Data processing in light of the pandemic: Europe should not abandon its model


The severity of the coronavirus pandemic not only reminds us of the real meaning of the internet: it is also putting discussions on the table that the EU did not consider having just a few weeks ago. The technological ability to track the footsteps of its citizens, facing an expanding disease that is countered with social isolation, is a huge temptation for EU governments. And, with tens of thousands of deaths throughout the EU, it would be incomprehensible to completely dispense of a tool capable of combating the virus. 

However, under no circumstances should this be understood as a kind of carte blanche for governments. Data belongs to the citizens, during these extremely difficult weeks as well, and will continue to do so when the nightmare moves into the background. On too many occasions, measures taken in emergency situations end up becoming the new normal. In this case, that would be very bad news for the EU, an entity that carries the defence of democratic values in its DNA. We can look to China, and even try to learn something from their digital control mechanisms. But what we cannot forget is that China is not a liberal democracy.  

What to do then? In the first place be extremely cautious, putting limits on this exceptional situation. A good start is the letter that a group of lawyers, academics and privacy experts have sent to the Spanish government, setting some limits on the use of technology to control the pandemic, all within a general tone of support for these measures. 

The GDPR sets the rules

The signatories remind us that the General Data Protection Regulation in the EU (2016/679) considers that the defence of data can be lowered in exceptional situations. In the case of the coronavirus crisis, Article 9.2 (i) applies which repeals the prohibition on the “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” when necessary “for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care.” 

But at the same time, these exceptions also have their limits, also specified in the regulation. 

Thus, Article 5.1 (b) establishes the principle of purpose limitation, by which the data may only be used for the specified purposes: management of the crisis caused by the pandemic. In addition, the principle of storage limitation (Article 5.1.e) specifies that all data obtained during the processing must be disposed of once the crisis has definitively ended. Finally, Article 25 underlines the need for strict respect for the principle of data protection as of the design stage and during development of the technological tools that may be applied. 

Technology has tools to fight against this pandemic, but must do so within the regulations that European citizens have given ourselves. Europe cannot simply unleash the tremendous power of data, today essentially dominated by companies from other countries and having their own interests. The danger is to fall into a state of permanent technological surveillance that skirts the border of fundamental rights.