Luca Luchetti & Dr. El Hanini Taki Eddine
The new digital opportunities at the time of COVID-19.
Today democratic governments need more than ever digital tools and personal data to combat the ongoing pandemic, but excessive sharing of the latter can affect the freedoms and rights of individuals, conquered after years of hard battles.
The United Nations Department of Economic and Social Affairs (UNDESA), in the Policy briefing No. 61 published on the 14th April 2020, highlighted the need for governments to make full use of digital technologies to combat COVID-19 and address the various pandemic related issues. Some states have already used known computer technologies to respond to the crisis, adopting measures that allow the use of digital communication channels to provide reliable information on the development of the virus at a national and global level. At the same time, technology is rapidly identifying new innovative to deal with this exceptional situation. In the programming document of UNDESA, it is stated that “The pandemic is compelling governments and societies to turn toward digital technologies to respond to the crisis and, increasingly, is requiring governments to adopt an open government approach and to use digiÂtal communication channels to provide reliable inforÂmation on global and national COVID-19 developments." For this reason, more states are considering starting collaborations with large technology companies. Google has begun to share part of its vast location data collection with public health care researchers and epidemiologists to help to trace the movement of its users.
Bending Spoons, the Italian company that has been chosen by the Italian government, has developed a proximity tracking application to track down those who have had contact with COVID-19 patients. Google and Apple have announced the introduction of programming interfaces for Android and iOS applications to facilitate the voluntary traceability of contacts via Bluetooth Low Energy transmissions.
The issues that all this entails are not, however, of little importance, given that, inevitably, there will be a direct impact on the lives of citizens, who will see other rights and freedoms hitherto taken for granted.
The effect of Coronavirus on the economy is not yet quantified and the only certainty is that the crisis triggered by COVID-19 and the consequent lock-down will burn millions of jobs across Europe.
According to the investment bank Goldman Sachs, the unemployment rate in the eurozone could rise to 11% by the middle of the year with particularly conspicuous leaps in Spain, to 23%, and in Italy, where the percentage of unemployed could reach 17%.
The lock-down has forced the Italian government to put in place a package of interventions worth more than 55 billion euros.
However, vaccines or other treatments are unlikely to materialize before mid-2021; therefore, national governments will necessarily have to take this into account in the next inevitable interventions in support of public health care and the economy.
To date, the only model that appears effective in containing the spread of the virus, in an already partially reopened economy, is the combination of large-scale tests, the widespread use of personal protective equipment and the use of surveillance, with, however, as mentioned, the inevitable consequences on the rights and freedoms. The governments of Hong Kong, Singapore, South Korea and Taiwan have all managed to avoid prolonged lock-downs - some even by keeping businesses, restaurants and schools open - by applying this combined approach, but the restrictions have been extreme, and many rights have been temporally limited.
The Italian experience as a European benchmark?
In Italy, the spread of the virus has suddenly undermined the freedoms and fundamental rights, which have never been questioned since the period from the end of world war II onwards. In fact, just three months earlier, the lock-down of China seemed, seen from the West, to be a draconian imposition by an authoritarian state, on March 8, 2020, with a special DPCM (Prime Ministerial Decree), the government imposed measures for the containment and contrast of the spread of COVID-19 throughout the national territory, prohibiting, among others, any form of a gathering of people in public places or places open to the public, limiting travel, as well as industrial and commercial activities, that have been reduced to the essential ones.
The pandemic and the consequent measures to combat it, therefore immediately led to a contrast between the protection of public health and the fundamental democratic principles such as freedom of movement and citizens' privacy. If the situation does not improve rapidly, further limitations on civil liberties and individual rights could be foreseen, and this can happen in the digital sphere.
At present, there are few reasons to believe that the end of the emergency will result in an immediate easing of the ongoing limitations. The pandemic is likely to last longer than the public can tolerate. Considering, therefore, that we will have to live together for a long time in this situation, how can a right balance be found between health care, understood as the fundamental right of every citizen and the interest of the community, and other rights such as the right of privacy that with the use without control of the technology risks to undermine in its essence? And this, in Italy, can only happen in compliance with democratic and constitutionally guaranteed principles. As the President of the Constitutional Court, Marta Cartabia recently recalled, " the Constitution does not contemplate a special right for exceptional times, and this for a conscious choice, but offers the compass to 'navigate the open sea' in the times of crisis ".
The complex relationship between the right to health care and the right to privacy.
The relationship between citizens' right to health care and privacy has always been complex and has undergone further repercussions in recent months. The President of the Authority for the protection of personal data, Antonello Soro, recently declared that " Privacy is neither an obstacle to the effective action to prevent contagion nor, even less, a luxury which, according to some, should be renounced in emergency times. It is a right of freedom which, like any other fundamental right, subject to balance with other legal assets, modulates its intensity and its content based on the specific context in which it is exercised ".
