EDPS zet in op pan-Europese trackingapp in strijd tegen het coronavirus

Dear Friends,

The spread of Corona virus around the world has shown – like no other challenge we have faced over the last years – how small and connected is our world. How similar our problems are, and how important is to address them together finding strength beyond our nations.

Together we are stronger and in a time of unprecedented crisis as the one we are going through; the European Union is the perfect place to pull resources together and to find common solutions.

The European Data Protection Supervisor, as a data protection authority and as a EU institution, is fully committed co-operate with other European Institutions to put in place as soon as possible efficient measures to fight this existential threat to Europeans, to our economy and to our way of life.

The digital revolution has given us powerful tools to process information about the world we live in, about us – human beings – and about our behaviour.

Our “mantra” is that big data means big responsibility. We have to know what we are doing, and to know that we are responsible for the results of our activity.

Responsibility also means however that we should not hesitate to act when it is necessary. There is also responsibility for not using the tools we have in our hands to fight the pandemic.

This is why the EDPS is co-operating with the other European Institutions to give a European response mitigating as much as possible any risks for the fundamental rights of individuals.

We appreciate the attention these fundamental rights – including right to data protection – gain among European Union politicians and among European administration, scientists and representatives of market. They all work now hand in hand to find solutions on allEuropean and on national level bearing in mind both European Charter of Fundamental Rights, the General Data Protection Regulation and the European Human Rights Convention.

The GDPR clearly states that the processing of personal data should be designed to serve mankind (it was the favourite quote from GDPR for my predecessor Giovanni Buttarelli).

GDPR states also that the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

Legality of processing the personal data – even so called sensitive data like data about health – can be achieved when processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued.

I am not inventing or interpreting “in innovative way” but I am quoting the existing text of the GDPR.

The GDPR also permits processing of sensitive data when it is necessary for reasons of public interest in the area of public health, such as protecting against serious crossborder threats to health.

....

The crisis will not be finished in weeks. It will take months to fight with it and years to recover. If we are so connected with each other, we will not be able to solve it with national tools only. The more European will our answer be the better results we will gain.

You can sometimes hear today the call to suspend data protection law or revise it in light of the current crisis. Let me stress again this law is neither an obstacle for being active nor an excuse that we are not efficient as this law was written with consultation of experienced specialists in extraordinary use of new technologies serving the mankind.

Data protection law calls at the same time for the respect to the essence of the right to data protection and provides suitable and specific measures to safeguard the fundamental rights and the interests of the persons.

Even when we recognize that an unusual way of processing would interfere with the right to privacy and data protection, it may still be necessary in the extraordinary circumstances we are all living over the last few weeks.

measures taken at European or national level are:

• Temporary – they are not here to stay after the crisis.

• Their purposes are limited – we know what we are doing.

• Access to the data is limited – we know who is doing what.

• We know what we will do both with results of our operations and with raw data used in the process – we know the way back to normality.

The EDPS supports the development of technology and digital applications for the fight against the coronavirus pandemic and is monitoring these developments closely in cooperation with other European Data Protection Supervisory authorities. It is firmly of the view that the GDPR is not an obstacle for the processing of personal data, which is considered necessary by the Health Authorities to fight the pandemic.

The EDPS is aware that a number of EU Member States have or are in the process of developing mobile applications that use different approaches to protect public health, involving the processing of personal data in different ways. The use of temporary broadcast identifiers and bluetooth technology for contact tracing seems to be a useful path to achieve privacy and personal data protection effectively.

Given these divergences, the European Data Protection Supervisor calls for a panEuropean model “COVID-19 mobile application”, coordinated at EU level. Ideally, coordination with the World Health Organisation should also take place, to ensure data protection by design globally from the start.

We call all technology developers currently working on effective measures in the fight against the coronavirus pandemic to ensure data protection from the start, e.g. by applying data protection by design principles.

The EDPS and the data protection community stand ready to assist technology developers in this collective endeavour.

Legality, transparency and proportionality should accompany any measures designed to fight the covid-19 pandemic. In our endeavor, we shall recall the words of the President of the Court of Justice - judge Lenaerts when he stated that the law “restricts the authorities in the exercise of their powers by requiring a balance to be struck between the means used and the intended aim (or result reached)”.

In 2016 European data protection authorities formulated a list of requirements for surveillance mechanisms that interfere with the right to privacy and data protection. Later judgments of the Court of Justice of the European Union have confirmed the line of reasoning used by the DPAs, and four relevant pillars of accepted activity at the time of rising insecurity – known as ‘European Essential Guarantees’ – have been described. They consist of:

• the requirement that the processing should be based on clear, precise and accessible rules;

• demonstration of the necessity and proportionality with regard to the legitimate objectives pursued;

• existence of an independent oversight mechanism as well as

• availability of effective remedies to the individual.

Legality, transparency and proportionality are essential for me.

Solutions we prepare – both technological, organizational and legal – have to serve the principle that personal data may only be processed for specified legitimate purposes, where necessary for these purposes, and not used in a way incompatible with those purposes.

Let me finish by stressing that the EDPS is working closely with the European Data Protection Board and other European Union Data Protection Supervisory authorities. This also includes the authorities of the member states of the European Economic Area which also have valuable input as far as the use of big data tools is concerned .We are also in close consultation with our counterparts outside of EU – from the United Kingdom through the United States, Latin America and till New Zealand.

That is how we understand digital solidarity, which should make data working for all people in Europe and especially for those the most vulnerable. Digital solidarity would refuse to replicate the now tarnished and discredited business models of constant surveillance and targeting that have so damaged trust in the digital society but will allow data protection serve mankind during this extraordinary exam in our knowledge, skills and our human values.

Dit nieuwsbericht is ook te vinden in de dossiers AVG, ePrivacy en Coronavirus