Covid-19 and Data Protection in Spain: an overview, by Rosario García Mahamut

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives », which consists of a daily publication at 12 p.m. (GMT+1), except on Sundays, until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder-Editor of Blogdroiteuropeen. If you are interested in contributing to our September session, feel free to contact us at

Introductory remarks on Covid-19’s arrival in Spain: state of play and statistics

Without entering into details about the origin and development of SARS-CoV-2, allegedly traced back to China’s Wuhan region, the first patient registered in Spain with Covid-19 is said to have been a German citizen in the Canary island of La Gomera on 31 January 2020. Nine days later, virus circulation was established in Palma de Mallorca, but it was not until 24 February that the virus leaped to the peninsula. The Autonomous Communities of Madrid, Catalonia and the Basque Country were the most affected. From 24 February to early March, the expansion of the virus and the growth in the number of infections were modest. The scenario soon changed when the virus seemed to spiral out of control. It was precisely on 9 March that the Spanish National Health Service adopted the earliest targeted measures in areas with confirmed community transmission. Madrid, for example, decided to close down educational facilities, a measure which soon extended to the rest of the Spanish territory. On 13 March, the day before the State of Alarm, the number of reported cases amounted to 4,209 (among these, 120 deaths).

As of 10 June 2020, Spain has reported 289,046 confirmed cases of infection and 27,136 deaths deriving from SARS-CoV-2. These figures are just the tip of the iceberg. This contribution will explore the most relevant legal and constitutional issues related to the Covid-19 state-of-affairs in Spain, with a special focus on its data protection implications.

Legal implications and emergency measures in the context of the Covid-19 pandemic

Providing a global vision of data protection in Spain during Covid-19 requires looking into a number of constitutional and legally relevant issues. Spain decreed its first State of Alarm on 14 March (Royal Decree 463/2020, of 14 March). The Government, after the Spanish Congress of Deputies’ authorization, extended it on six occasions (RD 476/2020, of 27 March; RD 487/2020, of 10 April; RD 492/2020, of 24 April; RD 514/2020, of 8 May; RD 537/2020, of 22 May and RD 555/2020, of 5 June). Each extension has been decreed for a period of 15 days, and the last three extensions have been part of the so-called de-escalation process. As per Art. 4(b) of the Organic Act 4/1981 on the States of Alarm, Emergency and Siege and art. 116.2 of the Spanish Constitution (hereinafter, SC), the Government has the authority to declare a State of Alarm, in all or part of the national territory, when health crises, such as epidemics, seriously disturb ordinary life. In democratic Spain, the State of Alarm had only been decreed in 2010, by Real Decreto 1673/2010. In this unique precedent, the State of Alarm aimed at reopening the Spanish airspace, which had been blocked by a strike of the air traffic controllers. It implied a temporary submission of the air traffic controllers to the military authorities.

By contrast, the Covid-19 State of Alarm has affected the entirety of the Spanish territory. The competent authority has been the national Government, under the supervision of the Prime Minister. Powers have legitimately been delegated to the Ministers of Defence, Home Affairs, Transport, Mobility and Urban Agenda, and to the Minister of Health. The latter has been designated as the competent delegated authority to exercise State of Alarm functions under the direct supervision of the Prime Minister. Organic Act (OA) 4/1981 includes, among the restriction measures authorized under a State of Alarm, limiting the movement or stay of people or vehicles at certain times and places, or making them conditional on the fulfilment of certain requirements. Pursuant to art. 11(a) of OA 4/1981, Art. 7 of Royal Decree (RD) 463/2020 in fact imposed an extreme limitation on people’s freedom of movement, allowing only a reduced list of basic activities, such as the acquisition of food and basic necessities, visiting health centres and some limited work commutes.

These absolutely restrictive measures lasted seven weeks. On 28 April, the Council of Ministers approved the Transition plan towards a new normality in which a process of gradual, asymmetric and coordinated de-escalation, in cooperation with the Autonomous Communities, was scheduled. This de-escalation plan was made up of four phases, distinguished according to the permitted activities. It was also a flexible plan, dependent upon the collected epidemiological data.