The emergency must be able to foresee every possible derogation, provided that it is not irreversible; in other words, it must not be for the Guarantor a point of no return, but a moment in which to prudently modulate the relationship between norm and exception.
The current legislation on the processing of personal and sensitive data in the health care sector is somewhat controversial, precisely because it is considered not always functional to the needs of urgency and guarantee of the health care of the citizen and because it’s seen by many only as a bureaucratic burden. The same General Data Protection Regulation (the so-called GDPR - General Data Protection Regulation ) does not provide for a complete and specific discipline for the processing of personal data carried out in the health care sector beyond some references to the application of certain rules or institutions. But the real issue that arises today is whether the tracing of the infected and the related processing of personal data can legitimately coexist, not only in the emergency phase, taking into account the impact that this has on constitutionally guaranteed rights and freedoms.
It must be said that both the current provisions of the GDPR (art.6, Lett. e-d and art.9, par.2, lett.i) and those of the Italian Privacy Code (art. 2-sexies and 126) and the same emergency legislation (in particular, art. 14 of Legislative Decree 9 March 2020, n. 14) seems to legitimize the tracking, considering that they meet a specific health protection purpose and find their legal basis in the safeguard of vital interests of the interested person or other persons (art.6, par.1, letter d), that is in the need to perform tasks of public interest or the exercise of public powers with which the data controller is invested (art . 6, par. 1, letter e). Concerning health care data, art. 9, co. 2, of the GDPR, moreover, expressly states that it is not forbidden to process these categories of data, when, among others, the processing is necessary: (i) processing is necessary for reasons of substantial public interest, on the basis of European Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;(letter g) and (ii) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of European Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular, professional secrecy;(letter i).
Article. 126 of the Italian Privacy Code also allows the use of geo-localized data if they are processed anonymously or if the user has previously expressed his consent.
These compromises of privacy find their justification, for reasons of protection of public safety, in the same 46th Recital of the GDPR which considers the treatment lawful when it responds to pre-ordered interests like when " Some types of processing may serve both important grounds of public interest and the vital interests of the data subject for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.". So true that the GDPR itself authorizes the compression of privacy to safeguard, through legislative measures, the security or public health (art.23, GDPR), even if it was necessary to use, in a non-anonymous or without the consent of the interested party, geo-localized data (art.15, Directive 2002/58 / EC).
Therefore, in the legislation in question, principles are found which, while recognizing a primary value to privacy, determine its compliance in certain cases concerning other rights, such as that, in fact, to health, and fundamental freedoms and functions constitutionally entrusted to the State. However, limitations must always be proportionate and respectful of constitutional principles.
It is time for a digital rights reform.
Without prejudice to the usefulness or otherwise of the new tracking apps, until there are swabs for a large percentage of the population that will allow better monitoring of the progress of the virus, the question that arises is where our data will be saved, how will they be treated and, above all, what safeguards will we have? In fact, how can we be sure that our sensitive data will not be fragile to cyber-attacks? And once the emergency is over, what will happen to the data collected in the app such as the much-publicized named "Immuni"?
COPASIR, the Parliamentary Committee for the Security of the Republic, on 14th of May 2020, approved the report on the application of tracking contacts through the "Immuni" app. The report highlights, however, that "it may be appropriate to verify that no national and especially international actor, including the company, awarded the app's development, can in any way have direct or incidental access to the data collected, even if this person has given any contribution - including technological - for the implementation or effectiveness of the Covid-19 national alert system. This is to prevent such information - relevant both in terms of quality and quantity and above all in terms of capillarity - from getting more or less directly into the possession of European and international actors, both public and private, interested in various capacities ". This means that it will be necessary to ensure in any way that there is no possible transmission of data to external companies, for any reason involved in the operation of the app, such as, for example, they could be Apple or Google. The document in question will be sent to Parliament where the decree-law which sets the legal framework for the operation is under discussion. But we cannot stop at this.
It is increasingly urgent to intervene more generally, through an organic reform, on digital rights, to be understood as the rights of the individual as they exist in every other aspect of life, in the new perspective of digital technology. Hence the need that work begins immediately on a legislative text that completely regulates these rights to protect citizens and businesses, not only in an emergency but also subsequently and must be done before things can precipitate and the people permanently lose control of their data online.
Must not forget that the hypothesized tracing is used to follow the movements and meetings of an individual so that if after it turns out that the owner of the app is positive, he can warn and control all the people with whom he has come into contact in the last two weeks. But this raises not only confidentiality issues but also a different question of constitutional legitimacy, given that art. 16 of the Constitution allows limitations on the freedom of movement and residence, only if " the law establishes for health or safety reasons ".
And until now a law on these new apps is missing and the time has come to intervene because our rights cannot also fall victim to COVID-19.
Avv. Luca Luchetti & Dr. El Hanini Taki Eddine