This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives », which consists of a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder-Editor of Blogdroiteuropeen. If you are interested in contributing to our September session, feel free to contact us at firstname.lastname@example.org.
In Belgium, the question of digital tracing via an application is dealt with at the same time as that of « manual » tracing, via “call center” agents. On 26 June 2020, after numerous legislative modifications, discussed in this contribution, the federal government adopted a Royal Decree of Special Powers that regulates both manual and digital tracing (Royal Decree N° 44 on the joint processing of data by Sciensano and the contact centres designated by the competent regional authorities or by the competent agencies, by health inspectorates and by mobile teams in the framework of contact follow-up with (presumed) persons infected with the coronavirus COVID-19 on the basis of a database at Sciensano). This text expires on 15 October at the latest. Between now and that date, a new standard will therefore have to be adopted to regulate the matter in the longer term.
The Starting Point and First Questions
Initially, the subject of tracing reached the Federal Parliament at the end of March, thanks to a motion for a resolution tabled by several political groups. This motion for a resolution aimed to ask the government to respect certain guidelines when developing a digital tracing application, such as, in particular, to « work in complete transparency, and to always proactively present the working method and objectives of the public authorities to all citizens » (Point 1.a of the resolution), to « make public the functioning of the envisaged mobile application, including its algorithm and source code » (Point 1.e), and to « explicitly justify the reasons why the use of this mobile application is necessary and proportionate; and to demonstrate that other measures have been seriously considered » (Point 1.f), to « guarantee (…) that this application can never be used to monitor compliance with social distancing or quarantine measures » (Point 1.g), to « rely as far as possible on a shared European model, and to consult with neighbouring countries to ensure the development of a mobile application which, if necessary and if security conditions are met, can communicate with mobile applications in neighbouring countries that respect the same democratic guarantees » (Point 1.s), etc. It concluded by asking that a digital application should only be developed if, « at the very least » (Point 2), all the conditions the motion set out were met.
Hearings were then held in the Parliamentary Committee « Economy, Consumer Protection and the Digital Agenda », in which I was invited to participate in my capacity as a university professor specializing in digital law, alongside, in particular, the President of the Data Protection Authority, the President of the Human Rights League and a university professor in cryptology.
Important questions were raised. Is this application necessary in a democratic society, as required by Article 8 of the European Convention on Human Rights? What data will be collected and for what purposes? Where will they be stored? For how long? Who will have access to it?
These questions are particularly acute in Belgium. Indeed, the Belgian model of digital administration (“e-government”) is based on the networking of administrations with shared missions to facilitate the exchange of data between them (for more information about this model, see E. Degrave, L’e-gouvernement et la protection de la vie privée. Légalité, transparence et contrôle, Bruxelles, Larcier, coll. Crids, 2014, n° 12 ff). In view of this interconnection, is there not a risk of data crossing, in that the data collected today in the framework of Covid-19 could be reused tomorrow for other purposes?
During this hearing, it also appeared that the government, via various « task forces » whose composition was not known (were they politicians, consultants, university experts, etc.?), had already made good progress, inter alia in the creation of a digital tracing application. Should the fear and urgency generated by the pandemic push Belgium to set up this application without a democratic debate, at the risk of giving in to technological solutionism, i.e., seeing technology as a « magic wand » type solution? Is there not also a risk of technocracy, by entrusting decisions to experts? In our view, to act as such would be to forget that, in a state governed by the rule of law, it is for the law to regulate technology, and not for technology to dictate the law.
Collaboration between Academics and Associations
In this tense context, we decided to join forces together with several members of the academic and associative worlds to try to bring constructive reflections to this delicate issue.
