As the weeks pass and the coronavirus crisis evolves, debates about the day after have become increasingly important. The ‘day after’ poses some enormous difficulties: the virus will continue to be here, and the vaccine will still not be a reality. Many hopes have been placed on technology in order for the economy to not remain paralyzed – an economy that, in large part, is based on the movement of people – and to avoid, once again, the nightmare of an outbreak capable of saturating hospitals and ending the lives of tens of thousands of people. More specifically, hopes are placed on the effectiveness of applications that track the proximity of citizens. Like this, health services can contact all those who have been in contact with others who have become sick to apply selective isolation measures.
The debate is not about what to do, as there is consensus that such technological solutions can be very useful; in fact, several are already being developed, albeit in a disorderly way, across the EU. So disorganised that the European Commission tried to bring some order to the situation on Tuesday, April 14, recommending that States report, before May 31, on what solution they are going to use.
The debate is in the how, and specifically how to reconcile this technological surveillance with citizens’ right to privacy, in digital environments as well, and how to create common standards across the EU, avoiding the creation of national islands of data that minimize the effectiveness of these applications.
How to reconcile technological surveillance with citizens’ right to privacy?
The legal discussion in Europe has a very clear framework : the General Data Protection Regulation. It is a complete regulation, so much so that it includes possible exceptions in its application for situations as serious as the current one: Article 9.2 (i) repeals the prohibition on the “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” when necessary “for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care.”
These are temporary solutions, as the press release from the Commission on April 14 noted: the data will be deleted once the pandemic is under control.
Therefore, facing solutions from authoritarian regimes such as the Chinese, in Europe we fortunately have a law that protects citizens, based on acknowledging that the protection of their data is not a supreme good. Facing a pandemic like the present one, the data can be relinquished and processed because, ultimately, it saves lives.
¿How to create common standards across the EU?
The second ‘how’, the creation of a common standard to ensure the effectiveness of the app throughout the EU, is equally complex.
On April 10, Google and Apple announced in a joint statement a technical alliance to improve the apps that are fighting against coronavirus. The two companies committed to having the API (Application Program Interface) up and running in May, which will make it possible for devices with Android and iOS operating systems to, in fact, work like a single system when apps from the public health authorities are used. The desired universality of the solutions these APIs use would be guaranteed: Android has a 72.6% market share in Europe, and in conjunction with the Apple operating system would reach 99.1% of mobile phones. The ‘fine print’ of the applications, which is essential, would be the responsibility of the authorities in each country.
The initiative is as promising as it is praiseworthy, but it awakens a certain gloom: In this case, is Europe once again going to cede the initiative, and access to data, to the large companies from the United States? Are we not capable, in Europe, to do something similar, or at least to try?
Fortunately, the answer to this last question is yes. More than 130 institutions in eight EU member countries have formed the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT). Its purpose is to provide a set of “standards, technology and services” to countries and developers, in such a way that tracing is done uniformly, in addition to with a scrupulous respect for the law, throughout the European Union.
Technically, there doesn’t seem to be any major differences with the project from Apple and Google. But, from other perspectives, there indeed are. A key difference is that the PEPP-PT has been formed as a non-profit association; it is a project born as a result of the pandemic, with its roots anchored in European society and its technological fabric. Its leading promoter is a German organization, the Fraunhofer Heinrich Hertz Institute for Telecoms.
Only those companies that control their data will be masters of their own future. Therefore, with appreciation for the initiative from Apple and Google, we think a European solution would be better in the search for protocols for apps to fight against coronavirus. The pandemic knows no borders, but European protection of data, the belief that citizens own this data, is truly something that is characteristic of the EU. The implementation of a technology is never neutral, and this case is not going to be the exception. This is why we must be especially careful when it comes to urgent solutions.