assume that the answer would be quite obvious and not in favour of saving privacy. The point here is that we should not believe that we are obliged to choose, either health or privacy. We should put ourselves into a different mental attitude, which is not based on the idea of a conflict of fundamental rights, but on the contrary, based on the reconciliation of fundamental rights. In that case, our answer to this kind of question could be that we want and we can have both health and privacy – not to mention the fact that there are certain rights such as health whose sacrifice is more self-evident for people. Other rights, such as the right to privacy, whose erosion, at least in its immediacy, could be less perceivable but still very serious in terms of consequences for individuals’ liberties.
CA: If these so-called coronavirus mobile phone contact-tracing apps are to be deployed, what limitations from a Council of Europe Convention 108 (or 108+) point of view should be in place in order to prevent state or government overreach?
AP: One of the most important elements needed to prevent overuse of personal data is a clear definition of the specific purpose, processing and use of the tool. In this case, the purpose is to prevent the spread of the virus. Any other use, for example commercial or law enforcement should not be allowed. What is also crucial, is that if special measures are taken in an emergency situation, like the one we are facing now, it is always important to ensure that these special measures last as long as the emergency lasts. To prevent further and unexpected use of data, data should also be deleted once the purpose is pursued and once the emergency is over. Trust and voluntary use of apps is also very important. Introduction of these tools constitutes an interference under the right to privacy and it is really very important to ensure that individuals who decide not to or cannot use those apps – because we also have the problem of the digital divide – do not suffer any disadvantage. The effectiveness of these measures, which must be evaluated first, is very much based on the social acceptability and transparency of these tools, and on trust rather than on repression. Minimization of data must also be ensured. It means avoiding the processing of any unnecessary data and therefore opting for the processing of proximity data rather than location data, which has a more sensitive connotation, and preferably opting for solutions which provide for the storing of data in the individuals’ devices. Finally, I would add that data quality is an important issue and should be ensured, considering the consequences that can derive from the processing of possibly inaccurate data. Individuals should be empowered with tools to react to distorted use of personal data. It is important to recall that data subjects, individuals retain the right not to be subject to automated decisions, without having their view taken into account. This also means the possibility to contest the decision, which may have been based on inaccurate factors, as I mentioned before. These are more or less the safeguards which were highlighted by the Council of Europe as a strategy to avoid misuse of this kind of tool and to ensure fundamental rights.
CA: Is there a danger, and you’ve partly touched on this in what you’ve said, that contact-tracing apps could evolve, if some governments or states want them to, into passport-style documents that we would need to have in order to access public places, for example?
AP: Immunity passports, which have entered into the debate but not in very clear terms with respect to their concrete aims, concrete functioning, really deserve to be treated with the highest caution. I think that, in this case too, a first assessment of the effectiveness of the introduction of these new tools should be carried out, as well as an evaluation of their impact on fundamental rights. The specific function and aims, as I mentioned before, should be assessed - taking into account the warning already raised by those who highlight the fact that if the advantage one obtains from using these passports is also linked to the use of apps, then the voluntary nature of the apps may be questioned. Once again, I think that effectiveness, necessity, and proportionality of the recourse to such tools should be primarily assessed, and, I would add, with the proper intervention of legislators – without improvising or delegating such complex activities exclusively to technology.
CA: What about after restrictions are eased or lifted following the worst of the COVID-19 pandemic. How will we know that these potentially unprecedented levels of surveillance will be lifted? Indeed, do we run the risk that some states might want to continue with high levels of surveillance indefinitely?
AP: This is one of the most serious concerns to consider in extraordinary situations like the one we are facing now. There are two elements that must be recalled. First of all, that even if we are in an emergency situation, human rights should not be suspended. Human rights can be derogated by law, and only as long as it is strictly necessary to face the emergency situation, and only ensuring the essence of fundamental rights. Then, there is a second aspect. We have to be sure that, once the emergency situation is over, the exceptional measures which were taken are abandoned and that we go back to the ‘normal’ data protection regime. It is extremely important, therefore, that from the very beginning we contemplate the procedures and mechanisms to be sure that the ordinary data protection regime again assured once the emergency is over. There is always the risk that, once adopted, the extraordinary measures get into the system and are, somehow normalised or absorbed by the system, because new emergencies can always arise, in the name of which the restrictions on freedoms could be invoked. That is why the law itself, and I underline the role again of the legislature, should already foresee its limits and the means and procedures to go back to the full expression of fundamental rights.