Personal data should have proper safeguards

“Actions to tackle the covid-19 virus using personal data should have proper safeguards.” Diego Naranjo, head of policy at EDRi.

The novel covid-19 disease is a global health crisis, and the ways countries in Europe are attempting to hinder the progress of the disease’s outbreak are wide-ranging. In some countries, governments are now looking into the possibilities of using a smartphone app to prevent the spread of the virus.

Diego Naranjo is head of policy at EDRi, one of the organizations receiving a grant from Civitates within the line of work that pushes for a healthy digital public sphere.

What do you think of actions taken by governments and businesses in the fight against covid-19? What will the repercussions be on freedom of expression, privacy and other human rights?
Actions to tackle the covid-19 virus using personal health data, geolocation data or other metadata should always be legitimate, necessary, proportionate and have proper safeguards.

If people are being followed by the use of data from their mobile phones, they can easily be discriminated against, not only by other people who may not want to interfere with them, but also because, for instance, they can be denied access to certain areas. It could as well lead to problems in the future, if insurance companies would not accept their application because of having had a certain disease. In some countries people saw information about the virus that they posted taken down, which as such endangered their freedom of speech. These are only a few examples of course.

And we have to keep in mind what we’ve also seen in the past: that emergency measures tend to remain in place even after a crisis, as has happened with measures implemented with the excuse of the ‘war on terror’ (such as increased security measures in flights) or to fight terrorism or other serious crimes.

What about the European response?
Within the EU we noticed quite a variety of ways of tackling the crisis. Fortunately, we saw that almost from the beginning the European Commission is very careful and keeps the EU Charter in full force. The Commission is contacting the European Data Protection Supervisor and other key authorities for advice, which we interpret as a good sign. The problem in this crisis however will mainly take place at the national level. If the response from the EU is not harmonized, some states may take short-sighted decisions which may or may not be in line with EU legislation.

How could digital data help fight covid-19?
We are tracking the developments and it seems that some of the governments within the EU are open to work with an analysis of aggregated data, while others still focus on the control of the geo-location of specific individuals. Instead of trying to ensure that citizens respect confinement by controlling them with GPS, there are proposals to combat the spread of covid-19 with the use of Bluetooth technologies as the European Data Protection Supervisor is proposing. The basic idea is that anybody could voluntarily install a certain app (which should be released on a free software license) on their mobile phone and if that person would pass by someone who has declared him- or herself positive, the app would give an alert. This would all happen within the mobile phone, without passing any data to anyone unless the user wants to.

A recent German hackathon (a contest for hackers) aimed at finding technology responses to the covid-19 virus resulted in 800 possible projects. Initiatives like this could be interesting, and analysis of trends via Artificial Intelligence or any other technologies could be interesting too, but should always keep strong data protection and privacy standards in mind.

However, even though we are technology activists here at EDRi, not everything can be done digitally. So far the World Health Organization (WHO) insists that the main measures to keep the virus from spreading are social distancing, washing hands … and not implementing mass surveillance.

What is it like to do EU advocacy in times when everyone is working from home and the institutions are in crisis mode?
I am sending out emails to some of our key commissioners; we had meetings scheduled with them this week and also in the coming weeks, but these are postponed now. We want to tell them that precisely because of these extraordinary times our voice is more needed than ever. We are therefore requesting to meet them online. Even though the European Parliament is relatively quiet, we are still very busy and keep doing most of our work except in-person meetings: we work more on position papers, writing and researching instead. We are also mapping what the member state responses to the covid-19 crisis are, in order to inform our members about what is going on in their respective countries.

What is your dream with regard to the use of personal data and the covid-19 crisis?
If I look at the crisis from the bright side…maybe we can use this crisis to figure out what we would like the internet to look like in the next 10-15 years. In my view, we should strive for an open internet which is decentralized, privacy-friendly and where choice, control and access to justice are imperative when using internet services as well as hardware and software. In essence, technology should work for us; it’s not us working for technology.

European Digital Rights (EDRi) is an association of 42 civil and human rights organizations from across Europe that defend rights and freedoms in the digital environment. The association advocates in Brussels at European institutions. With a grant from Civitates, EDRi supports states and internet platforms to put forward a human-rights compliant, evidence-based response to illegal online content.