COVID-19 has presented many new challenges for data privacy and protection. On 17 and 18 June 2020, I had the honour to be invited to participate in the 5th Data Privacy and Protection Conference. It’s an annual event that has gained increasing popularity within the Data Protection Officers (DPO) community. This year, due to the COVID-19 restrictions, the event was 100% virtual.
Online, distinguished thought leaders from around the world presented how the reality of coronavirus affects privacy and data protection.
The presentations touched on topics such as:
- Business development through reasonable and legal use of data
- New challenges in managing personal data and complying with GDPR
- Critical factors in securing IT systems against cyber-attacks
- The role of DPOs in dealing with various legal issues with regard to using IT solutions in data privacy
I am going to present the highlights of this very interesting conference in a three-part series of blog posts. This is the first part.
COVID-19 and Digital Rights in Greece
The first speaker was Elpida Vamvaka, Chair of the Board of Homo Digitalis. Homo Digitalis is a Greek non-profit organisation dealing with the protection of digital human rights. Vamvaka presented the latest study written by members of the organisation. The study deals with the recently elevated challenges in digital human rights caused by the use or proposed use of certain technologies in the containment of the COVID-19 pandemic.
The study covers four thematic areas:
- Development and use of contact tracing apps
- The use of drones by law enforcement agencies in Greece
- The various national measures, like the COVID-19 Patients Record or sending SMS to allow movement
- Fake news during the pandemic
Technology as an Ally
Asked for a comment, Elpida Vamvaka said:
We want technology to be an ally in any effort, especially in health. The guide, of course, for the choice of instruments should be the principle of proportionality. The subsequent choice should be the milder medium that leads to the desired effect.
As the National and European Authorities have pointed out, the legislation on the protection of personal data does not prevent the implementation of measures against the spread of the virus. Legislation even gives us the tools we need. And it has explicitly instilled the exceptions for public health cases.
Transparency, respect for the principle of accountability, and temporality are key elements in accepting measures in a state of emergency. Perhaps my greatest anxiety lies in the actual temporality of these measures. We must not tolerate or get used to these measures taking longer than the health crisis. The pandemic will eventually become a thing of the past. It is important to get out of this situation with as few casualties as possible in all areas.
Data Protection In Times Of COVID-19: The Death Of Privacy Or A New Challenge?
Next to speak was Professor Lilian Mitrou from the University of the Aegean. She started her presentation by saying that the COVID-19 pandemic began just when the cybersecurity and privacy community was discussing important data privacy issues. These issues included AI challenges, the GDPR two-year assessment, the use of facial recognition and the Clearview app, and the extensive use of personal data for law enforcement purposes.
The declaration of the pandemic gave birth to some really hard questions: is the pandemic the end of data protection? And is respect for fundamental freedoms at odds with the efficient monitoring of the spread of COVID-19?
GDPR Requirements Are Still Binding And Applicable
In response to these questions, Professor Mitrou elaborated that GDPR requirements are still binding and applicable. She added that data controllers must ensure personal data protection even in this most exceptional case. She also said that a democratic emergency state should be based on clear, precise, and accessible rules. These rules must respect the principles of necessity, transparency and proportionality.
Professor Mitrou concluded her presentation by offering some thoughts for further consideration. Her main note was that the exceptional COVID-19 and data protection measures should not become the rule. Fundamental rights such as the right to data protection can be restricted but not denied. However, general, extensive, or intrusive restrictions that result in voiding a fundamental right of its basic content cannot be justified. According to the Professor, the question that needs to be answered is whether we will find our way back to institutional normality or whether in the future we will exercise “constitutional distancing”.
In their presentations, the two speakers highlighted the emerging and expanding challenges to privacy. These challenges arose because of the use of technology and personal data in containing the COVID-19 virus. In the next post, I am going to give a more global perspective about privacy and how the hospitality industry is affected.