A report just published by the Council of Europe identifies a number of shortcomings in the protection of privacy and personal data in some of the legal and technical measures adopted by governments to prevent the spread of the COVID-19 pandemic among the 55 African, Latin-American and European countries which have joined the data protection “Convention 108”.
The report “Digital solutions to fight COVID-19” provides an analysis of the impact on the rights to privacy and data protection of the legislative framework and policies adopted by governments as well as an in-depth and technical review of digital contact tracing applications and monitoring tools.
It calls on governments to ensure transparency of digital solutions in order to ensure respect of the rights to privacy and data protection. It also regrets that in spite of numerous calls for coordination and interoperability of digital solutions to prevent the spread of the COVID-19 pandemic, countries have individually implemented widely diverging systems, thereby limiting the efficiency of the measures taken.
Whilst aiming to assess how the measures adopted comply with the data protection convention, the report also contains recommendations on how to ensure the efficiency and resilience of the data protection framework.
In most countries, governments adopted emergency measures that gave governments extensive powers, usually only for a limited period of time.
The report identifies shortcomings in a number of countries concerning compliance with the principles of “Convention 108” with regard to issues such as the requirement for a legal basis of the measures adopted, their proportionality and aspects such as their justification by public interest and the consent of the data subject for data processing.
A particularly challenging aspect is the limitation of the purposes for data processing – the report points out that in some countries the boundaries between healthcare and police enforcement purposes have been sometimes blurred. The report also points to data protection risks related to the security, storage and sharing of data, which has led to the withdrawal of certain measures in some countries.
When examining compliance with the principle of privacy by design, the report notes that out of 55 Parties to “Convention 108”, 26 jurisdictions have chosen a de-centralised approach for proximity and contact tracing apps whilst 14 have chosen a centralised approach. 5 countries have decided not to use apps at all.
The report contains the findings of a survey among the states Parties to “Convention 108” on the use of digital solutions to control the dissemination of the virus. Out of the 47 respondents participating in the survey, 36 use apps for contact tracing or proximity alerts (77%), 20 for self-diagnosis (43%), 11 for quarantine enforcement (23%) and 8 for mapping travel patterns (17%). Only two countries used apps for crowd control and another two for immunity passports.
Finally, the report welcomes that 20 countries participating in the survey have published the apps source codes, a measure that can contribute to building the trust of users and to make the apps effective. To further strengthen this trust, the reports recommends involving civil society and the general public in the development of digital solutions and transparency measures.