Data Protection Issues related to Covid-19

Data Protection Issues and Covid-19 : Comparative Perspectives, Opening remarks, by Olivia Tambou

Why this e-conference ?

1. The Need to Have a Focus on Data Protection Issues Related to Covid-19 

Legal experts are currently dealing with numerous issues related to Covid-19. This topic and the concerns about it are spread in our public space. Blogdroiteuropeen has already reported on the launch of other blogs’ initiatives aiming at analysing the European European Solidarity in Times of Emergency, or focusing on how Law addresses crises such as the Covid-19.  Research Centre such as the Innovation and Artificial intelligence Laboratory of the School of Law of the University of Buenos Aires has already started to systematize information on the Mobile Apps used worldwide by public authorities to fight the pandemic. However, to our knowledge, there has been no initiative so far to analyse the main Data protection Issues related to Covid-19 in a systemic way.

The pandemic raises several Data Protection issues which could be broadly classified into three categories. The first one is related to safeguard guarantees related to the collection and processing of Health data for the public Health interest including research purposes. The second one is the proportionality of the surveillance measures aimed at enforcing the rules related to the lockdown and the relaxation of the lockdown. The third one is related to the conformity of uses derivated from the generalisation of the homeworking, homeschooling, staycation, with data protection rules. In this uncertain context, for a majority of people, the risks for their lives or for keeping their jobs, the need to ensure the continuity of public services, or simply to enjoy an online social life thanks to user-friendly tools often prevail over data protection considerations.

More than six months after the outbreak of the pandemic in China, Blogdroiteuropeen wants to contribute usefully to the public debates surrounding data protection under the Covid-19 pandemic. This e-conference is particularly welcomed as a second Covid-19 wave risk is not excluded, even if some authors consider that this is a flawed idea. The purpose of this e-conference is to provide an analysis of what is really at stake, what has been done so far, and which impact this crisis may have in the longer term or at least to offer some signposts in the different scenarios laying ahead of us.

2. The Need to Have a Worldwide Comparative Approach on Data Protection Issues Related to Covid-19

Despite the widespread statement that people are more and more Data protection’ sensitive, Data protection rules are often considered to be too technical, unpractical and costly. After two years of implementation, the GDPR and more globally the European Data Protection Reform of 2016 balance seems to be mixed, as the Multistakeholder Expert Group to support the application of the GDPR and the European Commission recently reported. Law scholars and practitioners keep commenting on the deep gap between Data Protection in the Book and Data protection in Action. Being a global event, the Covid-19 pandemic is a unique opportunity to analyse in-depth whether the European Data Protection Model exists, and how robust this European Model has been when faced with this unprecedented pandemic. (click HERE to have an overview of the main components of the European Data Protection Law)

At this stage of these Opening remarks, it is worth recalling the three main features of this European Model. The first feature is that in Europe, Data Protection is considered to be a Human Right derivated from the right to the respect of private life according to article 8 of the European Convention on Human Rights. In the EU, Data protection is an autonomous fundamental Right, enshrined in article 8 of the Charter of Fundamental Rights of the European Union. The second feature of the European Model is the existence of a Data Protection Authority, although no European Model of Data Protection Authority exists (click on the picture for more information). Only the members of the Council of Europe which have ratified the Additional Protocol to the Convention 108 are committed to setting up supervisory authorities, exercising their functions in complete independence, whereas the compulsory nature of the data protection authority had been foreseen in the first place by the Directive 95/46 EC. In the EU, the added value of the 2016 reform is to provide a harmonisation of the competences, tasks and powers of the national Data Protection Authorities. In addition, the European Data Protection Board was set up in order to ensure the consistent application both of the GDPR and the Directive 680/2016 related to enforcement processing at the level of the European Economic Area. The existence of the independent data protection authorities is an essential element of the fundamental right to data protection as the CJEU recalled in its famous Schrems case of 2015. This e-conference should be able to show whether the strong regulation powers of the national data protection authorities have made a difference in the context of the Covid-19 crisis.

The third feature of the European Data Protection Model is its pluralistic nature, often misunderstood or underestimated. Beyond an important set of European harmonised rules, national Member States are still authorized to develop national data protection laws for specific issues. This applies to a range of processes at the core of the current pandemic because of the sensitivity of the data (ie. Health Data, or biometric Data) or the nature of their purposes (research, public security, prevention of the fraud and the crimes, other important objectives of general public interest purposes).

Therefore, the first purpose of this e-conference is to analyse to what extent the European States tackle the Data Protection Issues differently, inside their legal order and in relation with other States. The scrutiny over the national mobile applications created to fight Covid-19 is a good illustration of the complex dimension of the legal pluralism of European Data protection. As the implementation of such apps rely on the competence of each State, the European Commission has issued a recommendation which support exit strategies through mobile data and apps. Based on this recommendation, the eHealth Network, a voluntary network of Member States’ competent authorities dealing with digital health, prepared a common EU tool books for Member States. In addition, the European Commission adopted a guidance in which cross-border interoperability between the national apps with different architectures are encouraged. All the European States willing to implement such an application have opted for the tracing app which uses the Bluetooth and consists in a notification to the people who have voluntary downloaded the application when they have been in contact with infected people who have voluntarily transmitted this information to the apps. The geotracking app model, widerspread in Asia, has been globally rejected by the European States. This geolocalisation of infected people was considered to be a disproportionate surveillance, not in line with the European rules and values. Beyond this European consensus, there is a variety of technical, political and legal modalities in the implementation of the contact tracing apps across European States. This will be detailed in the national contributions.

