This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives », which consists of a daily publication at 12 p.m. (GMT+1), except on Sundays, until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder-Editor of Blogdroiteuropeen. If you are interested in contributing to our September session, feel free to contact us at firstname.lastname@example.org
THE USE OF SURVEILLANCE DURING THE PANDEMIC CRISIS
On 11 March 2020, the World Health Organization (WHO) declared COVID-19 to be an international pandemic. Three days later via Royal Decree 463/2020, the Spanish Government declared a state of alarm that suspended ordinary law and gave the government more powers to protect public health and security of citizens. In Spain, states of emergency are provided for in article 116 of the Spanish Constitution and regulated in Organic Law 4/1981 on states of alarm, emergency and siege. This legal framework allows the government to temporarily limit individual freedoms such as the freedom of movement, requisition property and require mandatory service from individuals. The “serious alterations of normality” that might justify the declaration of a state of alarm include “health crises, such as epidemics” (article 4.1.b). In these cases, health security becomes a matter of public security.
The limitation of the freedom of movement is provided for in article 7 of the royal decree, and one exceptional measure for the emergency is the use of mass surveillance technologies. The WHO advised states to intensify active surveillance to identify infected individuals to implement rapid isolation and quarantine. Spain, like many other countries such as Italy, Germany, France and the USA, is making use of drones to strictly implement surveillance during the lockdown and monitor the whereabouts of citizens. That is the case of the police departments in Madrid or Sabadell, which are operating drones with various functions such as on-board cameras and thermal sensors, the so-called pandemic drones. Unlike in neighbouring countries such as France, no judicial cases or complaints before the Spanish Data Protection Agency have been filed so far.
A drone or unmanned aerial vehicle is any remotely piloted aircraft. As they are remotely controlled, drones are proving to be a valuable tool in helping to reduce the risk of COVID-19 transmission. In addition to surveillance activities, they are becoming a support tool for public authorities for many other purposes such as issuing instructions and warnings in Madrid, performing logistics tasks in Pontevedra and disinfecting contaminated areas in Sevilla, Barcelona and 19 other provinces.
When used for surveillance, drones must be equipped with on-board cameras or other sensors. This raises obvious data protection and privacy concerns.
While health tracking systems have the potential to save lives and help authorities flatten the coronavirus curve, the vast trails of collected data could see the surveillance of health issues morph into the surveillance of individuals. Thus, a balance must be struck between the costs and benefits of using drones.
LEGAL FRAMEWORK FOR DATA PROTECTION AND VIDEO SURVEILLANCE WITH DRONES
Government use and operation of drones must be in accordance with current legislation, both the regulations on drone use and the provisions of the state of alarm order.
The regulations on drones are found in Royal Decree 1036/2017, which regulates civilian use of remotely piloted aircraft. One requirement of this legislation is that measures must be adopted to ensure compliance with personal data protection regulations, since the acquisition and/or recording of images of identified or identifiable persons for surveillance purposes by cameras, camcorders or any other similar technical means constitutes personal data processing subject to data protection regulations. Video surveillance systems that merely reproduce or transmit images in real time, without recording or storing them, also require the recording of processing activities.
In these operations, the restrictions on video surveillance by camera or camcorder systems or the tracking of identifiers of mobile devices apply. Therefore, only the Spanish security forces have the power to install camcorders, both fixed and mobile, in public places for security purposes.
The applicable legislation for automatic data processing and video surveillance by drones is Organic Law 4/1997, which regulates the use of video surveillance in public places by the security forces, and Directive (EU) 2016/680, which regulates the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. This directive has not yet been implemented into Spanish law, which entails the application of Organic Law 3/2018 on personal data protection and the guarantee of digital rights, which, in its fourth transitional provision, refers to Organic Law 15/1999 as regards this processing. This regulation works in parallel with the specific aeronautic regulation, Royal Decree 1036/2017, article 26 of which sets out the obligation to take the necessary measures to ensure compliance with the provisions on protection of personal data and protection of privacy, regardless of the scope to which the drone operation is associated.
Regarding Directive (EU) 2016/680, on 6 March 2020 the Spanish Government submitted the draft of an Organic Law on the use of data from the registration of passenger names for prevention, detection, investigation and prosecution of terrorism offences and serious crimes to the Congress of Deputies (which is now at a standstill), but the European Commission has already brought Spain to the Court of Justice of the European Union for the delay in transposing the Directive in August 2019.
So, the use of drones and the processing of personal data in health emergency situations is possible when all the data protection principles contained in article 4 of the directive are applied (principles of lawfulness, fairness and transparency; purpose limitation; accuracy and data minimisation). More specifically, the use of drones would be justified in the current state of alarm if the following conditions (among others) were met:
- a) The use is proportionate, appropriate and necessary. Drones should only be used when appropriate for the purposes described (public security and compliance with legal obligations required for health-related reasons of urgency or necessity).
- b) The intended purpose and the rights of the data subjects are weighed up, not only with regard to personal data protection but also privacy and self-image. Video surveillance by the security forces would not be considered illegitimate interference if the above-mentioned standards are met.
- c) There is a specific, imminent and/or emergency hazard (currently, the state of alarm). Cameras, which may be incorporated into drones, can be used when the above circumstances occur in areas where fixed cameras may already be installed.