With the conviction that it must be possible to find a balance between the effectiveness of the fight against the pandemic and the protection of citizens’ freedoms, we drafted a legal text that could provide a balanced framework for manual tracing, with the idea that it could then help with digital tracing as well. What a delicate task! In this text, we set out, in particular, guidelines aimed at complying with the requirement to minimise the data collected. In this respect, one element is of particular interest. Currently, every citizen who undergoes the Covid-19 test is registered in a central database, via his or her identification number in the National Register. In Belgium, this number is a unique identifier, similar to the health number, the social security number and the tax number. This « universal password » should be handled with care and collected only when really necessary. In the present case, from the research carried out, it does not appear that the collection of this number is necessary to effectively combat the Covid-19, although its registration in this database raises concerns that future data cross-referencing may be possible. These fears are all the greater as the purposes of this « Covid » database are unclear, in particular with regard to enabling administrations to « conduct scientific or statistical studies » on Covid-19 « and/or to support policies in this field » via the exchange of data between databases. Such a broad purpose, correlated to the use of the unique identifier of each citizen, seemed to us too vague to comply with the basic requirements of data protection. This is why the legal text proposed in particular the use of a random number, which would depend on the order of arrival of patients.
In parallel with this technical text, we drafted an open letter, setting out the important guidelines to be submitted to a democratic debate: transparency in order to win the confidence of citizens, minimisation of data, and the organisation of a strong accountability through the appointment of a minister who would be responsible for reporting to Parliament. This letter was then sent to the public, as part of a call for signatures. Within a few hours, more than 300 people signed this open letter, including academics, lawyers, doctors, writers, actors, filmmakers, judges, citizens from all walks of life, French-speaking and Dutch-speaking people. This is proof that civil society is also concerned by the challenges of tracing.
The next day, the open letter and the legal text were sent to the President of the Chamber and to all the group leaders of the Chamber. One party, the PS (Socialist Party), attached our legal text as a comprehensive amendment to the proposed manual tracing bill.
On 5 June 2020, the Data Protection Authority issued a positive opinion on this amendment (Opinion n° 46/2020). In its opinion, it stated in particular that the amendment « takes up all the essential elements of the planned data processing operations and provides a clear and predictable framework for these operations, in accordance with the requirements of the GDPR, the Constitution and the European Convention on Human Rights » (Ibidem, n° 42).
However, as Belgium is a federal state whose competences in the field of health are spread between the federal entity and the regions, the file is now in the hands of the regions. Political leaders have chosen to use a cooperation agreement to regulate manual and digital tracing. This legal instrument does not require a democratic debate in Parliament for its adoption. In practical terms, the framework for tracing is therefore left to the ministerial cabinets, without transparency or democratic debate.
A New Royal Decree with Special Powers – New Questions
A new twist on 26 June: in parallel with the discussions between ministerial cabinets, the Royal Decree of Special Powers hitherto governing manual tracing was to expire on 30 June. However, the cooperation agreement to replace it was not ready. The government therefore decided to adopt a new Royal Decree with Special Powers, which will expire on 15 October, in the hope that by then the cooperation agreement will have replaced this text. This text contains two worrying surprises. On the one hand, the flawed manual tracing system is confirmed without having been improved. On the other hand, digital tracing is incorporated into it, which is a pity: it means that, from 1 July, digital tracing in Belgium is legally possible. Without the Council of State having given its opinion. Without the Data Protection Authority having given its opinion. And without there having been a democratic debate on the subject.
However, the fundamental questions remain, in particular with regard to the data collected, the persons having access to it, and the purpose for which the data is processed.
Thus, with regard to the digital application, is it possible to create a secure application which guarantees the anonymity of citizens? At present, it is not certain. Discussions are continuing among computer specialists, in particular, about various possible technical solutions, but the risks of misuse of these systems are real, as the site http://www.risques-tracage.fr explains very well. Moreover, in Belgium, several guarantees seem to be put in place, but will they be respected in practice? For example, the downloading of the application is voluntary. Nevertheless, won’t the communication campaigns play on the guilt of citizens who do not want to download it, trying to influence their behaviour through « nudging »? Moreover, the new Royal Decree of Special Powers states that the installation or not of the application « may not give rise to any advantage or disadvantage ». This means that access to a restaurant, for example, cannot be conditional on downloading the application. But, curiously, there are no sanctions for a restaurant owner, for example, who does not respect this prohibition… Can we therefore believe that this rule will be effective?
