A tense anniversary

Legal Watch No. 24 – May 2020

The GDPR is celebrating its second anniversary in a particularly turbulent context for fundamental rights.

How resilient will the European data protection system be in the face of current health challenges?

Already put to the test in the fight against terrorism, is the foundation of rights that protects individuals in Europe adapted to the developments we are experiencing today?

  • Emergency laws and technological “solutionism”

Emergency laws and technological developments enabling the tracking of individuals are multiplying in Europe and the rest of the world.

On closer inspection, not all of these initiatives are alike.

Within the European Union itself, the French and Hungarian emergency laws, for example, are very different in terms of restrictions and scope of application.

In France, the government has faced heated parliamentary debate, particularly over the issues of tracing infected people and the preventive quarantine of sick people. Some provisions have even been struck down by the Constitutional Council.

Hungary goes further by generally restricting the role of its parliament, as well as, more specifically, the protections provided by the GDPR concerning profiling, the right of individuals to access their data and the right to be forgotten.

There are also significant differences when comparing the German "covid" tracking app, which is based on a decentralised system with minimal data collection, and the UK app, whose (identifiable) data is stored by the government for twenty years without any prior impact assessment.

The European Union Agency for Fundamental Rights (FRA) has published two reports assessing the impact of measures taken by European states on fundamental rights.

It warns against the development of intrusive measures and the addiction to this new state of affairs.

While individuals must obviously benefit from the most complete information possible, as well as means of control (consent, rights of opposition and erasure) when tracking systems are implemented, data protection authorities point out that the legality of these systems cannot be based solely on the consent of the persons concerned.

As the CNIL points out in its opinion on the now operational StopCovid application, "the real usefulness of the device will have to be studied more precisely after its launch. The duration of implementation of the system must be conditional on the results of this regular evaluation."

Will such ex post evaluations be sufficient? A thorough examination of the usefulness of new tracking devices should in principle precede the implementation of processing, even (and especially) in emergency situations, when sensitive data is processed.

  • Institutional safeguards

In addition to Parliament and institutions such as the CNIL, French courts and tribunals are called upon to rule on data collection.

This is the case with the Council of State, which, by an order of May 18, ordered the State to cease all drone surveillance measures used to monitor compliance with the lockdown in Paris.

The same applies to the Rennes judicial court, which described the use of the ADOC file (fines file) to check for repeat offenses of non-compliance with confinement rules.

It should be noted that these recent decisions are based on the existence or absence of a legal basis, without calling into question in a more fundamental way the proportionality of the coercive measures.

So what about the proportionality of these measures? Have the ethical questions raised by a possible drift in surveillance methods been sufficiently taken into consideration?

Recent WHO recommendations regarding the ethics of tracking technologies point to the fine line between health surveillance and population surveillance, and the increased risks faced by marginalized people.

The WHO advocates for effective supervision of public and private actors involved in the management of population data.

The document lists the essential principles to be respected in the current context and provides a very useful list of recent communications from public authorities and international organizations (an extensive compilation is also available on the Global Privacy Assembly website).

  • The essential role of the actors behind the processing

These considerations highlight the need for in-depth reflection on the responsibility of the actors involved in surveillance systems, at the level of public bodies but also private actors.

Before projecting ourselves into “the world after,” let’s first look at the tools we have today.

The originality of the GDPR compared to the previous legal framework lies in particular in the accountability measures that it provides. The data controller, whether state or private company, must be held accountable.

It is responsible for evaluating the development of data management tools in light not only of economic or political issues, but also of fundamental rights, in particular through a prior analysis of the impact of processing on the rights of individuals.

This obligation is backed by fines, as Finland Post has just experienced: it was sanctioned for failing to carry out such an impact analysis before implementing data processing.

Integrating data protection into the design of a processing device, and configuring the device to limit the data collected, also known as "privacy by design" and "privacy by default", are two other essential ways of taking the rights of individuals into account before any data processing.

It is this key role of the GDPR that the President of the European Data Protection Board, Andrea Jelinek, recalls in her message on the occasion of the anniversary of the Regulation.

The GDPR is adapted to the crises we are going through, but it is the responsibility not only of the supervisory authorities but also, and above all, of the data controllers to play the game.

Respect for fundamental rights is undoubtedly, today more than ever, an essential step to ensure the trust of individuals in new technological developments and their acceptance of them.

Without trust, the effectiveness of health measures is at stake, and the very outcome of the crisis we are going through. 

Anne Christine Lacoste

A lawyer specializing in data law, she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
