Over the last few weeks, the search for effective measures to stop the spread of COVID-19 has been the number one priority of affected countries. So far, there is no unified approach. A noteworthy trend is the increased awareness of the potential of data, which is sometimes even referred to as the "new oil". This potential is more than ever being used for key decision-making, e.g. in the development of medicines or vaccines, when assessing whether anti-epidemic measures are effective, in which countries travel restrictions should be imposed, in which public places access should be restricted, etc.
Many countries seem especially interested in using location data from mobile devices to help track and fight the spread of the pandemic. But many privacy experts have voiced their concerns.
Nevertheless, the omnibus data protection legislation in the EU – the General Data Protection Regulation ("GDPR") – provides enough flexibility and possibilities to process personal data, including special categories of data such as health data. On 6 April 2020, the European Data Protection Supervisor ("EDPS") expressly noted that "GDPR is not an obstacle for the processing of personal data, which is considered necessary by the Health Authorities to fight the pandemic". The EDPS also noted that "the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality."
Thus, for EU Member States, the question seems to be not whether such data may be used, but rather where do we draw the line? This article will provide a brief overview of the current situation in Bulgaria, considering the measures adopted during the state of emergency (declared on 13 March 2020), and the possible outlooks for coordination on an EU level.
What amendments were adopted in Bulgaria in relation to the state of emergency?
Due to the pandemic and the spread of COVID-19 in Bulgaria, towards the end of March a new piece of legislation was adopted – the Act on the Measures and Actions During the State of Emergency, announced by a decision of the National Assembly of 13 March 2020 ("Act"). The Act introduced a number of measures for effective crisis management during the state of emergency and amended some other legal acts. One of them was the Electronic Communications Act ("ECA").
The ECA amendment touched on a rather sensitive topic. Namely, the sharing of personal data that can be used to determine the location of a mobile device (e.g. a smartphone). However, this amendment did not receive much media attention and public discussion, or at least not as much as in other countries.
What was the situation before the ECA amendment?
The ECA amendment affects the provisions governing the storage and access to data of providers of publicly available electronic communications services (e.g. telecom operators, internet service providers, etc.)1. For example, even before the amendment, telecom operators were obliged to store data from mobile devices for purposes strictly defined in the ECA for a period of six months. These data include dialled phone numbers, date, time, duration and type of connection, device IMEI, and cell ID. The ECA expressly clarifies that telecom operators do not store data about the contents of the message.
The purpose of these provisions is that data be stored for a short six-month period only for purposes of public importance (strictly defined by the ECA) – national security, investigating certain serious crimes and search and rescue operations (Article 251b). Thus, public authorities explicitly mentioned in the ECA (e.g. the State Agency for National Security, the National Police, etc.) may request access from telecom operators to the above data only for these purposes and not as a general rule. Such access is only allowed after prior court authorisation. As an exception, the ECA allows telecom operators to provide immediate access in certain emergency cases, and only then will a court authorise or deny the already granted access.
What has been amended?
The result of the ECA amendment is that telecom operators are now obliged to store and (upon request, without prior court authorisation) provide data to competent authorities for one more purpose, i.e. to monitor citizens' compliance with the imposed quarantine measures during the state of emergency.
The following paragraphs will briefly look at the details of the newly introduced power of public authorities. A glance below the surface could provide a better idea of whether the line between controlled, targeted anti-COVID-19 measures and uncontrolled digital surveillance has been crossed.
Who is affected by the amendments?
The wording used by the legislator to define the purpose of the data storage and affected persons is the following: "for the purposes of enforcement of mandatory isolation and hospital treatment of persons under Art. 61 of the Health Act, who refused or did not comply with mandatory isolation and treatment". At first glance, it seems that the number of affected persons is limited only to those who have refused or did not comply with mandatory isolation and treatment. The number is further decreased by the reference to Article 61 of the Health Act. Therefore, persons whose data could be accessed by the competent authorities must meet three cumulative conditions.
The first condition requires an order by the Minister of Health, providing for mandatory isolation of sick, contagious, contact persons and persons who have entered the territory of the country from abroad. This condition is in fact fulfilled in connection with COVID-19. The Minister of Health has issued orders in that regard which can be accessed on its website. According to the Health Act, the second condition is for the affected persons to be subjected to mandatory isolation or treatment by an order of the head of the respective hospital at the recommendation of the attending physician or the doctor who referred the patient for hospitalisation (Article 61(3) of the Health Act). The third condition is that those persons have refused or are not complying with the mandatory isolation or treatment.
Therefore, according to the legislation, only the data of persons who have refused or do not comply with mandatory isolation or treatment, imposed by order of the head of a hospital, can be accessed. On the one hand, the number of persons is sufficiently limited so that there is no concern that an unjustifiably wide scope of persons will be subject to location tracking. Thus, the legislative idea is not to apply the measure to all citizens, which in turn would have been a much more intense intrusion of privacy. On the other hand, the question of how the fact of non-compliance with mandatory isolation will be established (especially for people quarantined at home) inevitably arises. And this fact should be established before telecom operators are required to provide the person's data. The answer to this question cannot be found in the legislation so far.
It is important to clarify that when adopting the change in the ECA, the legislator explicitly restricted the data that telecom operators are required to provide to only the cell ID (data to locate a device). Information regarding dialled phone numbers, call duration and other data is not disclosed. It follows that the competent authorities could only obtain the data based on which the approximate location of the device could be determined. In terms of the clarified scope of affected persons, collecting this type of data seems logical. Based on these data, the competent authorities could, for example, establish that a person who should be under 14 days quarantine is not complying with the prescribed isolation measures.
