A privacy misconception could hinder coronavirus-fighting in Europe

In the last few weeks, we have witnessed European Governments relying more and more on the advice of scientists and experts – physicians, virologists, epidemiologists, intensivists, but also economists, psychologists, jurists, technologists etc. – and on the guidelines coming from the EU institutions and the WHO. In many cases, with regard to the COVID-19 related emergency, decisions were made solely on the basis of recommendations from external task forces and independent authorities, and these did not even point in the same direction.

A clear example of this “dragging” of a rather disoriented political class is the Italian contact tracing app “telenovela”, which has gone on long enough, for months now, as is happening in other EU Member States. Citizens will be asked to download this smartphone app, designed to quickly identify anyone who has been in close proximity to a positive person and may have been infected in the last 15-30 days, in order to alert him/her and call for some action. Once the presence of an infected individual has been detected and recorded, the app could work in different ways – more or less accurately and efficiently – depending on the level of privacy and data protection to be ensured.

The highest level of privacy would be ensured by letting people choose whether or not to download and use the app, on a purely voluntary basis, and also by adopting a totally decentralised architecture (storing contact data exclusively on the smartphones and not in a centralised database): the public health authority should thus only be able to detect and identify the single positive case, if directly tested by healthcare providers, never obtaining the identity of his/her contacts at risk (who would only be alerted through the app, without being identified or reached by the health authorities). The app would simply send a poke or an alert notification to the contacts at risk and, in this way, the person who has been in close proximity to a COVID-19 positive subject would receive an app notification and would be advised to take a COVID-19 test.

In this scenario, the key role would be played by individual goodwill and by the capacity of the health system to respond to the emergency calls as well as to the likely massive demand for new tests.

In the opinion of many politicians, experts and insiders involved in the coordination of the health emergency, at least in Italy, this solution will not be effective. The main problem lies in the fact that people will use this tool on a voluntary basis, without any obligations or incentives, and this will reasonably not boost its widespread adoption. In addition, a totally decentralised contact tracing system will prevent a rapid, effective response from the health authorities in the case of suspected contacts at risk. Conversely, it is clear that, in order to enable the health authorities to intervene promptly and adequately, it would be necessary to partially centralise the contact-traced data in their databases. Moreover, there should be the capacity to carry out blanket testing in order to immediately detect and knock down the viral contagion.

It is a paradox that many privacy and data protection lawyers, like myself, are now agreeing with the privacy-overdose critics. Est modus in rebus: giving too much weight to privacy and data protection will not help the understanding and the protection of these same fundamental rights, which, on the contrary, will be seen as “guilty” of a failure of the plans to fight the virus. What a mistake.

In some measure, and with the best of intentions, some European institutions fostered this imbalance, promoting an interpretation that we could call “fundamentalist” (in a literal and not necessarily in a pejorative sense), one that transformed privacy and data protection into the sole, overarching objectives of the entire contact-tracing system. Rather, privacy and data protection are fundamental but not absolute rights, and they should be guaranteed without hindering the public health authorities’ actions. Privacy and data protection should bring safeguards, not replace the ultimate goal of fighting the coronavirus and saving human lives.

An example? It is enough to read the Guidelines adopted on the 21st of April 2020 by the European Data Protection Board (EDPB), on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, where the independent Data Protection Authorities seem to claim the power to rule out making the download of the tracing app compulsory: “The systematic and large scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy. It can only be legitimised by relying on a voluntary adoption by the users for each of the respective purposes. This would imply, in particular, that individuals who decide not to or cannot use such applications should not suffer from any disadvantage at all…”

Can the independent DPAs, through the EDPB, impose on the Governments of Member States the requirement that such anti-coronavirus apps be non-mandatory? Of course they cannot. Independent authorities are not legislators and they cannot “give orders” to national legislators.

Moreover, Regulation (EU) 2016/679 (“GDPR”) leaves Countries a wide margin of manoeuvre: they are allowed to derogate, ex lege, from the prohibition on processing special categories of personal data, under certain conditions. Derogating from the prohibition on processing special categories of personal data should be allowed when provided for in Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular processing personal data for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. National legislators find a limit in Art. 52 of the EU Charter of Fundamental Rights: the right to the protection of personal data must be considered in relation to its function in society and be balanced against other fundamental rights and freedoms or substantial public interests, in accordance with the principle of proportionality. Well: where is it written that “proportionality” means “voluntary adoption” and total data decentralisation?

Politicians, Governments and legislators should be aware of their role, clarify their ideas, without the leading hand of bureaucrats. They should apply strategies based on the respect for human rights but well-balanced, effective and, above all, coordinated at the European and the International levels.


Luca Bolognini, President of the Italian Institute for Privacy and Data Valorisation – l.bolognini@istitutoprivacy.it