Covid-19 and data protection in Portugal, by Rui T. Lanceiro

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com

The Covid-19 crisis in Portugal

Drawing on lessons from countries that were hit earlier by the Covid-19 crisis, Portugal was one of the quickest European states to adopt measures aimed at reducing social contact after the first two cases were diagnosed on 2 March 2020, including the closure of schools and a general ban on non-essential movement. That kept infection and death rates under control in comparison with neighbouring countries and led to Portugal being hailed as a rare European success story. However, after the easing of the lockdown measures in the last weeks, it has failed to bring infection rates down, especially in the greater Lisbon area.

General overview of the legal response to the pandemic

In a first stage of response to the pandemic, the Government response to the crisis was mainly based on the already existing legal framework, namely the Framework Law of Civil Protection, the Framework Health Law, and the Law on Public Vigilance of Health Risks. As the crisis evolved, the Government felt the need to enact Decree-Law 10-A/2020 on 12 March (at the national level, both the Parliament and the Government enjoy legislative power). Doubts on its constitutionality lead to its ex post ratification by an act of Parliament.

On 18 March, the second stage of the response was initiated when, for the first time since the coming into force of the democratic Constitution of 1976, a state of emergency was declared by a presidential Decree which suspended several fundamental rights for 15 days, starting at midnight 19 March. It was renewed through two successive presidential Decrees, for additional periods of 15 days each. According to the principle of proportionality, rights were only suspended in what was necessary to combat the pandemic. Implementing powers of the Decrees granted the Government a wide margin of discretion.

The state of emergency expired at midnight of 2 May and was replaced by a governmental declaration of a state of national calamity, under which the easing of restrictions is taking place.

Disclosure of data for health warnings and scientific investigation

Under the pre-existing legal framework, the system of warnings to the population was activated by the declaration of a state of alert by the Ministers of the Interior and of Health on 13 March. The system is intended to provide information, warnings, and advice to the public in general or located in a specific region or municipality and not to send individualized SMS. This allowed the Civil Protection Authority (ANEPC), in collaboration with the Directorate-General of Health (DGS), to ask telecommunications operators to send text messages (SMS) related to the Covid-19 pandemic to the population. The first of these messages was send on 17 March and read: «COVID19: Wash hands regularly. Avoid social contact. Prevent virus spreading. Follow recommendations. Info http://covid19.min-saude.pt www.prociv.pt /ANEPC-DGS».

PICTURE TEXT

During the state of emergency, the fundamental right to personal data protection was suspended by the second and third presidential Decrees, enabling the authorities to require telecommunications operators to send their customers SMS with warnings related to the fight against the pandemic. It is not clear why the need to suspend this right was felt. In fact, the government admitted, in reports to the Parliament on the implementation of the state of emergency, that the citizens’ personal data was not collected or processed on this basis in any way, the telecommunications operators being limited to sending SMS to mobile phones registered in the national mobile telecommunications network, without associating the number to its holder. One possible explanation would be the need to provide a legal basis for the system of warnings to remain active also during this stage, but the existing legal framework already provided for this. It was probably an overzealous effort to provide the authorities with an instrument they already possessed. In any case, during Easter another SMS was sent saying «COVID19: Special movement restrictions 9 to 13 April. This Easter stay at home. Prevent virus spreading. Info at covid19estamoson.gov.pt / http://www.prociv.pt / ANEPC».

After the end of the state of emergency, the system of warnings remained active under the declaration of a state of national calamity.

Regarding access to health data for scientific investigation, the governmental Decrees regulating the state of emergency provided for access to anonymized microdata regarding Covid-19 patients from the National System of Epidemiological Surveillance for the Portuguese scientific and technological community, providing that there was no possibility of identifying the respective person.

Still on the subject of disclosure of health data of persons infected with Covid-19, the Portuguese National Data Protection Authority (CNPD) issued guidelines on 22 April, after receiving several complaints from Covid-19 patients who saw their personal information disclosed by local authorities, on their websites. The CNPD barred local authorities from publishing health data identifying the persons to whom it relates. On the one hand, because there is no legal basis for municipalities to process health data on an individual basis and improper disclosure is likely to generate stigmatisation. On the other hand, the patients were considered to be in a situation of dependence on health authorities that was incompatible with them freely consenting to the disclosure of the data. Finally, CNPD deemed this measure to be disproportionate because there were ways less damaging to privacy to achieve the same objective. For the same reasons, the CNPD stated that health data cannot be published even if anonymized when the small number of patients in a constituency allows the identification of the person.

In terms of the use of location data and contact tracing tools in the context of the Covid-19, the CNPD published on its website the Portuguese version of the Guidelines 04/2020, adopted on 21 April, by the European Data Protection Board.

More recently, CNPD’s Deliberation 2020/251, of 3 June, analysed a technological solution that estimates the occupation rate of beaches (Smart Crowd), to provide the public through specific apps with information about which ones guarantee appropriate social distance. The CNPD firstly recalls that the installation of the cameras needs to consider the specific circumstances of each beach to mitigate the risks of identification of the people covered. Secondly, considering the degree of intrusion in privacy due to the amplitude and extent of personal data processing, it stresses the need to mitigate its impact on private life, and to observe the data minimization and transparency principles.

