Covid-19 and data protection in Ireland, by Edoardo Celeste

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com.

Covid-19 in Ireland: a brief overview

On February 29^th, the Republic of Ireland reported its first case of Covid-19, which was an individual returning from Northern Italy. From mid-March the number of cases rose exponentially for a month. On April 18^th, the Irish Chief Medical Officer officially announced that the curve of contagions had been flattened. According to the Ireland’s Covid-19 Data Hub, at the end of June, the death toll amounted to 1,735, with a total of 25,439 confirmed cases, and the number of daily cases consistently under 10.

Political instability and State response to the pandemic

Since the outset, the State’s response to the pandemic has been firm and well planned notwithstanding the climate of political instability following the general election held in February. The vote of Irish citizens in the general election did not present a clear majority, leading to months of negotiations among parties. Talks about the new government were halted by the outbreak of Coronavirus. The interim Taoiseach, Leo Varadkar, acted as prime minister until June 27^th, when the new coalition government supported by Fianna Fáil, Fine Gael and Green Party, and led by the Fianna Fáil leader Micheál Martin assumed office.

In comparison with other European countries, the outbreak of Coronavirus in Ireland occurred at a later stage. While Italy imposed a nation-wide lockdown on March 9^th, similar measures were only imposed in Ireland from March 20^th. On March 9^th, the Irish prime minister announced the imminent adoption of emergency measures to limit the spread of Covid-19, including the cancellation of the traditional St Patrick’s parade. On March 12^th, schools and universities were closed for a period that was originally supposed to last for two weeks, but was subsequently extended until the beginning of the new school and academic year. On March 20^th, the Oireachtas, the legislature of the Republic of Ireland, passed the Health (Preservation and Protection and other Emergency Measures in the Public Interest) Act 2020, which amended the Health Act 1947 inserting a specific provision, Article 31A, to deal with the Coronavirus pandemic. By virtue of Article 31A of the Health Act 1947, the Minister for Health acquires the power to ‘make regulations for the purpose of preventing, limiting, minimising or slowing down the spread of Covid-19 (including the spread outside the State)’. On April 8^th, the Irish Minister for Health adopted two statutory instruments (S.I. No. 120/2020 and 121/2020) imposing temporary restrictions to people’s movement, the closure of non-essential retailers as well as the suspension of many commercial activities and services. The Irish police force, An Garda Síochána, was given the power to enforce these regulations, by making their infringement a criminal offence (see, e.g. Section 4(3) of S.I. No. 121/2020). By the end of April, the Gardaí had arrested 76 people for breaching the lockdown measures. From June 6^th, the Irish police has lost this power since violations of movement restrictions are no longer criminal.

In May, the Government published a road map to progressively lift the restrictions imposed due to the outbreak of Coronavirus. It was originally composed of five phases, which were subsequently reduced to four and accelerated on June 8^th. At the time of writing, all retailers have reopened and movement restrictions within the island of Ireland have been removed. The Government still advises not to travel overseas and a compulsory two-week quarantine is in place for those arriving from abroad.

Main data protection issues and the Data Protection Commission

In March, satellite pictures of Europe depicted a scenario never seen before. The busiest European airports were quiet grass fields. Vibrant metropolises appeared unusually desert and silent. However, human life was only hidden. It pulsed in our houses, and flowed impetuously in the virtual world. When individual mobility rights were restricted in the physical reality, our existence migrated to and flourished in the digital space, in this way exposing us to the multiple threats that information and communication technologies may generate to our fundamental rights, and in particular our rights to privacy and data protection.

In contrast to some non-European countries, the Irish police never resorted to monitor the location of mobile phones to verify if people were complying with the lockdown measures. Some critical voices have been recently raised by Irish trade unions in relation to increased surveillance by employers on individuals working at home. The Irish Data Protection Commission did not directly deal with this issue, but since the beginning of March issued a series of guidelines on how to safeguard privacy and data protection during the health crisis, including practical information for employers. When the government started to put in place emergency measures to fight the pandemic, the Irish data protection authority, being aware of the risks associated to a higher number of individuals working from home, issued a series of guidelines on how employees can continue to protect personal data outside their office, how to deal with data subject requests when a company is closed, and how to avoid data breaches. The Data Protection Commission also offered guidance to the wider population on the potential dangers related to a more significant use of online services, focusing in particular on video-conferencing services. In these documents, the Irish regulator highlighted how our online habits have changed since the outbreak of Covid-19 and the adoption of restrictive measures. In particular, the Commission stressed the risks associated with the use of new apps and services never used before or normally used for different purposes, such as exclusively for work.

