Privacy & Covid-19 Country Reports

Editorial Board Ruby Rosselle Tugade, LL.M., Editor-In-Chief Raphael Lorenzo A. Pangalangan, M.St., LL.M., Managing Editor Amer Madcasim, Jr., MA, Editorial Assistant

Editors Mashal Aamir, M.Phil., Isabel L. Guidote, MA., Lucas Nacif, LL.M., Antonio Bonifacio C. Reynes, J.D., Anton Miguel Sison, J.D., Michael Tiu, LL.M., Vinitika Vij, LL.M.

Design Editor Konstantinos Tsakiliotis

Illustration Credit “Balcony Concerts”, Catherine Cordasco

Submitted for United Nations Global Call Out To Creatives - help stop the spread of COVID-19, https://unsplash.com/photos/gMPsl1ez-Ts

Inquiries may be directed to [email protected]

DOI: 10.5281/zenodo.4540902

Copyright © 2021, Institute for Internet and the Just Society e.V.

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License (CC BY-NC 4.0) by its copyright owner, Institute for Internet and the Just Society e.V. To view this license, visit: (https://creativecommons.org/licenses/by-nc/4.0/). For re-use or distribution, please include this copyright notice: Institute for Internet and the Just Society, Privacy & Covid-19 Country Reports, www.internetjustsociety.org, 2021

About us

The Institute for Internet & the Just Society is a think and do tank connecting civic engagement with interdisciplinary research focused on fair artificial intelligence, inclusive digital governance and human rights law in digital spheres. We collaborate and deliberate to find progressive solutions to the most pressing challenges of our digital society. We cultivate synergies by bringing the most interesting people together from all over the world and across cultural backgrounds. We empower young people to use their creativity, intelligence and voice for promoting our cause and inspiring others in their communities. We work pluralistically and independently. Pro bono.

Contents

Foreword

Summary Evaluation

Brazil
By Andreu Wilson, Daniel Becker, Natália Brigagão, Victor Silveira, Vinícius Alvarez

Croatia
By Alina Škiljić

Finland
By Mikko Rudanko

Ireland
By Cian Henry & Matthew Nuding

The Netherlands
By Merel van Gils

The Philippines
By Dr. jur. Ma. Angela Leonor Aguinaldo, J.D., LL.M

Foreword

We shouldn't have to make a choice between health and privacy. For this, we publish a collection of country reports on the legislative and regulatory measures taken in the respective jurisdictions in response to Covid-19 from a human rights and rule of law perspective, with particular focus on privacy rights. The objective of the country reports is to offer an overview of the main, or most problematic, measures, and to highlight “alarm bells” and “best practices” in assessing the state of privacy and data protection amidst the current pandemic.

Data is crucial in the fight against the pandemic but not unchecked

Governments are taking unprecedented steps to track, trace, contain and mitigate the spread of Covid-19 by resorting to digital technologies and advanced analytics to collect, analyse and share data for front-line responses. Data is essential for efficiently tackling the pandemic and forecasting the spread of the virus, to assess the resources of health care systems and to evaluate the efficacy of policies restricting the movement of individuals.

While contact-tracing technologies can be useful to limit the spread of the virus, if left unchecked, they can also be misused for extensive collection and sharing of personal data, mass surveillance, limiting individual freedoms and challenging democratic governance.

Core principles of data protection should apply

According to the European Data Protection Board, data subjects should receive transparent information on the processing activities that are being carried out and their main features, including the retention period for collected data and the purposes of the processing. Measures implemented to manage the current emergency and the underlying decision-making process should be appropriately documented. Transparency and effective communication are not solely dictated by data protection objectives. They are crucial for establishing public trust in the emergency measures taken and broad compliance with them, a requisite for effective democratic governance.

Governments, in multistakeholder consultations, must therefore reconcile the risks with the benefits of the data processing while guaranteeing that any extraordinary measures are proportionate to the risks and are implemented with full transparency, accountability and a commitment to immediately cease or reverse exceptional uses of data when the crisis is over.

With the following publication, we hope to contribute to the global policy and research discourse for an efficient and human rights compliant handling of the Covid-19 pandemic. I would personally like to wholeheartedly thank our authors for shedding light on the measures of their respective jurisdictions: Alina Škiljić, Mikko Rudanko, Dr. jur. Ma. Angela Leonor Aguinaldo, J.D., LL.M, Merel van Gils, Cian Henry, Matthew Nuding. Special thanks to Ruby Rosselle Tugade and Raphael Lorenzo A. Pangalangan for their outstanding work in managing and coordinating an international team of editors, without whom this result would not have been possible.

Of course, we all at our institute could not be prouder since we are presenting you our very first publication.

Konstantinos Tsakiliotis President

Summary Evaluation

I. Brazil

Best Practices

− Emergency income was provided to tens of millions of Brazilians who are non-“CLT” workers, deprived of any social assistance and of labour rights comparable to those of CLT workers.
− Personal health data were aggregated and anonymized before being processed by the authorities.
− The Plenary of the CNJ unanimously approved, in October 2020, Resolution No. 345, which allows the courts to adopt the so-called “100% Online Court”. This means that all procedural acts, such as hearings, summons and trial sessions, will be carried out exclusively electronically and remotely, during office hours, via the internet.
− Evidence that the country has very qualified and competent technical personnel, and strong institutions which are capable of curbing and resisting authoritarian measures.

Concerns

− No proper assessment of the applicable human rights obligations, which might constitute a breach of certain guarantees enshrined in the International Covenant on Economic, Social and Cultural Rights.
− Digital applications to the Emergency Aid discriminated against persons living in poverty who are unable to use basic digital tools, and against indigenous people. Cases of fraud highlighted cybersecurity flaws.
− The persistent documentary exclusion of about 3 million people in Brazil has prompted specialists’ calls for expanding digital identities in the country.
− The pandemic struck Brazil when the country was still adapting to the General Data Protection Law (Law No. 13,709/2018), which only came into force in August 2020. As such, some of public entities’ initiatives to provide responses to the pandemic by treating personal data were met with skepticism by judicial authorities.
− Impaired access to justice: a backlog of almost 80 million lawsuits waiting for a final and binding decision.

II. Croatia

Best Practices

− AZOP’s endeavours to clarify the most pressing pandemic-related privacy and data protection implications (especially with respect to giving a clear guidance for pandemic-induced processing of health data in the employment context);
− Avoidance of prescribing measures which are per se very intrusive (such as mandatory monitoring applications and mechanisms and temperature measurements);
− Attempts of the Croatian Government to develop digital technologies as privacy friendly as possible, including by contracting trusted third parties (although these attempts have not been completely successful, as noted below and in the report).

Concerns

− Insufficient regulation and absence of a concrete legal framework for data and privacy protection during the pandemic;
− Insufficient control and investigations conducted by AZOP for inspecting privacy and data protection compliance during the pandemic;
− Not making non-privacy-related legal and policy documents, which could form the legal basis for data processing, officially binding (but merely recommendatory in form), thus leaving data controllers without clear guidance;
− Insufficient regulation and clarification of special measures (such as envisaged power of the police to conduct checks of private gatherings), but rather giving vague explanations in press conferences and newspapers;
− Release and use of digital technologies raising data protection concerns (such as an interactive AI assistant intended to give “health” advice to citizens, which makes it immensely hard to control the collected data, and the ambiguity associated with the Stop COVID-19 application);
− Absence of public alertness and specific cybersecurity measures to cope with the increased cybersecurity threats arising from shifting to remote work.

III. Finland

Best Practices

− Caution in the use of emergency powers, parliamentary right to review.
− Quick and controlled response when needed (Uusimaa region lockdown).
− Right to privacy recognized (tracing app, workplace, customer information).
− No prohibition or sanction without law or regulation, proportionality.
− Trust and transparency in measures, focus on individual responsibility.
− Cooperation between authorities, rapid action locally and regionally.

Concerns

− Practical issues with the implementation of lockdown on short notice.
− Even over-reliance on recommendations and individual responsibility.
− Excessive optimism and among people.
− New legislation needed if the situation worsens (face masks, private events).

IV. Ireland

Best Practices

− Empirical study of the effectiveness of and clear communication of findings to the public.
− Assessment of which health statistics can and cannot be published, balancing public health goals and data protection principles.
− Review of contact tracing by retail businesses and improved training/oversight.
− Review of cybersecurity strategy, with special regard to COVID-19 risks.
− Examination of impact of WFH technologies on privacy rights, and issuance of guidance to employers.

Concerns

− Under-justification/lack of transparency regarding effectiveness of contact tracing.
− Lack of scrutiny of /Apple API technology used by COVID-19 Tracker App.
− Data protection concerns regarding manual contact tracing by retail businesses.
− Vulnerability to cyber-security attacks especially due to prevalence of WFH.
− Privacy burden of technology relied upon for WFH.

V. The Netherlands

Best Practices

− Extensive privacy rights and regulations provided for in law.
− The government is open to criticism and actively listens to and tries to implement comments on their COVID-19 related policies.
− A ‘Corona Bill’ enters into force on December 1st and will form a democratically legitimised legal basis for COVID-19 related measures.
− Authorities have developed a tracing app which does not collect any personal information by design.
− Many COVID-19 related measures are not compulsory, but observed on a voluntary basis.
− Measures relating to are not strictly mandatory in the private sphere of citizens’ homes.

Concerns

− Far-reaching measures have been based on local emergency ordinances instead of a democratically legitimized law for a considerable length of time.
− Not all measures have sufficient legal bases.
− Citizens have been obliged by the government to gather personal details, including medical information, but have no idea how to adequately apply the often complex privacy regulations.

VI. The Philippines

Best Practices

− As early as January 2020, the Inter-Agency Task Force on Emerging Infectious Diseases convened to discuss the threat of the novel coronavirus from Wuhan, China.
− There was recognition by the government to “address the pandemic’s threat and likewise capacitate government agencies and local government units to immediately act to prevent loss of life, utilize the appropriate resources, mitigate the pandemic’s effects and its impact to the community, and prevent serious disruption of the functioning of the government and the community” via Proclamation No. 922.
− Emergency powers provided under the Bayanihan to Heal as One Act were only for a limited period of time.
− Any emergency powers provided by the Bayanihan to Recover as One Act are more limited compared to its predecessor law.
− There was recognition and affirmation of constitutional supremacy in the provisions of both the Bayanihan to Heal as One Act and its successor Bayanihan to Recover as One Act.
− The maintenance of oversight function under the Bayanihan pieces of legislation.
− Privacy and non-discrimination rights are in general provided in law.
− Provisions are provided to encourage efficacy and efficiency in response to COVID-19.
− Laws do not only address the public health aspect of the problem but likewise the economic issues especially vis-à-vis the stimulation package provisions provided in the Bayanihan to Recover as One Act.

Concerns

− Top-down and state-centric approach adopted by the government, even if with consultation with local government authorities, may be too myopic to be effective in addressing the different issues and problems brought by COVID-19.
− Efficiency and efficacy issues.
− While any law is subject to abuse by law enforcement authorities and government officials, the securitization of COVID-19 has led to different abuses and human rights violations.
− Disenfranchisement of actors who can contribute to viable and meaningful solutions; a highly state-centric approach towards a non-traditional security issue.
− Disjunct between law in books v law in practice.
− Unequal distribution of benefits and restrictions.
− Alleged misuse and abuse of COVID-19 legislation against detractors, activists, and commentators on government action.
− Limitations on freedom of movement used as means to conduct human rights violations.
− Excessive use of force and/or criminal behavior in implementing COVID-19 measures.
− “False information” or “fake news” penal provision as mala prohibitum misused and abused; questionably void for vagueness.
− Lack of parameters on privacy and data protection vis-à-vis possible takeover or directing of operations of public utilities, medical facilities and other necessary facilities such as telecommunications or holders of personal data and information.

Brazil

By Andreu Wilson, Daniel Becker, Natália Brigagão, Victor Silveira, Vinícius Alvarez

I. Introduction

Brazil is one of the countries most affected by the COVID-19 pandemic, which has already caused more than 187.000 deaths as of December 23, 2020. There have also been more than 5 million people diagnosed with the disease in Brazil since March. In order to try and mitigate the effects of the pandemic, governmental entities have taken action at all levels (Federal, State and Municipal), with varying degrees of success. This report does not seek to provide an exhaustive list of all the issues and measures, but only to point out the main reflections of the Covid-19 pandemic and to offer a critical review of their impacts on Brazilian society.

II. Covid-19 and the right to adequate standard of living

Among the measures taken to try and combat and limit the spread of the virus, quarantines were decreed (with more or less intensity) in several states and municipalities. The Brazilian Federal Government did not impose a mandatory lockdown for the whole country and the Brazilian Supreme Court (Supremo Tribunal Federal - STF) decided that Mayors and Governors were allowed to rule on lockdown and isolation measures.1

Mainly because of such lockdown measures the Brazilian economy (already facing a severe economic crisis in the recent years) was severely impacted. Only essential economic activities were allowed to continue during lockdown, and, even still, with various restrictions. As for non-essential activities, these were largely suspended for more than 6 months, with millions of companies going bankrupt and relevant effects on less qualified workers. As of the second quarter of 2020, Brazil currently has 13.5 million unemployed people.2

1 Brazilian Federal Supreme Court, ‘Claim of Non-Compliance with a Fundamental Precept’, ADPF No. 672, Distrito Federal, Justice Rapporteur Alexandre de Moraes, Accessed on 27.10.2020.

In Brazil most of the labour rights are granted only to duly registered workers (the so-called “CLT” workers, which are subject to the Brazilian Decree No. 5.452/43 – Consolidação das Leis do Trabalho). By contrast, because less qualified workers and those with lower wages are deprived of any social assistance and comparable labour rights to CLT workers, the government responded by providing emergency income for tens of millions of Brazilians, as will be further detailed below.

Indeed, the Brazilian Federal Constitution grants every Brazilian citizen a right to an adequate standard of living for himself and his family, which includes access to adequate food, clothing, and housing, and to the continuous improvement of living conditions. Most of these guarantees, which already faced significant constraints in Brazil, became even more severely impacted by the pandemic.

Although the Brazilian government has taken certain steps to mitigate the harmful effects of the pandemic on the population, it has done so without a proper assessment of the applicable human rights obligations, which might constitute a breach of certain guarantees enshrined in the International Covenant on Economic, Social and Cultural Rights, of which Brazil is a signatory, especially in relation to economic welfare.3

III. Covid-19 and Government Response

The “Auxilio Emergencial”4 or “Emergency Aid” – a cash transfer program providing for emergency aid of R$ 600.00 for those who are not formally employed and with a per capita income below 1/4 of the minimum wage or family income less than 3 minimum wages – was designed to alleviate the pandemic’s harmful impact over their livelihoods. The program was initially designed to last for 3 months (as of April 2020), but has been extended until December 2020.5

Although the Emergency Aid programme gained praise for attempting to alleviate extreme poverty during the Covid-19 pandemic, such program has also been criticised due to its inaccessibility, preventing several vulnerable groups from fully exercising their right to social security on an equal basis.

2 Instituto Brasileiro de Geografia e Estatística (IBGE), ‘Dashboard of Indicators’, (IBGE, 2020), <https://www.ibge.gov.br/indicadores#desemprego>, Accessed on 27.10.2020.
3 Decree No. 591, 6 July 1992
4 Law No. 13.982, 2 April 2020
5 Provisional Measure No. 1.000, September 2, 2020

Firstly, applications to the Emergency Aid program were made through an app, which constitutes a significant barrier to persons living in poverty, who are often unable “to use basic digital tools at all, let alone effectively and efficiently”6 as they tend to have limited or inexistent digital literacy and internet access.7 Similar access issues were faced by indigenous peoples.8 Those who did manage to apply and became beneficiaries also faced problems when using a second app, “Caixa Tem”, to access their entitlements, which was indispensable for those who did not include an existing bank account in their application.9 There have also been reports of fraud in the apps,10 which denotes serious cybersecurity flaws.

These obstacles can be better understood in light of the dynamics of a larger phenomenon, the “digital welfare state”, in which “systems of social protection and assistance are increasingly driven by digital data and technologies that are used to automate, predict, identify, surveil, detect, target and punish”.11 In this context, the lack of genuine alternatives to digital mechanisms exacerbates inequalities between different groups, especially when digital welfare programs are not “accompanied by programs designed to promote and teach the digital skills needed and to ensure reasonable access to the necessary equipment, as well as effective online access” and systems are not “co-designed by their intended users and evaluated in a participatory manner” as was the case of the Emergency Aid.12

6 Philip Alston, Report of the Special Rapporteur on extreme poverty and human rights, (U.N. Doc. A/74/493) 15 at [45], Accessed on 27.10.2020
7 Olivier de Schutter, Looking back to look ahead: A rights-based approach to social protection in the post-COVID-19 economic recovery, (OHCHR, 11 September 2019), <https://www.ohchr.org/Documents/Issues/Poverty/covid19.pdf>, Accessed on 16.11.2020
8 APIB, “Manual Orienta Indigenas Como se Proteger do Virus e Pedir Auxilio Emergencial”, (APIB, 27 April 2020), Accessed on 27.10.2020.
9 Marcelo Oliveira, “Usuários reclamam de dificuldades para acessar o aplicativo Caixa Tem”, (UOL Economia, 20 April 2020), Accessed on 27.10.2020
10 G1, “Trabalhadores são vítimas de golpe e têm o dinheiro sacado do FGTS emergencial; veja como se prevenir”, (G1, 2 October 2020), Accessed on 27.10.2020.
11 Philip Alston, Report of the Special Rapporteur on extreme poverty and human rights, (U.N. Doc. A/74/493) 4 at [3], Accessed on 27.10.2020

The use of technology can have additional impacts on eligibility assessment as well, transforming it “into an electronic question-and-answer process that almost inevitably puts already vulnerable individuals at even greater disadvantage” especially due to the rigidity of rule applications and the lack of possibility of “meaningful questioning or clarification”.13 Applicants to the Emergency Aid experienced this very challenge. Many low-income families were deemed ineligible since databases used for such purposes were severely outdated14 – impairing access by those who, despite their previous financial background, are currently living in poverty or in a difficult financial situation and should be entitled to the benefit.

There were also reports of unfair exclusion of incarcerated persons and their family members, many of whom had their benefits withheld in the first round of concessions without any legal justification. As the database used for their identification is not updated frequently, the issue might have impacted people who were previously incarcerated as well.15 Their case highlights the fact that the “imposition of technological requirements can make it impossible or very difficult for individuals” to effectively exercise their right to access and maintain social security benefits without discrimination.16

IV. Covid-19, policymaking, and Data Protection

Amid the policy response to the Covid-19 pandemic, Brazilian authorities seem to have grasped that obtaining further data on their citizens makes it easier to build policies for people who are in need of public services. This has highlighted the importance of government entities seeking access to citizens’ personal data in order to plan courses of action that are both data-based and effective, such as policies which aim to combat the spread of the disease, as well as policies that are able to help people most affected by the public health and economic crises. At the same time, the pandemic has also highlighted the importance of building these policies around sound privacy standards, to ensure both their safety and compliance with Privacy and Data Protection statutes and regulations, such as the Brazilian General Data Protection Law (Law No. 13,709/18) and Executive Decree No. 10,046/19, which regulates the processing of personal data by public entities.17

12 ibid, 16 at [49]
13 ibid, 17 at [55]
14 Letícia Bartholo, Andrea Barreto de Paiva, Marco Natalino, Elaine Cristina Licio and Marina Brito Pinheiro, As Transferências Monetárias Federais de Caráter Assistencial em Resposta à Covid-19: Mudanças e Desafios de Implementação, (Instituto de Pesquisa Economica Aplicada (IPEA), Nota Tecnica 72) 12.
15 ibid; Adriana Fernandes and Camila Turtelli, “Governo nega auxílio emergencial para parentes de presos”, (UOL Economia, May 14, 2020), Accessed on 27.10.2020.
16 Philip Alston, Report of the Special Rapporteur on extreme poverty and human rights, (U.N. Doc. A/74/493) 17 at [51], Accessed on 27.10.2020

The aforementioned federal Emergency Aid is a good example of this trend: even though the Brazilian government had spent many years consolidating the Ministry of Citizenship’s Single Register (Cadastro Único) to identify vulnerable families who are eligible for conditional cash transfers from the Programa Bolsa Família (PBF), with huge impacts on narrowing the longstanding gap in socio-economic inequalities in the country,18 as of 2015, the number of undocumented Brazilians still stood at 3 million. Available evidence suggests that many Brazilians who are eligible for Emergency Aid entitlements are unable to file for it because they do not have a natural person’s register number (Cadastro da Pessoa Física - CPF), nor any other document that would be required in order to obtain a CPF, such as birth certificates.19 The persistence of documentary exclusion in Brazil has prompted specialists’ calls for expanding digital identities in the country, following foreign examples, such as India’s Aadhaar.20

The Indian experience is noteworthy: Aadhaar, created in 2009, is a twelve-digit digital identity available to every Indian citizen, which brings together individuals’ personal and biometric information. Since its creation, the program has been integrated into a plethora of public services, from cash transfer programs such as Direct Benefit Transfer (DBT) to criminal background checks for issuing passports and certifying voter registration.21

17 Danilo Doneda, A proteção de dados em tempos de coronavírus (Jota, 25 March 2020), Accessed on 27.10.2020.
18 Diogo R. Coutinho, Capacidades estatais no Programa Bolsa Família: o desafio de interação com a assistência social na consolidação do SUAS, (IPEA, Document No. 1852, August 2013)
19 G1, ‘Milhões de brasileiros não têm nenhum documento de identificação’ (G1, 16 May 2020), <https://g1.globo.com/jornal-nacional/noticia/2020/05/16/milhoes-de-brasileiros-nao-tem-nenhum-documento-de-identificacao.ghtml>, Accessed on 27.10.2020.
20 Ronaldo Lemos, ‘Identidade digital, pergunte à Índia’ (Jornal Folha de S. Paulo, 31 May 2020), <https://www1.folha.uol.com.br/colunas/ronaldolemos/2020/05/identidade-digital-pergunte-a-india.shtml>, Accessed on 27.10.2020; Marcelo Medeiros, ‘Um plano para os mais pobres’, (Revista Época, 19 June 2020), <https://epoca.globo.com/economia/artigo-um-plano-para-os-mais-pobres-24486937>, Accessed on 27.10.2020.

Data protection, however, is a large part of this challenge, as demonstrated, in India, by public controversy surrounding Aadhaar’s potential uses for surveillance purposes and risks to citizens’ privacy.22 In Brazil, the Emergency Aid program, for instance, has shown evidence of low standards of cybersecurity: as of August, both the Comptroller General’s and the Attorney General’s offices had received almost 12 thousand complaints of fraud/identity theft involving unauthorized third parties gaining access to Emergency Aid entitlements by using eligible beneficiaries’ CPFs to do cash transfers without their consent or knowledge.23

Governments have also sought to devise their pandemic-fighting strategies around treatment of citizens’ personal data, perceiving it as a policymaking resource. We have chosen to highlight two specific initiatives in this regard.

First, the Brazilian Single Health System (Sistema Único de Saúde - SUS)’s “Coronavirus SUS” app.24 At first, this was simply a way of informing users of the main recurring Covid-19 symptoms and providing them with instructions on whether to test or not, as well as other preemptive measures to avoid spreading the disease, such as washing hands, cleaning surfaces and wearing masks.25 Afterwards, the app began to ask users to (i) report whether they had recently tested positive for Covid-19, and (ii) grant permission to access their geolocational data. With this information, the app informs other users if they have recently come in range of infected individuals and thus instructs them to quarantine themselves and take tests. In terms of data protection, the app anonymizes the data by attributing a random code to each phone, making sure that only this code is shared with other users’ phones, via .26

21 Kalyani Menon Sen, ‘Aadhaar: Wrong Number, Or Big Brother Calling’. Socio-Legal Review, Vol. 11, n. 2, 2015, pp. 85-108. Smriti Singh, ‘Understanding Aadhaar: The Unique Identification Authority of India and Its Challenges’. Human Rights Defender, Vol. 27, n. 3, 2018, pp. 21-24.
22 In particular, privacy advocates argued that some public services required that citizens obtained Aadhaar identities to gain access to their entitlements, which, in practice, forced them to provide personal data well beyond the amount strictly needed by public entities. This constituted a violation of their informational self-determination, and thus of their basic right to privacy, as ruled by the Indian Supreme Court in 2017. See Varun Kalra; Ramisha Jain, ‘An Armistice between Right to Privacy and Right of Surveillance’. Indian Journal of Law & Public Policy, Vol. 4, n. 1, 2017, pp. 1-23.
23 Otávio Augusto, ‘CGU registra 11 mil denúncias de fraude no pagamento do auxílio emergencial’ (Metrópoles, 19 August 2020), Accessed on 25.10.2020.
24 Government of Brazil, ‘Coronavírus – SUS’, Accessed on 25.10.2020.
25 Escola Nacional de Saúde Pública, ‘Coronavírus: SUS lança app com informações da doença no Brasil’, (Rede Brasileira de Escolas de Saúde Pública, 2020), Accessed on 25.10.2020

The other noteworthy initiative is the Intelligent Monitoring System (Sistema de Monitoramento Inteligente - SIMI), implemented by the State of São Paulo’s Secretariat for Economic Development.27 SIMI functions as a massive aggregator of data concerning the evolution of the Covid-19 pandemic in São Paulo (Brazil’s largest city, with a population of over 12 million), providing the State with relevant information regarding the number of cases and deaths, the occupation rate of intensive care units (ICUs) in each city, the effectiveness of social distancing, among others. This information is in turn used to justify the government’s imposing or lifting of administrative restrictions in each city (Plano São Paulo).28

SIMI operated by collecting patients’ health data, as well as geolocational data provided by cellphone users, which is used by telecom companies to keep track of social distancing in each part of the State and then shared with the government’s Institute for Technological Research (Instituto de Pesquisas Tecnológicas - IPT). As per the technical cooperation agreement signed by the IPT and the telecom providers, the São Paulo state government is not directly involved in the treatment of users’ geolocational data, but with the isolation indexes, which are drawn by the companies themselves. As such, the São Paulo government claims that it does not have access to users’ and patients’ personal data, which is provided to it after being aggregated and anonymized.29

The pandemic struck Brazil when the country was still adapting for the General Data Protection Law (Law No. 13,709/2018), which had been approved and sanctioned in August 2018, but only came into

26 Rodrigo Trinidade, ‘App Coronavírus SUS agora vai avisar quando usuário foi exposto; entenda’ (Tilt, 31 July 2020), , Accessed on 25.10.2020.
27 State of São Paulo’s Executive Decree No. 64,694/2020, Accessed on 25.10.2020.
28 Government of São Paulo, ‘Retomada Consciente: Plano São Paulo’ (Government of São Paulo, 2020), , Accessed on 25.10.2020.
29 Instituto de Pesquisas Tecnológicas (IPT), ‘Perguntas sobre isolamento social’, (IPT, 3 June 2020), , Accessed on 25.10.2020.

force in August 2020. As such, some public entities’ initiatives to provide responses to the pandemic by treating personal data were met with skepticism by judicial authorities, given their apparent low appreciation and regard for privacy and information security standards. An example of this was Provisional Measure No. 954/2020, issued by President Jair Bolsonaro in April, which obligated phone companies to share their clients’ full names, phone numbers and addresses with the Brazilian Institute of Geography and Statistics (Instituto Brasileiro de Geografia e Estatística - IBGE), which would then use this data to conduct interviews in order to build statistical figures – used to design policies to contain the spread of the disease.

While reviewing writs of injunction filed by several opposition parties and by the Federal Council of the Brazilian Bar Association (Ordem dos Advogados do Brasil - OAB), the Court stayed the provisional measure’s effects, ruling that even though the General Data Protection Law had not yet come into force, the Privacy and Data Protection Law principles on which it is grounded are implicit in the basic rights to freedom and privacy, protected by the Federal Constitution.30 According to Justice Rosa Weber, the primary author of the opinion, the provisional measure had failed to meet the constitutional privacy and data protection requirements by creating an obligation to share data whose correlation to fighting the pandemic was not made clear (finality, adequacy, and necessity)31, as well as by not specifying the information security standards to be followed by treatment agents (security)32. As such, the provisional measure was stayed, and eventually became void, since the National Congress did not pass it into law in the period imposed by article 62 of the Federal Constitution33.

V. Covid-19 and access to justice

Recently, empirical reports from the Brazilian National Council of Justice (CNJ) have shed light on the extent of the backlog experienced by Brazilian courts. There is a backlog of almost 80 million lawsuits waiting for a final and binding decision (1 for every

30 MC in ADI No. 6,387, 6,388, 6,389, 6,390, 6,393, Primary Author: Justice Rosa Weber, trial on May 07th, 2020. Available at . Accessed on 27.10.2020.
31 Ibid., pp. 9-10.
32 Ibid., pp. 11-12.
33 Declaratory Act from the Chairman of the Brazilian National Congress No. 112 of 2020. Available at . Accessed on 27.10.2020.

2.6 inhabitants). Additionally, Brazil spends almost 2% of its Gross Domestic Product (GDP) on the Judiciary Branch, which is more than any other country in the world.34 There were many attempts to tackle the crisis of the justice system; however, all of them have thus far been unsuccessful. For instance, despite the efforts to promote alternative dispute resolution (ADR) mechanisms in Brazil, to date only 10% of lawsuits reach a settlement.

Implementing and adapting the use of technology in the Brazilian court system seems to be the only feasible solution. Adopting cutting-edge technology to solve legal disputes, therefore, is a major agenda of public and private stakeholders, and Brazil has experienced a huge growth in the number of legal technology companies as well as in the digitalization of courts and tribunals.

Even though efforts towards the use of technology to promote access to justice are not new, the pandemic proved to be an important milestone in this uphill battle.

In the context of the COVID-19 pandemic, the virtualization of the courts was compulsorily boosted. In addition, to boost and speed up procedural communications, companies and entities were obliged to register in the before courts to receive online services and subpoenas. Since 2 April 2020, the Brazilian National Council of Justice (Conselho Nacional de Justiça - CNJ), in partnership with Cisco, has provided a platform for the conduct of procedural acts through videoconference.35

In the same sense, in late April 2020, the Law No. 13,994/2036 was enacted to amend the Law No. 9,099/9537 (Small Claims Courts Law) to enable virtual conciliation hearings. The benefit, beyond addressing the public health issues posed by the pandemic, is that it makes it possible to conclude disputes in a cost- and time-efficient manner.

34 Fábio Fabrini, ‘Com estoque alto de processos brasil gasta 1,5% do PIB com judiciário’, (Folha de São Paulo, 5 October 2020), <https://www1.folha.uol.com.br/mercado/2020/10/com-estoque-alto-de-processos-brasil-gasta-15-do-pib-com-judiciario.shtml>, Accessed on 27.10.2020
35 Conselho Nacional de Justiça, ‘Plataforma Emergencial de Videoconferência para Atos Processuais’ (CNJ, 31 March 2020), Accessed on 27.10.2020. https://www.cnj.jus.br/plataforma-videoconferencia-nacional/
36 Law No.13.994, 24 April 2020
37 Law No.9.099, 26 September 1995

It was only during the pandemic that the Brazilian Supreme Court held the first videoconference trial session in its history, in April 2020.38

The Plenary of the CNJ unanimously approved, in October 2020, Resolution No. 345,39 which allows the courts to adopt the so-called “100% Online Court”. This means that all procedural acts, such as hearings, summons and trial sessions, will be carried out exclusively electronically and remotely, during office hours, via the internet. The choice of this system is optional and the court itself must decide whether to adopt it or not.40

Therefore, courts that implement the digital model will have a period of 30 days to inform the CNJ about the details of the implementation. In addition, when filing a claim, lawyers must provide their e-mail address and telephone number so that they can receive information about the progress of the lawsuit in which they operate.41

It should also be noted that the choice for the “100% Online Court” is optional and will be exercised at the time of filing the claim, and the defendant may oppose it. Without prejudice, until the award is delivered, the parties may withdraw their choice to use this new fast-track and online procedure. The new digital model follows the guidelines proposed by the Civil Procedure Code, which determines that preference should be given to electronic means for the practice of procedural acts, in view of the speed given to the process through the use of virtual means.42

Also, the implementation of remote work in the courts has proved to be extremely efficient. For instance, data from the Brazilian Superior Court of Justice (STJ) shows that, during the pandemic, it was possible to reduce its case backlog by 34 thousand cases.43

38 Supremo Tribunal Federal, ‘STF realizará em abril as primeiras sessões de julgamento por videoconferência de sua história’ (STF, 31 March 2020), Accessed on 27.10.2020. https://portal.stf.jus.br/noticias/verNoticiaDetalhe.asp?idConteudo=440483&ori=1
39 Consultor Jurídico, ‘Plenário aprova proposta para varas atuarem de modo 100% digital’ (Consultor Jurídico, 7 October 2020), <https://www.cnj.jus.br/plenario-aprova-proposta-para-varas-atuarem-de-modo-100-digital/>, Accessed on 27.10.2020.
40 Brazil, 9 October 2020, ‘Resolução CNJ nº 345/2020’, Accessed on 27.10.2020. https://atos.cnj.jus.br/files/original175500202010145f873b7482503.pdf
41 Brazil, 9 October 2020, ‘Resolução CNJ nº 345/2020’, Accessed on 27.10.2020. https://atos.cnj.jus.br/files/original175500202010145f873b7482503.pdf
42 Brazil, 16 March 2015, ‘Lei nº 13.105/2015’, Accessed on 27.10.2020. http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2015/lei/l13105.htm
43 Superior Tribunal de Justiça, ‘STJ supera desafios da pandemia e encerra primeiro semestre com marca de 250 mil decisões’ (STJ, 1 July 2020), Accessed on 27.10.2020, https://www.stj.jus.br/sites/portalp/Paginas/Comunicacao/Noticias/STJ-supera-

With all the difficulties brought by this new way of working, the numbers for 2020 were very significant and approached the marks of the same period in 2019. In the first half of this year, 203,601 lawsuits had summary decisions and, last year, 202,407. The Superior Court's total was 252,639 tried cases, while in 2019, the total number was 255,915.44

VI. Covid-19 and the Municipal Elections

Brazil is a Federative Republic divided into 26 states (and the Federal District), as well as 5570 municipalities.45 The Brazilian Federal Constitution mandates that elections are held every two years, which are divided into Municipal (Mayors and city council (Vereador)) and State and Federal (President, Senators, Federal Deputies (Deputado Federal), Governors and State Deputies (Deputado Estadual)), and the elections were scheduled for November 15 (first round) and November 29 (second round).

Although Brazil’s electronic voting system is quick in comparison to ballot voting, staging elections in a large country such as Brazil involves very complex and detailed logistics and, due to the mandatory and in-person voting requirements, more often than not leads to massive voting queues. This is naturally a problem in the current Covid-19 pandemic.

The Brazilian Electoral Justice (Justiça Eleitoral) jointly with the Supreme Electoral Court (Superior Tribunal Eleitoral) had come up with a voting manual for this year’s elections, and voters were required to wear face masks and maintain social distancing guidelines.46 These measures might nonetheless be insufficient, particularly with voters who face serious health conditions and are considered ‘at-risk’ in a pandemic.

Although voting was still mandatory, voters were allowed to justify their absence through apps provided by the TSE.47 This is the first

desafios-da-pandemia-e-encerra-primeiro-semestre-com-marca-de-250-mil-decisoes.aspx
44 Superior Tribunal de Justiça, ‘STJ supera desafios da pandemia e encerra primeiro semestre com marca de 250 mil decisões’ (STJ, 1 July 2020), Accessed on 27.10.2020, https://www.stj.jus.br/sites/portalp/Paginas/Comunicacao/Noticias/STJ-supera-desafios-da-pandemia-e-encerra-primeiro-semestre-com-marca-de-250-mil-decisoes.aspx
45 Instituto Brasileiro de Geografia e Estatística (IBGE), ‘Conheça Cidades e Estados do Brasil’, (IBGE, 2020), <https://cidades.ibge.gov.br/>, Accessed on 27.10.2020.
46 Justiça Eleitoral, ‘Dicas Para o Eleitor’, (Justiça Eleitoral, 2020), <https://www.justicaeleitoral.jus.br/dicas-ao-eleitor/assets/arquivos/dicas-para-o-eleitor-covid.pdf>, Accessed on 27.10.2020.
47 Tribunal Superior Eleitoral (TSE), ‘Eleições 2020 na palma da mão: baixe os aplicativos da Justiça Eleitoral e fique conectado’ (TSE, 5 October 2020), <https://www.tse.jus.br/imprensa/noticias-tse/2020/Outubro/eleicoes-2020-na-palma-

time this was allowed, since in past elections it was required to pay a small fine and/or justify in person why someone was not able to vote48.

There has been no indication of violations in relation to the data collected by these TSE apps and its use by governmental authorities, but it is something to be aware of and on the lookout for in the next few years, especially considering the current Brazilian General Data Protection Law (Lei Geral de Proteção de Dados - LGPD)49.

VII. Conclusions

Despite some political hurdles, Brazil has responded to the COVID-19 pandemic in a reasonable manner. Being the largest country in South America means that all numbers are relevant and large. It also means that there are vast possibilities for human rights violations.

Nevertheless, the issues highlighted above evidence that the country has very qualified and competent technical personnel, and strong institutions which are capable of curbing and resisting authoritarian measures and violations to our young constitution.

da-mao-baixe-os-aplicativos-da-justica-eleitoral-e-fique-conectado>, Accessed on 27.10.2020.
48 Law 4.737, dated July 15, 1965
49 Law No. 13.709, dated as of August 14, 2018.

Croatia

By Alina Škiljić

I. Introductory observations: absence of a specific COVID-19 law or guidance on data protection or privacy

When COVID-19 first appeared in Croatia in late February 2020, the Croatian Government, public authorities, and epidemiologists promptly reacted by introducing different measures for combating the virus, as well as adopting guidelines, recommendations, and amendments to existing laws.1 However, to this date, Croatia has not adopted a COVID-19-related data protection or privacy law (or any other legal document, such as binding orders and decisions) dealing particularly with the increased and invasive data processing and surveillance of Croatian citizens.

The Government (and others) has only partially regulated extensive health-related data collection, implementation of tracing technologies, widespread temperature measurements, and, to a certain extent, monitoring of data subjects by employers. As a result, data controllers must search for legal strongholds in existing laws. What is interesting, and dangerous, is that non-privacy-related legal and policy documents, which could form the legal basis for data processing, have not been made officially binding (but are merely recommendatory in form), thus indeed leaving data controllers without clear guidance.

What is partially but not sufficiently clear is that employers can process COVID-19-related data of their employees, relying on the Act on Health and Safety at the Workplace (the “Health and Safety Act”)2 and the Labour Act.3 The circulation and sharing of COVID-19-related data (e.g. positive results, symptoms, etc.) between different bodies and

1 Act on the Protection of Population from Infectious Diseases (Zakon o zaštiti pučanstva od zaraznih bolesti, Official Gazette 79/07, 113/08, 43/09, 130/17, 114/18, 47/20) (CRO).
2 Act on Health and Safety at the Workplace (Zakon o zaštiti na radu, Official Gazette 71/14, 118/14, 154/14, 94/18, 96/18) (CRO).
3 Labour Act (Zakon o radu, Official Gazette 93/14, 127/17, 98/19) (CRO).

persons are not fully clear. To this extent, the Croatian Institute of Public Health noted in its instructions to employers that if an employer suspects its employee to be infected with COVID-19 (for instance, if the employee is showing symptoms), the employer’s health and safety expert (or another responsible person) must notify an authorised epidemiologist.4 Information on the results of the COVID-19 tests is presumably further communicated to the government authorities by epidemiologists. Most of the other data processing and privacy protection aspects are vague.

Recently, as a result of the high number of COVID-19 cases in Croatia, the Government introduced a new set of measures, including one imposing a limitation on private gatherings. Namely, a maximum of ten people may be present at private gatherings and ceremonies.5 This measure has caused panic amongst Croatian citizens, as no clarification was given on how the police will enforce compliance. Specifically, citizens were concerned that the police would conduct regular ‘checks’ and freely enter citizens’ homes, thus violating their right to a private and family life. The Croatian Minister of Health reacted and explained that the police will operate pursuant to their regular authorizations and refrain from violently entering citizens’ homes. Moreover, they clarified that no new powers are being given to the police. The Minister further explained that the police will conduct checks of private gatherings only upon notifications and complaints from other citizens. However, these clarifications were given in an ‘informal’ way through press conferences and have not been officially confirmed in writing.6 Moreover, it is not (yet) publicly known if the police effectively conduct these checks and under which conditions.

4 Instructions for employers and employees in relation to the nCoV disease (Uputa za poslodavce i radnike vezano uz nCoV bolesti, Klasa: 008-02/20-09/1) (28 February 2020) <www.hzjz.hr/wp-content/uploads/2020/02/Uputa-poslodavcima-i-radnicima-o-postupanju-vezano-uz-koronavirus.pdf>
5 Decision on necessary epidemiological measures restricting gatherings and introducing other necessary epidemiological measures and recommendations to prevent the transmission of COVID-19 through gatherings (Odluka o nužnim epidemiološkim mjerama kojima se ograničavaju okupljanja i uvode druge nužne epidemiološke mjere i preporuke radi sprječavanja prijenosa bolesti COVID-19 putem okupljanja, Official Gazette 131/2020) (27 November 2020) <https://narodne-novine.nn.hr/clanci/sluzbeni/2020_11_131_2496.html>
6 The police will not forcibly enter apartments for private gatherings (Policija neće nasilno ulaziti u stanove na privatna druženja) (1 December 2020) <https://www.24sata.hr/news/kako-ce-se-nadzirati-privatne-zabave-i-kucna-druzenja-731341>

This Report aims to outline the state of data protection in Croatia in relation to the efforts to combat the pandemic, by illustrating the related activities of the Croatian Personal Data Protection Agency (‘AZOP’), Croatian digital technologies, and the Croatian contact tracing application, which generally follows all the relevant recommendations7 but still raises privacy doubts for having a confusing (or even misleading) privacy policy.8 Further, this Report will explore the lack of a proper response to increased cybersecurity threats brought about by shifting a significant part of the Croatian workforce to home offices.

II. Attitude and response of the national data protection authority

The absence of specific data protection or privacy-related laws to cope with the intrusive COVID-19 data processing placed a great burden on AZOP to supervise and govern privacy protection. Generally, AZOP is not amongst the most dynamic data protection authorities in the European Union (‘EU’), having imposed only two fines under the General Data Protection Regulation (‘GDPR’)9 so far.10 Further, it has been quite silent during the pandemic in contrast with other EU authorities, having issued only a few opinions which are analysed below.

A. Employment context

AZOP’s first response to pandemic-influenced data processing was an opinion published in March 2020 on the processing of health data in

7 See eg European Data Protection Board, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (21 April 2020) <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf>; see also Communication from the Commission Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection 2020/C 124 I/01C/2020/2523, OJ C 124I.
8 The Privacy Policy <https://stopcovid19.zdravlje.hr/html/privacy-policy.html> (“PP”).
9 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L119/1 (“GDPR”).
10 See eg Alina Škiljić, ‘2 years, 2 fines, 2 banks: Croatia DPA advocating for right of access to credit documentation’ (IAPP, 10 September 2020) <https://iapp.org/news/a/2-years-2-fines-2-banks-croatia-dpa-advocating-for-right-of-access-to-credit-documentation/>

the employment context.11 The opinion aimed to determine whether additional health data (other than those usually processed) can be processed by employers and, if so, under what legal bases.12 AZOP’s first opinion was one of the most straightforward and direct it has ever provided and can indeed be regarded as ‘good practice’ in privacy protection in the context of the pandemic.

In determining the appropriate legal bases, AZOP instructed that the ‘main’ anchors for processing are those legal obligations to which the employer, as data controller, is subject.13 The ‘legal obligation(s)’ in the employment context are provided in the Health and Safety Act and the Labour Act under which employers are obliged to protect the life, health, and morals of employees and must, among other things, organise work in a manner that guarantees the protection of life and health of employees.14 Additionally, employees must notify employers of illness or other circumstances which may endanger the life or health of persons with whom the employees come into contact during the performance of the employment contract.15 Alternatively, AZOP declared that the legal basis might be the necessity to protect the vital interests of the data subject or of another natural person.16 However, AZOP has not provided guidance on precisely how this legal basis should be relied on. For health data, employers can follow the same ‘obligations of a controller’17 logic as previously mentioned.

Although AZOP’s instructions are quite concrete, they still raise doubts. Not every instance of personal data processing can be justified by the Labour Act and Health and Safety Act provisions, and the main GDPR principles (such as proportionality, necessity, and data minimisation) must still be respected.18 While AZOP has noted these points, no criteria have been provided for differentiating which instances of data

11 AZOP, Processing of personal health data in the context of an emergency situation caused by COVID-19 virus (Obrada osobnih podataka o zdravlju u kontekstu izvanredne situacije izazvane COVID-19 virusom) <https://azop.hr/aktualno/detaljnije/obrada-osobnih-podataka-o-zdravlju-u-kontekstu-izvanredne-situacije-izazvan>
12 As the data in question is health data the processing of which is by general GDPR’s rule prohibited, two legal bases must be defined - the “main” Article 6’s legal basis and the additional Article 9’s legal basis (being an exception from the prohibition of processing).
13 GDPR, art 6(1)(c).
14 Act on Health and Safety at the Workplace (Zakon o zaštiti na radu, Official Gazette 71/14, 118/14, 154/14, 94/18, 96/18) (CRO).
15 Labour Act (Zakon o radu, Official Gazette 93/14, 127/17, 98/19) (CRO).
16 GDPR, art 6(1)(d).
17 GDPR, art 9(2)(b).
18 GDPR, art 5.

processing can and cannot be justified. In other words, there is no defined dividing line for determining which acts of data processing are justified as compliance measures with the aforementioned legal obligations. For example, temperature measurements (as analysed below) could be grounded in health and safety protection, but requiring employees to report any travelling outside Croatia, especially when Croatian authorities have not adopted a concrete ‘red list’ of unsafe countries,19 seems out of scope.

B. Temperature measurements

AZOP has also issued an opinion regarding temperature measurements using thermal cameras, following an anonymous question on whether the use of such cameras for temperature checks is proportionate to COVID-19 threats.20 AZOP’s opinion in this matter could have, argumentum a fortiori, also been useful for assessing temperature checks performed with the ‘basic’ digital thermometers that are less intrusive than thermal cameras. ‘Could have been,’ as the opinion is quite succinct and consists largely of citations to GDPR principles.

The key takeaway is that data processing and surveillance through the use of thermal cameras would be considered disproportionate if the footage of thermal cameras is being stored digitally, and if the health condition (i.e. temperature) of employees and other data subjects (e.g. visitors) is monitored through a long-specified period. To clarify the matter, AZOP opined that the results (of both thermal cameras and basic digital thermometers) must not be recorded. In other words, if temperature is measured but not recorded, such practice would be considered proportionate and would not constitute data processing under the GDPR.21 It must be highlighted that the situation contemplated by AZOP applies when the measured temperature is ‘negative,’ in which case, an employee would be allowed to enter the

19 The Croatian Government has only adopted a decision requiring that third-country nationals (ie people outside EU/EEA), when entering Croatia, must either present the negative test or go into 14-day self-isolation, while the same obligation does not exist for Croatians returning from third countries. Decision on the temporary prohibition of crossing the border crossing points of the Republic of Croatia (Odluka o privremenoj zabrani prelaska preko graničnih prijelaza Republike Hrvatske, Official Gazette 112/2020).
20 AZOP, Thermal cameras temperature measurement system (Sustav za mjerenje temperature putem termalnih kamera) (10 June 2020) <https://azop.hr/misljenja-agencije/detaljnije/sustav-za-mjerenje-tjelesne-temperature-putem-termalnih-kamera>
21 ibid.

workplace without his/her temperature needing to be recorded. Conversely, when the temperature is high, an employee would be distanced from the workplace and his/her temperature would surely be transmitted through the system (e.g. by recording the absence in HR files), thus undergoing data processing contemplated by the GDPR. No guidelines on how to handle the latter situation have been given so far, while temperature measurements, both by thermal cameras and digital thermometers, are largely performed in Croatia and different practices can be observed despite the absence of concrete instructions.

C. Additional remarks

Regarding AZOP’s other activities during the pandemic, it has issued only two other COVID-19 related opinions – one dealing with health data processing of customers in service activities (e.g. restaurants, hairdressers)22 and one regarding the data of pupils.23 Recently, AZOP held an interesting online workshop for healthcare professionals on the subject of personal data protection and compliance with the GDPR. According to AZOP’s report, the workshop attracted many health professionals, which shows they are aware of COVID-19 related privacy implications and interested in being compliant.24 Although it is positive that AZOP is trying to bring data processing obligations closer to data controllers and make data subjects aware of their rights, it is still quite difficult to interpret the concrete advice behind its opinions, and its instructions are not sufficiently clear. The dangerous consequence is that data controllers are left with broad room for manoeuvre, while this should not be the case in such privacy-intrusive situations involving large-scale processing of personal health data. The existing opinions cannot be considered sufficient for regulating privacy protection during the COVID-19 pandemic, especially with the lack of a specific legal or policy framework. To add, it is also quite disappointing that AZOP has not had any (at least publicly available) response to the

22 AZOP, Processing of personal data of customers in service activities in the context of combating COVID-19 (Obrada osobnih podataka klijenata u uslužnim djelatnostima u kontekstu suzbijanja COVID-19) <https://azop.hr/info-servis/detaljnije/obrada-osobnih-podataka-klijenata-u-usluznim-djelatnostima-u-suzbijanja-cov>
23 AZOP, Collection of personal data by schools at the time of the COVID-19 epidemic (Prikupljanje osobnih podataka učenika od strane škola u vrijeme epidemije COVID-19) (11 November 2020) <https://azop.hr/misljenja-agencije/detaljnije/prikupljanje-osobnih-podataka-ucenika-od-strane-skola-u-vrijeme-epidemije-c>
24 AZOP, Online Workshop: Healthcare workers have shown great interest in the GDPR (Online radionica: Zdravstveni djelatnici pokazali velik interes za GDPR) <https://azop.hr/aktualno/detaljnije/zdravstveni-djelatnici-pokazali-velik-interes-za-gdpr>

developed and released Croatian digital tools, particularly having in mind that these, as described further below in detail, are doubtfully sufficient in terms of privacy protection compliance.

To date, there are no COVID-19 related cases or breaches investigated or sanctioned by AZOP, nor any pending administrative actions (at least not ones that are publicly known or available). Apart from the aforementioned opinions and initiatives, AZOP has not conducted any other pandemic-related activities.

III. Digital technologies developed in response to the COVID-19 pandemic

This is probably the ‘greyest’ zone of the Croatian COVID-19 activism. Although Croatian authorities must be acknowledged for endeavours to develop digital technologies as privacy friendly as possible, there are still many uncertainties, some of which might be considered highly dubious from a privacy perspective. So far, Croatia has released two digital technologies in response to the COVID-19 pandemic: an artificial intelligence (AI) digital assistant and a contact tracing application.

A. AI Digital Assistant

The AI digital assistant was released in March 2020 during the spring lockdown and is a truly interesting AI solution. The digital assistant is called ‘Andrija’ and its purpose is advising people on how to diagnose and manage suspected COVID-19 cases.25 Andrija was developed in response to the panic spread among the Croatian citizens after public contact spots, Civil Protection, and epidemiologists were overloaded with citizens’ inquiries. The aim of Andrija was to lessen the burden of these entities by answering citizens’ questions with respect to symptoms, health concerns, and the like. Andrija is activated through the WhatsApp network by sending a message to ‘its’ number, and it interactively responds to senders.26

From a data protection and privacy perspective, this technology tool is quite alarming. Firstly, public authorities have not properly informed the citizens on the data collection that occurs during communication

25 For further information on this digital assistant see https://andrija.ai/
26 ibid.

with Andrija, and a large number of its technical properties and, accordingly, the level of privacy intrusion, remain uncertain. Certainly, privacy was not among the citizens’ top priorities at the time of Andrija’s widespread use. However, this does not justify the lack of transparency from the public authorities’ side. Secondly, being an interactive tool, it is immensely challenging (and, to a certain extent, impossible) to identify and track the categories of data collected and processed by Andrija. Needless to say, this data is predominantly health data, while the crucial aspects of Andrija’s usage, such as its legal basis for processing, security measures, and information on who has access to collected data and if the data is in any way stored, are unknown.

B. Status quo of the proposal on the mandatory location tracking

In late March 2020, when the virus spread considerably and many Croatian citizens were compulsorily quarantined, the Croatian Government announced the location tracking of quarantined citizens, which was intended to be mandatory. In order to have a legal stronghold for this mandatory location tracking, the Government introduced a proposal for amendments of the Croatian Electronic Communication Act, which would allow tracking of location data other than traffic data where, inter alia, the Minister of Health proclaimed an epidemic of an infectious disease or the danger thereof.27 The proposed amendments were intended to compel public communications network operators to store and provide such location data to the Minister of Health upon his request.28 This proposal, justifiably classified as controversial, received numerous critiques and its fate remains uncertain, as it was never voted on nor was it formally withdrawn from or rejected by the Croatian Parliament.

C. Croatian contact tracing application

The status quo of the amended Electronic Communication Act is presumably grounded in the elucidations of the European Data

27 Proposal for amendments of the Electronic Communications Act (Prijedlog za izmjenu Zakona o elektroničkim komunikacijama) (Official Gazette 73/08, 90/11, 133/12, 80/13, 71/14, 72/17) (19 March 2020) < https://www.sabor.hr/sites/default/files/uploads/sabor/2020-03-19/114102/PZ_881.pdf> 28 ibid.

Protection Board and the European Commission that only voluntary tracing tools are considered legitimate within the EU.29 Consequently, the Government focused on developing a volunteer-based contact tracing application and engaged the company APIS IT.30 These measures were based on the decision on digital platform and interoperability implementation for the purpose of monitoring and repressing infectious diseases.31 In July 2020, the Croatian contact tracing application called ‘Stop COVID-19’ was released. The main purpose of Stop COVID-19 is the exchange of information between application users and the notification of said users on possible COVID-19 infections based on epidemiologically relevant contacts.32 The data controller for Stop COVID-19 is the Ministry of Health (“Ministry”), and the data processor is APIS IT. Without getting into details of the technical properties of Stop COVID-19,33 it generally operates on Bluetooth Low Energy, based on the technology34 within Google’s and Apple’s operating systems. Stop COVID-19 is voluntary, temporary, and decentralized (as opposed to a centralized approach where all relevant data are stored in the central server), and uses proximity data and not location data. Although the word ‘tracing’ as a functionality of the contact tracing applications already raises implications, and besides the alarms commonly attributable to all such applications, the privacy policy (the ‘PP’)35 accompanying Stop COVID-19 raises significant privacy uncertainties: the unclear nature of how the data is being processed (anonymised/pseudonymised), legitimacy of

29 See n 5. 30 Profile, APIS IT < https://www.apis-it.hr/apisit/index.html - /page?docId=D9619A3BDFD4D0DBC1257F50004F4C2C> 31 Decision of the Government on the creation of a digital platform and establishing interoperability for the prevention and control of infectious diseases (Odluka Vlade o izradi digitalne platforme i uspostavi interoperabilnosti u svrhu praćenja i suzbijanja zaraznih bolesti) ( March 2020) < https://vlada.gov.hr/dokumenti/10?trazi=1&tip2=&datumod=&datumdo=&pojam=&page=69> under document ‘216-10.dox’ 32 Stop COVID-19, Accessibility Statement < https://stopcovid19.zdravlje.hr/html/accessibility-policy.html> 33 For the explanation of Stop COVID-19’s technical functioning, see Alina Škiljić, ‘“Stop COVID-19”: The Croatian Application for Contact Tracing - Overview and Privacy-related Uncertainties’ [2020] 3 EDLP 433, 433-434 < https://doi.org/10.21552/edpl/2020/3/13> 34 This is an application programming interface which allows contact tracing applications to work across the iOS (Apple) and Android (Google) devices – it is the “system” which essentially enables applications to function and to trace contacts. See Exposure Notification, Frequently Asked Questions < https://blog.google/documents/73/Exposure_Notification_-_FAQ_v1.1.pdf> 35 See PP (n 6).

the consent-withdrawal method, and the exercise of the data subjects’ rights.

Firstly, an important difference exists between anonymised and pseudonymised data. Anonymised data cannot (or should not) enable the person’s identification and is thus not considered ‘personal data,’36 consequently falling out of the GDPR’s scope.37 Conversely, pseudonymised data is personal data, which only superficially prevents the identification — the identification is possible if such data is combined with additional data.38 According to the PP, Stop COVID-19 collects and processes only the randomly generated keys,39 proximity data, and the date and duration of the contact. The PP, inter alia, claims that this data cannot enable the users’ identification – thus explicitly argues that the data being processed is anonymised.40 The anonymity of the data has also been emphasized several times by the public authorities,41 and indicated in the publicly available summary of the conducted data protection impact assessment (‘DPIA’).42 What is ambiguous is that if de-anonymisation is impossible, why does the PP even refer to the GDPR when it does not apply to anonymised data?

To determine the identifiability of a person, the GDPR’s ‘reasonably likely’ criterion must be scrutinized considering the objective factors.43 The identifiability of Stop COVID-19 users can be convincingly claimed on the following examples: if a user was in contact only with five people in the preceding two weeks, and he/she knows that only three of them have Stop COVID-19 installed, then there is a high possibility that the user who got notified of an exposure would be able to identify the

36 For the definition of “personal data”, see GDPR, art 4(1). 37 GDPR, whereas cl 26, art 4(5). 38 ibid. 39 To briefly explain, Stop COVID-19 assigns randomly generated keys to each device on which the app has been installed and activated, which are exchanged with other devices via Bluetooth. These keys are changed a few times within one hour and only the device’s own randomly generated key (and not the exchanged ones) is shared with the central Stop COVID-19 server. See Škiljić (n 30) 434. 40 The PP also claims that data is shared only with the server without the possibility of revealing the identity. See PP (n 6) point 6. 41 See eg public statements given by the Croatian Government (27 July 2020) < https://vlada.gov.hr/vijesti/u-ministarstvu-zdravstva-predstavljena-mobilna-aplikacija-stop-covid-19-o-izlozenosti-koronavirusu/30035> ; (3 August 2020) < www.index.hr/vijesti/clanak/beros-o-aplikaciji-za-pracenje-zarazenih-koronom-kao-lijecnik-je-preporucujem/2202726.aspx> 42 Published summary of the conducted DPIA (16 November 2020) < https://www.koronavirus.hr/UserDocsImages/Dokumenti/Stop_COVID-19_Data_Protection_Impact_Assesment-Summary_2020-11-16.pdf> 43 GDPR, whereas cl 26.

infected person.44 Moreover, there are also ways of identifying all users (i.e. not only the infected ones) by tracking a user’s device and linking it to a specific person. For example, since devices are broadcasting randomly generated keys, and where this is not done on a large scale (e.g. a smaller number of devices exchanging their keys in one room or auditorium), someone could track the individual broadcasting devices.45 Thus, reasonably argued, the data processed by Stop COVID-19 is pseudonymised and contradictory claims might be perceived as misleading.

Furthermore, the processing of data via Stop COVID-19 is based on consent given through the consent form, which in itself is quite interesting. Firstly, Stop COVID-19, when opened, requires an affirmative action (clicking the “turn on” option) for data processing. Once a user tries to turn it on, the banner appears alerting the users and they can choose between ‘cancel’ or ‘turn on’ – the latter representing consent. However, there is no clear indication that clicking “turn on” represents the consent for data processing.46 Also, it is dubious whether the method provided for withdrawing consent is appropriate. Withdrawing consent must be as easy as expressing it47 and therefore, as the consenting requires only clicking the ‘turn on’ of tracing, the withdrawal should simply be performed by turning it off. However, consent can be withdrawn only by denying access to Bluetooth from the App and the Exposure Notification system in the operating system of the mobile device, with no clear instructions where and how exactly this is to be done.48 As it may take up to fifteen minutes for the user to find how to withdraw the consent, while consenting requires only clicking ‘turn on’, withdrawing consent is much more complex than expressing it. What also remains unclear is what happens with data which was already sent to the centralised server after the consent has been withdrawn.

44 Škiljić (n 30) 436. 45 ibid; see also Johannes Becker, David Starobinski, ‘How Apple and Google will let your phone warn you if you’ve been exposed to the coronavirus’ (30 April 2020) < https://theconversation.com/how-apple-and-google-will-let-your-phone-warn-you-if-youve-been-exposed-to-the-coronavirus-136597> 46 For the requirements which consent must fulfil to be lawful see GDPR, whereas cl 32, art 7; see also European Data Protection Board, Guidelines 05/2020 on consent under Regulation 2016/679 [2020] < https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf> 47 GDPR, art 7. 48 PP (n 6), point 10.

Last but certainly not least, it is questionable if Stop COVID-19 users can exercise their rights granted by the GDPR.49 Namely, considering the data being processed, the main purpose is not to identify data subjects nor does it require identification (irrespective of if the identification is possible) and can thus be considered ‘processing which does not require identification’ to which specific rules apply under the Article 11 of the GDPR.50 However, it seems that the Ministry misinterpreted the respective provisions when referencing Article 11 by practically stating that, since the Ministry does not possess data which could clearly be assigned to the user, and as they are not obliged to collect it, they could simply prevent users to exercise their GDPR rights.51 Although it is true that the Ministry would need additional data to assign the pseudonymised data to the user in order to, for instance, enable right of access, Article 11 of the GDPR presumes that the controller is not obliged to collect additional data in order to enable exercising of the data subject’s rights, and does not presume that the controller can reject data subjects’ requests by reference to the inexistence of such an obligation, if data subjects are willing to provide additional data.52 It is uncertain if the intention of the Ministry was to prevent Stop COVID-19 users from exercising their rights or if this is a result of the puzzling wording of the PP, but it could quite possibly be concluded that users cannot exercise rights under Articles 15-21 GDPR against the Ministry.

IV. (Non)-response to increased cyber-threats

Shifting to remote work opened a plethora of possibilities for cyberattacks. Employees extensively use their personal devices for remote access to the employer server and their private Wi-Fi networks, all being potential entry points for cyber criminals.53 Often, interruptions in remote access might cause employees under pressure of work assignments to download company files on their personal

49 GDPR, arts 15-22. 50 GDPR, art 11. 51 PP (n 6), point 11; see also Škiljić (n 30) 437–439. 52 GDPR, art 11; see also Alina Škiljić, ‘Article 11 GDPR: Processing data that does not require identification and how it should not be interpreted’ (27 October 2020) < https://iapp.org/news/a/article-11-gdpr-processing-data-that-does-not-require-identification-and-how-it-should-not-be-interpreted/> 53 See Alina Škiljić, ‘Cybersecurity and remote working: Croatia’s (non-)response to increased cyber threats’ [2020] 1 ICLR 51 < https://doi.org/10.1365/s43439-020-00014-3> ; see also Hunter Seymour, ‘A pandemic and remote working: Cyber security under the microscope’ [2020]

computers. Increased ‘home distractions’ and COVID-19 influenced concerns (e.g. health, finances) might cause employees to become negligent and to lose sight of safeguards against cyber-attacks.54 Phishing and ransomware attacks have thus, unsurprisingly, increased.55

Croatia, unfortunately, has not had any reaction to the increased cyber threats and has not recognized cybersecurity as being at risk during the COVID-19 pandemic. Many countries promptly issued recommendations addressed to the public and private sector and individuals, while cyber threats have not been addressed in Croatia.56 This is unsurprising, as it has been continuously emphasized that Croatia lacks enough experts in the cybersecurity field.57 Public authorities and cybersecurity entities have been silent on this topic and have left the companies to figure out their own ways of reacting to the increased cyber threats, without even warning individuals. Remote work and the limited possibilities to control the workplace, combined with curtailed diligence of individuals arising from their fears and almost desperate need for information the pandemic has influenced, force companies to envisage and implement long-term IT solutions – while employees’ negligence is often out of their reach.58 Of course, companies are primarily responsible for ensuring cybersecurity of their systems, but public alertness could contribute to a more diligent attitude of individuals towards these issues. Yet, to this date, no specific recommendations or guidelines have been issued in this respect.

V. Conclusion

As shown in this Report, Croatia has put some efforts into privacy protection during the COVID-19 pandemic and consequential

54 ibid. 55 See eg World Health Organization, ‘WHO reports fivefold increase in cyber-attacks and urges vigilance’ (23 April 2020) < > ; see also Panda Security, ‘43 COVID-19 Cybersecurity Statistics’ (26 August 2020) < www.pandasecurity.com/mediacenter/news/covid-cybersecurity-statistics/> 56 See eg Guidelines of the Slovenian Data Protection Authority (Informacijski pooblaščenec) on the protection of data while working from home (7 April 2020) < www.ip-rs.si/novice/kako-zascititi-osebne-podatke-ko-delamo-od-doma-1180/> ; Guidelines of the Romanian Cybersecurity Authority (Serviciul Tehnologia Informației și Securitate Cibernetică) on secure remote working < https://stisc.gov.md/ro> . 57 See Elvis Sprečić, “We do not have enough cybersecurity experts” (Nemamo dovoljno stručnjaka za kibernetičku sigurnost) (7 April 2019) < www.vecernji.hr/premium/nemamo-dovoljno-strucnjaka-za-kiberneticku-sigurnost-1311620> 58 See Škiljić (n 50) 60.

extensive data processing and monitoring. However, its greatest fault is staying overly inert to the increased peril. Pandemic-influenced sensitive data collection and processing, tracing technologies, widespread temperature measurements, and different measures of ‘monitoring’ data subjects by employers, public bodies, and others, have been only partially regulated. The inexistence of a concrete legal framework leaves tremendous manoeuvre space for shadowed data processing and privacy invasions, including uncontrolled data collection, as well as unsupervised data sharing and storage for long periods. AZOP attempted to fill the legislative void by issuing opinions intended to serve as guidelines, but apart from a partially clear framework for COVID-19 related data processing in the employment context which AZOP efficiently addressed, these opinions are not sufficient to regulate and supervise privacy protection. Further, implemented digital technologies likewise present alarm bells. The AI digital assistant intended to give ‘health’ advice to citizens, being an interactive tool, makes it immensely challenging (and, to a certain extent, impossible) to identify and track the categories of data collected and processed via its usage.

Additionally, none of the ambiguity arising out of the Croatian contact tracing application (Stop COVID-19) — due to the unclear nature of processed data, the doubtfully lawful consent on which the processing is based and the possible prevention of exercising data subject rights — has, unfortunately, been addressed in Stop COVID-19’s data protection impact assessment, or at least is not contained in the publicly available summary thereof, while AZOP has likewise not had any reaction to it. Stop COVID-19’s usage and Privacy Policy should be significantly revised to give precise and accurate information on data processing and to avoid misunderstandings and any data processing irregularities. The lack of the proper response by Croatia to increased cybersecurity threats as a result of shifting a significant part of the Croatian workforce to home offices is also quite alarming. Efforts to combat the virus should be combined with the efforts to combat the increased cyber threats, such as phishing and ransomware attacks, arising from shifting to remote work – especially as these can result in massive personal data theft. Overall, Croatian oversight could be characterized more as negligence towards potential and actual privacy intrusion occurring during the COVID-19 pandemic, rather than direct privacy infringements by intrusive measures. However, the lack of

regulation is equally alarming for Croatian citizens’ privacy as the directly invasive measures.

Finland

By Mikko Rudanko

I. Introduction

This country report looks at the Finnish response to the COVID-19 pandemic in 2020, with special focus on human rights and the rule of law. The most relevant rights and freedoms affected by the pandemic are listed in the Constitution of Finland (731/1999, PL), which includes the right to life, personal liberty and integrity (s 7), the freedom of movement (s 9), the right to privacy (s 10), and the freedom of assembly (s 13.1). At the least, the right to work and the freedom to engage in commercial activity have been affected (s 18), but this consideration has been largely left out.1

The Finnish Government (Government) and Ministries are primarily responsible for the nationwide response, emergency powers, and tougher measures like travel and entry restrictions, while the seven Regional State Administrative Agencies (AVIs) handle issues like local restrictions on assemblies, public events, and restaurants. The Finnish Institute for Health and Welfare (THL) has been especially responsible for statistics and research2 that support COVID-19 related decision-making and the contact tracing app, whereas the 21 Healthcare Districts and possible “corona coordination groups” have given local recommendations on various matters including private events, remote work, and mask recommendations.

Both the THL and individual Healthcare Districts have regularly published anonymized statistics on the number of tests, diagnosed cases, and COVID-19 related deaths, as well as the number of patients

1 During spring 2020, most public spaces like libraries and sport facilities were closed, whereas participant limits affected businesses. Restaurants and bars were still forced to close temporarily from 4 April to 31 May 2020. Government Decree on temporarily restricting the opening hours of catering establishments to prevent the spread of a communicable disease (173/2020). There have also been some relief actions, for example, European Commission, ‘State aid: Commission approves €3 billion Finnish scheme to support companies affected by coronavirus outbreak’ (European Commission website, 24 April 2020) accessed 10 December 2020 2 This includes forecasting the spread of the virus as well as studies such as THL, ‘Serological population study of the coronavirus epidemic’ accessed 24 October 2020

in ward care and intensive care. However, no data has been shown by the THL for cities or towns with less than five diagnosed cases. As of 27 November 2020, the THL had reported 23,766 findings in 1,880,100 tests, as well as 393 cases of death.3 The total number of findings has been 429 per 100,000 population, a relatively low number in comparison to other countries. Thus, the question is, “what kind of measures have been taken in response to the pandemic?”

II. Uusimaa Lockdown and the Freedom of Movement

So far, the most invasive measure has clearly been the “Uusimaa Lockdown” (Lockdown) from 28 March to 15 April 2020. Uusimaa is the most populous region in Finland which, including the capital Helsinki, has almost 1.7 million inhabitants, around 30% of all population in the country. At the beginning of the Lockdown, the number of new positive virus findings was around four times higher than the rest of Finland combined. During the Lockdown, anyone wishing to cross the border to or from Uusimaa had to present at the border a good reason for doing so, including work, study, societal position of trust, official activity, statutory obligation, or a “compelling personal reason,” including cases of child care and death of a family member. However, in all these cases, crossing the border needed to be “essential” (välttämätöntä), as well.4 The question of “essentiality” was significant also as regards the lockdown itself, since it considerably limited the freedom of movement under the PL, s 9.1, which guarantees the citizens and legal residents the right to freely move within the country.

Based on the considerable four-fold difference in virus findings between Uusimaa and the rest of Finland, it was found that the Lockdown was essential.5 The restriction was made by the Governmental Decree6 on 27 March 2020 after the Government had given another Decree7 on the implementation of emergency powers to “restrict movement and residence in order to protect the population,”

3 THL, ‘Tilannekatsaus koronaviruksesta’ accessed 27 November 2020 4 Governmental Decree on temporary restrictions on movement in order to protect the population (146/2020), s 2. Despite this, everyone still had the right to return to their domicile or place of residence, and the restrictions did not apply to freight traffic. 5 However, it was also argued that measures were needed rather within Uusimaa. Martin Scheinin & Pauli Rautiainen, ‘Koronakriisin uusissa toimissa valmiuslain nojalla ollaan nyt poikkeamassa ihmisoikeussopimuksista – valtioneuvosto leikkii jumalaa’ (Perustuslakiblogi, 26 March 2020) accessed 24 October 2020 6 Governmental Decree 146/2020 7 Governmental Decree on the introduction of the powers provided for in s 118 of the Emergency Powers Act (145/2020)

as regulated under the Emergency Powers Act (1552/2011, EPA), s 118. At the time, the Government considered such restrictions “essential and proportionate to slow down the spread and progression of the COVID-19 pandemic and, in particular, to ensure the adequacy of human resources in intensive care.”8 On 16 March, the Government, together with the President, had declared that “emergency circumstances” (poikkeusolot) referred to in the EPA, ss 3.3, 5 prevailed in Finland and on 17 March, given two Decrees on emergency powers.9

The traffic routes were mostly manned at the border by police officers assisted by military conscripts, and anyone without a valid reason was refused the right to cross the border of Uusimaa. Anyone wishing to cross the border was also asked to bring an identity card and an informal certificate from their employer or any other relevant party. However, it was not possible to obtain a prior permission from the police, and the consideration was made on a case-by-case basis at the border.10 The police also checked official databases for information concerning the border-crosser or another person.11 In some cases, fine requests were issued by the police for violations of the provision under the EPA, s 133. This included cases like “detected lying to the police,” “crossing the border for fun by running,” and “circumventing the control through another route.”12 The restrictions also applied to train traffic, but there was seldom an inspection before the train crossed the Uusimaa border. Thus, even after crossing, anyone found to have intentionally crossed the border without a valid reason could still be fined in principle.

However, this does not mean that people from Uusimaa or other regions would have been tracked, for example, through their car license plates, mobile phone location information, or other means of mass

8 Prime Minister's Office, ‘Valtioneuvoston asetus liikkumisen tilapäisistä rajoituksista väestön suojaamiseksi’ (27 March 2020) 12 9 The Parliament always has the power to uphold or repeal any such Decrees, although not the declaration itself. 10 Neither the Governmental Decree 146/2020 nor the Prime Minister's Office Memorandum 27 March 2020 stated anything about prior permissions. According to the National Police Board, the consideration was made case-by-case and at least the Helsinki Police Department interpreted this to exclude a prior permission. National Police Board, ‘Liikkumista koskevat rajoitukset otetaan Uudellamaalla käyttöön – poliisi kehottaa kaikkia tekemään osansa koronaviruksen leviämisen hillitsemiseksi’ (26 March 2020); Helsinki Police Department, ‘Helsingin poliisi valmistautuu valvomaan muiden poliisilaitosten kanssa liikkumisrajoitusta Uudenmaan rajalla’ (26 March 2020) 11 Prime Minister's Office Memorandum (27 March 2020) 9-10 refers to the Police Act (872/2011), c 2 s 1, finding that the police could use the Population Information System to verify information on border-crosser’s residence. At least in one case the residence information of another was checked to expose a lie. Tuomas Rimpiläinen, ‘Nuorison bileet, hätävale kuolevasta mummosta ja mies jota "rajoitukset eivät koske" – Yle selvitti: näin valmiuslakia on rikottu’ (YLE, 8 May 2020) accessed 24 October 2020 12 ibid

surveillance. Nor were they fined for the fact that they were outside of their own region at that moment without a valid reason—for example, when they had earlier travelled to their summer cottage. Such measures were not even allowed in the provisions on the basis of which the border was closed. On the other hand, the Government entered into an agreement with the telecommunications company Telia for using the Crowd Insight service to track changes in mobility between different regions and to assess the effectiveness of restrictive measures.13 The service tracks how mobile devices are connected to network base stations in different places.14 The Attorney General did not see any problem with the anonymized and aggregated statistical-level tracking, since the data could not even be indirectly connected to an individual person or device.15

The number of Uusimaa border crossers, those turned at the border, and those fined were recorded and published, but it does not seem that any personal data register was kept for the first two groups. During the Lockdown, 117 fine requests and 159 admonitions were given by the police, and 4,383 were turned at the border.16 Notably, the Parliamentary Ombudsman pointed out that the police had given fine requests also for people who had not crossed the border although the EPA, s 133 does not apply to attempted offences.17 Even though a person had tried several times to cross the border, they should not have been fined. The National Police Board estimated that 10-20 of such fine requests had been given.18 However, it always depends on the prosecutor whether a fine is imposed or not. Furthermore, although EPA, s 133 applies also to negligent acts, the police policy was that only intentional acts were fined.

Although the Lockdown was supposed to last until 19 April, it was prematurely lifted by the Government19 on 15 April since, based on the expert opinions, it was no longer found (absolutely) essential

13 Telia, ‘Telian paikkatietopalvelu auttaa Valtioneuvostoa koronaviruksen vastaisessa taistelussa’ (Telia website, 3 April 2020) accessed 24 October 2020 14 For an illustrating example of data usage, see Olle Järv, Elias Willberg, Tuomas Väisänen & Tuuli Toivonen, ‘Towards summer cottages: Mobility flows amid the COVID-19 outbreak in Finland in March’ (15 May 2020) accessed 24 October 2020 15 Attorney General Decision 28 April 2020 Reg. no OKV/15/50/2020, p. 3 16 Parliamentary Ombudsman Decision 8 May 2020 Reg. no EOAK/2464/2020, p. 3 17 Parliamentary Ombudsman Decision 8 May 2020 Reg. no EOAK/2464/2020, pp. 4-6 18 National Police Board, ‘Poliisi tarkastelee Uudenmaan maakuntarajalla 28.3.–15.4.2020 annettuja sakkovaatimuksia Eduskunnan oikeusasiamiehen päätöksen mukaisesti’ (11 May 2020) 19 Governmental Decree repealing the Governmental Decree on the introduction of the powers provided for in s 118 of the Emergency Powers Act and the Governmental Decree on temporary restrictions on movement in order to protect the population (217/2020). Other remaining emergency powers were repealed on 15 June 2020.

(välttämätön, as compared to tarpeellinen, “necessary or useful,” which it still was) as required for such measures, considering also that by that time, the gap between Uusimaa and other regions, like the one bordering Sweden in southwest Lapland (Länsi-Pohja), had considerably narrowed.20 The pandemic had also slowed down, both in reproduction21 and absolute22 numbers.

III. Tracing App and the Right to Privacy

During Spring 2020, a tracking app project called Ketju was started in Finland, and from May to June the app was piloted in Vaasa Central Hospital with 34 staff members who had volunteered to test it in simulated scenarios. The app was one of the first to use the decentralized DP-3T technology. Although the app was found generally good by the test users, it was also found that the anonymity provided by such a model made tracing infections difficult and that false positives were inevitable.23 Alternative projects were Fevermap, developed during the Hack the Crisis Finland hackathon in March 2020, and FinPandem, which was designed by a group of Finnish physicians in April 2020. The former was based on self-reporting of body temperatures and other symptoms under a given postal code. Although the information (e.g. symptoms, test result, trips abroad) in the latter was given anonymously, the app was still based on the user’s location information and GPS, not on Bluetooth like Ketju. It would have been a map app, where users would have been shown as red (“risk”) or green (“safe”), with an accuracy of some meters.24 Ultimately, the developers of these apps did not participate in the June public tender, which was won by the digital services company Solita.

On 31 August 2020, the THL and Solita introduced the EUPL 1.2-licensed contact tracing app, Koronavilkku (App), which uses the

20 Prime Minister's Office, Memorandum ‘Valtioneuvoston asetus valmiuslain 118 §:ssä säädettyjen toimivaltuuksien käyttöönotosta annetun valtioneuvoston asetuksen ja liikkumisen tilapäisistä rajoituksista väestön suojaamiseksi annetun valtioneuvoston asetuksen kumoamisesta’ (15 April 2020) 4-5 21 Estimates without restrictions had been 2.4, but the reproduction number had decreased to 1.1-1.3. THL, Memorandum ‘COVID-19 epidemia - tilannekuva ja Uudenmaan rajoitukset’ (13 April 2020) 2 22 There were 211 findings on 6.4. and 199 on 7.4., but a daily average of 114 between 8.- 15.4. The number from 6.4. would be exceeded only in October with the “second wave”. However, the test capacity in April was still limited and tested were mostly those with serious symptoms. In October 2020, the capacity was around 20,000. 23 Ketju-sovellus, ‘Ketju-project - Final Report’ (18 June 2020) 27 accessed 24 October 2020 24 FinPandem, ‘FinPandem-sovellus taistelee koronaviruksen leviämistä vastaan’ (8 April 2020) accessed 24 October 2020

Exposure Notification API by Apple and Google and whose source code has been published in GitHub.25 Thus, it has been produced later than many similar apps in other countries. This may have given more time to ensure the protection of privacy, and open-source code may also better ensure independent evaluation of the App.26 In addition to the Finnish National Cyber Security Centre,27 at least two Finnish security companies Nixu28 and Mint Security29 have positively reviewed the App. On the other hand, this late release date meant that until the end of August, there was no real possibility to trace infection chains by such means.

The use of the App is voluntary and free of charge. By 5 November 2020, it has been downloaded 2.5 million times. Thus, the App has been popular, but the target of 50-60% has not yet been reached. Using the App, randomly generated and pseudonymized identification codes are used to track close contacts with other App users. “Close contact” is one where two people have been less than 2 meters apart, either for at least 15 minutes (potential exposure) or for a shorter period (small risk of exposure). If two users are at such distance from each other, their phones share with each other the pseudonymized identification codes via Bluetooth connection. At this point, this information will only remain on these users’ own phones and is not uploaded to any server. The App does not use location information, but user distances are instead estimated using Bluetooth signal strength.

The codes of contacts, without any information about their identity or location, but together with the signal strength, time and duration, are stored for a maximum of 21 days, and if one is diagnosed with COVID-19, the App can be used to anonymously warn others about their potential exposure. This is voluntary.30 If A is diagnosed and chooses to do this, the App sends A’s codes to the server managed by the Finnish Social Insurance Institution, and anyone who has in the last ten

25 ‘Koronavilkku backend and Android and iOS applications’ accessed 24 October 2020. 26 In principle, anyone may use and modify the code royalty-free, but more importantly, anyone can see how the app functions and check whether the code contains any bugs, backdoors or security concerns and give feedback. 27 National Cyber Security Centre Opinion 25.8.2020 Reg. no TRAFICOM/10075/09.04.00/2020 28 Antti Tiainen, ‘HS tilasi tietoturvayhtiöltä selvityksen: Miten Koronavilkku toimii ja onko sen tietoturva riittävä?’ (Helsingin Sanomat, 2 September 2020) accessed 24 October 2020. 29 Thomas Malmberg, ‘We scanned Koronavilkku – these are our findings’ (22 September 2020) accessed 24 October 2020. 30 In September 2020, 600 users did this, around a third of the infected. THL, ‘Käyttäjät tekivät Koronavilkun kautta 600 tartuntailmoitusta syyskuussa’ (1 October 2020) accessed 24 October 2020.

days (previously 14) been in close contact with such an uploaded code gets a warning next time their App checks the server, as long as their contact with A exceeds a certain threshold based on the distance and duration of the contact, as well as A’s estimated contagiousness at the time. However, in order to share the diagnosis this way, one first has to get a single-use unlock code from the THL or other health authorities via telephone or SMS message. This should prevent abuse of the App, which is also supposed to reject any invalid codes, but in some cases, it may take some time to get such an unlock code from the authorities, since only a limited number of people have the authority to send codes.
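The flow described above (codes exchanged over Bluetooth, kept on the phone, uploaded only after a diagnosis and a single-use unlock code, then matched locally) can be modelled as follows. This is an added, simplified sketch, not Koronavilkku's code and without the Exposure Notification API's cryptography; the signal-strength calibration, the scoring rule and all class and function names are assumptions, and the sample contacts are constructed.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)   # page: contact codes kept at most 21 days
LOOKBACK = timedelta(days=10)    # page: contacts in the last ten days count
CLOSE_METRES = 2.0               # page: "close contact" is under 2 metres
EXPOSURE_MINUTES = 15            # page: 15 minutes marks a potential exposure


@dataclass(frozen=True)
class Encounter:
    code: str          # the other phone's random code, no identity or location
    seen_at: datetime
    minutes: float
    rssi_dbm: int      # Bluetooth signal strength, the only distance clue


def estimate_distance(rssi_dbm, tx_power_dbm=-59, path_loss=2.0):
    """Log-distance path-loss estimate in metres (assumed calibration)."""
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10 * path_loss))


class HealthServer:
    """Central server: sees unlock codes and uploaded codes, never contacts."""

    def __init__(self):
        self._unlock_codes = set()
        self.published = {}   # uploaded code -> contagiousness weight (0..1)

    def issue_unlock_code(self):
        code = secrets.token_hex(6)
        self._unlock_codes.add(code)
        return code

    def upload(self, unlock_code, codes, contagiousness=1.0):
        if unlock_code not in self._unlock_codes:
            return False                        # invalid or already used
        self._unlock_codes.remove(unlock_code)  # single use
        self.published.update({c: contagiousness for c in codes})
        return True


class Phone:
    def __init__(self):
        self.own_codes = []
        self.encounters = []

    def broadcast(self):
        code = secrets.token_hex(16)   # fresh random pseudonym
        self.own_codes.append(code)
        return code

    def hear(self, code, seen_at, minutes, rssi_dbm):
        self.encounters.append(Encounter(code, seen_at, minutes, rssi_dbm))

    def check(self, server, now):
        """Match locally against the published codes; return the worst risk."""
        self.encounters = [e for e in self.encounters
                           if now - e.seen_at <= RETENTION]
        risk = "none"
        for e in self.encounters:
            weight = server.published.get(e.code)
            if weight is None or now - e.seen_at > LOOKBACK:
                continue
            if estimate_distance(e.rssi_dbm) >= CLOSE_METRES:
                continue
            # Assumed scoring: contact duration scaled by contagiousness.
            if e.minutes * weight >= EXPOSURE_MINUTES:
                return "potential exposure"
            risk = "small risk"
        return risk


def demo():
    now = datetime(2020, 11, 5, 12, 0)   # constructed scenario
    server, alice = HealthServer(), Phone()
    phones = {n: Phone() for n in ("bob", "carol", "dave", "erin", "frank")}
    # (name, days ago, minutes, rssi): constructed sample contacts with Alice
    contacts = [("bob", 3, 20, -62), ("carol", 2, 5, -62), ("dave", 1, 30, -80),
                ("erin", 12, 30, -62), ("frank", 25, 30, -62)]
    for name, days, minutes, rssi in contacts:
        phones[name].hear(alice.broadcast(), now - timedelta(days=days),
                          minutes, rssi)
    forged = server.upload("not-a-real-code", alice.own_codes)
    unlock = server.issue_unlock_code()
    first = server.upload(unlock, alice.own_codes)
    replay = server.upload(unlock, ["bogus-code"])   # same unlock code again
    risks = {n: p.check(server, now) for n, p in phones.items()}
    stored = {n: len(p.encounters) for n, p in phones.items()}
    return forged, first, replay, risks, stored, server


if __name__ == "__main__":
    forged, first, replay, risks, stored, _ = demo()
    print(forged, first, replay, risks, stored)
```

The server ends up holding only the diagnosed user's random codes; which phones matched them, and when, never leaves the individual devices.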

The legal provisions31 concerning the App are temporarily in force (from 31 August 2020 to 31 March 2021) and stipulate voluntariness, user consent, and the limitations on the use of any personal data, including the pseudonymized identification codes and personal information an App user gives the health authorities when they want to act after the App warns about a potential exposure. They also state that the THL acts as the controller in the processing of any personal data related to the use of the central server, and such data may only be used to break the chains of infection, to reach and inform the potentially exposed users, or within certain limits for statistical purposes essential to evaluate the performance of the system. Excluded are any other purposes, including the use in police or pre-trial investigations. Similarly, research purposes would be excluded, with the exception of the already aggregated statistical data.32

The App does not seem to violate the right to privacy guaranteed under the PL, s 10. Even though the idea of a tracing app may at first seem problematic, it is important to notice that the users are not tracked using their location information, since such data is “not asked for, nor saved or sent by the App.”33 Thus, there are no such data points, where certain location X could be connected to the time person A has been there. Furthermore, the only moment a person would need to provide their personal information is when they give health authorities a phone number after a positive diagnosis, if they wish to use the App to warn others of potential exposure. The number is not used for other purposes in the App. In cases of notifications of potential exposures, a user is not obliged to report such exposure to anyone but may choose to do so to get tested. Although COVID-19 is currently listed as a generally hazardous communicable disease, there is an

31 Communicable Diseases Act (1227/2016, CDA), c 4a, added with Law 582/2020. 32 Governmental Proposition to Parliament for a Law temporarily amending the Communicable Diseases Act HE 101/2020 vp, p. 25 33 Antti Tiainen, ‘HS tilasi tietoturvayhtiöltä selvityksen: Miten Koronavilkku toimii ja onko sen tietoturva riittävä?’ (Helsingin Sanomat, 2 September 2020) accessed 24 October 2020

exemption from the duty to inform physicians (CDA, s 22) when it comes to information received in the App. This is explicitly stated in the law (CDA, s 43d). It is at the user’s discretion whether they wish to contact the health authorities and which information they wish to share. Otherwise, the identity of the user is not given to the authorities.

IV. Restrictions on the Freedom of Assembly

During the COVID-19 pandemic, different restrictions on assemblies have been imposed at different times based on the situation. Regional AVIs have mostly been responsible for any restrictions on public assemblies and demonstrations. The pandemic has not meant the prohibition of demonstrations, but it has set some restrictions on their participation, as well as rules on hygiene. For example, on 23 June, the police in Helsinki urged the organizers to disperse their support demonstration for the Black Lives Matter movement because of the excessive number of participants. According to the restrictions at the time, up to 500 people were allowed to participate, provided that specific instructions especially on sufficient social distance were followed, but there were around 3,000 participants in that demonstration. The organizers had then dispersed the demonstration in accordance with the Assembly Act (530/1999), s 21.

At that time, there was no obligation to wear a face mask, so the lack of masks alone would not have been a reason to disperse the demonstration, and in any case, masks were widely used. Notably, there have not been many demonstrations against the COVID-19 restrictions, which may be due in part to the fact that masks have not been made compulsory. However, there have been some smaller-scale demonstrations, like the 8 October protest against restrictions on the restaurant industry, such as the mandatory early closing times of restaurants and nightclubs. On 15 October, the Constitutional Law Committee practically stopped the proposed extension on restaurant restrictions, requiring more regional and restaurant type-specific restrictions.34

As of 27 November 2020, assemblies, public indoor and outdoor events, and general meetings of more than 50 people were allowed in November and December 2020, provided that the organizers could ensure the safety of the participants in accordance with the guidelines by the THL and the Ministry of Education and Culture. However, this applied only to regions still in “Phase 1” (basic phase), and public events and meetings may even be prohibited altogether in regions or cities in “Phase 3” (spreading phase) if needed. Since the introduction of the three-stage system, the first to reach the Phase 3 was the Vaasa

34 Constitutional Law Committee Statement PeVL 31/2020 vp.

Healthcare District, where all public events and general meetings of more than 10 people, including demonstrations, were prohibited.35 This measure, based on the CDA, s 58.136 and as given by the responsible AVI,37 was in force from 12 to 31 October. At the time of its adoption, the 14-day incidence rate in Vaasa was 356 and in the whole District, 166 cases per 100,000 people. Subsequently, similar restrictions have been given in other regions. It does not seem that there have been demonstrations or decided court cases to challenge such restrictions. However, in KHO 2020:108, the Supreme Administrative Court of Finland upheld the view of an Administrative Court that the 50-people restriction by the AVI Northern Finland did not directly affect the person A living in Uusimaa and thus A could not appeal against that restriction. It remains to be seen whether there will be other similar cases, especially if tougher measures are imposed.

V. Mandatory Face Masks

As of 27 November 2020, wearing of face masks has not been made mandatory in Finland, although during fall 2020, mask recommendations have gradually been given in all regions, especially for situations where it is not possible to maintain a sufficient distance from other people, such as in public transport. As the situation has gotten worse in certain areas (Phases 2 and 3, “acceleration” and “spreading”), the authorities have confirmed broader and stronger recommendations for the use of masks, including secondary education schools, public buildings, supermarkets, churches, and cinemas. In the worst affected areas, such as Vaasa, strong recommendations have been given to all public areas.

However, it has been generally considered that the current law would not allow the mandatory use of masks, with the exception of private companies, which could require a mask as a condition of admission in restaurants or sport events, for example. However, supermarkets have been unwilling, if even allowed,38 to introduce mask requirements, and similarly, the public transport companies have concluded that they

35 However, there were similar restrictions already during Spring 2020, including the Decision on 17.3. for the period of 18.3.-13.4.2020, the Decision on 8.4. for 14.4.–13.5.2020 and the Decision on 8.5.2020 for 14.-31.5.2020. Notably, the decisions were given by all AVIs and concerned the whole of mainland Finland. The Decision on 19.5. for June 2020 then considerably eased restrictions, allowing even events of 500 people under certain conditions. 36 The provision requires that such measures are “essential for preventing the spread of a generally hazardous communicable disease”. Thus, similarly to the case of Lockdown, the question of essentialness is decisive here. 37 AVI Western and Inland Finland Decision 9 May 2020 Reg. no LSSAVI/13954/2020 38 As long as there is no general legal requirement of mask-wearing, there does not seem to be any law that could justify compulsory masks in supermarkets in a way that would not cause problems with controlling and sanctioning the requirement in a non-discriminatory way, keeping in mind that supermarkets provide essential goods.

cannot refuse people without masks. There are still exceptions like the Finnish airline company Finnair, but access to flights is already in other respects more limited than to trains or buses. Thus, only in some cases could people without masks be refused entry, but currently, there are no other means to sanction the people not wearing masks despite the strong recommendations of the authorities to do so.

Thus, it would require a law change to introduce compulsory masks, but there has not been much enthusiasm for it among decision makers; and Finland, as one of the few European countries, has remained without such a law. Similar to other measures, it would need to be essential and proportional, and the right to life and health and the prevention of spreading have not been found essential enough to amend the law.

VI. Right to Privacy in Workplaces and Restaurants

According to the General Data Protection Regulation39 and the Data Protection Act (1050/2018), the processing of personal data must in many respects be “proportionate” and “necessary.” This also applies to data at workplaces, and confidential health data, such as a COVID-19 infection, should be handled only by specifically designated persons. The Office of the Finnish Data Protection Ombudsman (DPO) has instructed that employers are normally not allowed to internally or externally name an employee who has been diagnosed positive and that they should instead internally inform their employees more generally, possibly advising others to work remotely, and externally in some other way, if needed, that the diagnosed person is not able to work.40 In suspected violations, a person may notify the DPO.

As of 27 November 2020, restaurants have not been required to collect contact information from their customers in case of possible exposure. If a person diagnosed with COVID-19 has visited a particular restaurant, authorities have often asked anyone who had been at that restaurant at a certain time to monitor their condition, rather than these people being directly contacted by the authorities or the restaurant. However, on 2 October, such “customer logs” were introduced by the Healthcare Districts of Lapland and Länsi-Pohja.41 Naturally, this would form a

39 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119/1 (General Data Protection Regulation, GDPR) 40 Office of the DPO, ‘Data protection and limiting the spread of coronavirus’, (12 March 2020, in English 17 March 2020) accessed 24 October 2020 41 ‘Lapin alueen matkailu- ja ravintola-alan terveysturvallisuusohjeet 2 October 2020’ ( 5 October 2020) accessed 24 October 2020

personal data register, and maintaining such a register requires certain steps. Furthermore, even if such information were required by the health authorities, there is no such obligation under the law and no means to sanction those who refuse to give information or provide false information, other than possibly refusing entry to that restaurant.

The DPO has instructed that a recommendation by the authorities would not be a sufficient basis for the processing of personal data. Instead, there would need to be the customer’s “voluntary, specific, informed and unambiguous consent”.42 This means that a person could not be refused entry even if they did not give their consent. The DPO has also emphasized the limitations on purpose and storage, data minimization and confidentiality, as well as the possibility to withdraw consent and request data erasure.43

VII. Evaluation

Similar to many other countries, Finland has adopted emergency powers during the COVID-19 pandemic. However, even during the state of emergency (16.3.-15.6.2020), restrictions on rights have been temporary and reviewed by the Parliament. Thus, even though the Government has received more powers, these have still been limited, and any restrictions must have been essential and proportionate. These requirements applied also to the Uusimaa lockdown, maybe the most severe restriction on the freedom of movement in Finland to date and one of the few cases where criminal law has been needed. However, it is notable that this measure affected only the borders and there was no lockdown within Uusimaa, also not between Helsinki and the rest of Uusimaa.

Similarly, there have been considerable restrictions on the freedom of assembly, such as the 10-person maximum, but these have always been temporary and set by the authorities rather than politicians. So far, such restrictions have not been widely challenged. On the other hand, unlike many other countries, Finland has not made face masks compulsory, not even in the worst-affected areas. This would require a law change and so far, only strong recommendations without sanctions have been given. It remains to be seen whether the “second wave” changes the situation in this respect. So far, measures in Finland have been relatively soft in comparison to other countries, with the focus on recommendations and public event restrictions.

42 ‘Mitä on huomioitava, jos asiakkaiden yhteystietoja kerätään koronavirusaltistumisten jäljittämistä varten?’ (added 23.10.2020) under Office of the DPO, ‘Usein kysyttyä koronaviruksesta ja tietosuojasta’ accessed 24 October 2020 43 ibid

Finland has introduced its own contact tracing app in order to track infection chains. This took place later than in other countries, but so far, there have not been problems with the right to privacy, and most notably, the app does not use the user’s location information. Thus, even though the app has been downloaded 2.4 million times, it does not seem to use the data for mass surveillance. Anonymized data on mobility has thus been obtained in other ways, such as through the Crowd Insights service. The use of the app is also voluntary and there are no legal duties set on those who tested positive or those who were potentially exposed. In addition to the Decrees during the state of emergency, the temporary legislation concerning the app is one of the few cases where new legislation has been needed due to the pandemic. Otherwise, the restrictions have been made on the basis of the existing laws, such as the CDA, s 58.1. Similarly, the GDPR and the Data Protection Act have also been applied during the pandemic and these clearly set restrictions on the processing of personal data in contexts like restaurant customer contact information, whose collection has not been generally required and which would always require the customer’s consent. It remains to be seen whether the Government wishes to introduce some new specific legislation.

VIII. Conclusion

As of 27 November 2020, Finland had reported 23,766 COVID-19 cases (7,419 in Helsinki) and 393 related deaths.44 This was less than one-tenth of the cases (250,983) and around one-eighteenth of the deaths (7,035) in neighboring Sweden.45 27 November 2020 set the daily Finnish record with 618 new cases and the 14-day incidence rate in Uusimaa was 172 and in the whole country 98.9 per 100,000, clearly rising, but still one of the lowest in Europe. At the same time, tougher measures were imposed, such as the 10-person limit for public events, but mandatory face masks or emergency powers were not adopted. Recommendations instead of prohibitions and sanctions have worked quite well, but tougher measures (Uusimaa lockdown) have been needed, too.

44 THL, ‘Tilannekatsaus koronaviruksesta’ accessed 27 November 2020 45 Folkhälsomyndigheten, ‘Antal fall av covid-19 i Sverige’ accessed 10 December 2020. Finland has around 55% of the Swedish population. In comparison, Norway, with slightly smaller population than Finland, had 35,717 cases. Norwegian Institute of Public Health, ‘Daily report and statistics about coronavirus and COVID-19’ accessed 10 December 2020.

Bibliography

Table of Cases

KHO 2020:108

Table of Legislation

Assembly Act (530/1999)

Communicable Diseases Act (1227/2016)

Data Protection Act (1050/2018)

Emergency Powers Act (1552/2011)

Finnish Constitution (731/1999)

Governmental Decree on the introduction of the powers provided for in s 118 of the Emergency Powers Act (145/2020)

Government Decree on temporarily restricting the opening hours of catering establishments to prevent the spread of a communicable disease (173/2020)

Governmental Decree on temporary restrictions on movement in order to protect the population (146/2020)

Governmental Decree repealing the Governmental Decree on the introduction of the powers provided for in s 118 of the Emergency Powers Act and the Governmental Decree on temporary restrictions on movement in order to protect the population (217/2020)

Police Act (872/2011)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L 119/1 (General Data Protection Regulation)

Table of Secondary Sources

Attorney General Decision 28 April 2020 Reg. no OKV/15/50/2020

AVI Western and Inland Finland Decision 9 May 2020 Reg. no LSSAVI/13954/2020

Constitutional Law Committee Statement PeVL 31/2020 vp

European Commission, ‘State aid: Commission approves €3 billion Finnish scheme to support companies affected by coronavirus outbreak’ (24 April 2020) https://ec.europa.eu/commission/presscorner/detail/en/IP_20_692 accessed 10 December 2020

FinPandem ‘FinPandem-sovellus taistelee koronaviruksen leviämistä vastaan’ (8 April 2020) https://www.sttinfo.fi/tiedote/finpandem-sovellus-taistelee-koronaviruksen-leviamista-vastaan-?publisherId=69817967&releaseId=69878753 accessed 24 October 2020

Folkhälsomyndigheten, ‘Antal fall av covid-19 i Sverige’ https://experience.arcgis.com/experience/09f821667ce64bf7be6f9f87457ed9aa accessed 10 December 2020

Governmental Proposition to Parliament for a Law temporarily amending the Communicable Diseases Act HE 101/2020 vp.

Helsinki Police Department, ‘Helsingin poliisi valmistautuu valvomaan muiden poliisilaitosten kanssa liikkumisrajoitusta Uudenmaan rajalla’ (26 March 2020) https://poliisi.fi/helsinki/tiedotteet/1/0/helsingin_poliisilaitos_valmistautuu_valvomaan_yhdessa_muiden_poliisilaitosten_kanssa_liikkumisrajoituksen_noudattamista_uudenmaan_rajalla_88872 accessed 24 October 2020

Järv, O., Willberg, E., Väisänen, T. & Toivonen, T. ‘Towards summer cottages: Mobility flows amid the COVID-19 outbreak in Finland in March’ (15 May 2020) https://blogs.helsinki.fi/digital-geography/2020/05/15/urban-dwellers-escaped-to-their-summer-cottages-amid-the-covid-19-outbreak-in-finland-in-march/ accessed 24 October 2020

Ketju-sovellus, ‘Ketju-project - Final Report’ (18 June 2020) https://github.com/ketjusovellus/documents/blob/master/Ketju-project_final_report.pdf accessed 24 October 2020

Koronavilkku backend and Android and iOS applications https://github.com/THLfi accessed 24 October 2020

Lapin alueen matkailu- ja ravintola-alan terveysturvallisuusohjeet 2 October 2020 (online 5 October 2020) https://www.lshp.fi/fi-FI/Lapin_ja_LansiPohjan_sairaanhoitopiirien(12796) accessed 24 October 2020

Malmberg, T. ‘We scanned Koronavilkku – these are our findings’ (22 September 2020) https://www.mintsecurity.fi/en/we-scanned-koronavilkku-these-are-our-findings/ accessed 24 October 2020

National Cyber Security Centre Opinion 25 August 2020 Reg. no TRAFICOM/10075/09.04.00/2020

National Police Board, ‘Liikkumista koskevat rajoitukset otetaan Uudellamaalla käyttöön – poliisi kehottaa kaikkia tekemään osansa koronaviruksen leviämisen hillitsemiseksi’ (26 March 2020) https://poliisi.fi/poliisihallitus/tiedotteet/1/0/liikkumista_koskevat_rajoitukset_otetaan_uudellamaalla_kayttoon_poliisi_kehottaa_kaikkia_tekemaan_osansa_koronaviruksen_leviamisen_hillitsemiseksi_88852 accessed 24 October 2020

National Police Board, ‘Poliisi tarkastelee Uudenmaan maakuntarajalla 28.3.–15.4.2020 annettuja sakkovaatimuksia Eduskunnan oikeusasiamiehen päätöksen mukaisesti’ (11 May 2020) https://www.poliisi.fi/poliisihallitus/tiedotteet/1/0/poliisi_tarkastelee_uudenmaan_maakuntarajalla_28_3_15_4_2020_annettuja_sakkovaatimuksia_eduskunnan_oikeusasiamiehen_paatoksen_mukaisesti_90130 accessed 24 October 2020

Norwegian Institute of Public Health, ‘Daily report and statistics about coronavirus and COVID-19’ https://www.fhi.no/en/id/infectious-diseases/coronavirus/daily-reports/daily-reports-COVID19/ accessed 10 December 2020

Office of the DPO, ‘Data protection and limiting the spread of coronavirus’, (12 March 2020, in English 17 March 2020) https://tietosuoja.fi/en/-/tietosuoja-ja-koronaviruksen-leviamisen-hillitseminen accessed 24 October 2020

Office of the DPO, ‘Usein kysyttyä koronaviruksesta ja tietosuojasta’ https://tietosuoja.fi/koronavirus accessed 24 October 2020

Parliamentary Ombudsman Decision 8 May 2020 Reg. no EOAK/2464/2020

Prime Minister's Office, Memorandum ‘Valtioneuvoston asetus liikkumisen tilapäisistä rajoituksista väestön suojaamiseksi’ (27 March 2020)

Prime Minister's Office, Memorandum ‘Valtioneuvoston asetus valmiuslain 118 §:ssä säädettyjen toimivaltuuksien käyttöönotosta annetun valtioneuvoston asetuksen ja liikkumisen tilapäisistä rajoituksista väestön suojaamiseksi annetun valtioneuvoston asetuksen kumoamisesta’ (15 April 2020)

Rimpiläinen, T. ‘Nuorison bileet, hätävale kuolevasta mummosta ja mies jota "rajoitukset eivät koske" – Yle selvitti: näin valmiuslakia on rikottu’ (YLE, 8 May 2020) https://yle.fi/uutiset/3-11335443 accessed 24 October 2020

Scheinin, M. & Rautiainen, P. ‘Koronakriisin uusissa toimissa valmiuslain nojalla ollaan nyt poikkeamassa ihmisoikeussopimuksista – valtioneuvosto leikkii jumalaa’ (Perustuslakiblogi, 26 March 2020) https://perustuslakiblogi.wordpress.com/2020/03/26/martin-scheinin-pauli-rautiainen-koronakriisin-uusissa-toimissa-valmiuslain-nojalla-ollaan-nyt-poikkeamassa-ihmisoikeussopimuksista-valtioneuvosto-leikkii-jumalaa/ accessed 24 October 2020

Telia, ‘Telian paikkatietopalvelu auttaa Valtioneuvostoa koronaviruksen vastaisessa taistelussa’ (3 April 2020) https://www.telia.fi/artikkelit/artikkeli/telia-ja-vnk-yhteistyohon-korona-taistelussa-newsroom accessed 24 October 2020

THL, ‘Käyttäjät tekivät Koronavilkun kautta 600 tartuntailmoitusta syyskuussa’ (1 October 2020) https://thl.fi/fi/-/kayttajat-tekivat-koronavilkun-kautta-600-tartuntailmoitusta-syyskuussa-varmista-etta-sinulla-on-sovelluksen-uusin-versio accessed 24 October 2020

THL, Memorandum ‘COVID-19 epidemia - tilannekuva ja Uudenmaan rajoitukset’ (13 April 2020)

THL, ‘Serological population study of the coronavirus epidemic’, https://thl.fi/en/web/thlfi-en/research-and-expertwork/projects-and-programmes/serological-population-study-of-the-coronavirus-epidemic accessed 24 October 2020

THL, ‘Tilannekatsaus koronaviruksesta’, https://thl.fi/fi/web/infektiotaudit-ja-rokotukset/ajankohtaista/ajankohtaista-koronaviruksesta-covid-19/tilannekatsaus-koronaviruksesta accessed 27 November 2020

Tiainen, A. ‘HS tilasi tietoturvayhtiöltä selvityksen: Miten Koronavilkku toimii ja onko sen tietoturva riittävä?’ (Helsingin Sanomat, 2 September 2020) https://www.hs.fi/teknologia/art-2000006621797.html accessed 24 October 2020

Ireland

By Cian Henry & Matthew Nuding1

I. Introduction

The story of the Irish response to the COVID-19 pandemic has been one of phases. Initially, lockdown began in mid-March 2020, followed by the easing of restrictions from May and continuing over the summer, leading to the re-tightening of restrictions from August up until the time of writing in November. The approach of the Irish government and public health authorities has been to ‘flatten the curve’ and ‘live with COVID’ – loosening restrictions where possible and tightening them where necessary.

While draconian restrictions on people’s movements have existed at points throughout Ireland’s response to COVID-19,2 these have generally been used as a tool of last resort where the incidence of the virus is very high. In an attempt to avoid implementing unpopular and economically damaging restrictions on liberty, the Irish government has looked to other strategies to contain the virus. While these strategies have sought to limit the impact on basic rights of movement, they have instead placed pressure on citizens’ privacy rights. The gravity of the situation may merit the approach, yet the shifting of focus in containing the virus from liberty to privacy rights carries its own costs and dangers, which are the subject of this report.

In Part I, we address the practice of contact tracing, as carried out via the creation of a mobile application, as performed in government-established contact tracing centres, and as outsourced to retail and hospitality businesses. In Part II, we consider some additional data processing on the part of the government, in particular the use of health data in statistics and the

1 Cian Henry is a Barrister-at-Law student at The Honorable Society of King’s Inns. Matthew Nuding is a Junior Policy Analyst in Digital Economy. The authors would like to thank Rachael O’Byrne and Orla Heatley for their helpful comments on a previous draft of this report. All views expressed herein are those of the authors alone. 2 Paul Cullen and Pat Leahy, Coronavirus: People told to stay at home in virtually all circumstances, (27 March 2020); Pat Leahy, Jack Horgan-Jones, Jennifer Bray and Shauna Bowers, Covid-19: State moves to Level 5 for six weeks with hopes of “meaningful” Christmas celebrations, The Irish Times (19 October 2020).

gathering of location data via the passenger locator form. In Part III, we address the now-widespread practice of working from home as encouraged by the Irish authorities, which has significant implications related to data breaches and employee surveillance.

Before commencing our analysis, it is worth noting that most of the threats to privacy rights which we identify do not result from direct action by the Irish government. Whereas there has been little legislation or regulation on the topic since the onset of the pandemic, more relevant have been the practices which have sprung up in response to the crisis, existing largely in the shadow of the law. In some cases, there has been little or no regulation of these practices; however, there has been a significant volume of guidance issued. We examine the impact that these practices have on privacy rights, having regard both to explicit regulation and the applicable guidance.

II. Contact Tracing

A crucial way that governments across the world have tackled the spread of COVID-19 is via the strategy of contact tracing. The goal of this strategy is that citizens can be tracked and alerted when they come into close contact with people who later test positive for COVID, so that they can self-isolate and reduce the spread of the virus. Although contact tracing to some extent alleviates the need for blanket restrictions on movement, concerns have been raised about the volume of data, and the processing of that data, which contact tracing implies, particularly in the context of Ireland’s obligations pursuant to GDPR.

Compliance with GDPR does not preclude the possibility of an aggressive and effective response to COVID-19 with a comprehensive contact tracing regime. In fact, Article 9(2)(i) of GDPR and s. 53 of Ireland’s Data Protection Act 2018 explicitly permit the processing of data acting on the guidance of public health authorities. Nonetheless, it is clear that Ireland’s data protection regime does place limits on contact tracing efforts insofar as certain key GDPR principles must be respected, such as data minimisation, limitation of purpose, transparency, and non-retention. This is especially so in circumstances where health data, a central component of contact tracing, is considered by GDPR as a category of data warranting special protection.3 Two kinds of

3 General Data Protection Regulation, art 9.

contact tracing will be considered in this Part: via the proliferation of a mobile application and manual tracing carried out both by the government and as outsourced to businesses.

A. COVID Tracker App

A central limb of the Irish government’s contact tracing strategy has been the development and use of a mobile app. On 6 July 2020, over three months after government officials announced that an app was in development,4 the ‘COVID Tracker App’ was launched. Within eight days, the app was downloaded 1.3 million times, becoming the fastest-downloaded app per capita in Europe.5 At the time of writing, the app has 2.2 million downloads in a population of 4.7 million,6 with its active users totalling 1.3 million.7

The principal purpose of the app is to automate a proportion of the work of identifying and notifying close contacts of confirmed COVID-19 cases which provides the basis for the government’s contact tracing efforts. Separate to contact tracing, the app collects data which the government uses to track trends and possible outbreaks. In particular, users are requested upon registration to volunteer information such as age, sex, and location; thereafter they have an option every day to indicate any symptoms that they have developed. In addition, the app acts as a means through which information can be communicated to the public, such as statistics of confirmed cases and deaths.

How the contact tracing function works

Developed by an Irish company called NearForm,8 the Irish COVID app was built based on the Google and Apple Exposure Notification (GAEN) API.9 The app uses a smartphone’s Bluetooth signal to exchange digital keys with other phones running the app where the devices are within two meters for more than 15 minutes, with the data stored on the phone locally to protect users’ privacy. Positive COVID cases can upload their anonymous keys to the app to signal to close contact users, who receive a notification or phone call, that they need to self-isolate and seek a COVID test. Crucially, the company achieved interoperability between apps when used in different jurisdictions. In the Irish context, this is significant for Northern Ireland and the , two jurisdictions which share a border.10

4 Susan Mitchell and Aaron Rogan, Phone tracking app set to be used as next step to fight COVID-19 Business Post (, 29 March 2020)

5 Rory Carroll, Cheap, popular and it works: Ireland's contact-tracing app success The Guardian (London, 20 July 2020)

6 Central Statistics Office, Ireland Census 2016: Population change and historical perspective (2017)

7 COVID Tracker App statistics provided in-app (29 November 2020).

8 NearForm later went on to develop contact tracing apps in Gibraltar, , Jersey, , as well as several US states, including , , Delaware and .

At the time of writing, 5,739 confirmed cases of COVID-19 have uploaded their random IDs to the app and 10,530 users have been sent a close contact alert.11 It is unclear how many of these users would otherwise have been notified by the manual contact tracing process, how many completed the self-isolation period and how many developed COVID-19.

Privacy concerns

Prior to the app’s release, the (HSE) published key design and data privacy documents, including the app’s source code,12 a Data Protection Information Notice (DPIN),13 and a Data Protection Impact Assessment (DPIA),14 which were sent to the Data Protection Commission (DPC). The legal basis for the processing of data is based on consent of the user, provided for by Art 6(1)(a) of GDPR for processing of personal data and Art 9(2)(a) for processing of special categories – in this case, health data.

While many have praised Ireland’s COVID tracker app, some researchers have raised serious concerns relating to privacy and data harvesting. Leith and Farrell15 found that while the public health authority component of the app shares little data and is relatively private, the software – – that runs on all Android phones, and which is required to use the app, sends highly sensitive personal data to Google servers every 20 minutes. This potentially allows tracking of the IP address of the phone user. The data includes the phone’s contact number, IMEI, hardware and SIM serial numbers, and information on other apps on the phone. This has the potential to draw a mature profile of the users’ lives. Leith and Farrell described this component of the app as ‘extremely troubling from a privacy viewpoint’.16 They further criticised that, despite ample opportunities to review NearForm’s technology and source code, there was a complete lack of scrutiny of the Google/Apple API technology. This concern was shared by the Irish Council for Civil Liberties (ICCL) who claimed the closed nature of the source code of the Google/Apple API is problematic in terms of governance and oversight.17

9 This is a collaboration between Google and Apple that provides the core functionality for building public health contact tracing apps.

10 Department of Health, Ireland achieves world first in contact tracing app interoperability – Minister Donnelly (31 July 2020)

11 Statistics provided by COVID Tracker App (16 December 2020).

12 COVID Green source code (17 August 2020)

13 COVID Tracker Documentation, Data Protection Information Notice (28 July 2020)

14 COVID Tracker Documentation, Data Protection Impact Assessment (26 June 2020)

In response to Leith and Farrell’s paper, the HSE said it welcomed research to improve the app and implemented one of the suggestions to upgrade the app’s privacy rating – the removal of a contact between the application and Google’s Firebase system. However, two other suggestions were not implemented. One was the removal of a field in requests sent to the HSE, such as a person’s close contact records, which could potentially be used to track a phone over time. The second relates to how the app communicates with Google. For their part, Google claimed that the sharing of such information was standard industry practice and aimed to keep people and systems safe from attacks.18 Moreover, Google stated that they do not have access to data within the app, including that gathered by Google Play Services, and information relating to the end user, location data, or information about any other devices in the proximity of which the user has been.19

15 Douglas J. Leith and Stephen Farrell, Contact Tracing App Privacy: What Data Is Shared By Europe’s GAEN Contact Tracing Apps (18 July 2020)

16 ibid 11.

17 ICCL, Serious privacy and data harvesting concerns about technology underlying HSE app (ICCL, 21 July 2020)

18 Cianan Brennan and Ken Foxe, ‘Dept of Health officials dismissed criticism of COVID tracker app as 'incorrect'’ Irish Examiner (Dublin, 13 October 2020)

19 Cantillon, ‘Questions linger over Google access to COVID Tracker Ireland app’ Irish Times (Dublin, 23 July 2020)

Prior to the app’s release, ICCL, together with Digital Rights Ireland (DRI), reviewed the app from a privacy perspective and gave it a C+. They cited a lack of evidence from the HSE that the app would curb transmission of COVID-19, submitting that the HSE asserted this as fact rather than proving it with evidence.20 Moreover, they stated that while preventing COVID-19 is a laudable goal, human rights law requires that any interference with privacy must be lawful, necessary, and proportionate.21 ICCL and DRI also took issue with the app’s symptom tracking feature because it extends beyond the clear and limited purpose for a contact tracing app.22 They also criticised that the app asks people to submit optional information during the registration process.

Another potentially problematic aspect of the app is that it outsources the text messaging service to a US company, Twilio, which entails user data being transferred to the US for processing. The DPIN states that the EU-US Privacy Shield provides sufficient data protection safeguards in this regard. This agreement, however, was recently ruled invalid by the European Court of Justice (ECJ) on 16 July in Schrems II.23 The implications of this ruling remain to be seen and extend far beyond this instance.

Several months into the app’s operations, ICCL commended the steps taken by the HSE and the Department of Health (DoH) before launching the app, stating that it was an example of good practice in terms of consultation and transparency.24 However, they requested information from the government on whether or not the app has been effective in curbing the transmission of COVID-19, and noted the outstanding data privacy concerns regarding the Google/Apple API, as discussed above.

20 ICCL and DRI, HSE COVID Tracker App: Pre-Release Report Card (1 July 2020)

21 ICCL and DRI, Submission to the Special Committee on COVID-19 (16 June 2020)

22 EDPB, Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (21 April 2020)

23 Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems [2020]

24 ICCL, Submission to the Oireachtas COVID-19 Committee (3 September 2020)

B. Manual Contact Tracing

While the COVID-19 app automates a significant portion of the work involved in contact tracing, it is only one aspect of the overall Contact Management Program (CMP) which has been established by the HSE in Ireland.25 Working alongside the app, the government has established a number of Contact Tracing Centres, where more than 1500 people have been trained to do the work of collecting data on COVID-19 cases and alerting close contacts.26 To do so, these contact tracers use a web-based IT system known as COVIDCare Tracker (CCT). When COVID-19 test results are returned from laboratories, or when suspected cases are otherwise reported, the details of those people are uploaded to a password-protected module on the CCT. These cases receive a text message with the results of their test and, if positive, a phone call from a contact tracer which advises them to self-isolate and asks for the contact details of those with whom they have been in close contact.

The contact details of close contacts are uploaded to the CCT and a different contact tracer later calls to alert those people. As COVID-19 cases are anonymised on the CCT by the assignment of an ID code, the contact tracer cannot see, and would not in any case be permitted to disclose, the identity of the person who has COVID-19. It is clear that efforts have been made to address the privacy risks inherent in the CMP insofar as possible, and in particular to shield the anonymity of the confirmed or suspected COVID-19 case. Clearly, privacy concerns remain insofar as contact tracers manage a large database including test results, identities of close contacts, and contact details. Generally, this incursion into privacy has been seen as a price worth paying in light of the social good brought about by contact tracing. However, in October, reports emerged that the CMP had become overwhelmed, with the result that more than 2,000 people were asked to inform their own close contacts.27 If it were the case that the CMP could not deliver on its promise to alert close contacts and limit the spread of COVID-19, the impingement on privacy would be much harder to justify.

25 Introduction to COVID-19 Contact Tracing Centres (CTCs), Health Protection Surveillance Centre,

26 COVID-19 Contact Tracing Centres, Government of Ireland

27 Christina Finn, Anger mounts as government learns of contact tracing collapse impacting thousands through the media The Journal (Dublin, 21 October 2020)

In addition to relying on people to self-report their close contacts, the National Standards Authority of Ireland has published guidance for businesses which includes a suggested questionnaire to be completed by customers upon arrival.28 Under this guidance, retail and hospitality businesses where close contact can occur, such as bars and restaurants, have been encouraged to keep records of who is present at a given time to aid contact tracing efforts. In some sense, this outsources the work of compiling close contacts from the government to the private sector.

In response to this development, the DPC has issued guidance on how customer data can be processed in a manner compliant with GDPR.29 The extent to which businesses have complied or not with data privacy standards is as of yet unclear. Taking a step back, it can be observed that a large number of retail and hospitality workers with little to no training in the requirements of data protection, such as floor staff in a restaurant, have now become data controllers. This has not been seamless and, anecdotally, it seems that a large number of businesses have not approached the collection of data in a systemised and considered manner as required by GDPR. Several issues in this respect warrant immediate attention. First, the collection of data should be transparent in that it should be flagged to customers in advance. Second, the information must be stored securely; businesses which compile paper lists of customers must take care that the lists are not viewable to customers on the premises and only sparingly to staff. Third, the data should only be used for a limited purpose; businesses should not use contact tracing forms to add customers to their mailing list. Fourth, data should be deleted as soon as practicable and be kept no longer than one month.

III. Health data and statistics

The DoH publishes a press release with details of confirmed cases and deaths notified for that day. This announcement is frequently accompanied by a press conference where these details are discussed, alongside the measures being undertaken and updates on hospital capacity. In each press release, the department includes the following data: hospital statistics (total number of cases in hospitals, including ICU, clusters); gender of patients; age range affected; the method of COVID-19 transmission (such as community, close contact, travel abroad, unknown); hospitalised cases by age group; and cases by county. This data is also published on Ireland’s open data portal30 and a COVID-19 data hub,31 which includes detailed statistics, graphs and other information. As the European Data Protection Board (EDPB) has noted, any personal data collected should be sufficiently protected by law, anonymised as much as possible, only used for its stated purpose and disclosed only to the health authorities and no third parties.

28 National Standards Authority of Ireland, COVID-19 Retail Protection and Improvement Guide (2020)

29 Data Protection Commission, Processing Customer Data for COVID-19 Contact Tracing (14 September 2020)

At the beginning of the pandemic, when there were few confirmed cases, the DoH was cautious not to provide too much detail of individuals contracting COVID-19 in case they were identified. For example, on 6 March 2020, while five new cases were announced, the location of these cases was made no more specific than listing the region of the country in which they took place (i.e. east, west).32 Prior to that, on 1 March 2020, a school in Dublin was closed due to a confirmed case of COVID-19 amongst the pupils. The school was not named to protect what the Chief Medical Officer described as ‘patient confidentiality’.33 There have been no reports of data breaches, data being used for a purpose other than intended, nor individuals being identified through anonymised information released to the public.

The HSE published a data protection policy34 in light of COVID-19 which covers data they collect, including personal data relating to patients, service users and health care workers before people are tested for COVID-19. The policy covers all requirements of GDPR.

30 Government of Ireland, Open Data Portal (2020)

31 Government of Ireland, Ireland's COVID-19 Data Hub (2020)

32 Paul Cullen, Coronavirus Ireland: Five new cases confirmed in Republic Irish Times (Dublin, 6 March 2020)

33 Dominic McGrath, COVID-19: Dublin secondary school to close for two weeks after pupil confirmed as first case in Rep of Ireland The Journal (Dublin, 1 March 2020)

34 HSE, COVID-19 Data Protection Policy (2020)

Meanwhile, the DoH has a general privacy policy35 that is not specific to COVID-19. They have indicated that due to the extraordinary measures arising from COVID-19, there may be delays in responding to data protection and subject access requests.36

IV. Work from Home

While it has long been the case that some portion of the Irish workforce conducts their work remotely, the practice of working from home (‘WFH’) has been propelled into the mainstream by the exigencies of the COVID-19 pandemic. It has consistently been the advice of the Irish government that people should avoid travelling into work physically if it is not necessary that they do so; where possible, employers have generally accommodated for this. In practice, the outcome has been that, whereas many in public-facing jobs have continued to attend work in-person, the large proportion of the Irish workforce who work in office jobs have generally continued their work from home. With many offices having indicated their intention to remain closed for the remainder of 2020, this state of affairs seems likely to persist for the foreseeable future.

Among other things, the increased prevalence of working from home has intensified already-existing privacy concerns and two in particular receive attention below: first, greater opportunities for damaging data breaches; second, the use of technology to invade the privacy of employees.

A. Data breaches

As the location of choice for many data-rich technology companies, it should be no surprise that a large number of data breaches are reported in Ireland every year, including the second highest per-capita number of data breaches in the EU last year.37 These data breaches have the potential to expose large volumes of confidential information, at a significant cost to the privacy rights of data subjects.

35 Department of Health, Privacy Policy (5 June 2020)

36 Department of Health, Protecting Personal Data in the Department of Health (5 June 2019)

37 Colm Gorey, 6,700 flagged data breaches in Ireland is second highest per capita in Europe Silicon Republic (20 January 2020)

The increased prevalence of WFH exacerbates vulnerability to data breaches in two main ways. First, when working outside the office context, employees are more isolated and therefore may be more easily targeted by cyberattacks. Already, early indications show an uptick in online fraud offences in Ireland.38 Perniciously, there have been reports of malicious cyberattack campaigns specifically targeting remote workers, for example ‘phishing’ scams using language related to COVID-19.39 Secondly, the fact that employees are working from home means they will inevitably be handling sensitive information in informal settings, often on personal devices and surrounded by non-employee co-habitants.

In response to the vast increase in people working from home, the DPC has sought to raise awareness of good practice approaches which can prevent breaches occurring in the first place. In particular, the DPC has issued guidance on how to ward against data security risks specific to the WFH context.40 With respect to devices used at home, the DPC advises that their operating systems and anti-virus software are kept up to date, and that devices are kept locked when unattended. The DPC has long stressed the value of multi-factor authentication (MFA) in preventing security violations and strongly emphasises this advice in the current context. When working at home, many may be tempted to use personal email accounts; however, the DPC advises against this wherever confidential data is concerned. Where possible, employees should work only on their employer’s secured cloud and network services; where they must save data locally, they should do so in a secure manner. Beyond the digital, the use of paper records at home raises significant data privacy concerns, and the DPC advises that this use is avoided. Where necessary, paper records should be stored securely and shredded when no longer required. Finally, with respect to the particular threat posed by phishing scams, the DPC has issued separate guidance to help people identify such scams and avoid causing data breaches.41

38 Garreth MacNamee, Garda stats: Domestic violence, drug possession and fraud on the rise during lockdown The Journal (12 June 2020)

39 Matheson, COVID-19 Data Protection and Cyber Security Issues to Consider (26 March 2020)

40 Data Protection Commission, Protecting Personal Data When Working Remotely (12 March 2020)

With regard to the government’s approach to cybersecurity in particular, the new government has, since the onset of the pandemic, committed to the full implementation of the national cybersecurity strategy which was published in December 2019.42 Several years ago, the government established the National Cyber Security Centre (NCSC) with a remit specific to cybersecurity, and the NCSC has released its own guidance, in similar terms to the DPC’s, on WFH risks.43 However, as has been observed recently in the Irish parliament, the NCSC runs on a minimal budget of €4 million and employs only 24 staff, which raises questions as to whether it has the resources to tackle the growing threat of cyberattacks.44

B. Surveillance

The idea that the use of technology in the workplace can impinge on the privacy rights of employees is nothing new, yet the sudden shift of reliance onto existing and sometimes relatively untested technology services has prompted further attention to the privacy risks they carry. One technology which warrants singling out is video-conferencing, the use of which increased several-fold virtually overnight. In Ireland, the DPC issued guidance to individuals and organisations regarding the safe use of video-conferencing technology, in particular highlighting the need to use only trusted services, minimise the data shared with them, and make appropriate use of controls allowing the user to mute, switch off video, and log off.45 While the exercise of caution in this respect is welcome, this guidance has little to say about the inherent invasiveness of video-conferencing. Most obviously, when using video-conferencing, employees are effectively required to bring their workplace and work colleagues ‘into’ their home. While the DPC urges that employees exercise care in what they show behind them on their camera, there is only so much that the employee who does not have access to a quiet, private room can do to protect the privacy of their home life.

41 Data Protection Commission, Staying safe online during a pandemic (26 March 2020)

42 Government of Ireland, National Cyber Security Strategy (December 2019)

43 National Cyber Security Centre, Working From Home Security Advice (8 April 2020)

44 Dáil Éireann debate (15 July 2020) Vol. 995 No. 1

45 Data Protection Commission, Data Protection Tips for Video-conferencing (3 April 2020)

The broader issue here – the difficulty for employees in maintaining a separation between their work and home lives – is not a new one. The explosion of communication technologies since the turn of the century has prompted an ongoing discourse on the ‘right to disconnect’ from work, a topic which warrants extensive analysis elsewhere. For our purposes, it suffices to say that the boundary between work and home has been put under even greater pressure by the sudden increase in reliance on services such as email, video-conferencing, and instant messaging. It is essential to workers’ rights,46 but also to their privacy, that they can at some point ‘leave’ work, and this becomes more difficult where work is conducted remotely.

V. Summary evaluation

As evidenced throughout this report, the main threats to privacy rights have come from practices which have emerged in response to the crisis, rather than through legislation or regulation. In some cases, there has been little or no regulation of these practices, aside from the issuance of guidance by relevant bodies such as the DPC. While the Irish government has sought to make use of alternative strategies to draconian movement restrictions, the Irish response to COVID-19 has at times been restrictive of the privacy rights of citizens.

The rollout of Ireland’s COVID-19 Tracker App was praised, in particular for its transparency and its engagement with relevant stakeholders. It took on board recommendations by civil society groups and academic researchers to improve its privacy standards. Nonetheless, there are outstanding privacy issues which have not been addressed, namely arising from the Google/Apple API. While NearForm’s source code was released as open source, there was a lack of scrutiny of the Google/Apple API, the code of which remains closed. This is problematic in terms of oversight and governance, particularly given the outstanding questions on possible data harvesting by Google. Furthermore, the effectiveness of the app in curbing the transmission of COVID-19 remains to be proven by the government.

46 Alan Eustace, 'Protecting Workers’ Rights during COVID-19 – a Remote Prospect?' COVID-19 Law and Human Rights Observatory Blog (12 June 2020)

The requirement for businesses to conduct manual contact tracing has significantly increased the amount of personal data which is being processed. The collection of data has become pervasive – even an innocuous visit to a restaurant may trigger an obligation to disclose personal data. What is perhaps most troubling in this regard is the increase in the number of data controllers which this implies, as people who have received little training in the requirements of data protection are required to handle large volumes of sensitive data. While there may be good public health reasons for this expansive approach, the risks that this development poses for privacy have yet to be seriously addressed. While the DPC have issued some guidance to assist businesses in collecting and processing personal data, it has yet to be seen whether this will be accompanied by increased oversight. The costs of these developments to data privacy may not yet be felt but may have serious implications in the long run.

The publication of health data and statistics on COVID-19 cases has presented little to no privacy concerns.

An enormous shift towards WFH since mid-March has been an important means of addressing the spread of COVID-19 in Ireland. However, this carries with it significant threats to privacy. The fact that people are working outside the office makes them vulnerable both to cyberattacks and leaks leading to data breaches which can be extremely damaging to the privacy rights of data subjects. In response to these developments, the DPC has issued guidance which will assist remote workers and their employers in mitigating the risks of falling victim to a data breach. On a broader note, however, this would perhaps be a good time for the Irish government to consider their approach to combating nefarious cyberattacks more generally, and in particular how they might move to fully implement the national cybersecurity strategy, which was published immediately prior to the onset of the pandemic. A second issue which has arisen with respect to WFH is an increased reliance on technologies, such as video-conferencing, which have the potential to encroach on the privacy of employees in their homes. While the DPC has issued guidance regarding the safe use of video-conferencing, attention to the broader issue of the invasiveness of technology and its impact on the privacy of remote workers would be welcomed.

VI. Conclusion

At the time of writing, there have been 72,238 confirmed cases of COVID-19 in Ireland and 1,795 deaths from amongst them.47 While these numbers are undoubtedly serious, they compare favourably with Ireland’s European neighbours. For example, Irish cases and deaths per capita stand at around half of those experienced by the United Kingdom and at a rate less than almost all other countries in Western Europe. Accordingly, it can be said that Ireland has been reasonably successful in suppressing the spread of COVID-19 in the context of the high incidence of the virus in Europe.

At times, this suppression has been achieved by draconian restrictions on movement, most particularly in March/April and October/November. However, extended ‘lockdowns’ have proved politically unpalatable, and the Irish government has sought to control the virus by means other than movement restrictions where possible. Most particularly, over summer 2020, it pursued a strategy of tracking citizens with the aim of identifying and suppressing outbreaks early, in the hope that this would avoid the need for strict liberty restrictions. Whether these measures succeeded in limiting the spread of the virus, even for a time over the summer when cases were lower, is the subject of some debate and attention has been drawn to some defects in the government’s approach. Irrespective of this, the central argument of this report has been that, while some pressure on citizens’ liberty rights may have been relieved, the burden of the government’s strategy over the summer on rights has shifted to privacy rights. In addition to the impact of contact tracing on privacy rights, the report has discussed how new circumstances brought about by the virus, most notably WFH, make citizens’ privacy rights more exposed than ever. While much about the Irish government’s response to COVID-19 is worthy of praise, it is important that the privacy concerns caused by it, as analysed in this report, are addressed promptly.

47 Health Protection Surveillance Centre, ‘Epidemiology of COVID-19 in Ireland’ (30 November 2020).

The Netherlands

By Merel van Gils


I. Overview of the Dutch Response to COVID-19

On 9 March 2020, the government of the Netherlands announced the first set of measures to combat the spread of COVID-19 in the country.1 The government measures were neither incredibly far-reaching nor mandatory, but strongly recommended. Everyone was just advised to wash their hands regularly and not to sneeze or cough into their hand. That day, Prime Minister Mark Rutte also urged members of the public to stop shaking hands.

Though the government did not consider more extensive restrictions necessary at that time, the situation in the country swiftly worsened. In response to the increasing number of COVID-19 patients in intensive care units, the Netherlands gradually entered into an ‘intelligent lockdown’2 within two weeks.3 Measures regarding working from home and social distancing were imposed on the entire country,4 and those who failed to keep 1.5m distance from others in public could be penalized with fines.5 Restaurants, cafés, and coffeeshops were obliged to close their doors to diners, except for take-out orders; while schools and universities had to shut down in-person classes and migrate to online platforms.6 Even nursing homes became inaccessible for visits from family and friends.7

1 Rijksoverheid, ‘Hygiënemaatregelen van belang om verspreiding van het coronavirus tegen te gaan’ (9 March 2020) <https://www.rijksoverheid.nl/actueel/nieuws/2020/03/09/hygienemaatregelen-van-belang-om-verspreiding-coronavirus-tegen-te-gaan?>

2 ‘Intelligent lockdown’ is the term the Prime Minister used to describe the relatively mild protective measures that were taken in response to COVID-19 in comparison to other European countries. It was a lighter version of a full lock-down. Although restaurants, schools, gyms and ‘contact professions’ were closed and people were urged to stay indoors, everyone was still allowed to move freely as long as they kept a distance of 1.5m from others in public.

3 Rijksoverheid, ‘Letterlijke tekst persconferentie minister-president Rutte, ministers Grapperhaus, De Jonge en Van Rijn over aangescherpte maatregelen coronavirus’ (23 March 2020)

4 Rijksoverheid, ‘Nieuwe maatregelen tegen verspreiding coronavirus in Nederland’ (12 March 2020) <https://www.rijksoverheid.nl/actueel/nieuws/2020/03/12/nieuwe-maatregelen-tegen-verspreiding-coronavirus-in-nederland>

5 Rijksoverheid, ‘Aanvullende maatregelen 23 maart’ (23 March 2020) <https://www.rijksoverheid.nl/actueel/nieuws/2020/03/24/aanvullende-maatregelen-23-maart>

6 Rijksoverheid, ‘Aanvullende maatregelen onderwijs, horeca en sport’ (15 March 2020) <https://www.rijksoverheid.nl/actueel/nieuws/2020/03/15/aanvullende-maatregelen-onderwijs-horeca-sport>

Since May, many lockdown restrictions were relaxed and were replaced by less restrictive measures due to the drop in confirmed COVID-19 cases in the Netherlands.8 Although online education remains the default mode of delivery in universities, most primary and secondary schools were reopened. During summer and the beginning of fall, the public became complacent in observing the COVID-19 restrictions in place, which may have played a significant role in causing the second wave of infections. This led to the announcement of new regulations at the end of September.9 Instead of an ‘intelligent lockdown’, the new rules related mostly to group sizes and the registration of visitors to certain businesses.

Many of the COVID-19 regulatory measures have had an impact on the privacy of residents. This country report offers an overview of said measures, with particular regard to the right to privacy. Due to the word limit, only the main – or most problematic – measures relating to privacy shall be evaluated. Part II discusses the legal framework within which the measures are taken and applies this framework in analysing the adopted measures. Part III addresses the measures relating to privacy such as the use of face masks, social distancing, and those involving the processing of personal data and data protection. It will then conclude in Part IV that the two largest issues of the Dutch approach to COVID-19 relating to privacy concern a lack of a sufficient legal basis for measures taken by the authorities and a lack of awareness among citizens of how to implement privacy regulations adequately.

II. Legal Framework

A. Fundamental Rights Framework

The Netherlands is subject to various international human rights instruments containing a right to privacy, such as the European Convention on Human Rights (ECHR),10 the International Covenant

7 ibid.
8 Kees Rottinghuis, ‘Acht maanden corona in Nederland, een overzicht van de maatregelen’ NRC (20 April 2020) <https://www.nrc.nl/nieuws/2020/04/20/corona-in-nederland-een-overzicht-van-de-maatregelen-a3995447>
9 Rijksoverheid, ‘Aangescherpte maatregelen om de verspreiding van het virus terug te dringen’ (28 September 2020) <https://www.rijksoverheid.nl/actueel/nieuws/2020/09/28/aangescherpte-maatregelen-om-de-verspreiding-van-het-virus-terug-te-dringen>
10 See ECHR, art 8.

on Civil and Political Rights (ICCPR),11 and the Universal Declaration on Human Rights (UDHR).12 Moreover, the right to privacy is enshrined in Article 10 of the Dutch Constitution (Grondwet, Gw). Hence, there is no shortage of legal sources which guarantee the right to privacy in the Netherlands.

The protection of privacy of members of the public is not inviolable. There are also human rights provisions that require the government to act. For example, the Dutch government is obliged to take measures to promote public health.13 To carry out this assignment, it can be necessary to interfere with the privacy of members of the public, but exceptions to human rights must be provided for in law. One of the basic premises of the Dutch Constitution is that major interferences with fundamental rights must be laid down in a democratically legitimized law drafted by government and parliament.14 Furthermore, international law provides that any interference with the right to privacy must be necessary in a democratic society and must serve a legitimate purpose.15 Although public health goals are legitimate, the Netherlands must still adhere to the principles of necessity and proportionality when imposing measures impacting the privacy of citizens.

B. Legal Basis for Measures

Until 1 December 2020, all regulations regarding the spread of COVID-19 were based on the local government’s emergency powers during times of crisis. The legal bases for these measures are the Public Health Act (Wet publieke gezondheid, Wpg), the Safety Regions Act (Wet op de veiligheidsregio’s, Wvr), and the Municipalities Act (Gemeentewet). These laws provide mayors and presidents of security regions the capacity to issue emergency ordinances.16 However, according to the Municipalities Act, emergency ordinances do not constitute a sufficient legal basis to deviate from the Constitution.17 As has been stated, measures that interfere with the basic rights of citizens can only be passed if the government and parliament have explicitly laid them down in a codified law. Currently, the COVID-19 restrictions do not fully comply with this principle, given the quite lengthy and often extensive

11 See ICCPR, art 17.
12 See UDHR, art 12.
13 Gw, art 22.
14 For example, article 10 of the Dutch constitution provides ‘everyone shall have the right to respect for his privacy, without prejudice to restrictions laid down by or pursuant to Act of Parliament.’ (emphasis added).
15 ECHR, art 8(2).
16 Gemeentewet, art 39(1)(b) jo art 176(1).
17 Gemeentewet, art 176.

interventions in fundamental rights imposed via the emergency ordinances. The Netherlands has not declared a national state of emergency, nor has it opted to invoke Article 15 of the ECHR.18

The lack of a legal basis for the regulations has been heavily condemned given the length of time they have been in force and their severe impact on citizens. At present, there is a lack of democratic control over COVID-19-related policies. Neither parliament nor local councils have any say in the emergency ordinances. Because of this absence of democratic safeguards, the government plans to anchor the COVID-19 related regulations in codified law. A bill concerning temporary provisions related to measures to combat the COVID-19 pandemic for the longer term (Tijdelijke Wet Maatregelen COVID-19, the ‘Corona bill’) aims to temporarily create additional legal instruments that would form a legal basis for all COVID-19-related measures, and will enter into force on December 1, 2020.19 A complete analysis of this ‘Corona Bill’ falls outside of the temporal scope and would be too extensive for the purposes of this report.

III. Current Measures Relating to Privacy

A. Face masks

Until 27 November 2020, wearing a non-medical face mask has only been made compulsory in public transport, but not in public spaces or public indoor areas. The government only urgently advises people aged 13 and over to wear (non-medical) facemasks in publicly accessible indoor areas.20 During the summer, the cities of Amsterdam and Rotterdam experimented with the obligatory use of face masks in a few designated outdoor areas. There was not much support for these experiments and many legal scholars heavily criticised the obligation, because the right to privacy extends to aspects such as bodily integrity and the duty was based on a municipal emergency ordinance.21 The critics argued that emergency ordinances are not suitable for legitimizing a breach of

18 Article 15 of the ECHR contains a ‘derogation clause’. This clause allows Member States to limitedly derogate from their obligations to safeguard certain rights and freedoms provided for in the Convention, in exceptional circumstances, under strict supervision and procedural requirements.
19 Kamerstukken II 2020/21, 35 526, nr 2.
20 Rijksoverheid, ‘Dringend advies tot dragen van mondkapjes’ (2 October 2020) <https://www.rijksoverheid.nl/actueel/nieuws/2020/10/02/dringend-advies-tot-dragen-van-mondkapjes>
21 Wafa al Ali, ‘Maakt een rechtszaak tegen de mondkapjesplicht kans?’ de Volkskrant (4 August 2020) <https://www.volkskrant.nl/nieuws-achtergrond/maakt-een-rechtszaak-tegen-de-mondkapjesplicht-kans~bb599083/>

a fundamental right, hence the obligation to wear face masks in public was an unlawful interference with the right to privacy.22

The local requirement to wear a face mask was assessed in Court. Though the judge admitted the obligation to wear a mask in public areas infringed upon the right to privacy, it considered this infringement was only minor.23 The measure was necessary considering the rise in infections, it was limited in time and place, and previously issued measures that were less far-reaching did not support the enforcement of the mandatory 1.5-meter distance rule in the designated areas enough.24 Therefore, the Court ruled the obligation did not unlawfully interfere with the right to privacy,25 much to the surprise of academics.26

The facemask obligation in Amsterdam and Rotterdam was abolished after a couple of weeks.27 However, due to the resurgence of the spread of the virus in the country in the fall, the government anchored a duty in law to wear facemasks for everyone aged 13 and over in public indoor areas in the new ‘Corona Bill’.

B. Social Distancing

Self-Quarantine

The government strongly advises citizens who have been in contact with a COVID-19 infection, travellers arriving from certain countries and regions and all members of the public who have COVID-19 symptoms to stay at home. Again, rules regarding quarantine are not mandatory, but only urgently recommended.28

Maintenance of Social Contacts in Healthcare Institutions

During the ‘intelligent lockdown’, visitors were unable to enter nursing homes for the elderly and the disabled.29 Additionally, institutions often forbade residents to leave the building or location.

22 ibid.
23 Rb Amsterdam 19 August 2020, NJF 2020, 308, para 4.21.
24 ibid.
25 ibid. para 4.22.
26 Victor Schildkamp, ‘Vreemd dat rechter mondkapjesplicht niet aan wet toetst’ AD/Algemeen Dagblad (21 August 2020) 5.
27 Robin Goudsmit, ‘De mondkapjes mogen weer af in Rotterdam en Amsterdam’ Trouw (31 August 2020) 4.
28 Wilma Kieskamp, ‘Felle kritiek op verplichte quarantaine’ Trouw (13 August 2020) 1.
29 College voor de Rechten van de Mens, ‘Coronavirus en mensenrechten’ <https://mensenrechten.nl/nl/coronavirus-en-mensenrechten#Vraag19>

According to the Dutch independent institute for the monitoring of human rights (College voor de Rechten van de Mens), the ban on visits to care homes was proportional and necessary to prevent the virus from spreading during the first COVID-19 wave in the Netherlands.30 The disease spread at an incredibly fast pace in these healthcare institutions. However, as the number of COVID-19 patients started to decline, not all care homes scaled down on their restrictions. Even after the Ministry of Health, Welfare, and Sport (VWS) instructed to phase out the strict measures relating to visits, various healthcare institutions continued to adhere to the visiting ban or they only offered very limited visiting options.31 Come the end of June, a Dutch law firm claimed nursing homes were violating human rights and wrote a letter to the Public Health Minister regarding the degrading treatment in nursing homes, threatening to hold the State accountable.32 Subsequently, nursing homes opened their doors again in the wards without infections and allowed as few visitors as possible in the wards where the virus persisted. After the first wave, the general view prevailed that restrictions during a potential second wave had to be more humane. The new corona bill now includes a provision that stipulates every resident in a nursing home is always entitled to at least one visitor, whether residents are infected with COVID-19 or not.33

Enforcement of COVID-19 Restrictions in the Private Sphere

At various times since the start of the pandemic, rules regarding the maximum number of household visitors have been issued. It has been noted by authorities that they do not enforce these measures within the private sphere of citizens’ homes, because the Dutch constitution does not permit such an infringement on the private sphere.34 At the same time, however, reports have appeared on both social media and mainstream media showing that police do at times take action against parties and other large gatherings inside homes.35 According to administrative case law, it is not

30 ibid.
31 ibid.
32 Freek Schravesande, ‘Komt het nu goed in het verpleeghuis?’ NRC Handelsblad (25 June 2020) 1.
33 Kamerstukken II 2020/21, 35 526, nr 38, p. 1; Pim van den Dool, ‘Met bezoek blijft het balanceren; Bezoek in verpleeghuis blijft een dilemma’ NRC Next (21 October 2020) 1.
34 ‘Coronavirus en mensenrechten’ (n 29); ‘Thuisfeestjes? Rutte: ‘Niet doen’; Dringend advies kabinet, geen controles achter voordeur’ Noordhollands Dagblad (19 August 2020) 1.
35 Reinoud Roemer, ‘Politie beëindigt illegaal huisfeest in Rotterdams studentenpand’ ANP (20 September 2020); Christy Dollen, ‘Dronken feestgangers gooien deur in gezicht van politie bij illegaal huisfeest in Den Haag’ AD/Algemeen Dagblad (28 April 2020); ‘Politie stopt huisfeest met tientallen bezoekers in Arnhem’ De Telegraaf.nl (3 May 2020) <

entirely ruled out that behaviour that takes place in the private sphere of someone’s home or yard may be regulated by municipal laws, if that behaviour has a ‘reflex effect’ on the public order.36 One could argue that this is the case when a private gathering increases the risk of the virus spreading, but that would require a very broad interpretation of the concept of public order. Such broad interpretation is certainly not desirable from a human rights point of view, because it makes it far too easy to intervene in the private sphere of citizens via municipal rules.37 The basic principle of the Constitution should be maintained by authorities: infringements of the domestic right and the private sphere of citizens must be codified in law.

C. Data Collection and Data Protection

Because the Netherlands is a Member State of the European Union (EU), the EU General Data Protection Regulation (GDPR) is directly applicable there.38 The implementation of the legal obligations arising from this regulation, which addresses data protection and privacy in the EU, is supervised by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP).39 This authority is responsible for overseeing the data protection laws which are in place in the Netherlands. The AP has, amongst other capacities, investigative powers.40 Any breach of the GDPR can lead to an administrative fine imposed by the AP.41

Mobile Camera Surveillance

Mobile camera surveillance – such as surveillance by drones and by moving cars with cameras mounted on the roof – is only allowed incidentally and temporarily in the event of an actual (imminent) disruption of the public order.42 Municipalities like Amsterdam and Rotterdam took advantage of this capacity and used mobile camera surveillance to maintain the obligatory safe distance between

https://www.telegraaf.nl/nieuws/254228718/politie-stopt-huisfeest-met-tientallen-bezoekers-in-arnhem>
36 ‘Coronavirus en mensenrechten’ (n 29).
37 ibid.
38 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
39 GDPR, art 51.
40 GDPR, art 58.
41 GDPR, art 83.
42 Autoriteit Persoonsgegevens, ‘Cameratoezicht op openbare plaatsen’ <https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/foto-en-film/cameratoezicht-op-openbare-plaatsen#mag-ik-als-gemeente-drones-of-rijdende-camera%E2%80%99s-inzetten-7757> (accessed 23 October 2020).

citizens in the streets. According to the AP, municipalities may only use camera surveillance in public space if less rigorous means are not able to maintain public order.43 Municipalities must also determine privacy risks that may stem from the use of camera surveillance in advance via a so-called Data Protection Impact Assessment (DPIA).44

The use of two cars with camera equipment was criticised in Rotterdam.45 It was unclear for how long camera images would be stored and how long the mobile camera surveillance would last. Besides, there was no real incentive to use the cars to uphold social distancing regulations, as there were less rigorous ways to check whether people kept the required distance, such as the deployment of more officers on the streets. Moreover, the mayor had used the emergency ordinance as a basis for the use of the mobile camera equipment, and had not informed the municipal council.46 Neither was a DPIA made in advance.47 After much criticism and less than two months of use, the city called off what they later called ‘a pilot’ with the mobile camera surveillance.48

Data Collection in the Workplace

With the dramatic increase in the number of COVID-19 cases in March, uncertainty arose in the workplace whether employers were allowed to ask their personnel about the status of their health and whether employers were permitted to check the temperature of any employee who wanted to gain access to the company building. According to the AP, employers are not allowed to collect and process medical data of their personnel.49 However, under stringent conditions, the temperature of employees can be measured. Though employers may not do this themselves, they can outsource the task to a (company) doctor, or to the employees themselves.50 In any case, the temperature should not be passed on to the employer or colleagues nor should it be recorded.51 The measured temperature should also not be linked to an automated

43 ibid.
44 ibid.
45 Eppo König, ‘Camera-auto’s tegen corona van de weg gehaald vanwege privacykritiek’ NRC Handelsblad (13 May 2020) 6.
46 Eppo König, ‘Rotterdam moet voorzichtiger zijn met camera’s na omstreden coronacontroles’ NRC.nl (28 May 2020) <https://www.nrc.nl/nieuws/2020/05/28/rotterdam-moet-voorzichtiger-zijn-met-cameras-na-omstreden-coronacontroles-a4001149>
47 ibid.
48 ibid.
49 Autoriteit Persoonsgegevens, ‘Temperaturen, gezondheidscheck en contactgegevens’ <https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/corona/temperaturen-gezondheidscheck-en-contactgegevens> accessed 23 October 2020.
50 ibid.
51 ibid.

action, such as an electronic gate opening or closing at the entrance of the workplace, because such actions could be observed by colleagues waiting in line, who would then be able to draw conclusions about the status of the health of the employee, resulting in a violation of the GDPR, according to the AP.52

Registration of Contact Details

When the Netherlands came out of lockdown at the beginning of summer, a new measure was imposed that required bars, cafés, and restaurants to ask members of the public to register their names and contact details upon arrival.53 This rule was extended to other businesses as well, such as entrepreneurs in contact professions, saunas, and sports clubs.54 The contact details left by customers are for the purpose of contact tracing by the Municipal Health Service (Gemeentelijke gezondheidsdienst, GGD) in case of a patron’s positive COVID-19 test.55 It requires consent to the processing and transfer of data for the purpose of the GGD’s possible inquiry which includes information such as the full name, date of visit to the establishment, email address, and telephone number of the customer.56 The collected data may not be used for other purposes, must be stored safely so only the GGD has access to it, and can only be kept for 14 days, after which the data must be destroyed.57 Though proprietors are obliged to solicit the information, the registration is voluntary, and a visitor’s choice not to provide their contact details cannot result in denial of access to the establishment.58

The same businesses are also obliged to ask patrons as to the status of their health.59 Answers are not permitted to be registered.60 Because of this, it is not allowed to inquire about someone’s health status in an online booking system.61 Again, responding to the health query is done on a completely voluntary basis, which must

52 ibid.
53 Rijksoverheid, ‘Grip op coronavirus met lokale maatregelen’ (6 August 2020) <https://www.rijksoverheid.nl/actueel/nieuws/2020/08/06/grip-op-coronavirus-met-lokale-maatregelen>
54 ‘Aangescherpte maatregelen om de verspreiding van het virus terug te dringen’ (n 9).
55 ‘Grip op coronavirus met lokale maatregelen’ (n 53).
56 ibid.
57 Autoriteit Persoonsgegevens, ‘Gezondheidscheck en contactgegevens’ <https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/corona/gezondheidscheck-en-contactgegevens> accessed 10 December 2020.
58 ‘Grip op coronavirus met lokale maatregelen’ (n 53).
59 ibid.
60 ‘Gezondheidscheck en contactgegevens’ (n 57).
61 ibid.

also be made clear to anyone who is asked about the status of their health.62

In practice, establishments often provide registration forms on clipboards, containing telephone numbers and other personal information of customers, which end up being passed around between tables. Another common practice is leaving notebooks at the entrance where visitors can write down their contact details. These ways of collecting information often interfere with the GDPR, because not only the GGD, but any employee or customer could access the data that has been stored in these fashions. The registrations are occasionally used to include customers into unsolicited subscriptions such as to newsletters or to invitations to participate in competitions.63 On some occasions, patrons even received flirty messages from staff members of institutions they had frequented.64 Moreover, hardly any establishment explicitly points out the voluntary basis of responding to the health query and of registering contact details. Additionally, a lot of establishments actually do inquire about the health status of visitors in their online booking systems—a practice that, as previously pointed out, interferes with privacy laws because medical information receives broad protection under the GDPR.65

The CoronaMelder App

The Netherlands planned to launch the CoronaMelder (‘CoronaReporter’) app in October. The Dutch contact tracing app warns the user if they have been near someone who is infected with COVID-19.66 Installing the app on one’s smartphone is completely voluntary, but strongly encouraged by the government. The app does not use location data or GPS, but instead detects whether the user was nearby another user by means of Bluetooth. The closer two users are to each other, the stronger the Bluetooth signal gets. This way, the app recognises neither the identity nor the location of any user. Neither name, email address, telephone

62 ibid.
63 Marieke de Ruiter, ‘Horecaondernemers moeten persoonsgegevens registreren en bewaren, maar aan privacy is niet gedacht’ de Volkskrant.nl (25 August 2020)
64 ibid.
65 There are free online tools businesses can use for the registration of customers. Some of these tools are used quite widely, but their compliance with the GDPR is questionable. For instance, users are explicitly asked about the status of their health, and the contact details are stored longer than allowed. Examples are https://mycapa.city/ (accessed 23 October 2020) and https://ccheck.nl/ (accessed 23 October 2020).
66 Information on how the application works can be found on https://www.coronamelder.nl/en/ (accessed 23 October 2020).

number, GPS, nor location data are used, processed, or stored. Only the Bluetooth data is stored on the user’s phone for 14 days and can always be deleted by the user himself. When a person tests positive for COVID-19, they receive a code from the GGD which they can share on the app. A user receives a notification in the app if they have been in the proximity of the person who tested positive for COVID-19 for more than 15 minutes. Like downloading the app, uploading the code the GGD provides after a positive test is done on a completely voluntary basis.

In August, the AP issued an advice on the privacy aspects of the Dutch corona tracing app.67 It praised the fact that the app is designed according to the ‘privacy-by-design’ standard and that data minimization is part of the development of the application.68 Still, the AP critiqued some aspects of the tracing app. According to the AP, a legal basis is needed for widespread national use of the app, because there currently is not a sufficient one.69 The government intends to enact a law that will serve as legal basis on 1 December 2020, but wants the app to work on the basis of explicit consent of the user for processing of the data registered by the application prior to the existence of that legal basis. Though the AP found this would be theoretically conceivable, it stated that it found the basis of consent would be less appropriate than an actual legal basis.70

Online Proctoring

The COVID-19 restrictions forced schools and universities to offer education online. Some institutions have started proctoring pupils online during exams. For example, the University of Amsterdam uses online surveillance software that is able to monitor the webcam, microphone, internet traffic, mouse clicks, and even keystrokes of students taking the test. Another way institutions combat exam fraud is by interviewing students on (Zoom) calls about the exam after they have finished it. Additionally, some students are required beforehand to take pictures of the room in which they plan to take the exam. Institutions use these ways of supervision to verify whether it was truly the student who took the exam and whether that student genuinely took the exam on their own merit, instead of using prohibited materials.

67 Kamerstukken II 2019/20, 25295, nr 501 (letter from the Minister of Health, Welfare and Sport to parliament), p 3.
68 ibid.
69 ibid.
70 ibid.

Students of the University of Amsterdam have objected in Court to the use of online surveillance software. They believed that the software infringes upon the privacy of students and is in violation of the GDPR.71 The Court ruled, however, that the use of online surveillance software is not an unlawful invasion of the right of privacy.72 According to the Court, the university has a public task enshrined in law, to provide education. Part of this task is conducting exams and guaranteeing the value of diplomas.73 Therefore, the GDPR offers the university the capacity to process personal data that is necessary for the performance of this task.74 The Court agreed with the university that the COVID-19 measures make it necessary for certain exams to be conducted online and for measures to be taken to combat fraud.75 It also ruled that the university complies with the GDPR regarding the processing of the collected data.76

Photos, videocalls, and online surveillance software contain and process a lot of personal information, oftentimes even of underage children. Therefore, high standards should be set for these online proctoring systems. Schools must consider whether there are less impactful ways to combat exam fraud.

IV. Concluding Remarks

The two largest issues with the Dutch approach to COVID-19 relating to privacy are the lack of a sufficient legal basis and ignorance. The initial choice for an ‘intelligent lockdown’ and the voluntary nature of most measures reflect the cultural values within Dutch society: reasonableness, independence, and personal responsibility. Still, because the pandemic has shaped an extraordinary situation, clarity for citizens is required. Plans to replace the emergency ordinances with codified law as a legal basis for all these regulations are a decent development. Nonetheless, attention should be paid to the adherence to privacy regulations in a day and age in which data has become one of society’s most valuable resources.

Various measures that have been introduced to combat the spread of COVID-19 in the Netherlands have brought issues regarding privacy rights. Considering the extraordinary situation COVID-19

71 Rb Amsterdam 11 June 2020, JBP 2020, 81, para 4.7.
72 ibid. para 4.17.
73 ibid. para 4.9.
74 ibid. para 4.9.
75 ibid. para 4.10.
76 ibid. para 4.16.

created, the lack of knowledge on the virus during the first wave, and the lives that were at stake, it appears reasonable that the rapid adaptation of the government to the pandemic was paired with privacy concerns. But judicial review remained accessible, the government actively asked for feedback from parliament and several organizations, and measures that were heavily critiqued were frequently adjusted or scaled down. For example, during the first wave, residents of nursing homes were effectively deprived of their liberty. After much criticism from members of the public, the proposed corona bill now contains a provision that stipulates any resident of a healthcare institution is always entitled to at least one visitor. Additionally, a lot of the COVID-19 related measures were not mandatory. Many rules relating to social distancing seem more like guidelines than restrictions. Although measures frequently did not have sufficient legal bases, the government acknowledges this problem and is working on a proposed corona bill to provide a framework for all measures.

However, as time passed and people began speaking about a ‘new normal’, data protection should have become more significant. Though the government puts a lot of effort into ensuring the data protection of their own tracing software is airtight, safeguarding the proper collection of personal data of employees and customers at businesses appears less of a priority. Privacy concerns do not stem from improper privacy legislation, but from unawareness and negligence. With regard to such a large-scale obligation to collect data of citizens, consent just does not seem an appropriate basis.

The Philippines

By Dr. jur. Ma. Angela Leonor Aguinaldo, J.D., LL.M


I. Introduction

The world is still perplexed about how it could properly overcome the challenges and problems brought by the COVID-19 pandemic.1 European countries are placed once again on lockdown due to the rise of new cases, bringing along a new set of stringent measures to quell the overwhelming increase of infections.2 These measures are alongside plans to distribute vaccines before the end of the year.3 As reported by the World Health Organization (WHO) as of 27 November 2020, there have been almost 70,000,000 confirmed cases of persons infected with COVID-19 around the world, including almost 1,500,000 deaths and an average of 650,000 new cases being reported every 24 hours.4 The Southeast Asian region ranks third among regions with the highest number of confirmed cases, with the Philippines sliding in and out of the top 20 affected countries. As of 03 November 2020, the Philippines has 385,400 confirmed cases and 7,269 deaths.5

COVID-19 has uncovered the failings and fragilities of current systems, such as social security and public health.6 In less than a few weeks, COVID-19 has not only impacted the different layers of its social fabric and dismantled what used to be orderly structures, but likewise laid bare the rawest vulnerabilities of individual nations

1 See Michael B Cahapay, ‘National Responses for Persons Deprived of Liberty during the COVID-19 Pandemic in the Philippines’ [2020] Victims & Offenders 1, 1
2 Kai Kupferschmidt, ‘Europe Is Locking down a Second Time. But What Is Its Long Term Plan?’ (Science Magazine, 2020) 4 1 accessed 3 November 2020
3 The Local, ‘ Says Coronavirus Vaccinations Could “Start before End of Year”’ (The Local, 2020) 11 3 accessed 13 December 2020
4 World Health Organization, ‘WHO Coronavirus Disease (COVID-19) Dashboard’ (World Health Organization Website, 2020) 5 accessed 13 December 2020
5 World Health Organization, ‘WHO Coronavirus Disease (COVID-19) Dashboard - Philippines’ (World Health Organization Website, 2020) 5 1 accessed 3 November 2020
6 Salma Daoudi, ‘The War on COVID-19: The 9/11 of Health Security?’ [2020] Policy Paper 1

and the global order as a whole.7 For instance, disparities in health systems showed that Africa and Southeast Asia proved to be the least equipped to cope with a large-scale outbreak.8

In light of these circumstances, states adopted extraordinary measures to contain the threat that the WHO has declared as a global pandemic.9 Rules and regulations go beyond the minimum level of response, and the means and methods undertaken resemble war-time mobilization.10 While most expect COVID-19 to be treated solely as a health issue, a security discourse is being applied.11 COVID-19 is portrayed as an existential security threat like the 2003 SARS epidemic, and specifically in the context that the virus is spreading at a faster pace and with a higher mortality rate.12 Moving away from an initial discourse minimizing the menace posed by COVID-19, some states have increasingly adopted a martial rhetoric: “renegotiating the importance of population health for national stability and positing COVID-19 as an existential threat.”13

However, the securitization of COVID-19 – or the context of COVID-19 as a security threat – triggers “crisis situations requiring extraordinary mobilization of the magnitude that equals if not exceeds military mobilization.”14 As these measures could be extreme and extraordinary, there is the need “to put them under the test of appropriateness and put the state and its agents under tests of legitimacy.”15 In light of this, experiences in the Southeast Asian region show the painful costs of securitization: “there is clear evidence that disruptions of public health and other essential services coupled with highly securitized emergency measures can create more dangers especially in contexts where there are insufficient social safety nets and legal standards.”16 Further, by

7 ibid 3; João Nunes, ‘The COVID-19 Pandemic: Securitization, Neoliberal Crisis, and Global Vulnerabilization’ (2020) 36 Cadernos de Saúde Pública e00063120, 2–3 8 Daoudi (n 6) 7 9 Arabinda Acharya, ‘Responding to Covid-19’ (2020) 7 Advances in Social Sciences Research Journal 29, 29 10 ibid 11 Nunes (n 7) 1; Nathan Alexander Sears, ‘The Securitization of COVID-19: Three Political Dilemmas’ (Global Policy, 2020) 10 1 accessed 4 November 2020 12 Acharya (n 9) 29; Daoudi (n 6) 8 13 Interestingly, the usage of such rhetoric has been used to legitimize exceptional measures especially in democratic populations who have been traditionally wary of any infringement of individual liberties. Daoudi (n 6) 8 14 Acharya (n 9) 30 15 ibid 16 Joel Mark Baysa-Barredo, ‘Problematizing the Securitization of COVID-19 in Southeast Asia: A Necessary Step towards an Inclusive, Rights-Centered Normal’

adopting a wartime rhetoric, states deem it necessary to suspend fundamental rights and freedoms to achieve “victory.”17

Aside from these perils, securitization does not seem to be the first-best solution when it remains state-centric: governments exercising primary responsibility, and a near monopoly, in responding to the COVID-19 threat. As observed, the state does not always have sufficient resources to effectively manage nontraditional security (NTS) issues, which gives rise to the need to mobilize resources from other sources and to a proliferation of actors in the security domain.18 The state, as represented by its national government, does not or cannot have the monopoly in providing security, as transnational NTS threats necessitate multi-actor engagements at multiple levels.19 Nonetheless, especially at the ASEAN regional level, responses to security threats remain state-centric: the state or military remains at the crux of security, and there is heavy reliance on intergovernmental and inter-agency cooperation.20

This state-centric response is reflected equally at the member-state level, and participation from non-state actors is normally regarded as a “threat” to the state agenda. Southeast Asian nations alone use their

(Strengthening Human Rights and Peace Research and Education in ASEAN/Southeast Asia, 2020) 13 1 accessed 4 November 2020. Further, while securitization of pandemics such as COVID-19 “has the benefit of mobilizing resources within a short time span and legitimizing the adoption of necessary severe measures, it fails to translate into a sustained policy shift in the long run. The need to occasionally securitize health during large-scale disease outbreaks such as HIV/AIDS, Ebola, and COVID-19, testifies to the relatively minor importance health is ordinarily given in national and global security agendas. Hence, the securitization of specific health issues establishes a hierarchy of diseases based not on associated mortality and morbidity, but rather on the level of fear harnessed, thereby causing a certain discrepancy between enacted policies and real threat.” See Daoudi (n 6) 12 17 Baysa-Barredo (n 16) 1 18 Mely Caballero–Anthony, ‘From Comprehensive Security to Regional Resilience: Coping with Nontraditional Security Challenges’ [2017] Building ASEAN Community 123, 124 19 ibid 20 ibid; Naila Maier-Knapp, ‘A Friend in Need. A Friend in Deed? ASEAN-EU Interregionalism in the Light of Non-Traditional Security Crises in South-East Asia’ [2010] 3 ASEAS-Austrian Journal of South-East Asian Studies 76, 78–79. No less than the ASEAN model of cooperation reflects this through multilateral cooperation between agencies and sectoral bodies without participation from non-state actors, which mostly are relegated only to track two policymaking. See Mely Caballero- Anthony, Regional Security in Southeast Asia: Beyond the ASEAN Way [2005] 57. 
For a more specific example on a regional level, see the participation of civil society groups in the drafting of the ASEAN Charter, Mely Caballero-Anthony, ‘The ASEAN Charter: An Opportunity Missed or One That Cannot Be Missed’ [2008] Southeast Asian Affairs 71, 72–73; Shaun Narine, ‘Forty Years of ASEAN: A Historical Review’ (2008) 21 The Pacific Review 411, 422; Donald E Weatherbee, International Relations in Southeast Asia: The Struggle for Autonomy (Rowman & Littlefield 2014) 105. For purposes of clarity, Track II diplomacy or "backchannel diplomacy" is the practice of "non-governmental, informal and unofficial contacts and activities between private citizens or groups of individuals, sometimes called 'non-state actors'”

emergency laws and policies to disenfranchise other actors.21 The Philippines is no exception. The Philippine government has willingly or wittingly crowded out other actors in its response to the COVID-19 situation.22 However, the Philippine central government has been bombarded with criticism in its response, especially in light of efficiency, privacy, rule of law, and human rights.23

Considering the state-centric securitization of COVID-19 responses and the perils it poses, the present contribution wishes to look into the issues on privacy, human rights, and rule of law the Philippine situation faces vis-à-vis its responses to COVID-19. The first portion would outline the responses made so far. The second portion would look into the costs of civil liberty concomitant to the securitization response of the Philippine government. This includes issues of freedom of movement and freedom of expression, as well as privacy and data protection.

II. Philippine government’s response to COVID-19 is an example of state-centric securitization

The process of securitization follows the following logic: “an issue is framed as an existential threat to some referent object, which justifies extraordinary measures for protection.”24 In this regard, the global COVID-19 response contains all the critical elements of securitization: referent object(s), threat, audiences, securitizing acts

21 Baysa-Barredo (n 16) 2 22 In fact, it does not shy away from penalizing human rights defenders and shading local government officials who are allegedly against the national agenda. Human rights defenders involved in food distribution in Bulacan Province were charged with violating the Bayanihan to Heal As One Act and incitement to commit sedition after finding newspapers and magazines with anti-government content in their vehicle. The same law was also used as a basis for government officials to order for the arrest of those they deem to be spreading “fake news” on social media. Nick Aspinwall, ‘The Philippines’ Coronavirus Lockdown Is Becoming a Crackdown’ (The Diplomat, 2020) 9 2–9 accessed 4 November 2020; Baysa-Barredo (n 16) 2. Local government authorities are publicly shaded for not acting in accordance with the national agenda. See Christopher Lloyd Caliwan, ‘“Conflict” with Mayor Vico Sotto Settled, DILG Exec Says’ (Philippine News Agency, 2020) 5 1 accessed 4 November 2020; Catalina Ricci Madarang, ‘Duterte’s Public Address on LGUs Is Not Just for Vico Sotto. Here’s Why.’ (Interaksyon.philstar.com, 2020) 5 1 23 See e.g. Emerlynne Gil, ‘Human Rights in a Public Health Emergency’ (Inquirer.net, 2020) 6 1 accessed 3 November 2020; Human Rights Watch, ‘Philippines Country Report’ (Human Rights Watch website, 2020) 8 1–8 accessed 3 November 2020 24 It is a move that “takes politics beyond the established rules of the game and frames the issue… as an existential threat, requiring emergency measures and justifying actions outside the normal bounds of political procedure.” Sears (n 11) 1–2. See also Nunes (n 7) 1

and actors, and emergency measures.25 National governments have identified COVID-19 as a security threat to mankind that necessitates the adoption and implementation of extraordinary measures. The Philippines is no exception. Akin to how other foreign governments responded to the COVID-19 situation,26 the Philippines declared a country-wide state of public health emergency.27 On 08 March 2020, Philippine President Rodrigo Duterte issued Proclamation No. 922, putting the Philippines under a state of public health emergency.28 COVID-19 is a threat that ought to be addressed.29 Under the said Proclamation, the declaration of public health emergency would facilitate the implementation of the relevant provisions of Republic Act No. 11332 or “Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act” to address the pandemic’s threat and likewise capacitate government agencies and local government units to immediately act to prevent loss of life, utilize the appropriate resources, mitigate the pandemic’s effects and its impact to the community, and prevent serious disruption of the functioning of the government and the community.30

On 16 March 2020, President Duterte signed Proclamation No. 929, declaring a state of calamity throughout the country for a period of

25 Baysa-Barredo (n 16) 1; Sears (n 11) 1–2. “The process of securitization begins with the ‘speech act’ of a securitizing actor (the national government of a state or an international organization that has identified and declares an issue to an audience (state’s citizenry or the people in the international community) as a security threat to a referent object (e.g. mankind, community, state, planet earth etc.) which necessitate the adoption and implementation of extraordinary measures to deal with such an existential threat. The legitimacy of the extraordinary measures solely depends on the audience who must be convinced by the securitizing actor of the need to take such actions. It is only when the audience accepts the claim of the securitizing actor, that the issue becomes securitized.” See Adeleke Olumide Ogunnoiki, ‘The Securitisation of COVID-19 in a Globalized World’ (2020) 3 26 Daoudi (n 6) 9–10; Gil (n 24) 1 27 Gil (n 24) 1. Interestingly, President Duterte minimized the menace COVID-19 posed to the country just like other world leaders such as Macron and Trump from France and the USA, respectively, but as the cases increased and there was pressure to the healthcare system and population as a whole, there was a change in rhetoric. Interestingly, countries like France and the US posed themselves as countries at war with the virus and their respective presidents are wartime presidents fighting an “invisible enemy.” Daoudi (n 6) 9–10 28 On 16 September 2020, the President extended the period of the state of calamity and/or public health emergency due to COVID-19 through Proclamation No. 1021 29 “Securitization, as mentioned, follows a distinctive rhetorical structure. It is a process of constructing a shared understanding of what is to be considered and collectively responded to as a threat. 
In other words an issue becomes securitized when leaders (whether political, societal, or intellectual) begin to talk about it- and attempt to gain the ear of the public and the state- in terms of the existential threat against some valued referent object.41 Though the response of the governments in the countries affected by the Covid- 19 epidemic varies, most treat the outbreak as a national security threat.” See Acharya (n 9) 34 30 See Mandatory Reporting of Notifiable Diseases and Health Events of Public Health Concern Act 2019, s 7

six months and implementing the following measures: “(1) price control of basic needs and commodities; (2) granting interest-free loans; (3) distribution of calamity funds; (4) authorization of importation and receipts of donations; and (5) hazard allowance for public health workers and government personnel in the fields of science and technology.” Forms of lockdown were also implemented. At this juncture, concentration of power within the executive can already be observed in managing the situation.

On 25 March 2020, the “Bayanihan to Heal As One Act” was signed into law. This law “authorize[s] the president to exercise powers necessary to carry out urgent measures to meet the current national emergency related to COVID-19 for three months unless extended by Congress.” Under Section 4 of the law, the President is given special powers to enable him to respond to the COVID-19 pandemic. Among others, the President is allowed to temporarily take over or direct the operations of public utilities and privately owned health facilities and other necessary facilities “when the public interest so requires” for quarantine, the accommodation of health professionals, and the distribution and storage of medical relief; require businesses to prioritize and accept contracts for services and materials necessary to promote the law; regulate the distribution and use of energy, fuel, and water, and ensure sufficient supply of these; direct banks and other financial institutions to implement a 30-day grace period for payments of loans and credit card bills; and in general undertake other reasonable and necessary measures to carry out the law subject to the constitution.

Interestingly, a reading of the foregoing special powers provided to the President affirms the concentration of power intended in Proclamation No. 929. It would show a top-down approach in respect of the responses and directives to be made to the COVID-19 situation. Further, the special powers concerned are not limited to public health but likewise involve public order, security, and the economy. Hence, there is an apparent securitization approach. This highly centralized, top-down, and securitization approach is further evinced by the so-called Inter-Agency Task Force on Emerging Infectious Diseases (IATF-EID) which acts as the government’s instrument to assess, monitor, contain, control, and prevent the spread of any potential epidemic in the Philippines. Created through Executive Order No. 168 (2014) during the administration of President Benigno Aquino III, the IATF-EID is composed of different executive departments and chaired by the Secretary of the Department of Health.

The IATF-EID was convened as early as January 2020 to address the then growing viral outbreak in Wuhan, China. On 28 January 2020, it issued Resolution No. 1 to manage the spreading of the new virus. On 09 March 2020, President Duterte called the IATF-EID amidst the rising number of COVID-19 cases in the country. On the same date the Bayanihan to Heal as One Act was enacted, the IATF-EID became the policymaking body of operations vis-à-vis COVID-19; and it revealed its National Action Plan to slow down the spread of COVID-19, which was supposed to effectively and efficiently implement and decentralize the system of managing the COVID-19 situation. Included therein is the creation of a National Task Force headed by the Secretary of the Department of National Defense, who would handle its operational command. Additionally, there was the creation of the Joint Task Force COVID-19 Shield, headed by General Eleazar and composed of the Philippine National Police, Armed Forces of the Philippines, the Philippine Coast Guard, the Bureau of Fire Protection, and Barangay Tanods. This task force is mandated to enforce quarantine protocols in border checkpoints and streets, as well as maintain peace, order, and security throughout the country to help control the spread of COVID-19.

The Bayanihan to Heal as One Act expired on 24 June 2020 without any extension. A new law – Republic Act No. 11494 or “Bayanihan to Recover as One Act” – was passed on 11 September 2020. Effectively a continuation of the effects of the earlier law and an expansion of its scope, this new law grants the President additional authority to combat the COVID-19 pandemic in the Philippines, as well as provides government funds to stimulate the economy while strengthening the health sector and the government’s pandemic responses.

III. Securitization of COVID-19 comes at the high cost of civil liberties in practice

The costs of security, as Sears puts it,31 have social and political manifestations. They entail either a trade-off of values, e.g. security with wealth or liberty, or a balancing of interests, e.g. security and civil liberties.32 In other words, there is a cost-benefit analysis involved.33 Interestingly, the political risks of securitization (such as the increase in state power at the expense of individual liberties) were why proponents of securitization, e.g. Buzan, Waever, and de Wilde, maintained a general normative preference for de-securitization.34

31 Sears (n 11) 3 32 ibid 33 Given these societal “calculations”, the adaptation of the security narrative must be able to mobilize the general public’s patriotism, as would be done in wartime for example, “especially where the legitimacy of the regime is highly valued and the protection of the population linked to the raison d’etre of the state.” Hence, when effective, there is the legitimized willingness to forego rights and liberties in favor of the actions of the state. Daoudi (n 6) 9 34 Sears (n 11) 3

Applying the foregoing to the Philippine response to COVID-19, the costs of foregoing civil liberties seemingly outweigh the benefits of securitization. This is apparent in three points.

Before these points are interrogated, however, it is important at the outset to mention that a state of public health emergency or securitization could be consistent with the rule of law or the protection of human rights.

As Gil pointed out, the human rights paradigm (which some criticized as wanting the practicality of being widely applicable in the real world) is “actually quite pragmatic and envisions situations like the one we are facing now.”35 Under Article 4 of the International Covenant on Civil and Political Rights (to which the Philippines is a state party),36 state parties may, in times of public emergency which threatens the life of the nation and the existence of which is officially proclaimed, take measures derogating from their obligations under the present Covenant to the extent strictly required by the exigencies of the situation.37 However, such measures ought to be consistent with their other obligations under international law and must not involve discrimination solely on the ground of race, color, sex, language, religion or social origin.38

The Siracusa Principles likewise find application herein. The Siracusa Principles “state that restrictions on human rights under the ICCPR must meet standards of legality, evidence-based necessity, proportionality, and gradualism.”39 Specifically, “limitations on rights must be, among other provisions, ‘strictly necessary’, meaning that the limitations respond to a pressing public or social need and proportionately pursue a legitimate aim, and are the least restrictive means required for achieving the purpose of the limitation.”40

Furthermore, no less than the Philippine Constitution, as interpreted by Philippine jurisprudence, recognizes that while

35 Gil (n 24) 1–2 36 Except for a number of rights wherein derogation is not allowed. 37 International Covenant on Civil and Political Rights (adopted 16 December 1966), entered into force 23 March 1976) 999 UNTS 171 (ICCPR) art 4; Gil (n 24) 1–2 38 ICCPR, art 4; ibid 39 Katherine W Todrys, Erin Howe and Joseph J Amon, ‘Failing Siracusa: Governments’ Obligations to Find the Least Restrictive Options for Tuberculosis Control’ [2013] 3 Public Health Action 7, 8 40 “Additional protections include that the restriction is provided for and carried out in accordance with the law, that it is neither arbitrary nor discriminatory, and that the burden of justifying a limitation upon a right lies with the state seeking to impose the limitation. Specific to limitations on the basis of ‘public health’, the Siracusa Principles note that public health can be used as a ground for limiting certain rights if the state needs to take measures ‘aimed at preventing disease or injury or providing care for the sick and injured’.” ibid

rights are generally inviolable, there are exceptions to the rule such as when public safety, public order, or public health requires it.41 There is likewise the recognition of the exercise of the sovereign power of the state through police power to promote the health, morals, peace, good order, safety, and general welfare of the people.42 As the Supreme Court held, what is important is that there is a public necessity that “demands the adoption of the proper measures to secure the ends sought to be attained,” and that there is a determination of not only what public interest requires but “what measures are necessary for the protection of such interests.”43 The measures undertaken ought to have a correlation to the end in view, “for under the guise of police power, personal rights and those pertaining to private property will not be permitted to be arbitrarily invaded,” and there must be a reasonable relation that exists between purposes and means.44

First, the limitations on freedom of movement have provided the motivation and opportunity for abuse and human rights violations.

Even with that premise, it is important to point out that securitization limits the exercise of the freedom of movement and abode as enshrined in Section 6, Article 3 of the Philippine Constitution. The state imposed quarantines, curfews, and lockdowns throughout the country, whereby the state enforces restrictions on the movement of people for purposes of security.45 The IATF-EID has even established a joint task force led by police and military to enforce these measures and ensure compliance.

It cannot be gainsaid that while the curtailment of movement is justifiable because of public safety and public health interests, this is a cost that must be weighed with care, as these same measures are misused and abused, especially when the needed social control rests among the abusers themselves. Ever since the lockdown started, there have been reports of how severe limitations of movement are being abused by government officials.46 To illustrate, three young LGBTQIA+ persons were questioned for

41 See for example Philippine 1987 Constitution, art 3, s 3 (privacy of communication and correspondence), 6 (liberty of abode), 15 (writ of habeas corpus) 42 See Ermita-Malate Hotel and Motel Operators Association v City of Manila GR No L- 24693, 31 July 1967; Pollution Adjudication Board v Court of Appeals GR No 93891, 11 March 1991; Land Transportation Office v City of Butuan GR No 131512, 20 January 2000 43 Balacuit v Court of First Instance GR No L-38429, 30 June 1988; US. v. Toribio, GR No L-5060, 26 January 1910; Fabie v City of Manila G.R. No. L-6583, 16 February 1912; Kwong Sing v City of Manila G.R. No. 15972, 11 October 1920 44 Balacuit v Court of First Instance GR No L-38429, 30 June 1988 45 See Sears (n 11) 3 46 Aspinwall (n 21) 1–9; Gil (n 22) 2

violating the curfew and accused of looking for illicit sex.47 As punishment, a village official publicly humiliated them by ordering them to kiss, dance, and do push-ups on a live video broadcast on social media.48 They were publicly identified and shamed, with their videos going viral online.49 There have also been other incidents reported by the Human Rights Watch wherein violators were either locked up inside a dog cage or ordered to sit in the intense midday sun, and wherein a police officer even killed a man for allegedly avoiding a checkpoint.50

Moreover, government officials have taken the opportunity to target activists and those allegedly connected to armed rebel groups.51 For example, Felipe Levy Gelle Jr. reported several visits to his home by the military after the lockdown started.52 Gelle Jr., a member of a human rights group in Negros, is among those who called for an investigation into the death of Benjamin Ramos, a lawyer who assisted the families of the nine farmers murdered in Sagay City last year.53 This appears to be a continuation of their long-standing campaign against previously identified groups, masquerading as public health measures.

In connection to this, the Human Rights Watch reports that killings increased by 50 percent during the pandemic.54 While more definitive research is necessary to study the correlation between COVID-19 responses and extrajudicial killings, Human Rights Watch reported that, according to statistics, police allegedly killed 50 percent more people between April and July 2020 than they did during the previous four-month period.55 This number does not

47 Baysa-Barredo (n 16) 3–4 48 ibid 49 ibid 50 Human Rights Watch, ‘Philippines: Curfew Violators Abused; COVID-19 Response Should Respect Detainee Rights’ (Human Rights Watch website, 2020) 3 3–4 accessed 4 November 2020. See for other reports of violence Sarah Coble, ‘Philippines Arrest 32 on Fake News Charges’ (Infosecurity Magazine, 2020) 3 2–3 accessed 3 November 2020; Sofia Svensson, ‘The Philippines: President Duterte’s Violent Approach to Covid-19’ (International Observatory Human Rights Website, 2020) 7 2–7 accessed 3 November 2020 51 Aspinwall (n 21) 1–9; Gil (n 22) 2 52 Aspinwall (n 21) 1–9; Gil (n 22) 2 53 Aspinwall (n 21) 1–9; Gil (n 22) 2 54 Carlos Conde, ‘Killings in Philippines up to 50 Percent during Pandemic: “drug War” Deaths Rise Dramatically as Country Reels from COVID-19’ (Human Rights Watch website, 2020) 8 2 accessed 4 November 2020 55 ibid

include deaths outside anti-drug police operations, such as killings of drug suspects by unidentified assailants.56

Second, the freedom of speech and expression is curtailed in favor of state-centric securitization.

The freedom of speech and expression is one of the rights enshrined in the Constitution. It provides a “framework in which the conflict necessary to the progress of society can take place without destroying the society.”57 The basis for one’s exercise of freedom of speech, expression, and assembly is the “substitution of the expression of opinion and belief by talk rather than by force; and this means talks for all, and by all […] [f]or in a democracy, it is the people who count; those who are deaf to their grievances are ciphers.”58

In relation to this, the Bayanihan to Heal as One Act criminalized certain acts. A penalty of either imprisonment or fine (or both) shall be meted out to offenses such as “creating, perpetrating or spreading false information about COVID-19 crisis on social media and other platforms, with no valid or beneficial effect on the population which promote chaos, panic, anarchy, fear or confusion.”59 Despite its similarity to Article 154 of the Philippine Revised Penal Code, which punishes the “unlawful use of means of publication,” the Bayanihan Act neither defines nor delineates the terms “fake news,” “false information,” and “chaos, panic, anarchy, fear, and confusion.”60 While the criminalization of “fake news” coincides with the zeitgeist, the provision could be problematic on two accounts.

First, the abovementioned prohibition punishes the creation, perpetration, and sharing of “false information.” Unlike Article 154 of the Revised Penal Code which requires criminal intent or is malum in se, the prohibition in this special law is a malum prohibitum. As such, the simple and/or innocuous act of creating, perpetrating, or sharing content later proven to be false is penalized without the necessity of proving intent to cause “chaos, panic, anarchy, fear and confusion” with “no valid or beneficial effect to the population.” This undeniably goes beyond the reasonable means necessary to criminalize the act of “fake news.”

56 ibid 2–3 57 Estrada v. Desierto GR No 146710-15, 02 March 2001 58 Estrada v Desierto GR No 146710-15, 02 March 2001 59 Bayanihan to Heal as One Act 2020, s 6(f) 60 Raphael Lorenzo Pangalanan and Anton Miguel Sison, ‘Bonavero Report - The Philippines’ in Bonavero Institute of Human Rights (ed), A Human Rights and Rule of Law Assessment of Legislative and Regulatory Responses to the COVID-19 Pandemic Across 27 Jurisdictions (Bonavero Institute of Human Rights 2020) 446

Second, the subject provision is questionably void for being vague. In the cases of People of the Philippines v Dela Piedra and Romualdez v Sandiganbayan, the Philippine Supreme Court held that “a criminal statute that fails to give a person of common intelligence fair notice that his contemplated conduct is forbidden by the statute or is so indefinite that it encourages arbitrary or erratic arrests and convictions is void for vagueness. The constitutional vice in a vague or indefinite statute is the injustice to the accused in placing him on trial for an offense, the nature of which he is given no fair warning.”61

Applying the foregoing, the criminalization of “false information” under the Bayanihan Act risks a “chilling effect” in speech under the

61 People v dela Piedra GR No 121777, 24 January 2001, 350 SCRA 163; Romualdez v Sandiganbayan, GR No. 152259, 29 July 2004 (J. Tinga, separate opinion). Commonly known as the void-for-vagueness doctrine, which again is influenced by United States doctrine and commonly applied to free speech cases, it could be applied to a certain degree on criminal cases and the Supreme Court had the occasion to provide a test for the same in the Romualdez case:

“A statute establishing a criminal offense must define the offense with sufficient definiteness that persons of ordinary intelligence can understand what conduct is prohibited by the statute. It can only be invoked against that species of legislation that is utterly vague on its face, i.e., that which cannot be clarified either by a saving clause or by construction.

"A statute or act may be said to be vague when it lacks comprehensible standards that men of common intelligence must necessarily guess at its meaning and differ in its application. In such instance, the statute is repugnant to the Constitution in two (2) respects - it violates due process for failure to accord persons, especially the parties targeted by it, fair notice of what conduct to avoid; and, it leaves law enforcers unbridled discretion in carrying out its provisions and becomes an arbitrary flexing of the Government muscle. But the doctrine does not apply as against legislations that are merely couched in imprecise language but which nonetheless specify a standard though defectively phrased; or to those that are apparently ambiguous yet fairly applicable to certain types of activities. The first may be 'saved' by proper construction, while no challenge may be mounted as against the second whenever directed against such activities. With more reason, the doctrine cannot be invoked where the assailed statute is clear and free from ambiguity, as in this case.

"The test in determining whether a criminal statute is void for uncertainty is whether the language conveys a sufficiently definite warning as to the proscribed conduct when measured by common understanding and practice. xxx”

The Court clarified however that “the 'vagueness' doctrine merely requires a reasonable degree of certainty for the statute to be upheld - not absolute precision or mathematical exactitude.” “Flexibility, rather than meticulous specificity,” according to the Court, “is permissible as long as the metes and bounds of the statute are clearly delineated.” An act will not be held invalid or void “merely because it might have been more explicit in its wordings or detailed in its provisions, especially where, because of the nature of the act, it would be impossible to provide all the details in advance as in all other statutes.” See further Estrada v Sandiganbayan 421 Phil 290, 430, 19 November 2001; Romualdez v Sandiganbayan G.R. No. 152259, 29 July 2004

doctrine of overbreadth: for being vague, it should be declared void.62 As the law does not provide elements of what constitutes “false information” or “fake news,” it becomes highly subjective on the part of law enforcement authorities. Significantly enough, the vagueness of the subject provision is being used to the advantage of government officials with a propensity to abuse. Since the onset of the COVID-19 outbreak, multiple actors such as activists and development workers have been “responding to the needs of communities, calling out corrupt and abusive policies and practices, and pushing for health-centered approaches to the crisis.”63 However, the state-centric securitization apparent in the Philippine response deems these opinions unwelcome and a threat to the agenda of national peace and security. Naturally, emergency laws and policies, such as the penal provision on “false information,” have been used to silence and purge these actors and defenders.64 As expressed by Gil in her same report:

“By going after those who express critical views of the government, authorities are casting a chilling effect on freedom of expression and possibly impeding information that may be crucial in effectively addressing this crisis. Indeed, the right to freedom of expression may be limited during times of emergency, but the limitations on this right should not be interpreted so as to defeat the right itself. If the Philippine authorities are genuinely concerned about rampant disinformation, the best way to address this is counter-speech.”65

In light of the foregoing, there is an obvious weaponization of the vague provisions of the law as regards false information and fake news.

62 Pangalanan and Sison (n 61) 447

63 Baysa-Barredo (n 16) 2. See also Aspinwall (n 23) 2–9

64 Baysa-Barredo (n 16) 2; Coble (n 52) 2; Carlos Conde, ‘Philippine Activists Charged with Sedition, “Fake News”: Government Misusing COVID-19 Law against Its Critics’ (Human Rights Watch website, 2020) 5 2 accessed 4 November 2020; Carlos Conde, ‘Philippine Authorities Go after Media, Online Critics: Misuse of COVID-19 Law as Dozens Face Probes, Backlash’ (Human Rights Watch website, 2020) 5 2 accessed 3 November 2020; CNN Philippines, ‘32 Arrested over “fake” COVID-19 News’ (CNN Philippines Website, 2020) 3 2 accessed 4 November 2020; Svensson (n 52) 2–7

65 Gil (n 24) 2

Third, there is the risk that the privacy and data protection of the Philippine citizenry will be unduly compromised.

One of the special powers provided to President Duterte and the executive department in general via the expired Bayanihan to Heal as One Act and the Bayanihan to Recover as One Act is to take over or direct the operations of public utilities and privately or publicly-owned medical facilities and other necessary facilities “when public interest requires it.” Additionally, the government recently established Staysafe, a contact tracing app to prevent and monitor the spread of COVID-19 infection. Other than penalizing unlawful disclosure of personal and privileged information, there are no parameters provided by law vis-à-vis the protection and safety of personal data and information under these measures.

This is problematic because the ability to take over public utilities, especially service providers vis-à-vis telecommunications and online data, and to use sophisticated surveillance technology such as contact tracing apps and cellphone detection data (with a combined threat of punishment for non-cooperation), without safety nets, can give the government unbridled access to personal data and information as well as the opportunity for abuse. The right to privacy and the right to data protection are left vulnerable and at the mercy of government authorities. However, this should not be the case, as the right to privacy, or the right to be let alone, was institutionalized in the 1987 Philippine Constitution “as a facet of the right protected by the guarantee against unreasonable searches and seizures.”66 While certain exceptions are allowed, arbitrary interference is not.67

As regards data protection, the Data Privacy Act of 2012 affirms the policy of the State to protect the fundamental human right of privacy. Data privacy “protects the rights of the individual from collection, use, processing, sharing, retention and most particularly

66 Disini v. Secretary of Justice GR No 203335, 18 February 2014, citing Pollo v Constantino-David GR No 181881, 18 October 2011, 659 SCRA 189, 204-205

67 1987 Philippine Constitution, art 3, s 2, 3. In discussing zones of privacy, the Supreme Court held:

“Zones of privacy are recognized and protected in our laws. Within these zones, any form of intrusion is impermissible unless excused by law and in accordance with customary legal process. The meticulous regard we accord to these zones arises not only from our conviction that the right to privacy is a ‘constitutional right’ and ‘the right most valued by civilized men,’ but also from our adherence to the Universal Declaration of Human Rights which mandates that, ‘no one shall be subjected to arbitrary interference with his privacy’ and ‘everyone has the right to the protection of the law against such interference or attacks.’” See Disini v. Secretary of Justice GR No 203335, 18 February 2014; See also In the Matter of the Petition for the Issuance of Writ of Habeas Corpus of Sabio v Senator Gordon 535 Phil 687, 714-715 (2006)

disclosure of personal information. This elemental right does not vary depending on situations.”68 At the heart of data privacy is guaranteeing a full cycle of control over data.69 Generally, processing of data is acceptable on legitimate grounds if one controls the flow, nature, and quality (including assessing the proportionality)70 of data. There is also the importance of notification of the data subject.71

However, the subject provisions of the Bayanihan Act and the usage of the government’s surveillance tracing app are bereft of provisions affirming the tenets of privacy and data protection. Furthermore, unlike countries like Germany, which has the Federal Data Protection Act (“Bundesdatenschutzgesetz”) that contains provisions on the processing of data by appropriate authorities in the handling of criminal and administrative matters, the Philippines does not have this kind of legislation. Non-protection should not be the case. Therefore, absent appropriate standards, any form of personal data should be kept away from the hands of government. Alternatively, legal parameters and safety nets ought to be placed to ensure that privacy, data protection, or other human rights are not compromised.

IV. Conclusion; Securitization of COVID-19 produces a “fog of war” that enforces catalysts of delinquent behavior

The present contribution started by outlining the phenomenon of securitization as regards the COVID-19 pandemic across the globe and the notable costs it entails. It thereafter proceeded to discuss the steps taken by the Philippine government in response to COVID-19 and how they reflect securitization. Among these measures are the implementation of restrictions on freedom of movement, the criminalization of false information and/or fake news, and the taking over or directing of operations of public utilities, privately or publicly-owned medical facilities, and other necessary facilities. Having in mind the costs of security, the present contribution highlighted the high costs on freedom of movement, freedom of speech and expression, as well as privacy and data protection. While derogation of rights is allowed in limited circumstances, certain violations were committed amidst the COVID-19 situation. These normally resulted from the opportunity

68 Data Protection Excellence Network, ‘COVID-19: Human Rights and A Data Privacy Perspective’ (Data Protection Excellence Network Website, 2020) 5 2 accessed 4 November 2020

69 Angela Aguinaldo and Paul de Hert, ‘European Law Enforcement and US Data Companies: A Decade of Cooperation Free from Law’ (2020) 26 11

70 ibid

71 Data Privacy Act 2012, s 12

taken by some government officials to abuse and misuse the COVID-19 situation. There have been numerous accounts of activists being harassed by law enforcement authorities in their homes during lockdown, while those who actively expressed their opinions against the government’s responses to the COVID-19 situation were often held liable for “false information,” notwithstanding the vagueness of the law as to what constitutes “false information.”

One can thus highlight herein the difference between the policy as written in the books and that which is done in practice. While the law in the books per se does not raise questionable issues, it is the implementation thereof and the environment in which it is being implemented that give rise to the numerous abuses and violations above-stated. Needless to state, the securitization of COVID-19 can be the threat itself and provides the needed “fog of war” to conceal and distract from abusive acts by the Philippines’ own government authorities. By having domain over all catalysts of action such as means, opportunity, motivation, and social control, violations and abuses can persist as long as present measures exist.