The comparative approach will also indicate how attractive the European Model of Data protection is, since the 2016 reform gave more visibility to it, and with the facilitating work of the Council of Europe also called the « Strasbourg Effect ». The Council of Europe promotes worldwide a « GDPR Light » approach allowing no European States to ratify the modernised Convention 108, which is the unique Data Protection International Agreement. In this context, the Brazilian Supreme Court adopted a landmark ruling last May recognizing the right to data protection as an autonomous right, as further analysed in this e-conference.

3. Covid-19: a Turning Point toward a real proactive European Digital Strategy ?

The need for the EU to build its European Digital Sovereignty has been invoked several times in the context of the fight against Covid-19. The Covid-19 pandemic revealed the intensity of the technological dependence of the European States : they struggled to develop their own digital services and ended up mostly relying on the GAFAM. Whereas the concept of European Digital Sovereignty continues to be more political than legal as before, this e-conference should also help in assessing whether the data protection concerns raised during the pandemic could be an accelerator for the implementation of the European Strategy for Data. Presented last February, this strategy maps for the first time a positive approach of an open single data market articulated on nine common European sectorial data spaces including a Common European Health Data Space. These sectoral data spaces should be articulated with the ongoing construction of the European Open Science Cloud, « which provides open and seamless services for storage, management, analysis and re-use of research data, across borders and scientific disciplines by federating existing scientific data infrastructures, currently dispersed across disciplines and the EU Member States ». The European ambition is to create a holistic freedom of circulation including all the kinds of data (personal/ no personal, public and private) for the creation of public good which could be based on European values and aligned with European Laws. Now, this strategy relies on the building on European digital infrastructures as illustrated with the European Cloud GAIA-X, for the storage of our data in the data protection-friendly environment. The idea is clearly to set up standards and challenge the American and Chinese market players.

Three scenarios are on the table. The first scenario assumes that no specific lesson may be drawn from the Covid-19 pandemic: the statu quo regarding Data protection Issues will remain. The next two scenarios take as a point of departure the hope that Covid-19 will be a watershed moment, with a « before » and an « after » coronavirus (B.C. and A.C.) as some columnists have foreseen more globally. In a second – pessimistic – scenario, the Coronavirus could lead us to a « black mirror » perspective, where the pandemic legitimised the necessity, the irreversibly but overall the harmful dimension of intrusive technologies. In this scenario, the economic issues around the valorisation of the data will prevail over the collective social benefit and reinforce the discrimination between people. Soshana Zuboff recently highlighted the ins and outs of this « surveillance capitalism ». In her book, she illustrates precisely how the GAFAM have hijacked the benefit of the new technologies to their profit. In a third – more optimistic – scenario, Covid-19 could force us to came back to the original spirit of the Internet by finding new ways of creating digital commons where the Law and in particular European Law could have its say. One could be convinced that investments should be done on infrastructures such as a European Cloud as mentioned before or a European Search Engine. Lessons for the past should be taken, when the ambition of Europe is to promote data sharing with private actors. Alternative and more innovative fundings sources should be created for these digital public goods. This e-conference should, therefore, contextualise the need for a pro-active European Strategie for Open and FAIR (Findable, Accessible, Interoperable, Reusable) Data, by showing that these complex technical aspects have major political consequences.

4. The Interest of Data Protection as a Laboratory on State Emergency 

In their contributions, some authors give an overview of the interactions between the national state of the pandemic and the nature of the State of Emergency. This will allow this e-conference to illustrate in a systematic way State Emergencies related to Covid 19. However, more details on European national approaches on State Emergency could be found in two studies of the European Parliament which offers an overview on the situation in  Belgium, France, Germany, Hungary, Italy, Poland and Spain. Here the second report covers Bulgaria, Estonia, Latvia, Malta, Austria, Romania, and Slovenia, and the third one Croatia, Denmark, Finland, Luxembourg, the Netherlands, Portugal, and Sweden.

This e-conference will demonstrate that the states have been linguistically creative, speaking of « State of Alarm » in Spain, of «State of Health Emergency » in France, « State of Alert » in Portugal or « State of Danger » in Hungary for instance. Only ten European States (Albania, Armenia, Estonia, Georgia, Latvia, North Macedonia, Republic of Moldova, Romania, San Marino, Serbia) of the 47 Members of the Council of Europe have used the derogation in time of emergency. None of the founders of the Council of Europe have triggered this procedure. This approach has developed a lively doctrinal debate on whether the State should or have to do it (see in France here and here for instance). In this context, the General Secretary of the Council of Europe has adopted a toolkit for Member States Respecting democracy, rule of law and human rights in the framework of the COVID-19 sanitary crisis. Similar derogations provided by other international Human Rights agreement has no been activated (see).

This e-conference will illustrate the legal differences between the national conceptions of the State of Emergency by analysing how this had an impact of the European right of Data protection. In this context, particular attention should be given to the effectiveness of the system of the check and balances, which relies on the parliaments, the judges, the Data Protection Authorities and the civil society in this governmental time of exercise of the power that the State of Emergency represents.

5. How will the e-conference be held? 

This e-conference will consist in a daily publication on the blog which will analyse the national state of play of Data Protection Issues or more transversal issues. These posts will be published at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication.

This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen.

If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com

Last but not least, at the moment to launch this e-conference, Yseult Marique and I would like to thanks all the contributors who have spontaneously accepted to join this project with enthusiasm in order to share their legal expertise.

 

For more information on the other papers see

Votre commentaire

Entrez vos coordonnées ci-dessous ou cliquez sur une icône pour vous connecter:

Gravatar
Logo WordPress.com

Vous commentez à l’aide de votre compte WordPress.com. Déconnexion /  Changer )

Photo Facebook

Vous commentez à l’aide de votre compte Facebook. Déconnexion /  Changer )

Annuler

Connexion à %s

Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur la façon dont les données de vos commentaires sont traitées.