Taming the COVID-19, not the GDPR: the case of Greece, by Vassilis Hatzopoulos

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com

Greece has been a Covid-19 success story, so far. With early and strict confinement imposed by the government and a spectacular level of compliance by the people, Greece has been one of the least hit countries in the world. With 180 deaths and less than 3,000 confirmed cases of affected people, or a rate of 238 per million inhabitants (compared to 6,139 in Spain, 5,075 in Belgium, 3,878 in Italy, 3,294 in Portugal and 2,323 in France, see here), Greece has been a success story from a healthcare point of view. It is likely to be the worst hit EU country in terms of the economic downturn of the pandemic, but this is another story. Τhe main reasons for the success in the field of healthcare are:

the strength of the images coming from neighboring Italy,
the fact that trans-generational families are very common in Greece and the young generation felt compelled to protect the elderly, and
the fact that the Government was fast in adopting measures, and in putting in place convincing information and communication strategies.

Even after the progressive waving of the lockdown and the opening of the borders, the number of new infections has remained extremely low, between zero and fifteen cases a day.

Tracking app not on the agenda

In view of the above, the use of a tracking app is not ostensibly on the agenda. The issue has not been officially mentioned by any Minister or other Government member, nor has it been brought before the Greek Parliament, not even in the form of a parliamentary question (By contrast see the two parliamentary questions brought before the European Parliament). The scarce publications in Greek language concerning tracking apps and software are of a journalistic/academic nature and are confined to explaining the ways in which the different systems (the decentralized one jointly developed by Android and Apple and the centralized ones put in place by different States, such as France, Germany and the UK) work or, indeed, do not work. There is no study and/or article and/or any other publication, official or not, discussing the eventuality of developing or applying a tracking software in Greece. Therefore, there is no public debate on this issue.

It is worth noting that during the lockdown, the Ministry for Digital Governance had put in place a mobile app, whereby any citizen wishing to go out for one of the foreseen reasons (e.g. assistance to family member, shopping, dog-walking etc) had to send an SMS to a central server and the server automatically confirmed and time-stamped the message. The system, however, was not based on geo-tracking and the server was neither transmitting nor keeping the messages sent to it. While this is the closest that the Greek legal order has come to the use of a tracking system so far, this was not really one, and, therefore, it did not raise any issues or criticism in relation to data protection. Therefore, so far, the only contexts in which data protection has been discussed are:

a) the physical (as opposed to digital) tracking of individual patients affected by Covid-19, occasionally leading to the discovery of extra-marital affairs, thus feeding lifestyle magazines and divorce filings,
b) the way in which patients’ personal data and associated information should be dealt with by hospitals and doctors, the media and employers.

Loosening GDPR requirements in order to serve public health

In relation to the latter the Greek Data Protection Authority (DPA) has issued a set of guidelines as early as 18 March 2020. In these guidelines the DPA basically explains that in view of the necessity to prevent the spread of the virus and to protect public health and public security, the lawfulness of processing should be assessed in a flexible way, especially by reference to GDPR Articles 6(1)c (compliance with a legal obligation to which the controller is subject), 6(1)d (protection of the vital interests of the data subject or of another natural person) and 6(1)e (performance of a task carried out in the public interest or in the exercise of official authority vested in the controller), as well as 9(2)b (exercise of specific rights of the controller or of the data subject in the field of employment and social security and social protection law), 9(2)e (data which are manifestly made public by the data subject), 9(2)h (for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services) and 9(2)f (for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices). At the same time, however, the DPA reminded that communication to third parties of personal data should be made only under the provision that it does not reinforce prejudice and stigma; and that journalists etc should abstain from revealing the names of the cases discussed by them. Further, the DPA issued a set of guidelines concerning the security of teleworking processes, recommending the use of VPNs, of end-to-end encryption, firewalls and the like; the focus here being more on data security than on data treatment as such.

While these lines were being written a “collateral” data issue, in the sense that it is not central to dealing with the Covid-19 but is directly linked to it, has emerged: the conditions under which University students should sit their exams at a distance, and whether the use of cameras, lock-down browsers and other surveillance means should be allowed. The Ministry of Education has, wisely enough, left the choice to the Senate of each individual University, thus resulting to a cacophony of policies, but no legal challenges, so far.

Future outlook

From the above two published documents, one may speculate that (belated) Law 4624/19 for the application, in Greece, of the GDPR and the transposition of Directive 2016/680 (on the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties), would prima facie accommodate any government initiative to introduce the use of tracing software, especially if this operated within a secure environment. Such a move, however, should abide by the principle of proportionality, a requirement which may not be assumed for granted in the present stage of development of the virus in Greece. If, as it is currently the case, the epidemiologic characteristics of the virus do not justify the use of such software, it would not just be legally questionable to introduce it, but most importantly, it would lead to political turmoil, as the number of conspirationists in Greece is quite high already since the 2009 financial and economic crisis.

Vassilis Hatzopoulos, Professor at the Panteion University, Athens and the College of Europe, Bruges.