Data protection of students and teachers

With the suspension of all teaching activities, e-learning became widespread during the Covid-19 pandemic. In this context, the CNPD issued on 8 April the guidelines for the use of technologies to support e-learning. These guidelines identified the risks to the privacy of holders namely misuse of data transferred through the platforms or the lack of transparency regarding the form of storage, processing and possible subcontracting carried out. Addressing these risks, the guidelines recommended that these platforms should have well-defined purposes compatible with e-learning, should clearly define the roles and responsibilities of the various actors involved in the processing of personal data, and should comply with the privacy by design and data minimisation principles set out in the General Data Protection Regulation (GDPR). Schools should adopt good practices to raise awareness not only of students, but also of parents of young children and teachers, for the importance of data protection.

According to the guidelines, there needs to be a data protection impact assessment (DPIA) before the adoption of an e-learning platform, in order to correctly identify the risks to privacy and allow the adoption of measures to mitigate these risks, under Article 35(1) and (3) a) and b) GDPR and a CNPD Regulation listing the cases where a DPIA is required. However, it is difficult to estimate the level of compliance with this obligation because there is no need to publish the DPIAs. CNPD also identified as a possible risk of using e-learning platforms the processing of data, based on the user activity in the platforms (of teachers or students), which may result in profiling. This is problematic because it can generate discriminatory treatment (for instance, for children deemed to be autistic), particularly if platforms provide specific educational content for each user, which results from automated decision making based on artificial intelligence systems that analyse student behaviour and performance (learning analytics). CNPD, therefore, advises that the use of such algorithms should always be judicious, made in a fair and transparent manner towards the data holders, and in full compliance of the other legal conditions, especially the need of an informed, free, specific and explicit consent.

On 21 May CNPD also issued guidelines on remote evaluation by higher education institutions. It considers that these institutions should assess if the processing of data needed for remote evaluation is indeed necessary because other less intrusive processes do not exist or are not feasible. The use of a video camera to verify the identity of the student taking the exam is considered appropriate. However, its use for the purpose of student monitoring during the exams (proctoring) seems inappropriate for the CNPD because, on the one hand, the cameras are unable to continuously cover the whole room where the student is, which means that they do not completely prevent cheating. On the other hand, it risks capturing images of the student’s residence or family life that goes beyond what is strictly necessary. It is also considered unnecessary, or at least excessive, to record images and sound during the tests, or to use technology solutions that blocks student access to documents on their computer or to the Internet. This type of solution is only considered admissible for the CNPD if the student can freely choose to take the examination on the premises of the institution or on a computer of the educational institution, respectively. The platforms used for remote evaluation should obey the privacy by design and data minimisation principles. The guidelines, in this case, are excessively vague and broad, for instance, suggesting the need to have a DPIA of the remote evaluation system used, but not imposing it, and not suggesting and effective alternative way of proctoring if the use of the university’s premises is not a possibility.

After their reopening, some schools started measuring the body temperature of students. In response, the CNPD, on 19 May, issued guidelines recalling that this procedure (with or without recording the temperature measured) constitutes a processing of personal data. It considered that no legal provision allowed it, that consent should not be considered free if obtained under threat of not letting the student enter the school otherwise, and that it should be considered disproportionate – given the high percentage of Covid-19 patients without fever, not to mention the other possible causes of fever.

Data protection of workers

In the matter of data protection and teleworking, the CNPD issued guidelines on 17 April clarifying that the use of software for the control of the work activity (e.g. software tracking working time or recording Internet usage) or the imposition on the worker of a permanent connection to the video camera, was considered disproportionate, violating various data protection principles. Labour legal standards relating to the inadmissibility of remote surveillance of the worker’s performance were considered to remain applicable. However, the CNPD admits that records of working time may be made using specific technological solutions.

According to guideline 6/2020 of the DGS, from 26 February, employers must establish procedures to identify and isolate workers with symptoms of Covid-19. However, the CNPD also issued guidelines, on 23 April, on this matter. According to these the processing of health data of workers could only take place in the context of occupational medicine. Hence, even during the Covid-19 pandemic, the employer could not collect and record the body temperature of workers or other information concerning the health or possible risk behaviour of their workers, namely through questionnaires on health data and the worker’s private life (contact with infected persons or risk behaviour).

In response to the CNPD’s guidelines, the Government enacted a Decree-Law, which came into force on 2 May, allowing employers to measure the body temperature of workers, for the purpose of controlling access and permanence in the workplace. The provision expressly states that this is without prejudice of the protection of personal data and expressly forbids the recording of the body temperature associated with the identity of the worker, unless expressly authorized. However, doubts about the compatibility of this regime with the GDPR and workers’ rights have emerged.

This leads to the CNPD, while answering to questions from a Member of Parliament, on 13 May, to criticize this legal provision because it is formulated too broadly, without determining appropriate safeguards for the fundamental rights of data subjects, as required by Article 9(2)(b), (g) and (i) GDPR or regulating the limits of the employer’s power to prevent a worker from entering the workplace. The possibility of registration of personal data concerning health after the authorisation of the data subject is also considered problematic given the asymmetric nature of the employment relationship.

Rui T. Lanceiro is an Assistant Professor at the University of Lisbon Law School and a Senior Research Fellow in the Lisbon Centre for Research in Public Law. He is also a law clerk at the Portuguese Constitutional Court.