With a pandemic declared around the world due to the spread of COVID-19, the main problems that governments are trying to face all relate to the effectiveness of different approaches aimed at ‘flattening the curve’ or containing the spread of the virus[1]. This is certainly not a simple task: along with a lack of medical and testing equipment, a complex debate has emerged on whether fundamental principles of European democracies should be set aside in order to achieve a fast response. In particular, the fundamental right to privacy turns out to be the most threatened principle, as data plays a crucial role in containing the spread of the virus, but not every instance of data processing can be justified on that basis.
The GDPR and the European Charter of Fundamental Rights provide for exceptions that allow the processing of data without consent for reasons of public interest or to protect vital interests (Articles 6 and 9)[2], and only if the processing is temporary, proportionate and strictly required. However, the most significant privacy infringement stems mainly from the fact that governments and businesses are joining together to track and stop the spread of the disease. Data can be useful to reconstruct the path of a positive patient over the past 14 days, identify strangers with whom the patient had contact, locate those contacts and, lastly, inform them. But who can determine what is necessary and proportionate in this specific situation? The main challenge is to keep to a minimum the damage caused by limiting the right to privacy.
The Chair of the European Data Protection Board (EDPB) has recently provided a statement on the processing of personal information in the context of COVID-19. The EDPB mainly confirmed that employers and governments can act lawfully in collecting and processing personal data, relying on Articles 6 and 9 of the GDPR. It also provides guidance on the use of location data, establishing that it can be used only if made anonymous; where this is not possible, Article 15 of the ePrivacy Directive enables Member States to introduce legislative measures to enable such authorities to use this information. In such cases, the consent of the data subject will not be required.
In addition, the EDPB analyses the specific case of the collection of certain special categories of personal data, such as health data. Health data may also be at risk as reports of illness are fed into aggregated statistics for national, State and local governments, overriding privacy protection. Under the GDPR, health data needs a higher degree of protection, in accordance with Article 9. This means that the collection of special categories of personal data, in order to be lawful, may be carried out only in cases of public interest.
The COVID-19 crisis creates trade-offs between the need to safeguard public health and the limitation of certain civil liberties, giving rise to different approaches that vary from State to State.
South Korea is cited as the country that has handled this crisis best. Its government employs thermal goggles that read people’s temperature from a distance and a specific app, called “Self-Quarantine Safety Protection”[3], used only for sick patients who are spending their quarantine at home for two weeks.[4] This tool operates within a restricted area: if the patient leaves that area, a mobile alert sends a signal to the government case officer.
The United States is working with social media, using so-called “social listening” tools[5]. The U.S. government is working with Facebook, Instagram and Twitter to track people’s movements, and with Google to extract useful information from personal use of mapping applications.
These two cases are clear examples of abusive data collection, on two grounds: first, we do not know what will happen to the data once the crisis is over and, second, there is a clear lack of transparency.
By contrast, several States, such as Israel, Singapore and Italy, decided to grant a higher level of data protection. Initially, Israel used a cell phone tracking tool that was previously used for fighting terrorism[6]. This tool detected 30% of the cases but was in clear conflict with the provisions on the protection of personal data. For this reason, the government of Israel decided to use a specific app, called “HaMagen”, based on consent and on the principle that data can be collected only on the user’s device and not directly shared with the government. In the same way, Singapore developed the app “TraceTogether”, a voluntary app which uses Bluetooth connectivity, protecting data by avoiding the use of geolocation and allowing data anonymization[7]. The last country that decided to use this approach is Italy, which has recently developed the app “Immuni”, a voluntary system based on the principle of reducing the spread of the virus while always protecting data.
What will happen once the crisis is over is not a simple question, and it has no easy answer. Data will certainly be stored for a long time in order to record a specific number of infections and to have a possible solution already in place for dealing with similar pandemic illnesses in the future. But is it always a good idea to invest in technology even where it breaches fundamental human rights?
First, there is no evidence that the deployment of technology can, by itself, contain the virus. Taiwan appears to have reached the same result as the EU through widespread testing and a less intrusive use of technology[8]. Secondly, technology and geolocation data cannot guarantee accuracy, as the data might be inaccurate, and cannot be used to monitor the effectiveness of social distancing measures. Nor can data be used to sanction citizens who violate the quarantine. Lastly, apps can sometimes be gamed or boycotted by citizens.
After this analysis, we can clearly affirm that information can be an important tool in this situation, and that data is playing a crucial role. What matters most is that the use and collection of this information respects fundamental human rights, or at least has the least possible impact on them, without abuse. This result can be achieved by limiting the number of persons subjected to digital control, guaranteeing confidentiality and transparency and, above all, limiting to a specific period of time the possibility of using the data collected.
[1] EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1. – Art. 6 and 9;
[2] ‘Statement of the EDPB on the processing of personal data in the context of the COVID-19 outbreak – 2020’;
[3] Zastrow, Mark, ‘South Korea is reporting intimate details of COVID-19 cases: has it helped?’, Nature, 2020;
[4] Baker McKenzie, ‘Covid-19 – Data Privacy & Security Survey’, 2020;
[5] Bird&Bird, ‘COVID-19 & Privacy & Data Protection chart’, 2020;
[6] Jaffe-Hoffman, Maayan, ‘Israel plans to use counter-terrorism tools to stop spread of coronavirus’, The Jerusalem Post, 2020;
[7] Singapore Government Agency, ‘Help speed up contact tracing with TraceTogether – A new app uses a community-driven approach to identify close contacts of users’, 2020;
[8] Yang, William, ‘How has Taiwan kept its coronavirus infection rate so low?’, Deutsche Welle, 2020.