Category: COVID-19-Virus

Series on COVID-19 Contact Tracing Apps Part 3: Data Protection Issues

28. May 2020

In today’s blogpost, we will finish the miniseries on COVID-19 contact tracing apps with a final part on the issues that are created by them with regards to data protection and users’ privacy. As we have presented in the first part of this series, different approaches to contact tracing apps are in use or are being developed in different countries. These different operating approaches have different data protection issues, some of which can, in the European Union, be mitigated by following data protection regulations and the guidelines the European Data Protection Board has published, which we presented in the second part of this series.

The arising data protection issues that come with COVID-19 contact tracing apps and their impact highly depend on the API design of the apps used. However, there are common points which can cause privacy problems that may apply to all contact tracing apps due to the sensitivity of the data processed.

The biggest risks of contact tracing apps

While contact tracing apps have the potential to pose risks to data protection and their users’ privacy in all terms of data protection aspects, the following are the risks politicians, scientists and users are most worried about:

  • The risk of loss of trust
  • The risk of unauthorized access
  • The risk of processing too much data
  • The risk of abuse of the personal data collected

The risk of loss of trust: In order to work properly and reach the effectiveness necessary to contain the spread of the virus and break the chain of transmission, scientists and researchers have pinpointed that at least 60% of a country’s population has to use the contact tracing apps properly. But for this to be able to happen, user satisfaction and trust in the app and its use of their personal data have to remain high. A lot of the research done on the issue shares the concern that lack of transparency in the development of the apps as well as in regard to the data they collect and process might cause the population to be sceptical and distrustful of the technologies being developed. The European Data Protection Board (EDPB) as well as the European Parliament have stated that in order for contact tracing apps to be data protection compliant, their development as well as processing of data need to be transparent throughout the entirety of the use of the apps.

The risk of unauthorized access: While the risk that the apps and the data they process can be hacked is relatively low, there is the concern that in some cases unauthorized access may result in a big privacy issue. Especially in contact tracing apps that use GPS location data as well as apps that use a centralized approach to the storage of the data processed, the risk of unauthorized access is higher due to the information being readily available. In the case of GPS data, it is easily possible to track users’ movements, allowing for a very detailed potential to analyse their behaviour. The centralized storage stores all the collected data in one cloud space, which in the case of a hacking incident may result in easy access to not only information about social behaviour and health details, but also, if used in conjunction with GPS tracking data, an easy to identify user behaviour analysis. Therefore, it has been recommended to conduct a Data Protection Impact Assessment before launching the apps, and ensure that the encryption standards are high. The Bluetooth method, in which phones ping each other anonymized IDs that change every 15 minutes in case of contact closer than 10 feet, has been recommended as the ideal technology to minimize location data being collected. Furthermore, most scientists and researchers recommend that in order to prevent damage, a decentralized storage method is better suited to protect the data of the users, as this method only stores the information on the users’ device instead of a central cloud.

The risk of processing too much data: In the case of contact tracing apps, one of the big risks is the processing of too much data. This issue can arise with apps that use GPS location tracking or that require sensitive health data other than the COVID-19 infection status, transactional information, contacts, etc. In general, contact tracing apps should not require much additional information except the user’s contact information, since it is only necessary to log the other devices their device has come in contact with. However, there are some countries that use contact tracing apps through GPS location tracking instead of Bluetooth exchange of IDs, in which case the location data and movements of the user are automatically recorded. Other countries, like for example India, have launched an app where additional health data is being processed, as well as other information unnecessary to follow up on the contact tracing. Contact tracing apps should follow the concept of minimization of data collection in order to ensure that only personal data necessary to the purpose of the contact tracing apps are being processed. That is also one of the important ground rules the EDPB has set out in its guideline on the subject. However, different countries have different data protection laws, which makes a unified approach and handling of personal data difficult in cases like these.

The risk of abuse of the personal data collected: One of the biggest fears of scientists and users regarding contact tracing apps is the potential risk of abuse of the personal data collected once the pandemic is over. Especially with the centralized storage, even now there are apps that give access to the data to the government, like in India, Hong Kong and Singapore. A majority of critics are demanding regulation which will ensure that the data cannot be used after the pandemic is over and the need for the apps has ceased. This is a specifically high risk in the case of tracing apps that locate the user through GPS location tracking rather than through Bluetooth technology, since the movements of the devices lead to a very detailed and easy to analyse movement tracking of the users. This potential risk is one of the most prominent ones regarding the Apple and Google project for a joint contact tracing API, as both companies have been known to face severe data protection issues in the past. However, both companies have stated that they plan on completely discontinuing the developed API once the pandemic is over, which would disable the apps working with that API. Since the Bluetooth approach they are using stores the data on users’ devices, the data will be locked and inaccessible once the API cannot read it anymore. But there are still a lot of other countries with their own APIs and apps, which may lead to a risk of government surveillance and even abuse by foreign powers. For Europe, the EDPB and the European Parliament have clearly stated that the data must be deleted and the apps dismantled after they are no longer necessary, as the purpose and legal basis for processing will not apply anymore once the pandemic is under control.

The bottom line

Needless to say, the pandemic has driven the need for new technologies and approaches to handle the spread of viruses. However, in a modern world this brings risks to the personal data used to contain the pandemic and break the chain of transmission, especially due to the fact that it is not only a nationwide, but also an international effort. It is important for users to keep in mind that their right to privacy is not entirely overpowered by the public interest to contain the virus. However, in order to keep the balance, it is important for the contact tracing apps to face criticism and be developed in a way that is compliant with data protection regulations in order to minimize the potential risks that come with the new technology. It is the only way to ensure that the people’s personal freedom and private life can continue without having to take a high toll from the potential attacks that could result from these risks. Transparency is the bottom line in these projects, and it can ensure that regulations are being met and the people’s trust is kept in order to be able to reach the effectiveness needed for the tracing apps to be successful in their purpose.

Series on COVID-19 Contact Tracing Apps Part 2: The EDPB Guideline on the Use of Contact Tracing Tools

25. May 2020

Today we are continuing our miniseries on contact tracing apps and data protection with Part 2 of the series: The EDPB Guideline on the Use of Contact Tracing Tools. As mentioned in Part 1 of our miniseries, many Member States of the European Union have started to discuss using modern technologies to combat the spread of the Coronavirus. Now, the European Data Protection Board (“EDPB”) has issued a new guideline on the use of contact tracing tools in order to give European policy makers guidance on Data Protection concerns before implementing these tools.

The Legal Basis for Processing

In its guideline, the EDPB proposes that the most relevant legal basis for the processing of personal data using contact tracing apps will probably be the necessity for the performance of a task in the public interest, i.e. Art. 6 para. 1 lit. e) GDPR. In this context, Art. 6 para. 3 GDPR clarifies that the basis for the processing referred to in Art. 6 para. 1 lit. e) GDPR shall be laid down by Union or Member State law.

Another possible legal basis for processing could be consent pursuant to Art. 6 para. 1 lit. a) GDPR. However, the controller will have to ensure that the strict requirements for consent to be valid are met.

If the contact tracing application is specifically processing sensitive data, like health data, processing could be based on Art. 9 para. 2 lit. i) GDPR for reasons of public interest in the area of public health or on Art. 9 para. 2 lit. h) GDPR for health care purposes. Otherwise, processing may also be based on explicit consent pursuant to Art. 9 para. 2 lit. a) GDPR.

Compliance with General Data Protection Principles

The guideline is a prime example of the EDPB upholding that any data processing technology must comply with the general data protection principles which are stipulated in Art. 5 GDPR. Contact tracing technology will not be an exception to this general rule. Thus, the guideline contains recommendations on what national governments and health agencies will need to be aware of in order to observe the data protection principles.

Principle of Lawfulness, fairness and transparency, Art. 5 para. 1 lit. a) GDPR: First and foremost, the EDPB points out that the contact tracing technology must ensure compliance with GDPR and Directive 2002/58/EC (the “ePrivacy Directive”). Also, the application’s algorithms must be auditable and should be regularly reviewed by independent experts. The application’s source code should be made publicly available.

Principle of Purpose limitation, Art. 5 para. 1 lit. b) GDPR: The national authorities’ purposes of processing personal data must be specific enough to exclude further processing for purposes unrelated to the management of the COVID-19 health crisis.

Principles of Data minimisation and Data Protection by Design and by Default, Art. 5 para. 1 lit. c) and Art. 25 GDPR:

  • Data processed should be reduced to the strict minimum. The application should not collect unrelated or unnecessary information, which may include civil status, communication identifiers, equipment directory items, messages, call logs, location data, device identifiers, etc.;
  • Contact tracing apps do not require tracking the location of individual users. Instead, proximity data should be used;
  • Appropriate measures should be put in place to prevent re-identification;
  • The collected information should reside on the terminal equipment of the user and only the relevant information should be collected when absolutely necessary.

Principle of Accuracy, Art. 5 para. 1 lit. d) GDPR: The EDPB advises that procedures and processes including respective algorithms implemented by the contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives. Moreover, the applications should include the ability to correct data and subsequent analysis results.

Principle of Storage limitation, Art. 5 para. 1 lit. e) GDPR: With regards to data retention mandates, personal data should be kept only for the duration of the COVID-19 crisis. The EDPB also recommends including, as soon as practicable, the criteria to determine when the application shall be dismantled and which entity shall be responsible and accountable for making that determination.

Principle of Integrity and confidentiality, Art. 5 para. 1 lit. f) GDPR: Contact tracing apps should incorporate appropriate technical and organisational measures to ensure the security of processing. The EDPB places special emphasis on state-of-the-art cryptographic techniques which should be implemented to secure the data stored in servers and applications.

Principle of Accountability, Art. 5 para. 2 GDPR: To ensure accountability, the controller of any contact tracing application should be clearly defined. The EDPB suggests that national health authorities could be the controllers. Because contact tracing technology involves different actors in order to work effectively, their roles and responsibilities must be clearly established from the outset and be explained to the users.

Functional Requirements and Implementation

The EDPB also makes mention of the fact that the implementations for contact tracing apps may follow a centralised or a decentralised approach. Generally, both systems use Bluetooth signals to log when smartphone owners are close to each other. If one owner was confirmed to have contracted COVID-19, an alert can be sent to other owners they may have infected. Under the centralised version, the anonymised data gathered by the app will be uploaded to a remote server where matches are made with other contacts. Under the decentralised version, the data is kept on the mobile device of the user, giving users more control over their data. The EDPB does not give a recommendation for using either approach. Instead, national authorities may consider both concepts and carefully weigh up the respective effects on privacy and the possible impacts on individuals’ rights.

Before implementing contact tracing apps, the EDPB also suggests that a Data Protection Impact Assessment (DPIA) must be carried out as the processing is considered likely high risk (health data, anticipated large-scale adoption, systematic monitoring, use of new technological solution). Furthermore, they strongly recommend the publication of DPIAs to ensure transparency.

Lastly, the EDPB proposes that the use of contact tracing applications should be voluntary and reiterates that it should not rely on tracing individual movements but rather on proximity information regarding users.

Outlook

The EDPB acknowledges that the systematic and large scale monitoring of contacts between natural persons is a grave intrusion into their privacy. Therefore, Data Protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures. It further underlines that public authorities should not have to choose between an efficient response to the current pandemic and the protection of fundamental rights, but that both can be achieved at the same time.

In the third part of the series regarding COVID-19 contact tracing apps, we will take a closer look into the privacy issues that countries are facing when implementing contact tracing technologies.

Series on COVID-19 Contact Tracing Apps Part 1: Different Countries, Different Apps

20. May 2020

In order to combat the spread of COVID-19, as more and more countries are phasing out of lockdowns, the eye is on the use of contact tracing apps to help facilitate breaking the chain of transmissions. Contact tracing apps hope to bring a safer way to combat the spread of the pandemic and enable people to go back to a life that is closer to their previous normal. In this miniseries, we would like to present to you different contact tracing apps, as well as European Guidelines and the data protection problems arising from the technology.

Contact tracing apps mostly rely on localising the users of the phones and tracing their whereabouts to analyse whether they have come into contact with someone who has later tested positive for the coronavirus. Individuals who have been in close proximity to someone who is confirmed to be a carrier of the virus will then be notified and asked to self-isolate for a certain period of time.

Due to this function, however, privacy is a big fear for a lot of users. It comes not only with the processing of personal data, but also tracing of movement and the collection of health data in order to be effective.

It is also important to note that there are different approaches to the purpose and use of anti-coronavirus apps all over the world. While this post focuses on portraying different contact tracing apps, there are also technologies that have a different purpose. For example, there are apps that require the localisation of mobile data with the purpose to track movement streams and localize a potential future outbreak area. Another option currently in use in Taiwan would be using the localisation data of mobile devices to control and ensure that the lockdown and quarantine measures are being followed. In Hong Kong, the mobile app is paired with a wristband to track movement of the user and alert officials if they leave their dwelling.

However, there are a lot of contact tracing apps used in different countries, with varying technology and also varying issues in the light of data protection. While a lot of countries immediately developed and released COVID-19 tracing apps, some are still trying to develop or test the technology with a commitment to data protection. In order to see the variety of different approaches to the matter, we are going to present some of the countries and the apps they are using or developing.

The following countries are some of the countries that have already implemented a contact tracing app to be able to counteract the spread of the virus quickly:

  • Austria – As one of the first European countries to jump to action, Austria has implemented the use of the tracing app project DP3T, which is backed by European scientists to be the best choice in terms of data protection. The handling of the data is transparent, as well as minimal and voluntary. The technology is based on Bluetooth identifiers, similar in concept to the Google and Apple technology, and the data is stored in a decentralized manner.
  • India – The Aarogya Setu app has been downloaded over 13 Million times within the first week of its release. It uses Bluetooth as well as GPS signals to trace devices, and collects a lot of sensitive data like names, birthdates, and biometric information. Due to a backlash in regards to data protection, it has been stated that the technology uses unique IDs to keep the data anonymized, that there is no access by third parties and that the data is only stored securely in case of a positive COVID-19 test.
  • Singapore – In Singapore, the TraceTogether app is a voluntary tracing app that uses Bluetooth and the mobile number of users in order to track their proximity to other devices. It does not use location data, however, and exchanges temporary encrypted user IDs in order to know who a device came into contact with. The encrypted IDs can only be decoded by the Ministry of Health, which holds the only decryption key.
  • South Korea – In South Korea, two apps are being used in conjunction, though the focus is rather to keep away from areas with infected people. One app, Corona 100m, was made by a private developer and notifies you if you come within 100 metres of a person that has tested positive for the virus. The app collects data such as diagnosis date, nationality, age, gender and location. The other app, Corona Maps, shows the location of diagnosed patients so you can avoid them.

On the other hand, some of the countries still working on the development include the following:

  • France – The StopCovid app under development in France is supposed to be ready by June, and is being criticized by many French politicians for the lack of regulation in the case of what happens with the data after the pandemic. France has also denied Google and Apple’s help with the development of the app, stating that the risks of misuse of the data are too high.
    Update: In the meantime, the French Data Protection Authority (CNIL) has released its second review of the contact tracing app on May 26, 2020, giving it a green light to continue after not seeing any major issues with the data protection concept. Despite using a centralized system which relies on pseudonymized and not anonymized data, the CNIL has stated that the government promises that there will not be any disadvantages and that the data can be deleted from the app.
  • Germany – Germany, much like France and other EU countries, has abandoned the joint PEPP-PT project in favour of coming up with their own national tracing app. As opposed to other countries, Germany sets much more hope in the joint venture with Google and Apple in an attempt to develop a privacy regulated app which is up to EU standards.
  • United Kingdom – The UK is currently planning on testing their contact tracing app system on the Isle of Wight, before they plan on rolling out the use of the app later in May. The app developed is using a more centralized approach for the storage of the data, which has been criticized by data protection lawyers. However, some have conceded that in such a situation, the “greater justification” for the use of the data is given in the public interest and health of the citizens.
  • USA – As announced by tech giants Apple and Google, the joint development of a tracing app is on the way. The app will be operating over Bluetooth, and will exchange identifiers when two devices are near each other for 10 minutes. These identifiers change every 15 minutes to minimize extended tracing, and in case of a positive test the Public Health Authority may broadcast an alert with the consent of the infected person. For more detailed information, please see our previous blog post on the joint announcement.

While the use of contact tracing apps increases, the data protection issues do as well. Most of them deal with the question of governmental access and misuse of the data, as well as transparency and voluntary use of the apps. The European Parliament and the European Data Protection Board (EDPB) have published guidelines for location tracing apps to conform with data protection laws and regulations, which we will be presenting in an upcoming blogpost as part of this miniseries.

Overall, tracing apps seem to be becoming the focus of the pandemic containment. It is important to remember as a user that, while the pandemic is starting to become a new state of normal, a lot of countries will still try to counteract the spread of the virus, and location tracking technology is one of the most effective ways to do so. In such a light, users need to remain conscious of their country’s approach to tracing apps and the privacy issues they may cause.

In the second part of the series regarding COVID-19 contact tracing apps, we will be going further into detail on the EDPB’s Guideline on location tracing apps, and focus on the European expectations and regulation in regards to data protection on the issue.

Hungarian Government suspends GDPR rights for COVID-19 related Data Processing

12. May 2020

In the face of the Corona pandemic, Hungary is currently in an indefinite “state of emergency”. Originally, Prime Minister Viktor Orbán decreed the state of emergency on 11 March 2020 lasting for a period of 15 days. However, on 30 March 2020, the Hungarian Parliament passed emergency legislation (Bill on Protection against Coronavirus or Bill T/9790) extending the state of emergency until terminated by the Prime Minister and allowing the Prime Minister to rule by decree during the state of emergency. The Bill was passed thanks to the two-thirds majority of Orbán’s Fidesz Party in the Hungarian Parliament.

On 4 May 2020, Prime Minister Orbán issued Decree No. 179/2020 which contains several provisions affecting Data Protection in Hungary extensively for the time of the state of emergency.

Most importantly, the decree suspends the individual data subject’s rights pursuant to Art. 15 to 22 of the European GDPR when processing personal data for the purpose of preventing, recognising, and stopping the spread of the Coronavirus. It also stipulates that the one month time limit for Controllers to provide the necessary information (Art. 12 para. 3 GDPR) will only begin after the termination of the state of emergency for any Coronavirus related data subject requests. Furthermore, the data collection information requirements for Controllers pursuant to Art. 13 and 14 GDPR will be satisfied by publishing an electronic privacy notice providing the purpose and the legal basis of data processing which the data subjects may take notice of.

The emergency decree received much criticism from various European Data Protection authorities and civil rights groups. The head of the European Data Protection Board (“EDPB”) Andrea Jelinek stated that she is “personally very worried” about the developments, and described the Hungarian government’s decision as “unnecessary [and] detrimental”. In its most recent plenary session, the EDPB also specifically discussed Hungary’s emergency measures in light of European Data Protection Law.

Enforcement of Brazil’s new Data Protection Law postponed due to COVID-19

8. May 2020

The Coronavirus is affecting South America, like the rest of the world, and it is spreading rapidly in its largest country: Brazil. Brazil’s Government and Legislators try to handle both the public health crisis and the economic crisis that the country is facing. Now both branches have adopted emergency measures to alleviate the effects of the virus, even impacting the enforcement of the country’s new national Data Protection Law (“Lei Geral de Proteção de Dados Pessoais” or “LGPD”).

The National Congress of Brazil only passed the LGPD in August 2018. It was originally scheduled to come into effect on 15 August 2020 (we reported). As the effects of the Coronavirus began to impact Brazilian businesses, many companies called for the postponement of the LGPD’s effective date due to the difficult economic environment and due to the fact that Brazil’s national Data Protection Authority (“ANPD”) is still not fully functional.

On 3 April 2020, the Senate of Brazil unanimously approved of the Law Bill “PL 1179/2020” which includes a provision to delay the effective date of the LGPD until 1 January 2021. Furthermore, the Bill sets forth that non-compliance with the LGPD shall not be sanctioned by the Data Protection Authorities until 1 August 2021.

The second chamber of Brazil’s National Congress, the House of Representatives, debated “PL 1179/2020” all throughout April 2020 and considered the implications of the LGPD’s postponement for the privacy rights of individuals, especially with many emergency measures on the way that were increasingly restrictive on privacy rights. A vote on “PL 1179/2020” by the House of Representatives was still pending by the end of the month.

On 29 April 2020, the President of Brazil took matters into his own hands when he issued Provisional Measure #959/2020. The measure postponed the effective date of the LGPD to 3 May 2021, without segmenting the postponement into two stages like the Senate’s Law Bill “PL 1179/2020” stipulated.

Provisional Measures issued by the President of Brazil serve as temporary law and are valid for a period of 60 days which the President may extend for another 60 days. During this time period, both chambers of the National Congress must approve of the Provisional Measure in order to become permanent law. If Congress disapproves, the measure will be invalidated.

EDPB ratifies new Guideline on Health Data Processing during COVID-19

27. April 2020

The European Data Protection Board (EDPB) adopted a new Guideline on the processing of health data for scientific purposes in the context of the COVID-19 pandemic on April 21, 2020. It aims at providing clarity on the most urgent matters and issues in relation to the processing of health data. Those matters include the legal basis for processing, the implementation of adequate safeguards as well as data subjects’ rights.

The Guideline states that the GDPR contains several provisions for the processing of health data in relation to scientific research. The first one would be the consent in Art. 6 (II) a GDPR in combination with Art. 9 (II) a GDPR. The EDPB emphasizes the necessity of the consent having to meet all the necessary conditions in order to be valid, notably consent must be freely given, specific, informed, and unambiguous, and it must be made by way of a statement.

Further, the EDPB clarifies that Art. 6 (I) e or f GDPR in combination with the enacted derogations under Art. 9 (II) (i) or (j) GDPR can provide a legal basis for the processing of personal (health) data for scientific research. National legislators can implement their own derogations, setting ground for national legal bases in regulation with the GDPR.

The EDPB also addresses the case of further processing of health data for scientific purposes, which means the case when health data has not been collected for the primary purpose of scientific research. In these cases, the Guideline states that the scientific research is not incompatible with the original purpose of the processing, as long as the principles of Art. 5 GDPR are being upheld.

In regards to international transfers, the Guidelines make specific emphasis on the transfer to countries with no adequacy decision by the European Commission. In such cases, it is possible for the exporter of the data to rely on the derogations of Art. 49 (I) a, explicit consent, and d, transfer necessary for important public interest, GDPR. However, these derogations do not entitle continuous or repeated transfers, and are only supposed to be used as temporary measures. The EDPB states that this is a sanitary crisis like none before, and therefore the transfer to other countries in cases of scientific research form an international emergency in which the public interest may take first priority. But the Guideline makes clear that in case of repeated transfer, safeguards according to Art. 46 GDPR have to be taken.

The Guideline further emphasizes that situations like the current pandemic outbreak do not restrict data subjects to exercise their rights. However, Art. 82 (II) GDPR gives national lawmakers the possibility to restrict data subject rights, though these restrictions should apply only as is strictly necessary.

Overall, the EDPB states that it has to be noted that any processing or transfer will need to take into consideration on a case-by-case basis the respective roles (controller, processor, joint controller) and related obligations of the actors involved in order to identify the appropriate measures in each case.

Apple and Google join forces during Corona Pandemic

17. April 2020

Apple and Google, two of the biggest internet giants, announced that they will partner on the development of a COVID-19 contact tracing technology.

According to a statement, both of them published on their blogs, aim of the partnership is to develop an App respectively a technical tool which should support the protection of people and to help combat the virus. Furthermore, the tracing technology should help governments and health agencies reduce the spread of the virus.

Apple and Google want to develop a Bluetooth technology which can be used on iOS and Android devices as well as that it can be implemented in Apps of other providers via an API (Application Programming Interface) – which should be published in May.

The tracing technology, using the Bluetooth function and encryption, is designed to detect the distance between two devices in order to identify potentially vulnerable people who have been in close contact with a person tested positive for corona. Therefore, the devices should exchange temporarily ID numbers. In case, one person is tested positive he or she should change the status in the used app in order to inform all persons to which the data subject had contact in the past two weeks.

Both, Apple and Google, ensure that they take data protection requirements seriously. According to the provided information the data should firstly be stored on the respective devices and deleted automatically after two weeks. The data should only be uploaded to a server after change of status to tested positive and obtaining consent of the data subject. The exchanged ID numbers are planned to be uploaded to a list anonymously. In order to increase trust, it is planned to publish the software source codes. This would allow everyone to understand how the data is handled. In addition, this is to ensure that no data will be used for advertising purposes.
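The data flow described in this post (temporary IDs exchanged between devices, local storage, deletion after two weeks, upload only after a positive status and consent) can be modelled in a few lines. This is an added, simplified illustration and not Apple's or Google's API or code; the class, function and variable names are hypothetical, and random 16-byte IDs and integer day numbers are assumptions.

```python
import os

RETENTION_DAYS = 14  # the "two weeks" after which the post says data is deleted

class Device:
    """One phone (hypothetical model). Both stores stay on the device by default."""

    def __init__(self):
        self.sent = {}    # day -> temporary IDs this device broadcast
        self.heard = {}   # day -> temporary IDs received from nearby devices

    def broadcast(self, day):
        tid = os.urandom(16)  # assumption: a random ID, carrying no name or location
        self.sent.setdefault(day, set()).add(tid)
        return tid

    def receive(self, day, tid):
        self.heard.setdefault(day, set()).add(tid)

    def purge(self, today):
        # Automatic deletion of everything older than the retention window.
        cutoff = today - RETENTION_DAYS
        for store in (self.sent, self.heard):
            for day in [d for d in store if d < cutoff]:
                del store[day]

    def report_positive(self, today, consent, server_list):
        # Nothing leaves the device without the user's consent.
        if not consent:
            return 0
        self.purge(today)
        ids = set().union(*self.sent.values())
        server_list.update(ids)  # the list holds bare IDs, no account data
        return len(ids)

    def exposure_days(self, today, server_list):
        # Matching runs on the device; the server never sees who heard whom.
        self.purge(today)
        return sorted(d for d, ids in self.heard.items() if ids & server_list)

def run_scenario():
    # Constructed sample: three devices, day numbers are arbitrary integers.
    alice, bob, carol = Device(), Device(), Device()
    server_list = set()
    bob.receive(3, alice.broadcast(3))     # contact older than two weeks on day 21
    bob.receive(20, alice.broadcast(20))   # recent contact
    carol.receive(20, bob.broadcast(20))   # carol only met bob, who is not positive
    refused = alice.report_positive(21, False, server_list)
    uploaded = alice.report_positive(21, True, server_list)
    return {
        "refused": refused,
        "uploaded": uploaded,
        "bob": bob.exposure_days(21, server_list),
        "carol": carol.exposure_days(21, server_list),
    }
```

In this model the day-3 ID is purged before upload, so only the recent contact can trigger a notification, and a device that withholds consent contributes nothing to the list.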

CNIL publishes new Guidance on Teleworking

14. April 2020

The French Data Protection Authority (CNIL) released guidance on teleworking on April 1st, which is intended to help employers master the new working situation. In particular, it is supposed to bring clarity on the IT requirements in order to ensure a safe and well-functioning remote working environment.

In particular, the guidance touches on the following points to form a basis for coping with teleworking from an employer’s perspective:

  • It is recommended that employers formulate an IT Charter or internal regulation on how to use the teleworking systems which are to be followed by the employees,
  • Necessary measures have to be taken in case the systems have to be changed or adapted to the new situation,
  • It should be ensured that employee work stations have the minimum requirements of a firewall, anti-virus software and a tool blocking access to malicious websites,
  • To keep from being exposed on the internet and ensure security, a VPN is recommended to be put in use.

Furthermore, the CNIL has also given guidance on the cases where an organization’s services are mainly performed over the internet. In such cases, it is recommended to follow a few necessary requirements in order to make sure the services can be delivered safely and smoothly:

  • Web protocols that guarantee confidentiality and authentication of the processes (such as https and sftp), and keeping them up to date,
  • Two-factor authentication,
  • No access to interfaces of non-secure servers,
  • Reviewing logs of access to remotely accessible services to detect suspicious behaviors,
  • Ensuring that the used equipment follows latest security patches.

The CNIL also offered some best practices for employees to follow in cases of working remotely, to give both sides pointers on how to deal with the changing situation.

Specifically, employees are advised to ensure their Wi-Fi is secure by using encryption such as WPA2 or WPA3, along with a secure password. In addition, the CNIL recommends using work equipment provided by the employer, as well as a VPN provided by the company. Where employees use their own devices, a firewall and anti-virus software are the necessary requirements to ensure the security of the equipment, as well as updating the operating system and software to the newest patches.

Lastly, the CNIL warns of increased phishing attempts in relation to the COVID-19 outbreak.

Overall, the guidance and best practices the CNIL has published indicate a need for continuous and active vigilance in regards to teleworking, as well as the sharing of personal data in the process.

This guidance is in line with our past assessment of the remote working situation, which you are welcome to check out in the respective blogpost in our Series on Data Protection and Corona.

Series on Data Protection and Corona – Part 8: Social assessment of the importance of data protection

30. March 2020

The Corona crisis is not only a challenge for the health system, the economy and each and every one of us. People in the so-called ‘systemically important’ professions have been working at their physical and psychological limits for days and are constantly exposed to the virus and its consequences.

The economic damage to be feared can so far only be guessed at and is causing additional concern. The issue is currently omnipresent. Everyone is worried about infecting themselves or others and whether they, their family, friends and acquaintances will survive the crisis economically or in terms of health.

In these times, it is understandably difficult to continue dealing with data protection. Quite a few people, especially in times of the coronavirus, simply don’t want to deal with the “annoying” data protection issues and some even see data protection as an additional hurdle, for example when it comes to remote work.

Social assessment of data protection

In the last few days we have made every effort to explain to you the data protection regulations and measures as well as the special features of the current situation. Finally, we would like to address the general social attitude towards the topic of data protection and point out its important role even in times of the coronavirus.

Already at the beginning of March, the German newspaper FAZ published an article on the results of a representative survey conducted by the market research company Innofact on behalf of Usercentrics. The result of this study was that a large part of the German population is prepared to accept restrictions on data protection and thus the right to informational self-determination in order to combat the corona crisis. In addition, the majority of the respondents also advocate the expansion of data retention (for example, of flight and travel data) in order to be able to track the spread of the pandemic. Moreover, more than 50% are prepared to disclose their health data voluntarily.

When the Robert-Koch-Institute (RKI) announced that it had received several terabytes of anonymised data from a German telecommunications provider in order to trace movement patterns of the users and thus assess the effectiveness of the measures imposed to date, there were also hardly any voices critical of such data transfer. This may be due to the fact that the data was anonymised. In other countries, however, data has not been transferred anonymously. In China, South Korea and Taiwan, for example, phone-tracking technologies and mobile phone apps were used to break down movement patterns to individuals.

A similar but slightly different approach, based on the cooperation of the persons concerned, has been established by the Austrian Red Cross. The Red Cross has developed the app “Stopp Corona” (article in German). Users of the app are supposed to track who they have been in contact with and, in case of an infection, also add this information in the app to automatically inform the contacts of the last 48 hours about the infection and ask them to isolate themselves. According to the Red Cross, the data processing takes place in anonymized form. The app has been available for Android devices in Austria since Tuesday, 24.03.2020. It remains to be seen whether and with what success this and similar apps can help against the spread of the pandemic.

Are these findings new?

But are these findings really new, or do they just appear in a different light due to reference to the corona crisis?

The majority of the population uses the social media services Facebook and Instagram. In addition, messengers such as WhatsApp continue to enjoy great popularity in society and are just as popular worldwide as Google Maps. What all these services have in common is that they have all been in the media because of conflicts with data protection regulations. Users must therefore be aware that they reveal a great deal about themselves personally, their interests, hobbies, whereabouts, etc. This is willingly accepted in order to take advantage of the supposedly free benefits they gain by using the above-mentioned services. However, the operators of these services are all too happy to be compensated with the voluntarily provided data of users, for example in order to place advertising tailored to the individual.

The realization that personal data is provided more or less voluntarily is therefore no news. In the current situation, the undoubtedly important purpose of combating the pandemic only seems a welcome excuse, because it seems ‘desirable’ to subordinate data protection to a higher goal.

But even if certain measures, especially when data is used anonymously, seem to be useful in combating the corona virus, even now interventions in the informational self-determination of each individual should only be made after careful consideration, so that each person can continue to develop freely within the framework of his or her freedoms and rights. That is why, even in times of the corona crisis, it is important to preserve the data protection requirements of the GDPR and local data protection and other laws which carry the idea of informational self-determination, also and above all when sensitive data such as health data are to be processed.

This blogpost concludes the daily contributions of the Series on Data Protection and Corona. From time to time, we will of course add new contributions from the field to this series and will continue to keep you informed about data protection news that has no connection to Corona.

For more up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you only the best, stay healthy and protect yourself and others.

Series on Data Protection and Corona – Part 7: Online Learning Tools and potential Data Protection Concerns

27. March 2020

In the course of the spreading COVID-19 pandemic, more and more schools are closing to keep the school staff and children safe. However, this leaves parents with the duty to keep their children educated and to preserve their motivation to learn and study.

Online learning tools and platforms have seen a rise in the past few years, as the demand for additional learning rises and the requirement for schools and students to adapt to a digitalized process gains in importance. In the wake of the current spread of the Coronavirus, these tools may help parents brave the daunting task of suddenly being in charge of their children’s education.

However, it is important to keep in mind that online learning tools also bring issues and challenges with regard to the protection of the children’s personal data. Not only is registration data a requirement for the use of the tools; in addition, a lot of them need to collect the student’s learning data, e.g. learning time, evaluation of tasks or exams, as well as social interactions if the students are sharing it with, for example, their class.

In the following, we would like to shed some light on different data protection aspects and things to look out for, in two different constellations. On the one side, the use of independent third party apps or tools and on the other, tools procured or offered by the schools and teachers.

Independent Providers

In the case of independent third party providers, there is a big range of online learning tools available. Each of them has a different array of personal data they collect, and it is very important to read privacy notices if you do not want the personal data of your child potentially used for marketing purposes, or transferred to third countries.

The good thing in regards to third party learning tools is that in most cases, only the e-mail address is required for registration. That allows the option to leave the real names and information of your children blank, instead allowing for the use of pseudonyms to shield from potential unwanted data processing and keep anonymity.

Especially in regards to providers based in Germany, the data protection standards are quite high, and therefore pose less of a threat to the child’s personal data. However, even with high standards in their country of origin, there are tools like Studysmarter, which allow in their privacy notice (available in German) for the learning data of the users to be processed for the enhancement of the tool. Furthermore, many of these online learning tools use applications through Google or Facebook, which likely transfer their data to the USA, and thus might be accessible to the American government.

In most cases of third party online learning tools, the third parties are the controllers of the data collected. However, some tools, such as Antolin, are processors due to the constellation of the platform’s setup. In such cases, the teacher acts as an admin for the students’ accounts, and keeps control of the data collected. That ensures an additional safeguard in the processing of the children’s personal data, since the teacher controls through instructions and customizable online classrooms what data is processed.

Schools

In contrast to the above, schools have increasingly started to develop and offer their own online learning tools, or collaborate with third parties to provide more individualized online learning options. This has the positive effect that, since the school is still the controller of the collected personal data, the same safeguards are in place as during regular school attendance.

In Germany, in such a case the processing is based on the school’s institutional authority to provide education. Because of that, the legal grounds for the processing are Art. 6 I lit. e GDPR and Art. 6 III sentence 1 lit. b GDPR, which refers to the respective state’s school laws and school data protection laws. Therefore, the data protection in such cases is bound to specialized legal obligations.

However, since the school and the teacher usually are the ones administrating their online learning platforms, there is less chance for the students to stay anonymous. In order to fulfil their educational duty and to grade or help the students in specific cases, the teacher needs to be able to identify each student and the class they belong in. Parents might have to keep an eye on the social exchange with classmates over these learning tools as well, since personal data, which is not necessary for the educational duties of the school, does not fall under their processing competence.

In that regard, the Datenschutzkonferenz (DSK) in Germany has released an orientation guide on online learning tools that schools are recommended to follow in order to stay GDPR compliant. The guide touches in detail on the different aspects of the processing of students’ personal data, and gives pointers on how schools are supposed to process personal data collected in online learning tools.

Overall, it is important for parents and children to be informed by the controller in accordance with Art. 13 GDPR in order to be sure about the type of processing taking place, and to make sure the necessary consent has been requested in case of profiling or marketing purposes.

Where possible, it is recommended to give the least amount of personal data required, especially if the online learning tool is not handled by the child’s school but rather by a third party provider. In addition, parents should look out for third country transfers, as the safeguards in other countries do not necessarily compare to the standards in their country of origin.

We also recommend keeping an eye on your child’s usage of the tool and monitoring their handling of their own personal data.

The series on data protection and corona will be continued with the last blogpost of the series on the subject of social assessment of the importance of data protection.

For more up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you all the best, stay healthy and protect yourself and others.