Moreover, is there a need to implement this application? In this respect, the Data Protection Authority recalls that the necessity requirement imposed by Article 8 of the ECHR implies that the application is necessary – that is, it must be effective and constitute the least intrusive measure to achieve the objective pursued (Opinion n° 34/2020, of 28 April 2020). For example, has sufficient research been done on the effectiveness of masks and physical distance? Has thought been given to offering citizens an application that would allow them to correctly assess physical distance and would emit a signal when the distance is not respected? It must also be proportionate in a strict sense, in the sense that, as the Data Protection Authority states, « the benefits of the data processing in question must (…) outweigh the disadvantages for the data subjects » (Ibidem, n° 8). It adds that « it must be possible to demonstrate that this analysis has been carried out before the processing operation is implemented » (Ibidem).
In particular, the effectiveness of the application continues to be questioned, especially in the light of the unconvincing foreign experiences, all of which seem to be hampered by the fact that citizens are not downloading this tool enough. Given that, in order to be effective, the application needs to be downloaded by a large number of people, the Data Protection Authority calls for tangible evidence of this effectiveness to be provided, via « an estimate of the percentage of the population that will use it, based on recent intention surveys, as well as a study of the rate of use required for the system to produce results would help to convince on these points » (Ibidem, n° 9). It added that « a campaign to test the effectiveness of the planned measures also seems to us to be indispensable, particularly in order to avoid as far as possible false positives and stress unjustly generated among people wrongly contacted » (Ibidem). The Data Protection Authority also calls for a data protection impact assessment (Ibidem, n° 23) to be carried out. To our knowledge, such evidence has not yet been provided. Furthermore, the effectiveness of the application depends on the reliability of the technology, which is also not demonstrated. Experiences abroad show that Bluetooth is not reliable. This blind technology could, for example, warn a person that he or she may have been exposed to contamination even if he or she was behind a Plexiglas wall at the time the application identifies a risk of possible contamination.
Ultimately, whether manual or digital, tracing will not work without the cooperation of citizens, without whom, for example, the digital application will not work. This collaboration can only be inspired by the confidence of everyone in the systems put in place, particularly with regard to the processing of personal data, which must be fair, transparent and decided following an informed democratic debate. The State must inspire this confidence, by giving citizens the necessary tools to understand – and therefore control – the use that is made of their data. It would be very useful, for example, to create a digital platform on which citizens could securely identify themselves and see the data collected about them, the institutions that have accessed it, the data that is re-used, etc. Such transparency would reduce the opacity of current processes, which can only generate mistrust.
Is the current calm of the pandemic not an opportunity to rework the topic by defining together – lawyers, computer scientists, virologists, associations, universities, civil society, etc. – with transparency, the necessary, clear and fair guidelines, so that tracing supports, and does not stifle, our civil liberties in the event of a future pandemic? This is the wish that we form, at the dawn of the « next world » …
Élise Degrave is Professor at the Faculty of Law of the University of Namur, Research Director at NADI (Namur Digital Institute) and CRIDS (Centre de recherches Information, Droit et Société) and co-Director of the E-government Chair of the University of Namur. She is Doctor in Legal Sciences of the University of Namur (2013). Her thesis, published in 2014, dealt with e-government and privacy protection. Today, she teaches in particular the Regulation of Artificial Intelligence (BA program) and the E-government (advanced Master in IT and Law). She dedicates her academic research to these different subjects. Furthermore, she is a member of the Walloon Digital Council and is regularly heard as an expert in digital law and privacy protection by public authorities (Parliaments, Legislation Section of the Council of State, etc.), by the media and at conferences.