As previously announced, I am releasing the second part of the series “Corona virus - license for mass surveillance?” today. In the first part I gave my opinion as a data protection specialist and tried to look critically at this topic. In the second part, I want to leave the scepter to the Austrian data protection officer, lawyer and consultant Michel Sharbin, whom I mentioned briefly in the first part, who uses the GDPR to take this issue apart.
March 31, 2020 - Guest contribution from Michel Sharbin
In various European and international countries, the state now accesses the previously and continuously collected data from the movement analysis of users.
As already discussed, in my opinion, this data processing is not GDPR-compliant, since, on the one hand, the consent of the person concerned is mandatory for data processing, and, on the other, in this specific use case the data must be anonymized to a sufficient technical standard to ensure that identification of the natural person is not technically possible. It is doubtful whether pseudonymization is sufficient.
Due to the increased risk for natural persons, the data controller must prepare a corresponding data protection impact assessment and, if necessary, consult the data protection authority. An increased risk is defined in Art. 35 GDPR, for example in Art. 35 Para. 3a GDPR: “systematic and comprehensive assessment of personal aspects of natural persons, which is based on automated processing including profiling and which in turn serves as the basis for decisions that have legal effects against natural persons or impair them in a similarly significant way;”
Another possibility of legitimation can be seen in analogy to recital 54 of the GDPR: “The principles of data protection should apply to all information relating to an identified or identifiable natural person. Pseudonymized personal data that could be attributed to a natural person through the use of additional information should be considered information about an identifiable natural person. In order to determine whether a natural person is identifiable, all means should be considered that are likely to be used by the controller or another person, in the general judgment, to identify the natural person directly or indirectly, such as singling out. All objective factors, such as the cost of identification and the time required to do so, should be taken into account when determining whether means are likely to be used to identify the natural person, taking into account the technology and technological developments available at the time of processing. The principles of data protection should therefore not apply to anonymous information, i.e. information that does not relate to an identified or identifiable natural person or personal data that has been anonymized in such a way that the data subject cannot or can no longer be identified. This regulation does not affect the processing of such anonymous data, including for statistical or research purposes.” The statistical evaluation of anonymized mass data could thus be compatible with the GDPR in analogy to the protection of public health and thus be legitimized.
According to the authorities in Brussels, it is then the task of the respective national legislation to determine a corresponding legal framework for such deviations from the GDPR (report: https://www.nachrichten.at/politik/aussenpolitik/corona-nutzung-persoenlicher-daten-laut-eu-kommission-rechtens;art391,3243928). The homepage of the EU Council / Council of the European Union also states: “Protecting the health of its citizens is a top priority for the EU.” (https://www.consilium.europa.eu/de/policies/covid-19-coronavirus-outbreak/)
As already discussed, in the course of the various measures decided by the government, it would have been possible to put this on the agenda accordingly and also to create an exceptional legal framework for this extraordinary measure, for the safety of the citizens and the state itself. Whether this will come on the agenda afterwards with possible further packages of measures remains open; I doubt there will be broad approval, because the opposition parties have already been extremely critical of and opposed to this specific data processing measure. The data application is now actively exchanging data with the government and provides the analyses for the desired purpose. With the hopefully foreseeable end of the Corona crisis and of the threat to public health, this data processing will hopefully also come to an end.
Unfortunately, I have to make a comparison to the devastating attacks of September 11th. The world was not the same after that day. In the months afterwards, various measures were taken, be it legally, factually or - as the revelations of various secret service scandals prove - behind closed doors ("the program"), to protect national security or to combat terrorism and, among other things, at the expense of the privacy of natural and legal persons worldwide in the most diverse areas. This shows that the risk of terrorism has now established itself in collective risk perception and is perceived as inherent. As a result, intergovernmental “differences” or national interests are now disguised as counter-terrorism in order to pursue their goals. A large number of losses of privacy as well as a large number of abuses must now be “accepted” by the person concerned in order to protect them and to protect national and international security.
Do we now have to “put up with” something again in order to protect public health? In recent history there has already been a risk with some pathogens that they have spread uncontrollably and that a dangerous situation for public health has arisen. Will risk perception manifest itself here as well and establish a basically short-term measure as a tried and tested method, and further erode data protection and privacy?
It is now essential that, on the one hand, a position is taken on this and, on the other, that the crisis is ended and dealt with expressly and demonstrably in the sense of public health, that is to say the ending of curfews, at the state level. Furthermore, it must be ensured that these measures do not set a precedent and the states are obliged to create a legally compliant framework for such serious interventions and measures.
The data processing itself will continue to exist after a hopefully foreseeable end to the transmission to the states. The various telecommunications companies have previously collected and processed this data and will continue to do so.
It should be explicitly mentioned here that any approval that was potentially given is to be viewed very critically as to whether it is GDPR-compliant in the present form.
The data processing for the movement analysis is not relevant to the fulfillment of the contract, and it is the good right of every customer of various telecommunications companies to request information about this data processing, to object to the data processing, and to have this data demonstrably deleted.
It should be noted that the topic is not dealt with conclusively and the author provides a contribution to raising awareness of data protection law "privacy".
About the author
- Mag. Michel Sharbin
- Certified data protection officer (DKU)
- Lawyer (KFU)
- Adviser to various national and international companies, investment companies, UHNWI and state institutions