This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com.

COVID-19 has impacted every sphere of our lives. First and most important of all, it has brought immeasurable threats and damages to people’s lives and health. It also has had a huge impact on almost every business – “revenue growth” is usually replaced with “staying alive” in the list of priorities of many businesses. Moreover, this extreme situation penetrates very strongly and deeply into the area of human rights and freedoms, with a major impact on their implementation. Europe has not seen such strict closing of borders and movement restrictions for decades. Even though democracy and the rule of law dictate that human rights and freedoms shall not be put under quarantine in any circumstances and shall be respected even on the darkest days, some countries might fail this test. One of the heavily affected rights, challenging almost every democracy, is the right to privacy.

Lithuania is not an exception. The first case of the virus in Lithuania was confirmed on 28 February 2020, and the first related death occurred on 20 March 2020. As of 13 July 2020, there have been 1,874 confirmed cases in Lithuania, and a total of 79 related deaths. To control the spread of Covid-19, the Government of the Republic of Lithuania decided to declare quarantine on the entire territory. The quarantine regime has been effective as of 16 March 2020, 00:00, until 16 June 2020, 24:00. As of June 17, a state-level emergency regime (with a number of restrictions, including control of cross-border movements, restrictions on economic activities as well as public and administrative services) continues, however, the quarantine is revoked.

Even though the pandemic situation is deemed to have been “well controlled”, the consequences of privacy restrictions may remain for some time, especially if a second wave of the pandemic strikes. The State Data Protection Inspectorate of the Republic of Lithuania has provided guidance on processing of certain personal data related to the current situation due to coronavirus, stating that even in a pandemic situation, the protection of personal data should not be overlooked. The article below lists three measures taken in Lithuania in order to stop the spread of the pandemics, however, having a huge impact on the right to privacy of individuals.

Route maps of infected individuals

Since the beginning of the outbreak, the Government of the Republic of Lithuania has introduced the route maps of infected individuals and announced them publicly. The route maps include maps of movement (dates and times of visited places) of every individual inflected with the virus in order to be able to check if you have potentially been at the same place at the same time with the infected individual and potentially had a chance to be infected. Even though the names of the infected individuals are not announced, the entries of the mentioned map are nevertheless quite detailed. Some of them include the exact flight number, the destination and origin countries, the exact seat or other specific information. No information is available publicly on what grounds this information is being publicized, however, it appears the only legal basis might be the public interest related to stopping the spread of the virus.

Pandemic-related app

The Lithuanian Government together with the Municipality of Vilnius has set up an app called Karantinas (in English – quarantine), which enables daily coronavirus symptom tracking, encourages healthy actions that curb the spread of the virus and helps to care for people in self-isolation. The Privacy Policy claims that GPS location data is available only in case location data is activated. However, the operation of this specific app is not available in case location data is turned off. Therefore, it seems that the provision of location data is based on legitimate interest or other ground (not explained and not provided in the mentioned Privacy Policy), but not a freely given consent according to General Data Protection Regulation.

It appears it is not the only issue related to data protection. Data retention periods, in this article author’s opinion, are too long (almost all the collected data, including location data is saved for 18 months); profiling might have significant impact on a person’s rights and legitimate interests (the wording says “the data controller expects that profiling will not have significant impact, but <…> the results of the analysis could make the person identifiable”; some reviews of the app claim they received unsolicited marketing e-mails after installing the app, etc. Taking into account the above (or, maybe, other potential threats to privacy), the State Data Protection Inspectorate has obliged to stop the mentioned app while it performs its inspection. The results of the inspection are not available publicly at the time of writing.

(Potential) collection of location data of individuals from mobile operators

The Lithuanian Parliament has also been active in taking actions to control the pandemic. The draft amendment to the Law on Electronic Communications was introduced in Parliament by the Government of the Republic of Lithuania (and followed by a number of proposals by Members of the Parliament) which aims to grant governmental authorities with access to mobile location data of individuals. After serious criticism of the society as well as of number of Members of the Parliament, the draft was amended and contains certain privacy safeguards, however they are more nominal than real, giving a ground for many commentators to voice their fears over mass surveillance. The mentioned draft law is widely debated and the hearing of the Parliament has been postponed a number of times, therefore the final destiny of this legislative proposal is not yet known.

Conclusion

Understanding that situations such as the current coronavirus pandemic means that certain human rights and freedoms may be restricted, I strongly believe such restrictions shall be proportionate, legitimate, well-weighed, justified, in line with the rule of law and only signed-off when other less restrictive measures cannot achieve that objective. One can clearly see that there are many means and options of collection of data, and the governments shall choose wisely.

Every country is currently being challenged not only in terms of mitigating the virus, but also in terms of protecting basic human rights and freedoms. Most likely the actions taken, and lines drawn will be analyzed and pushed forward and backward for many years to come. I hope countries will take a serious approach not only towards mitigating the virus, but also to protecting the basic principles of data protection and human right to privacy, including careful anonymization of the data announced about infected individuals as well as thorough pre-assessment of the laws adopted in the light of the pandemic related to tracking and mass surveillance of personal data.

Miglė Petkevičienė, Associate Partner of Law Firm Ellex Valiunas, Member of the Board of the Lithuanian Association of Data Protection Officers, Vilnius, Lithuania

For more information on the context of this e-conference

and the other papers see here

Don’t miss the next paper on Data protection issues related to Covid-19 in France by Olivia Tambou on Thursday 23rd July 2020 at 12 p.m. (GMT+1).