Given this list, the principles of data minimisation and purpose limitation are particularly important, as personal data collected for a stated purpose tends to be diverted to other uses. This emphasises, first, the importance of ensuring that the data collected using drones is only used to support legitimate public health surveillance efforts, not government surveillance. It implies that any unrelated activities discovered during the collection of aerial data cannot be pursued or punished. Second, the data processed must be exclusively limited to that necessary for the intended purpose. This processing must not be extended to any other personal data not strictly necessary for this purpose. Convenience must not be confused with necessity, as the fundamental right to data protection continues to apply as it normally would, with the exception established by the personal data protection regulations that, in emergency situations, the necessary health data may be processed to prevent the spread of the disease that caused the health emergency, for the protection of essential public interests and/or the health of persons. Coronavirus-related surveillance must be clearly legitimated and justified against the privacy risks.
RISKS FOR PRIVACY AND DATA PROTECTION IN A POST-EMERGENCY SITUATION
The use of mass surveillance technologies to fight coronavirus has raised concerns about the risks that the exceptional measures may pose to democracy, civil rights and data protection. There is a fear that the emergency powers might outlive their emergencies.
Most people accept that speedy access to data is crucial to respond more effectively to the COVID-19 epidemic. They concede that public health currently trumps individual rights when it comes to the use of coronavirus data. This expression may include geolocation data obtained through cell phone companies or social networks; health data collected by apps, websites or chatbots for COVID self-tests; or a combination of both kinds of data through contact-tracing apps, immunity passports or infrared cameras for thermal screening. The main threats that such solutions pose to privacy come from the mapping of people-to-people relationships, re-identification by location, potential risk of discrimination, public dissemination of health data, etc. Therefore, as well as weighing up the public health benefit of increased surveillance and the loss of privacy during the pandemic, we also need to consider how we can limit the use of the data and tools in ordinary times.
Although we have focused on surveillance by drones to monitor compliance with the population confinement measures, many other mass data collection methods are already in use (smartphone geolocation data, facial recognition, health mobile apps, etc.). These digital monitoring solutions have varying implications for privacy and data protection. The acceptance of technical solutions that compromise privacy in an emergency can generate new tools that could be used by governments to track citizen movement and interactions when the lockdown is lifted.
However, at least in Western democracies, this threat can realistically be averted. Thus, during the current pandemic, the Spanish Agency for Data Protection (AEPD) has published a report analysing personal data processing during the COVID-19 pandemic. Even in this context, the report highlights that “in relation to the data processing resulting from the current situation arising from the spread of the COVID-19 virus, first of all, in general, it should be clarified that the General Data Protection Regulation, while aimed at safeguarding a fundamental right, apply in its entirety to the current situation, since there is no reason to determine the suspension of fundamental rights, nor has such measure been adopted”.
Furthermore, regulators and privacy organisations are urging governments to implement rules ensuring that health surveillance and monitoring policies will be strictly prescribed by law, proportionate to public health necessities, transparent, monitored by independent regulation authorities, subject to constant ethical reflection, non-discriminatory and respectful of fundamental rights.
Beyond immediate responses, long-term analyses and contributions are emerging from international organisations such as the OECD [Policy Responses to Coronavirus (COVID-19): Tracking and tracing COVID: Protecting privacy and data while using apps and biometrics], which emphasises that fully transparent and accountable privacy-preserving solutions should be embedded by design to balance the benefits and risks associated with personal data collection, processing and sharing; and the World Economic Forum’s Global Future Council on Human Rights and the Fourth Industrial Revolution, which states that government-mandated actions that restrict human rights and freedoms may only be justified if they are necessary and proportionate, enforce data minimisation and purpose limitation, and provide transparency in the reporting and tracking of any government action.
The use of big data has proven extremely valuable to the health sector and during the current COVID-19 outbreak. It is undeniable that technology-driven solutions based on collecting and processing personal data will remain with us for some time. To avoid the improper use of the data, a balance must be struck between privacy and public health by observing some basic principles. First, interferences with privacy owing to the public interest must be the exception, not the rule, and based on legitimate reasons. Second, restrictions on privacy must be accepted for the sake of the wider public interest but not in an unlimited fashion. Third, fair use of the information collected must be ensured by imposing strict limitations on data collection, storage and use.
The ultimate aim is that a public health crisis does not inevitably have to create a civil liberties crisis and that technology use does not inevitably have to erode privacy.
* This work is part of the research projects on the implementation of the General Data Protection Regulation in Spain funded by Spain’s Ministry of Science, Innovation and Universities (RTI2018-095367-B-I00) and Valencian Government (AICO/2019/205).
Cristina PAUNER CHULVI has been an Associate Professor in Constitutional Law at the Public Law Department of the Universitat Jaume I (Castellón de la Plana, Spain) since 2002.
She has been a visiting researcher at European centres and universities such as the Université Paris-Sorbonne, Università degli Studi Roma III, London School of Economics and University of Oxford.
She has completed several specialization courses on human rights at the International Human Rights Institute (Strasbourg) as well as the specialization Diploma in Constitutional Law and Political Science at the Centre for Political and Constitutional Studies (Madrid).
She is currently developing her lines of research in several human rights groups and, especially, on personal data protection. She participates as the co-principal investigator in a project on implementation of the General Data Protection Regulation in Spain funded by Spain’s Ministry of Science, Innovation and Universities (RTI2018-095367-B-I00) and as a researcher for the Valencian Government (AICO/2019/205). She has been part of the research team of the European project « PHAEDRA II. Improving practical and helpful cooperation Between Data Protection Authorities II », financed by the European Commission (Directorate General of Justice), and has coordinated the European project « CRISP. Evaluation and Certification schemes for Security products », funded by the European Union (7th Framework Programme).
She has published 21 papers in national and international journals, 32 book chapters and 4 books. Her research interests include human rights, gender equality, privacy and press freedom; personal data protection; open access, intellectual property rights, rights of political participation; and freedom or rights of emigrants.