Data protection in times of coronavirus: not a question of if, but of how

09 April 2020

In recent days, the discussions around the use of data to combat the corona pandemic have increased.

Therefore, we have written an ad hoc paper v0.3 (PDF, English) on compliance with the GDPR and would like to take this opportunity to provide an initial overview of these projects.

Overview of various measures and projects

There is a lot of talk about various corona measures and projects that are intended to contain the spread of the virus by using data. These include, for example:

  • information portals (such as information for self-diagnosis or maps of risk areas),
  • anonymous data analytics (especially from mobile phone networks),
  • apps that attempt to record possible infection situations (contact tracing),
  • apps to check quarantine measures,
  • attempts to track infected persons via various data such as mobile phone tracking or the use of credit card data.

In an article on GDPRhub.eu, noyb has compiled a first overview of concrete apps and projects in Europe and beyond, in order to shed some light on this issue as well.

The vast majority of these approaches are far removed from problematic forms of mass surveillance or “Chinese approaches”.

GDPR allows data to be used in the event of epidemics - the question is not if, but how.

Contrary to many initial reports, there is no general conflict between data protection (especially the GDPR) and the use of personal data in the fight against an epidemic. Statements claiming that data protection must be “waived” seem to be based on a false understanding of the law.

Max Schrems, honorary chairman of noyb: "The GDPR explicitly provides for data processing in the fight against epidemics. Data protection laws must therefore not be ‘waived’, but simply observed."

According to the recitals of the GDPR, Articles 6(1)(d) and 9(2)(i) allow the processing of data, for instance, for the fight against "cross-border threats to health" or to combat "epidemics".

However, the GDPR also includes rules to limit the interference with our fundamental rights to a minimum, even in the fight against the coronavirus.

Max Schrems: "The laws provide for the use of data in the fight against corona, but only in reasonable ways. The law limits the use of data to what is absolutely necessary. Together with concepts such as 'Privacy by Design' it is possible to develop legally sound apps and systems that help fight this epidemic. So the question is not if it's possible to use personal data, but how to do this properly."

There is a lot of room between excessive mass surveillance and the collection and specific processing of certain important information. The use of data can, in terms of fundamental rights, also represent the "less onerous way" compared to the current restrictions on the freedom of movement or the freedom to conduct a business.

Schrems: "Voluntary apps based, for example, on locally stored and encrypted self-tracking can be useful. If such data is only decrypted in the event of a positive corona test, such systems can verifiably protect the users’ privacy. Such approaches are more like carrying a private avalanche beacon – contrary to a centralized government surveillance system."

To support projects in the implementation of data protection compliant solutions, noyb has published an ad hoc paper on contact tracing apps.

Trust is necessary for the success of such systems

People must be able to trust technology in the fight against the coronavirus, so that enough people will participate. This can be achieved by measures such as good data encryption, storage of data on the users' phones and the publication of the source code ("open source").

Schrems: "These projects only work if a large part of society participates. To do this, we need systems that allow user control over their data. The source code must be reviewable. If this is done properly, such systems can definitely be recommended."

Realistic view on technical possibilities

What is currently surprising about some statements is the unwavering belief in technology. More complex applications, such as "contact tracing" after an infection, are not feasible without highly specific data. Suggestions, such as calculating the risk of infection between two people using mobile network data, are more wishful thinking than a possible technical reality.

Horst Kapfenberger, computer scientist at noyb: "Due to their inaccuracy, location data by the mobile phone providers are absolutely unsuitable, for example, for determining possible infections with the coronavirus. We cannot build meaningful models with inaccurate raw data".

In addition, there are still uncertainties regarding the spread of the coronavirus. Often, the available information on how the virus spreads, and over what time frame, is inconsistent and vague. The less clear the parameters surrounding the spread of the virus are, the less precisely risk contacts can be calculated using technical solutions.

There is a danger that users will be lost in an avalanche of irrelevant warnings and information ("information overload"). It is therefore important to collect relevant data of the necessary quality in order to actually achieve the objectives of a project.

Max Schrems: "These systems are not meant to guess what advertisements we may be interested in, but to ensure the health of the population. We therefore need specific, accurate and correct information. For a statistic, rough and anonymous data is often sufficient. For attempts to record chains of infection, however, you need highly accurate data - that may be stored locally and encrypted at the users' premises."