EU data watchdog asks for single, pan-European COVID-19 app

European Data Protection Supervisor (EDPS) Wojciech Wiewiorowski has requested nations work together through a single app to track the spread of COVID-19.

With several nations, including Wiewiorowski’s home country Poland, creating apps for Government authorities and consumers to track the spread of COVID-19, the digital economy is searching for solutions. But there are questions as to whether this is being done in the most effective manner.

“Given these divergences, the European Data Protection Supervisor calls for a pan-European model ‘COVID-19 mobile application’, coordinated at EU level,” said Wiewiorowski. “Ideally, coordination with the World Health Organisation should also take place, to ensure data protection by design globally from the start.”

Not only would a pan-European approach add more depth to the data, it would ensure more eyeballs are evaluating the data sets instead of a fragmented approach with several national apps. Another benefit for Wiewiorowski and his team at the EDPS office is that there is less opportunity for data protection rules to be screwed.

Wiewiorowski has spoken about the right to data protection not being an absolute right, but one which should be balanced against the context of societal need. Today, more sensitive data should be opened up for analysis because of substantial public interest. This is how GDPR has been designed; to allow for the necessary and validated application of data analysis.

This is why having a single, pan-European app is more attractive than several different ones. The impact on data protection and privacy principles can be managed more effectively, but also reversed once the crisis has passed. This is a very important element of the opinion which has been offered by Wiewiorowski.

Data is critical to fight the coronavirus outbreak, but any measures taken at European or national level should be:

  • Temporary to deal with the outbreak
  • Limited to specific purposes
  • Access should be limited to specified individuals
  • A route back to normality should be planned, including the deletion of data

This is the most important part of the EDPS opinion; the collection and analysis of sensitive information is for the benefit of society. The heightened activities should only be in place because there is a heightened state of requirements. This should not be considered normal, and access should be deescalated once the crisis has passed.

How this process is managed is critical. Taking powers away from authorities is very difficult once they have become accustomed to them, therefore it will have to be defined very carefully. The apps to track the spread of the virus are very useful today, but the same applications could be twisted for very nefarious means quite easily. Such insight should not be considered normal, and at any other time would be considered a very dangerous blow to privacy.

This is one area which Wiewiorowski is keeping an eye on, but he is not alone.

“Now more than ever, EFF is dedicated to ensuring that technology supports freedom, justice, and innovation for all the people of the world,” Electronic Frontier Foundation has said in a blog post. “As our society struggles with how to protect public health, we must carefully consider how all manner of government and private decisions may impact our digital rights.”

Data is critical to combatting the coronavirus outbreak, but a careful eye has to be kept on whether the concessions made are eroding long-term privacy rights. The consumers cannot be net-losers from COVID-19.

European Data Protection Supervisor: Data sharing to combat COVID-19 is legit

After suggestions there might be some suspect data sharing going on to combat the coronavirus outbreak, the European Data Protection Supervisor has said it is within the rules.

The European Commission’s Internal Market chief Thierry Breton has been one of the busier bureaucrats in recent times. Last week, Breton’s calendar showed meetings with Walt Disney, Netflix and Google to ‘preserve the smooth functioning of the internet’, and this week it appears the telcos are on the speed-dial.

This week, meetings with the major European telcos have been on the agenda to discuss ways and means by which data can be used to combat COVID-19. The collection and analysis of anonymised and aggregated geo-location data is one proposed initiative which the telcos can help with.

There might be some concerns about the legality of the proposed ideas, though European Data Protection Supervisor Wojciech Wiewiórowski has attempted to calm fears.

“Firstly, let me underline that data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics,” Wiewiórowski said in an open letter to Roberto Viola, Director-General of DG CNECT.

“I am aware of the discussions taking place in some Member States with telecommunications providers with the objective of using such data to track the spread of the COVID-19 outbreak.”

While previous generations have had to go by educated assumptions to combat the spread of such pandemics, today data is one of the most valuable tools. Insight on how citizens are moving around the country can inform on the success of self-isolation demands or give clues as to where perhaps the next viral hotspot would be. Information is critical in creating the most effective response to a pandemic which caught the world by surprise.

However, the presence of coronavirus does not give authorities a blank cheque to do whatever they please; rules and regulations to protect the interest of the citizen and mitigate the risk of abuse have to be adhered to.

Sophie in’t Veld, a Dutch Member of the European Parliament, is one such person to have raised concerns.

Writing to Internal Market chief Thierry Breton, in’t Veld wanted reassurances to ensure data would be and remain anonymised, including asking how this would be done, whether the European Data Protection Supervisor has been consulted for an opinion and how the Commission will respond to academic criticism that the collection of geo-location data will not offer benefits as it is not specific enough.

Breton responded to the letter from in’t Veld in satisfactory fashion, but also added that all data collected during this initiative would be deleted once the COVID-19 outbreak is in the past. Adding to Breton’s reassurances, the opinion of the European Data Protection Supervisor further validates the actions from authorities.

In the opinion, European Data Protection Supervisor Wiewiórowski states:

  • Effectively anonymised data fall outside of the scope of data protection rules, assuming the protections applied are resilient enough
  • Should third parties be used for the purposes of collection or analysis, the Commission should ensure appropriate protections are applied
  • Data obtained should be deleted as soon as the current emergency comes to an end

Should the conditions mentioned above be met, Wiewiórowski believes the European Commission should be able to act within the boundaries of data protection rules and regulations.