Contact tracing app in Ireland

At the end of April, the Government formally announced the development of a contact tracing app for the Republic of Ireland: Covid Tracker App. The Irish health authority HSE worked together with other European public and private organizations to develop a Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) system and elaborate a model of contact tracing which would be GDPR-compliant and respectful of European fundamental rights. Covid Tracker App was also developed in close collaboration with Google and Apple in order to ensure its compatibility with the operating systems of most smartphones. Although declared to be ready since June, the app was only launched on July 7^th.

Contact tracing has always been manually operated since the outbreak of Coronavirus in Ireland. The Irish government and the HSE considers the use of Covid Tracker App as an essential instrument to accompany the country in its phase of economic recovery after the lockdown. The app provides a symptom checker and news functions besides its contact tracing functionality. A data protection impact assessment of Covid Tracker App was published following receipt of feedback from the Data Protection Commission and the Attorney General’s Office, which in Ireland acts as legal counsel to the government. The app respects the guidelines developed by the eHealth Network, the European Commission and the European Data Protection Board. To this effect, contact tracing is not based on geo-location data, but only uses Bluetooth technology and process proximity data, i.e. the information about the likelihood of virus transmission based on the epidemiological distance and duration of contact between two individuals. Joint data controllers are the HSE and the Department of Health. The chosen data storage model is decentralised, meaning that data are stored on each individual’s device. Data are also set to be automatically deleted after a period of time proportionate to the incubation period.

The question of interoperability and the need for an all-Ireland approach

Besides the question, common to many countries, of whether Irish people will effectively download and use Covid Tracker App, the situation in Ireland as regards contact tracing is complicated by the presence of two jurisdictions, the Republic and Northern Ireland, on the same island. At EU level, authorities have stressed the necessity to introduce interoperable apps among European countries in order to guarantee the effectiveness of these instruments in a context characterized by free movement of individuals. Ireland is not part of the Schengen area, but is conversely part of a Common Travel Area with the UK. More specifically, on the island of Ireland, at the moment, there is no physical border between the Republic and Northern Ireland. The UK has however left the European Union in January, and a transition period is foreseen until the end of the year. The conundrum that the introduction of contact tracing apps is therefore creating on the island of Ireland relates to the interoperability of multiple contact tracing apps, respectively developed in an EU and a non-EU country. To make the situation even more complex, Northern Ireland has developed its own app, announcing its interoperability with both the Irish and the British app. In a context where the Brexit negotiations have reopened the question of the Irish border, with a pandemic which conversely knows no frontiers, the choice by individuals of which contact tracing app to download becomes an issue of political allegiance, and the use by health authorities of data collected by those apps may trigger the complexities of a cross-border data transfer to a third country. An all-Ireland approach seems to be more than ever needed.

* I would like to thank Ms Kyra McCarthy for her research assistance.

Edoardo Celeste is Assistant Professor in Law, Technology and Innovation at Dublin City University. His research interests lie in the field of digital rights and constitutionalism, social media policy and regulation, privacy and data protection law, and EU digital policy. Edoardo studied law at the University of Rome ‘La Sapienza’, at the University of Paris II ‘Panthéon-Assas’, and at King’s College London. From 2016 to 2020, Edoardo was an Irish Research Council Government of Ireland Scholar at the Sutherland School of Law of University College Dublin. His PhD thesis ‘Digital constitutionalism: The Role of Internet Bills of Rights’ examines how the digital revolution is changing contemporary constitutionalism, and explores the constitutional role of Internet bills of rights. Edoardo is currently the principal investigator of the project ‘Digital Constitutionalism: In Search of a Content Governance Standard’ funded by Facebook Research.