Who can access the data?
According to the ECA, only the following authorities can access the data: the General Directorate National Police, the Sofia City Department of the Interior, and the Ministry of Interior Regional Directorates, i.e. bodies of the Ministry of Interior and the police.
One of the noteworthy features of the data access procedure is the accelerated "instant access" with subsequent (rather than prior) notification and court authorisation. It follows that the police would not have to use the standard procedure, which requires prior court authorisation. On the contrary, telecom operators are obliged to grant access immediately, and the court may subsequently order the refusal and destruction of the data within 24 hours of receiving the request, but only after the data have already been provided.
It appears that the Bulgarian legislator has decided to utilise mobile devices data as a measure to limit the spread of COVID-19. The police will be able to monitor, through location data, whether infected and quarantined persons comply with the mandatory instructions of health authorities. In terms of data protection, the ECA amendment establishes a necessary legal basis for data processing by the telecom operators and the Ministry of Interior bodies for the purposes of enforcing mandatory isolation and hospital treatment. The question of whether this measure is necessary within the meaning of Article 8 of the European Convention on Human Rights and respects the right to private life is beyond the scope of this article.
While objectively intruding on the privacy of individuals, it is important to note that the ECA amendment is also limited in duration. With the end of the state of emergency, the new power of the Ministry of Interior will cease to exist. The latter seems to be an additional safeguard for the right to privacy and minimises risks related to excessive digital surveillance after the state of emergency has ended.
On the other hand, the most serious drawback of the measures goes beyond the specific legislative amendment: the lack of transparency and broader public discussions on how citizens' data will be used, especially in times of crisis.
Although not a legislative measure, in early April the Ministry of Health introduced a new mobile application to help combat COVID-19. Unfortunately, a lack of transparency and public awareness could also be observed in this measure.
The main purpose of the mobile application is for citizens to enter their health data themselves, and to receive information about close contact with a person infected with COVID-19. The mobile application data should also provide a better overview and statistics for public authorities on population morbidity rates.
In addition to personal data such as personal identification number, age and gender, the app also processes special categories of personal data – current health status (symptoms that may be associated with COVID-19) and chronic medical history. The mobile application can also track location data. However, installing the app and providing any personal data is voluntary, i.e. based on consent. There is no obligation to install the app or to provide the data (some countries have chosen a mandatory approach).
Undoubtedly, the use of such an app can help public authorities combat COVID-19. Nevertheless, there are at least two significant data protection aspects which could be improved: data anonymisation and transparency. For example, according to the terms and conditions of the app, the data is received by the Ministry of Health, which in turn can provide it to the authorities competent to take measures against the spread of COVID-19. So far, so good. However, the potential recipients of the data include third-party service providers connected with the administration and operation of the app. The provision of data to third parties does not appear to be made in a particularly transparent manner for citizens, especially given the sensitivity of the processed data. In such circumstances, it is strongly recommended at least to anonymise data (where possible) and to provide greater transparency as to whose and what type of data third parties can access. There is room for improvement here.
Is there a plan to coordinate measures on an EU level?
On an EU level, the need to coordinate the fragmented approach of Member States is becoming ever more apparent. The EU has already voiced concerns about the lack of a common approach towards the use of location tracking and mobile applications.
Amongst the EU bodies and institutions calling for coordination of the various national measures are the EDPS, the European Commission ("EC") and the European Data Protection Board ("EDPB").
The first EU body to provide guidance on coordinated action between Member States was the EDPS in a letter of 25 March 2020 to the EC. The specific reason for the EDPS letter were the ongoing discussions between Member States and telecom operators with the objective of using location data to track the spread of the COVID-19 outbreak. In addition, on 8 April 2020, the EC issued recommendations on a common Union toolbox for the use of technology and data to combat and exit the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data. On 3 and 7 April 2020, the EDPB announced that one of its priorities is to provide guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak.
At the EU level, the potential of data is being recognised as an important tool for informing the public and helping relevant public authorities in their efforts to contain the spread of the virus or allowing healthcare organisations to exchange health data. At the same time, it is recognised that adequate mechanisms must be provided to protect fundamental rights and freedoms, particularly the rights to privacy and protection of personal data.
Among the priorities in the EC, EDPB and EDPS documents published so far are the call for anonymisation of data received from telecom operators, limiting the storage period and deleting data, transparency requirements on the privacy settings to ensure trust in the applications, preference for the least intrusive yet effective measures, etc.
The active involvement of EU bodies and institutions is an indicator of the significance and sensitivity of any measures requiring location tracking via telecom operators' data or mobile applications. Although many Member States have already adopted measures, including legislative ones, they must be reconsidered in the light of a common EU coordinated approach, particularly with a view to finding a reasonable balance between public safety and the fundamental human right to privacy.
Arguments for and against such measures, as well as their specific implementation, are being actively discussed. On the one hand, it cannot be denied that the use of data at this time can be a highly effective means of curbing the pandemic, as has already happened in China, South Korea and Singapore. On the other hand, history has shown that some permanent measures were first introduced as temporary. Privacy experts are concerned that providing sensitive data in large quantities crosses a line that may be difficult to draw back from when things return to normal. Therefore, broad public discussion and coordinated measures at the EU level are increasingly necessary.
This text was originally published on April 15, 2020
By Kristina Chakarova, Associate, Schoenherr