Data protection issues related to Covid-19 in Austria, Nikolaus Forgó, Johanna Göschlberger

On 25 February 2020, the first two cases of Covid-19 were confirmed in Austria. Due to the exponential spread of the virus, the Austrian government aimed to take measures as swiftly as possible. Since then, a long list of legal and organisational measures has been taken, and the stream is not expected to end soon, so the following remarks are only preliminary.

Legal measures in response to the coronavirus in Austria

The Austrian Constitution does not provide for a state of emergency but stipulates specific procedures which are applicable in times of distress, in case the republic faces serious and irreparable harm requiring immediate action when the parliament is not able to convene. However, despite the coronavirus pandemic the parliament has been able to convene at all times. Thus, the constitutional provisions in times of distress did not have to be resorted to.

The first legal measures in response to the outbreak of Covid-19 were taken by the Federal Ministry of Social Affairs, Health, Care and Consumer Protection (“Bundesministerium für Soziales, Gesundheit, Pflege und Konsumentenschutz”) as early as 28 February 2020. By virtue of a regulation (“Verordnung”), the Federal Minister extended the notification obligation contained in the Epidemics Act 1950 (“Epidemiegesetz 1950”) to coronavirus. Further provisions of the Epidemics Act were adapted in the same manner.

Nevertheless, the measures provided through the Epidemics Act were not considered sufficient to combat coronavirus. Thus, on 15 March 2020, the parliament adopted the Covid-19 Measures Act (“Covid-19-MaßnahmenG”), which carries a sunset clause until 31 December 2020. This enabled the Federal Ministry to issue a nationwide ban on entering business premises for the purchase of goods or services (including catering establishments), as well as local entry bans.

Subsequently, these bans on entry were issued by virtue of two regulations. Certain premises, which are explicitly listed in the regulation, such as pharmacies or food stores, were not affected by the ban on entering. The resulting shutdowns of business premises and catering establishments were caused by economic necessity – not due to a legal obligation.

Since then, no fewer than 21 “Covid-19-Maßnahmegesetze” have passed the parliament, and more than 100 legislative acts with Covid-19 impact have been created.

The Austrian contact tracing app “Stopp Corona” by the Red Cross

Austria was one of the first European countries to develop a contact tracing app aiming to help identify infection chains. The Stopp Corona app was developed by a private initiative, namely the Austrian Red Cross, without the involvement of the Austrian government. There is no obligation to download and use the app.

The app tracks interaction between people using the app with a so-called digital handshake. These digital handshakes can be performed automatically, provided the user explicitly consents. However, this only takes place after a certain amount of time, which can last up to five minutes, in which the user is close to another person. Several people can be registered at the same time, provided that they all use the app and have given their consent. If there is a suspicion of an infection in one of the documented contacts, the respective users with whom a digital handshake was triggered in the last 2 days will be notified.

According to the FAQ on the website, no personal data has to be provided to use the app. The user’s contacts are stored on their mobile device. However, if the user reports as infected, he will be asked for his phone number, which is then stored for 30 days. The Red Cross provides detailed data protection information about the app and a report on the data protection impact assessment for the app. Furthermore, the app has been reviewed in a report by noyb and SBA Research. In addition, a report on the data protection framework for the use of tracing apps to combat the COVID-19 crisis was submitted in April at the request of a member of the Austrian parliament.

However, the app did not bring the success the Government and the Red Cross had hoped for, due to the low user numbers (approximately 600,000 downloads and 300,000 active users as of June 2020). An exact number is not available because a corresponding statistics function originally included in the app was removed following a security recommendation. A general problem of national contact tracing apps such as Stopp Corona is that many states developed their own contact tracing apps instead of aiming for a joint European or even worldwide solution.

Proceedings before the Constitutional Court

On July 14, the Austrian Constitutional Court issued three rulings on cases involving laws or regulations under the Covid-19 measures. It was held that the Covid-19-MaßnahmenG was in conformity with the constitution; the regulations on bans on entry, however, were partially unconstitutional.

