COVID-19 & GDPR, a scientist’s opinion
We speak with Innocenzo Genna, independent public affairs consultant advising in telecoms and Internet European regulation. He is also known via his professional blog RadioBruxellesLibera.
How would you evaluate the current increased use of data (especially in non-EU countries) and its effectiveness in “stopping” the virus?
I have read various news and reports about South Korea, Israel, Singapore and China. There is a lot of attention on South Korea where the epidemic is slowing down. However, such reports are normally descriptive and do not scientifically analyse the circumstances. In other words, they show a correlation between the use of geolocation apps and the trend of epidemics, not the link of causality. An interesting counter-case could be Japan, where the epidemic has been well controlled without the use of geolocation apps. In Japan, some basic social habits preventing epidemics exists by default and are followed by population – irrespective from emergencies: social distance (few shaking or kisses), often washing hands privately and in public locations, not touching people or objects. It could be the same in South Korea. In other words, we are still far from clear evidence about how to better fight epidemics, and at this stage we must be cautious about the use of data, especially geolocation data. They might be useful but there is also the risk of over-evaluation. The effectiveness still needs to be proved.
Which tensions with the GDPR might arise (or are even likely to arise) when governments process citizens’ data on a large scale and possibly for longer?
The European framework already fits the emergency scenario: GDPR rules (art. 6 and 9) authorise the treatment of data without consent in case it is necessary to protect national security, including public health, while Art. 15 of the ePrivacy directive allows Member States to enact legislation to track persons under specific limitations, including necessity, proportionality and transitional time, – while collecting anonymous data and aggregating them is not an issue per se. So, theoretically, there should be no tension between GDPR and tracking technologies.
However, the debate is rising because the European citizens are not ready for the idea that the State can exert massive tracking – despite the fact that everybody is already tracked by mobile operators, vendors, online platforms and apps. A market of geolocation data already exists since a long time, because these data of people are normally sold. “Big Tech” obtained massive information about people thanks to the sole geolocation data they collect or buy: What and where they eat, whom they love and meet, which sport they do, eg. I think there is a problem of basic education: People must start understand that a) their location data are already tracked and collected, and b) that GDPR and ePrivacy are useful rules, because they protect citizens from both “Big Tech” and the State.
By contrast, in some Asian countries, such protection does not exist and the State can collect any data for public health reasons without providing guarantee as to the correct use, storage and protection of such data.
Would you say that monitoring citizens’ data is appropriate, regardless of GDPR? Or are we adapting ourselves already to the “surveillance-style” way of life, especially in contrast to how non-European countries deal with citizens’ data (see China, South Korea, Israel)?
As mentioned above, people are already used to be surveilled by “Big Tech”. Or at least they tolerate this form of surveillance, but not surveillance by the State. It is strange, but so it is. We must further implement education in this regard, because now, this adaptation to surveillance is due to ignorance rather than to consent.
Monitoring citizens could be appropriate when data are anonymised and aggregated. Individual tracking should be an exception and there should be a clear evidence that it is the only effective way to achieve a given objective.
GDPR and ePrivacy must remain robust and set rules for protecting citizens’ data by both “Big Tech” and the State. European democracies are weak in the short term, thus is why they need such robust privacy rules when elections accidentally bring illiberal forces to power.