What should be taken into account is whether such processes are deemed legitimate with other laws.

“The data is anonymised so its use is in compliance with UK and EU data privacy laws, but it may still be an infringement of the human right to privacy under the Human Rights Act,” said Toni Vitale, Partner and Head of Data Protection at JMW Solicitors.

“A lot depends on how the data is used. If it is limited to creating heat maps showing where people are congregating, that might be OK. Some shopping centres already do this to show where shoppers are. This is useful to plan exits, where the cafes should be placed etc. Location data is commonly scraped from mobiles without users being aware.”

Little attention has been paid to whether the collection of personal information on this scale is a violation of the Human Rights Act, though one would hope the appropriate protections have been put in place. Data could hold the key to mitigate the worst impacts of COVID-19, so the European Commission should be applauded for its attempts to be as informed as possible.

European Parliament reprimanded by Data Protection Supervisor

The European Data Protection Supervisor (EDPS) has launched a data protection probe into the European Parliament for continued work with a US firm.

The firm in question, NationBuilder, processes data collected through websites run by the European Parliament for citizen engagement, though it has fallen short of European standards on data protection and privacy. This is the second reprimand handed to the European Parliament concerning NationBuilder.

The website placed under current scrutiny, thistimeimvoting.eu, collected personal data from more than 329,000 people who had an interest in European Parliament elections.

“Strong data protection rules are essential for democracy, especially in the digital age,” said Assistant EDPS Wojciech Wiewiórowski.

“They help to foster trust in our institutions and the democratic process, through promoting the responsible use of personal data and respect for individual rights. With this in mind, starting in February 2019, the EDPS acted proactively and decisively in the interest of all individuals in the EU to ensure that the European Parliament upholds the highest of standards when collecting and using personal data.”

Although the details are relatively thin for the moment, the EDPS has an issue involving the selection and approval of sub-processors used by NationBuilder. The sub-processors have not been named, though the EDPS has stated that Article 29 of Regulation (EU) 2018/1725 sets out the rules in question.

Considering Europe’s position atop the data protection and privacy high-horse, this should be seen as quite an embarrassing incident. The European Parliament has taken a very condemning approach to those who flirt with data protection and privacy regulations, most notably Facebook and Cambridge Analytica. With this announcement from the EDPS, it does not appear the bureaucrats are listening to their own condemning words.

The collection and application of personal information surrounding elections is of course a very relevant topic today, not only because of numerous scandals and accusations, but also some very high-profile events on the horizon. Not only is the UK’s General Election taking place in a matter of weeks, the threat of a second Brexit referendum is a possibility, while campaigning for the US Presidential Election will hit full-steam over the next couple of months.

Posturing and rhetoric regarding the importance of data privacy and the application of data analytics in a responsible manner are more prominent than ever, but it seems to be nothing more than statements of intent. Data protection and privacy scandals will perhaps never be a thing of the past.

Microsoft might be toying with European data protection compliance

The European Data Protection Supervisor has raised ‘serious concerns’ over whether Microsoft is compliant with data protection regulations.

The contracts in question are between the software giant and various European Union institutions which are making use of said products. The central issue is whether contractual terms are compliant with data protection laws intended to protect individual rights across the region from foreign bodies which do not hold data protection to the same standards.

“Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” a statement reads.

“Similar risk assessments carried out by the Dutch Ministry of Justice and Security confirmed that public authorities in the Member States face similar issues.”

The preliminary findings from the European Data Protection Supervisor follow on from investigations taking place in the Netherlands and also changes to the Microsoft privacy policies for its VoIP product Skype and AI assistant Cortana. The changes were seemingly a knee-jerk reaction to reports contractors were listening to audio clips to improve translations and the accuracy of inferences.

What is worth noting is that Microsoft is not the only company which has been bending the definition of privacy with regard to contractors and audio clips. Amazon and Google have also been dragged into the hazy definition of privacy and consent.

The issue which seems to be at the heart of this investigation is one of arm’s length. While government authorities and agencies might hand-over responsibility of data protection and privacy compliance to the cloud companies, the European Data Protection Supervisor is suggesting more scrutiny and oversight should be applied by said government parties.

Once again, the definition and extent of privacy principles are causing problems. Europe takes a much more stringent stance on the depth of privacy, as well as the rights which are afforded to individuals, than other regions around the world. Ensuring the rights of European citizens are extended elsewhere was one of the primary objectives of the GDPR, though it seems there are still teething problems.

“When using the products and services of IT service providers, EU institutions outsource the processing of large amounts of personal data,” the statement continues.

“Nevertheless, they remain accountable for any processing activities carried out on their behalf. They must assess the risks and have appropriate contractual and technical safeguards in place to mitigate those risks. The same applies to all controllers operating within the EEA.”

One development which could result in additional scrutiny is The Hague Forum, an initiative to create standardised contracts for European member states which meet the baseline data protection and privacy conditions set forward. The European Data Protection Supervisor has encouraged all European institutions to join the Forum.

Although GDPR was seen as a headache for many companies around the world, such statements from the European Data Protection Supervisor prove this is not an area which can simply be addressed once and then forgotten. GDPR was supposed to set a baseline, and there will be more regulation to build further protections. Perhaps the fact that Microsoft is seemingly non-compliant with current regulations justifies the introduction of more rules and red-tape.