DATA MONITORING IN THE FIGHT AGAINST COVID-19

17 Apr DATA MONITORING IN THE FIGHT AGAINST COVID-19

Currently, we are living one of the greatest global crises – if not the greatest – of our generation. The decisions made shall be the foundation to shape the new economic, political, cultural and technological structures for mankind after the pandemic.

In this sense, we should ask ourselves not only how to overcome the immediate threat, but also what kind of world are we preparing for the future, since many short-term emergency measures may become permanent.

Issues that would take years to be discussed and studied on a regular situation are now being decided and enforced in a matter of hours.

Therefore, overnight, people from all over the world are having to comply with certain security measures and safeguards imposed by each government with the aim to stop the pandemic and in order to protect human health.

To ensure compliance with such measures, governments have been increasingly using data processing technologies, such as location tools (GPS, Wi-Fi, Bluetooth) and algorithms, to monitor people and, in some countries, even to apply penalties for those that do not comply.

The Chinese government, for instance, has been monitoring its citizens through smartphones, using mainly facial recognition functions, location tools and apps that require people to fulfill reports informing their clinical conditions. Such measures allow for the Chinese authorities to identify those who are infected with the COVID-19 and those who had come in contact with such individual, as well as to notify others about proximity with an infected patient.

Germany and Italy have announced partnerships with telecommunication companies to provide location data from its citizens with the aim of tracking the COVID-19 spread and to mitigate its consequences.

As the use of location data has gained the attention of the European authorities, the Chair of the Civil Liberties Committee¹ stressed that, even in pandemic times, privacy and data protection European rules remain into force, that is, e-Privacy Directive and General Data Protection Regulation (“GDPR”). Under European rules, anonymized data may be used freely. The problem is when the data subject’s health and personal data, are processed, even if the consent has been provided. This is because, in a pandemic scenario, the data subject might feel as if he or she is obligated to share data, harming his/her free will.

Despite the suspension of the project due to a request made from president Jair Bolsonaro, in Brazil, the Ministry of Science, Technology, Innovations and Communications (“MCTIC”) had signed, in the beginning of this month, an agreement with the main Brazilian mobile phone companies – Algar Telecom, Claro, Oi, Tim and Vivo – in order to help in the fight against the pandemic.

These companies, as a joint taskforce, would provide MCTIC with aggregated, statistical and anonymous mobility monitoring data of their users, collected from mobile networks, allowing the identification of large  concentrations of people, since these concentrations are a suitable environment for the spread of the virus infection.

As it would not be possible to identify the data subject, in theory, this project would not be subjected to the rules of Brazilian General Data Protection Regulation (“LGDP”).

Additionally, the Telecommunications Secretary addressed a legal advice request to the Federal Attorney General Office (“AGU”) regarding the surveillance of location data. In response, AGU issued an opinion stating that monitoring data could be used, if they are kept aggregated and anonymous. This is due to the fact that anonymized data are also not under LGPD scope, which, must be reminded, has still not entered into force, and Brazilian case law offers protection to data communication, not to “data by itself”. Furthermore, under LGPD, article 13 data processing would be justified on a pandemic context, as long as such processing occurs in order to solely allow public health studies.

All over the world internet users are already being monitored by some large electronic platforms, such as Google and Facebook, and by Android operational system, in order to provide information related to large concentrations of people for their users.

Naturally, in this scenario, the major concern related to data monitoring is not to know for sure how such activity shall be performed, if it will be restrained to the informed purposes and who will have access to such data.

Moreover, there is also a concern regarding how such data shall be processed after the emergency period. Will we keep sharing our data in order to prevent a second pandemic? Will the sharing be regulated and limited?

There are no doubts that the current data processing due to the pandemic is in order to protect the community. However, it is necessary to ensure as of now that processing agents adopt measures, including security measures, to protect subjects privacy and fundamental rights and freedoms, to limit the processing to the minimal necessary to fight the pandemic, to store data for a limited time only and to avoid the usage of such data for discriminatory ends in the future.

This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KGV Advogados concerning the matters herein addressed. Copyrights are reserved to Kestener, Granja & Vieira Advogados.

(¹) Press Releases. Use of smartphone data to manage COVID-19 must respect EU data protection rules. Available at: <https://www.europarl.europa.eu/news/en/press-room/20200406IPR76604/use-of-smartphone-data-to-manage-covid-19-must-respect-eu-data-protection-rules>. Accessed on April 15, 2020.