May 4, 2020

2020: Covid-19 versus the GDPR

 In the wake of the 2005 London terrorist attacks, the European Union approved data retention laws that required telecom companies to keep extensive records of phone calls and text messages that could be used for law enforcement efforts. In a similar vain, the European Union adopted airline passenger data transfer agreements with the United States and Canada

  Eventually, the European Court of Justice struck down the EU data retention legislation in 2012despite the claims by police and prosecutors throughout the EU that the legislation had saved lives. In 2017, the same ECJ rejected the EU Passenger Name Record agreement with the U.S. and Canada. The ECJ rulings were based on the terms of EU data privacy legislation as well as civil liberty terms in the EU Charter for Fundamental Rights

  In the face of an even more serious life and death situation – not to mention economic catastrophe – due to the Covid-19 pandemic, the EU confronts another data protection and civil liberty dilemma when it comes to electronic messenger apps to track and hopefully limit the spread of the virus. EU member states are frantically finalizing national apps while work is also closing on an EU-wide app. 

  The apps are considered a crucial tracing tool – along with Covid-19 testing – in order to phase out lock-downs, kick start an economic recovery this summer and limit new contagion waves. For many businesses, especially in the hospitality, retail and tourism sector, tracing apps could prove the difference between bankruptcy and barely surviving until a vaccine is available.

   And we know that testing and tracing works. South Korea is perhaps the best example. After the MERS outbreak in 2015, it imposed a mandatory tracing regime based on GPS datacredit card info and CCTV footage. In China, the current system uses a WeChat app that is mandatory on every smart phone. Chinese citizens that have been tested and are negative get a green light and can enter a train, bus, taxi, airplane, restaurant or commercial retail centre. Those with a red light are denied access.

   But in Europe, the South Korean and Chinese methods have been ruled out as unacceptable by EU data privacy officials and civil liberty groups. Even a much less efficient tracing system using an app on a voluntary basis based on bluetooth technology has triggered controversy. There is a parallel debate about whether the information should be stored in a centralised or decentralised data bank . 

   Are these the arguments of ivory tower academics who have prioritized the preservation of the world’s strictest data protection standards in order to protect against potential massive surveillance system abuses used in a authoritarian society? And in doing so have they simply not come to terms with the bleak, desperate economic and social reality that our society faces in the years ahead until there is a reliable, readily available Covid-19 vaccine?

    Indeed, the new post-lock down restrictions being drawn up by governments, including limitations on everything from school room classes, airline seating, restaurant table arrangements and entry to retail stores are onerous. Along with those there will be rigorous de-sanitzing requirements. The sad fact is that these restrictions will be so costly millions of businesses will either decide re-opening is a losing proposition and it is either not worth re-opening. Or, if they do, it will be a short period of time before they go bust long before the long-term EU Recovery Fund plans take effect. 

  Along with this reality is the plight of millions of private citizens who have been sitting at home for six weeks or more – many of whom have lost a job – and are barely surviving economically. If a temporary system such as the one in South Korea or even China could end a lock-down and allow a return to work thus ensuring economic survival would they protest on data privacy grounds? Doubtful

    And why should they? The idea that data such as that collected by the South Korean or even Chinese system is more protected in Europe is often simply inaccurate. After all, the same CCTV, credit card or GPS info or even phone call data in Europe is already used by public authorities and in some cases by businesses for legal or commercial reasons. 

  One of the more recent examples: it was only a few months ago that the EU approved legislation that will require online payment services such as PayPalAmazon and credit card companies to report billions of VAT payments to a centralised data bank to be used by tax authorities. That legislation was added to the ever-growing EU Directive for Administrative Cooperation (DAC) legislation requiring tax related data storage and exchange. To date there are now six different DAC laws, the most prominent requiring the transfer of bank data information as part of the OECD Common Reporting Standard

   In the field of public health there is the non electronic tracing that is also an essential component to fight a pandemic. Countries including Germany have effectively used this kind of tracing to limit the spread of the virus. Instead of collecting data digitally, it involves labor intensive efforts by health department employees. This includes contacting individuals who have been in contact with someone who has tested positive for Covid-19. While the person contacted is supposed to remain anonymous the name of those in the initial ring of contacts and subsequent ones become known. Through this process information such as data of birth, raceliving conditions and, most important, whether or not they have been tested are all documented. All of that information is stored in a centralized data base.

    To be sure the EU General Data Protection Regulation does allow for a temporary loosening of data privacy rules in the face of an emergency such as the Covid-19 pandemic. And for good reason. In in the same way governments can force citizens to stay indoors for weeks or months at a time and require documentation to move about, they have the legal right to require the use of a tracing app as a trade off for imposing stay-at-home civil liberty restrictions. 

   As EU countries and others around the world draw up these testing and tracing app systems, it will shortly, as mentioned, become clear that businesses, schools museums, airlines, concerts, sporting events and just about every other aspect of public will need to set up a security system similar to what exists now in airports. Instead of having to pass through x-ray machines we will have to have a bar code on our phone that indicates a recent positive test or a blood test showing sufficient Covid-19 antibodies – if it is proven that they ensure immunity to the virus.

    Of course the 1984-Big Brother arguments will go into overdrive. And surely there will be flaws and abuses with a bar code testing and tracingsecurity system but these can be ironed out.

   No doubt that this kind of security arrangement using smart phone bar codes will end up before the European Court of Justice. Will the ECJ follow the legal precedent it established with the EU Data Retention and the EU-U.S.-Canada PNR agreement

  Hopefully, by the time the ECJ does adjudicate the current, Covid-19 will be an expensive, tragic saga of the past but one that was limited thanks to a common sense use of temporary, emergency digital technology.