Fighting Covid-19 and Protecting Privacy Under EU Law — A Proposal Looking at the Roots of European Constitutionalism

Oreste Pollicino

Bocconi University, Milan

Editors’ Note: This text is cross-posted from EULawLive. It was first published on 16 May 2020 and is available here.

Singapore: it is a normal May afternoon in the Pandemic season in Bishan-Ang Mo Kio Park.  

A four-legged robot, fitted with a camera, is walking through the park staring at visitors. One’s first impression might be that it is a new walking surveillance tool developed in relation to the Pandemic. However, as is often the case for first impressions, this would be misleading, or even incorrect. 

It is true that the robot is fitted with cameras; however, they are not able to track or recognise specific individuals, and do not collect any personal data. The robot only broadcasts a recorded message reminding park visitors to observe safe distancing measures. 

Although the first impression is surely incorrect as regards the intentions of the robot, from a more general viewpoint it certainly does hit the mark; indeed, as Korean philosopher Byung-Chul Han has argued, ‘to confront the virus Asians are strongly committed to digital surveillance’. 

This robot is indeed just one of the surveillance instruments in times of pandemics. Contact tracing apps have played a critical role in providing a granular map of the virus since the very beginning. While in Europe most countries are still debating the safest technological model to implement, this has not been the case in the East.

Before even thinking about the law, we must compare different cultural models. On the one hand there is the Asian model rooted in collectivism, where ‘the term “private sphere” does not appear’, which ‘has facilitated the construction of a whole infrastructure for surveillance that is highly effective in containing an epidemic’. On the other hand, there is the individualist European model. According to the Korean philosopher, this is less effective because the systemic and uncontrolled use of big data is simply not compatible with the European constitutional matrix for protecting fundamental rights in general, and privacy in particular.

In the light of this background, I shall attempt to show that the narrative concerning the cultural difference between those two models is well-founded regarding legal implications whilst at the same time being totally misleading in the ultimate idea that it seems to give: that a trade-off must be made between the degree of precision of the virus map and the need to respect the quite demanding European data protection regime.

With regard to my first aim, as far as the allegedly less effective (in terms of the fight against the virus) European contact tracing model is concerned, my take would be that the beauty of European constitutionalism could be precisely what might appear to be an obstacle from a Far Eastern perspective. Even the most necessary and important goal (such as in this case ensuring safety and, ultimately, protecting life) cannot be achieved by interfering with the essence of contrasting fundamental rights. And the rights at issue, in this case the rights to privacy and to personal data, should not be violated in a disproportionate manner. At the end of the day this is the spirit (and the letter) of Article 52 of the Charter of Fundamental Rights of the European Union. The Court of Justice has not done anything to hide (see the Digital Rights Ireland and Schrems judgments) how this spirit has shaped its case law, creating a super-fundamental right to privacy even before the adoption of GDPR. 

In other words, even without the legendary GDPR, it would already be enough to read Article 52 of the Charter carefully in order to assert that the European Union Bill of Rights does not allow for digital surveillance systems but only anonymous digital alerting systems. It is no coincidence that, since the very first call by the European Data Protection Supervisor proposing a pan-European approach and the European Commission Recommendation of April 8, proposing a common Union toolbox, Bluetooth technology was the suggested option and GPS was essentially excluded. The question of ‘with whom’ (if the answer is anonymised) is much less intrusive than the question about ‘where’.

Before returning to EU responses to the pandemic as far as the (apparent) trade-off between public health and privacy is concerned, it should be added that, whilst the framers of the GDPR might not exactly have predicted the Pandemic, they did get quite close. Recital 46 provides, amongst other things, that ‘Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics […]’.

This means that European constitutional law and the European Union legislative compass are sufficiently solid and precise to provide a point of reference during the Pandemic. We do not need to count, as the President of the Italian Constitutional Court Marta Cartabia has said in more general terms, on exceptional laws for exceptional times. If the Constitution is to act as our general compass, the relevant provisions of the EU Charter of Fundamental Rights and the GDPR are the specific guides for identifying the limits to contact tracing in Europe.

The primary European constitutional principles that must be taken into consideration are freedom, individual choice, dignity and solidarity, which lie at the root of the recommendation that usage of the app should be voluntary. The ‘binding suggestion’ was confirmed by the initial responses that followed, starting with the joint statement of the European Commission and the President of the European Council proposing a European Roadmap for lifting COVID-19 containment measures, the Commission guidance paper on COVID-19 apps and the release of a Common EU Toolbox for Member States (‘Toolbox’) by the EU’s eHealth Network, a Commission-established body comprised of Member State authorities responsible for eHealth matters, as well as a letter by the European Data Protection Board (‘EDPB’) in response to the guidance.  

There is the view that adoption of the app should be free, based on individual trust, yet at the same time a choice made by individuals as a token of collective responsibility. 

However, voluntary adoption does not mean that the legal basis for the processing should be consent. This message has been clearly stressed since the outset in the responses mentioned earlier from the European Institutions, and also in even greater detail in the more recent European Data Protection Board (EDPB) Guidelines 03/2020. It must be clearly stressed, as the EDPB has done many times, that the fact that usage of the contact tracing app is voluntary does not mean that the processing of personal data by public authorities must necessarily be based on consent. When public authorities provide a service, based on a mandate assigned by and in line with requirements laid down by law, it would appear that the most significant legal basis for processing is necessity for the performance of a task in the public interest (Article 6(1)(e) GDPR). As regards health data, Article 9(2)(i) GDPR clearly states that it is even possible to process health data where it is ‘necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health’.