The Constitutional Court – contrary to previous case law – declared motions to be admissible, although provisions had in part already expired at the time of the decision. It was found that the legal interest of an applicant to obtain a binding decision on the legality of provisions may extend beyond the relatively short period during which the provisions were in force. The Court justified this by stating that it is the meaning of the rule of law that all acts of state organs must be justified in law and in the constitution and that legal protection institutions provide the guarantee for this.

Amongst the three cases there was an individual motion (“Individualantrag”) against the regulation of the Minister of Health, Rudolf Anschober, according to which access to public places was only permitted under narrowly restricted conditions. The Court declared that the provisions of §§ 1, 2, 4 and 6 of the regulation were unconstitutional because the limits for the competent Federal Minister, as set out in § 2 Covid-19-MaßnahmenG, were exceeded.

Since the contested provisions had already expired at the end of April 30, 2020, the Constitutional Court ruled that these provisions were unconstitutional. Furthermore, the Court ruled that these provisions are no longer applicable – for example in ongoing administrative criminal proceedings.

In view of these constitutional court findings, a draft amendment to the Epidemics Act 1950 (“Epidemiegesetz 1950”) and the Covid-19-MaßnahmenG, which according to the Federal Minister aims to provide the missing legal basis, was submitted for review in August. The evaluation period was until 28 August.

Obligatory or voluntary keeping of guest lists

At first, Austria refrained from introducing guest lists of the kind that already exist in other countries, for example Germany. However, the August draft amendment to the Epidemics Act (“Epidemiegesetz 1950”) states that businesses, organisers and associations are obliged to keep, for a period of 28 days, the personal data of those guests who have provided explicit consent to the processing. However, there is (probably) no obligation on businesses, organisers and associations to actively collect these data. The purpose of the measure is to fulfil the obligation to cooperate in the course of contact tracing. In any case, it is expressly prohibited to use the data for other purposes.

This regulation raises numerous questions.

Firstly, it is unclear which companies, organisers and associations are specifically covered and in which scenarios this duty does (not) exist. For example, would a pastry shop which, in addition to its main business, sells ice cream scoops on the lakeside with a trolley, be obliged to record the contact details of each consenting ice cream purchaser and keep them for a period of 28 days? Do universities have the obligation or permission to collect such data?

Furthermore, the explanations of the draft stipulate that the entrance or service may not be refused if the guest does not wish to disclose his contact details. At first glance, this seems to imply that only establishments, organisers and associations are subject to an obligation, while guests can decide voluntarily whether to give their data. However, it should be noted in this regard that the explanations are not binding. Moreover, it is unclear what the consequences of giving false information would be or what possibilities are available if one person falsely claims to be another.

If one were to assume that the guests and the hosts can decide voluntarily, it is doubtful whether the guest list measure is at all appropriate. In any case, such a measure is subject to the requirement of proportionality. If, due to the voluntary nature of the guest list, hardly any guests agree to disclose contact details and the guest list is therefore not useful, it can hardly be considered proportionate to oblige businesses, events or associations to maintain such a list. In any case, a measure restricting fundamental rights is only permissible if it is suitable for achieving a legitimate goal.

In addition, an important question is how the specific registration, keeping and storage should be done in practice. Handwritten lists, on which each guest can see the contact details of his predecessors, would naturally be unsuitable. If the lists are slips of paper, they would have to be kept locked. Furthermore, password-protected solutions would be conceivable, for example on a tablet. However, the position of the ministry of health seems to be that digital solutions are not primarily desirable, since it would involve a further party.


Certainly, it is necessary to introduce measures to combat the virus, particularly in light of the now again rising numbers in Austria and the forthcoming colder season. However, there are many aspects that need to be better thought out and clarified, such as the numerous questions in relation to the keeping of guest lists or, more generally, which new measures will be introduced and the way they are communicated to the public. As regards tracing apps, a joint approach, beyond Austria, would be desirable.

Nikolaus Forgó, Professor of IT and IP Law and Head of the Department of Innovation and Digitalisation in Law
Johanna Göschlberger, Student Assistant at the Department of Innovation and Digitalisation in Law