Once the last phase has been successfully implemented and completed (in the different territories), social and economic restrictions will be lifted and the measures derived from the State of Alarm declaration will cease to have effect. The validity of the State of Alarm in Spain ended on 21 June 2020, when the duration of the extension provided for in RD 555/2020, of 5 June ended. The resulting legal scenario has proved extraordinarily complex. There have been constant substantive changes at the normative level. A number of reasons have contributed to the lack of clarity and legal certainty. Firstly, the ample amount of governmental corrections must be highlighted. Secondly, the legal channels through which regulation has been attempted in the fight against further expansion of the pandemic are also worth noting. Precisely in this regard, we must also allude to the various containment and prevention measures used to ‘bend the curve’. In fact, the original Royal Decree declaring the State of Alarm (RD 463/2020, of 14 March) was modified by RD 465/2020, of 17 March, just three days later.

To date, and just in relation to health crisis management measures, more than 180 provisions have been adopted in matters ranging from health, security, home affairs, civil protection, transport, mobility, economy, security, internal affairs, traffic and civil protection, to name but a few. These provisions can be found in a diverse array of legal sources, such as royal decrees, orders, memos, resolutions, and multilateral agreements. Apart from the above, there are countless ministerial orders and resolutions issued in what has been systematized as part of the ‘transition to a new normal’. The new normal has been a recurrent notion in political and media discourse. However, the notion also has its policy and normative backdrop. Spain’s transition plan defines it as the last phase of the de-escalation process whereby “social and economic restrictions officially end, but epidemiological monitoring and surveillance are preserved, health system capacity and citizenship self-protection are reinforced” (p. 28). Hundreds of the recently-adopted normative provisions have affected the most varied range of legislation, which, in turn, has even led to categorizations according to groups and sectors.

It is well worth remembering, as it affects the exercise and effectiveness of fundamental rights, that the suspension and interruption of procedural time limits for all jurisdictional orders and administrative deadlines were enacted. It is worth noting that habeas corpus proceedings were excluded and that particular importance was attached to public-sector-deadline-interruption exceptions not envisaged in Law 39/2015 on the Common Administrative Procedure of Public Administrations. These exceptions were based on the urgent or essential need to resume proceedings in cases directly linked to health crisis management.

The difficult balance between health and data protection in the light of Covid-19

A holistic overview of the right to data protection in Spain also demands an overview of the current socio-digital reality. The health emergency in which we find ourselves is characterized by drastic lockdown measures, home confinement and the establishment of containment measures, all driven by the need to prevent the spread and reduce the effects of the Covid-19 outbreak. This, in turn, has activated the creation, proliferation and proposed application of a whole set of technological tools, which oftentimes do not even minimally pass the balancing test with seemingly conflicting rights. Sadly, the consequence has been two-fold: on the one hand, the unchallenged sacrifice (whether by action or omission) of the fundamental right to data protection, and, on the other hand, the inadequate guarantees and control mechanisms for its effective protection.

Clearly, data protection is not an absolute right. However, from a Spanish constitutional perspective, it is a right that, unlike others, cannot be suspended, even if any type of emergency state is declared. This is expressly provided for in Art. 55.1 of the SC. What is most striking, in my view, is the lack of insistence on this point by the Spanish Data Protection Authority (SDPA). This rings especially true, if we bear in mind that the new Spanish Data Protection Act (Ley Orgánica 3/2018 de Protección de Datos) provides some insight into the processing of health-based data – including such processing for research purposes – among other considerations. This has been the epicentre of many of the debates and tools that are used, or are planned to be used, for health protection and infection prevention.

In fact, by virtue of Order SND/297/2020, of 27 March, the Ministry of Health entrusted the Digitalization and Artificial Intelligence State Secretariat with the development of technological solutions and mobile applications for data collection, in order to improve the operational efficiency of health services, and to study personal mobility in the days prior to and during confinement. This was done by cross-matching data, in an aggregate and anonymous manner, supplied by mobile operators. The competent State Secretariat gave assurances that compliance with the GDPR and the SDP Act would be ensured. Time will tell.

Current technological advances have been proposed as crucial tools in the fight against the Covid-19 pandemic, arguing that they supposedly provide greater benefits to the general public than costs to individual privacy.

The role of the Spanish Data Protection Authority

Of particular interest in this area is the study carried out by the SDPA “The use of information technologies in the fight against Covid19. A cost-benefit analysis”, whose aim is to analyse the following systems: mobile geolocation collected by telecommunications operators, geolocation on social networks, apps, websites and chat bots for self-testing or support based on prior appointment, voluntary infection information apps (COVAPPS), Bluetooth contact tracking apps (CONTACT TRACE APPS), as well as ‘immunity passports’ and infrared cameras.

