We speak with Innocenzo Genna, an independent public affairs consultant advising on European telecoms and Internet regulation. He is also known for his professional blog RadioBruxellesLibera.
How would you evaluate the current increased use of data (especially in non-EU countries) and its effectiveness in “stopping” the virus?
Which tensions with the GDPR might arise (or are even likely to arise) when governments process citizens’ data on a large scale and possibly for longer?
Innocenzo Genna: The European framework already fits the emergency scenario: GDPR rules (art. 6 and 9) authorise the treatment of data without consent in case it is necessary to protect national security, including public health, while Art. 15 of the ePrivacy directive allows Member States to enact legislation to track persons under specific limitations, including necessity, proportionality and transitional time, while collecting anonymous data and aggregating them is not an issue per se. So, theoretically, there should be no tension between GDPR and tracking technologies.
However, the debate is rising because the European citizens are not ready for the idea that the State can exert massive tracking, despite the fact that everybody is already tracked by mobile operators, vendors, online platforms and apps. A market of geolocation data has already existed for a long time, because these data of people are normally sold. “Big Tech” obtained massive information about people thanks to the sole geolocation data they collect or buy: what and where they eat, whom they love and meet, which sport they do, etc. I think there is a problem of basic education: people must start to understand that a) their location data are already tracked and collected, and b) that GDPR and ePrivacy are useful rules, because they protect citizens from both “Big Tech” and the State.
By contrast, in some Asian countries, such protection does not exist and the State can collect any data for public health reasons without providing guarantee as to the correct use, storage and protection of such data.
Would you say that monitoring citizens’ data is appropriate, regardless of GDPR? Or are we adapting ourselves already to the “surveillance-style” way of life, especially in contrast to how non-European countries deal with citizens’ data (see China, South Korea, Israel)?
Innocenzo Genna: As mentioned above, people are already used to being surveilled by “Big Tech”. Or at least they tolerate this form of surveillance, but not surveillance by the State. It is strange, but so it is. We must further implement education in this regard, because now, this adaptation to surveillance is due to ignorance rather than to consent.
Monitoring citizens could be appropriate when data are anonymised and aggregated. Individual tracking should be an exception and there should be clear evidence that it is the only effective way to achieve a given objective.
GDPR and ePrivacy must remain robust and set rules for protecting citizens’ data by both “Big Tech” and the State. European democracies are weak in the short term; this is why they need such robust privacy rules when elections accidentally bring illiberal forces to power.