As stated in the first Recommendation referred to above, the idea of a pan-European app would mean Member State authorities, represented in the eHealth Network, establishing a process for exchanging information and ensuring interoperability of applications in cross-border scenarios. In other words, even without having a common technological framework of contact tracing apps in Europe, the idea is to find a common legal language for a European app, which can generate results based on the main ingredients of: voluntary adoption, temporary retention of data, Bluetooth technology, as well as open source and decentralised storage systems in which the data controller is a public authority.

There are essentially two main challenges for a real European interoperable language: one from below and one coming from above.  

As regards the first challenge, Member States could for example have relied on the operating model that is already functioning well on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) adopted on 23 July 2014. It creates a European internal market for electronic trust services – namely electronic signatures, electronic seals, time stamps, electronic delivery services and website authentication – by ensuring that they will operate across borders and have the same legal status as traditional paper-based processes. They did not follow this model, hence the risk of national fragmentation is really high. There are no indications at the moment of any desire by Member States to truly seek to set up a pan-European model and this situation could also frustrate the idea of a common legal framework for contact tracing apps in context.

Looking at the risk from above, this concerns the global strategy adopted by Apple and Google, which are cooperating in order to launch a system ‘to assist in enabling contact tracing’, whereby apps can notify smartphone users if they have come close to people infected with COVID-19. It is very tempting to follow the path proposed by the two web giants. The proposal seems to be entirely consistent with the ingredients of the European approach mentioned earlier. 

However, if, as has been said, the contact tracing system is to be based on trust, it should come as no surprise that a degree of digital distrust has been displayed by some states, with France in the lead, toward the new private powers, which are now competing with the public authorities in the digital domain and which, in the recent past, have been (in)famously known in Brussels for their abuses of dominant positions.

Besides, adopting such a model would require not only users but also EU Institutions to trust these private actors without having the possibility to check how personal data are then stored, processed or used, thus transforming a global health emergency into an opportunity to grow and enhance their political and economic power.

In a way the fear is that, once Apple and Google have done the hard work, they will then also decide the rules of the game: it is not clear whether this is or is not taken seriously by the State and European Institutions, but perhaps it should be in light of Frank Pasquale’s suggestion that there is a shift from territorial sovereignty to functional sovereignty, by which means digital platforms would fall into the hands of private powers competing with and taking over public powers.

Until now the focus has been on the first of my two initial claims: the beauty of European constitutional law in relation to the protection of contrasting fundamental rights, even in the throes of the Pandemic, and the difficulty in speaking a pan-European language as regards app interoperability.

I would like, very briefly, to dedicate a few words to the second claim I mentioned earlier. In my view the dominant narrative according to which a trade-off must be made between the degree of precision of the virus map and the need to respect the quite demanding European data protection legal regime is entirely misleading. And the reason is simple. This essentially focuses only on the proportionality test and not, as Article 52 of the Charter, but also Article 23 GDPR and Article 15 of the e-Privacy Directive show, on the necessity of the limitations on privacy. In other words, it is taken for granted that the app will be effective in combatting the virus, and it is consequently taken for granted that it will be necessary. This is a typical expression of, in Morozov’s terms, technological solutionism, according to which every problem must find an almost immediate technological solution. In this case, the solution should be the digital contact tracing system.

The truth is that we do not have any empirical evidence that this is the solution, at least where app downloading is voluntary and there will be no penalties for those who choose otherwise (the ABC of a liberal democracy model). Even in Singapore, which is far from such a model and where there is a high degree of digitalisation and an even higher degree of trust in the public authorities, the app (TraceTogether) has been downloaded by a low percentage of the population and does not appear to have had any significant impact in reducing infection. Finally, even in Europe, doubts concerning its necessity (effectiveness) are on the rise.

Belgium plans to continue with traditional contact tracing as it does not consider that there is sufficient evidence that the instrument will be effective. In Austria only 4% of the population has downloaded the app, despite pressure from the government. In the Netherlands, the supervisory authority has stated that it will not be in a position to approve it unless it is confirmed as being effective. Finally, in France, the CNIL will only approve it after a parliamentary debate has been held and studies have been completed showing it to be effective. 

These responses represent an alarm bell that is not ringing: if we cannot be reasonably certain that the digital tracing model which is in compliance with European constitutional law will be effective and hence necessary, then even minimum restrictions on privacy become problematic. 

The alternative is moving from European modelling of exposure notification to an Asiatic one based on digital surveillance or, in the best scenario, on walking and scary robots in parks.  

I would be inclined to exclude that option immediately: it would be an unforgivable betrayal of the roots of European constitutionalism.

Oreste Pollicino is Full Professor of Constitutional Law and Media Law, Bocconi University, Milan 

Suggested citation: Oreste Pollicino, “Fighting Covid-19 and Protecting Privacy Under EU Law — A Proposal Looking at the Roots of European Constitutionalism” IACL-AIDC Blog (21 May 2020) https://blog-iacl-aidc.org/2020-posts/2020/5/21/fighting-covid-19-and-protecting-privacy-under-eu-law-a-proposal-looking-at-the-roots-of-european-constitutionalism