In addition, and given the problems that arise in relation to the protection of personal data, the SDPA has developed various resources during the State of Alarm; it has also prepared Report 0017/2020 on data processing resulting from the spread of the Covid-19 virus. It has also responded to a consultation on issues related to the use of proctoring in online tests, since RD 463/2020 established the move to online teaching and assessment. It has released two statements, one in relation to websites and apps that offer self-assessment tools and advice on the coronavirus, and the other in relation to taking temperature in stores, the workplace or other facilities. This issue continues to raise countless questions, given that, from an occupational risk prevention perspective, there is a legal basis, albeit nuanced, for the processing of the abovementioned health data on the part of employers. However, finding a legal basis becomes less clear in cases when such processing is done by private organizations and corporate entities. Additionally, if such businesses cannot certify the technical capacity to anonymize data and to comply with general data protection principles, there will be serious violations of individuals’ right to data protection and breaches of national and European data protection legislation. In fact, the SDPA expressed this very concern, given that these measures are being carried out without the prior and necessary notice of the health authorities and effectively imply intense interference in the rights of those affected.

The SDPA has also published a series of recommendations to protect personal data in mobility and teleworking situations. Likewise, through a series of FAQs, it has given answers to the most frequent questions raised by citizens and companies. The SDPA has also provided an open source blog where it has published, among others, infographics on personal data processing in emergency situations, notices and guides on data security breach management during the State of Alarm, and Covid-19 phishing awareness campaigns.

Sub-national data protection authorities have published, within their areas of competence, guides, reminders or their own analysis on very specific problem areas.

A brief overview of the lack of jurisprudential insight on data protection issues related to Covid-19 measures

From a case-law perspective, the attention has been mainly focused on essential aspects of Labour Law. Recent case-law establishes that the right to life and physical integrity are infringed when a business fails to comply with the duty of labour risk prevention –basically, by not providing the necessary protection equipment (STSJ PV 30/2020; STSJ PV 31/2020; SJSO 1539/2020)–. Interesting case-law from the administrative sections of regional High Courts of Justice (STSJCL 1096/2020; STSJ G 914/2020) and our very own Constitutional Court (Order 40/2020) is also emerging in relation to the limits to the right to demonstrate in emergency situations, under public order and public health defences. However, aspects related to data protection have hardly been tackled, so far not even by the Spanish Constitutional Court.

Concluding remarks

In the current scenario, technology does not exclusively affect the processing of health data (including scientific research) and, therefore, we cannot limit its regulation to the area of public health. On the contrary, technology transcends and impacts all facets of daily life of individuals and their relations both in the public and private environment (labour, educational, economic, etc.).

Without a doubt, even during a health crisis, personal data must be processed in accordance with the GDPR and the SDP Act, under the principles of lawfulness, loyalty, transparency, purpose limitation, accuracy and minimization. Just as the principle of transparency takes on, nowadays more than ever, an unusual value, so too must technology contribute to the fight against Covid-19. This technology in no way can turn its back on the general principles of effectiveness, necessity and proportionality.

The technological instruments enlisted to serve in the fight against the pandemic will undoubtedly bring about irreversible consequences in the field of rights and freedoms. Their impact calls for evaluation, monitoring and review by both national and European authorities. The EU must foresee and envision general and specific supranational mechanisms to combat a pandemic that not only affects humankind but also its fundamental rights.

Translated by Mónica Martínez López-Sáez (University of Valencia Department of Constitutional Law, Spain).

* This work is part of the research projects on the implementation of the General Data Protection Regulation in Spain funded by Spain’s Ministry of Science, Innovation and Universities (RTI2018-095367-B-I00) and Valencian Government (AICO/2019/205).

Rosario García Mahamut, professor of Constitutional Law at Jaume I University (Castellón, Spain), author of numerous books, book chapters, and articles published in international journals. In the field of Data Protection she coordinates several international projects, in particular on the implementation of the GDPR in Spain. She was the Director of Internal Policy at the homeland security Ministry (2004-2008) and member of the Spanish Electoral Board -Central Electoral Commission- (2008-2012). Rosario García Mahamut has been a visiting professor in several Universities (Oxford University, Université de Montréal, Université Paris I Panthéon-Sorbonne, Universitá La Sapienza (Roma) and Universitá degli Studi Roma Tre).

For more information on the context of this e-conference and the other papers see

Don’t miss the next paper tomorrow at 12 pm, by Cristina Pauner, on Drone use in the fight against covid-19: surveillance and privacy issues
