IP - 07120-1/2020/278

From GDPRhub
IP (Slovenia) - 07120-1/2020/278
LogoSI.png
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law:
Articles 37 and 38 of the Constitution of the Republic of Slovenia
Type: Advisory Opinion
Outcome: Violation Found
Started:
Decided: 10.04.2020
Published:
Fine: None
Parties: anonymous
National Case Number/Name: 07120-1/2020/278
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: Informacijski Pooblascenec (in SL)
Initial Contributor: n/a

The Slovenian Data Protection Authority (IP) issued an advisory opinion on the lawfulness of a telephone application which would track individuals for the containment of the COVID-19 spread. The IP stressed that any such solution should respect the Constitution, the GDPR, the the Electronic Communications Act (ZEKom-1) and the Data Protection Act (ZVOP-1) and its effectiveness should be assessed in advance.

English Summary

Facts

The IP received a request to issue an opinion regarding tracking individuals with a telephone application to ensure that infected individuals do not move outside their residences. The request concerned in particular the right to privacy and data protection. The proposal for the telephone application was made by a health care professional.

Holding

The IP opined that such an app should fulfill certain requirements. It found that the description of the technology does not explain:

- what kind of technology is going to be used (location tracking via base stations, GPS, WiFi, etc.),

- the data to be processed,

- whether the app would allow the individual to exchange messages or just to track their location,

- the purpose of the application (to check whether an individual is taking isolation measures or to communicate with healthcare professionals).

The IP stressed that a DPIA must be carried out first and that attention must be paid in particular to the transparency of the personal data that is to be processed, the purposes of the processing, the place and duration of storage, the identification of the controller, the legal basis, manner of deletion.

The measure should respect the Constitution of the Republic of Slovenia, the Electronic Communications Act (ZEKom-1), the GDPR and the Data Protection Act (ZVOP-1). The principles of Article 5 of the GDPR must be followed and attention must be paid to the principles of necessity and proportionality. Safeguards for the rights of individuals before drafting the legal basis must also be implemented.

The IP concluded that an assessment of the effectiveness of such a measure to achieve the objectives of epidemic containment is also necessary and that an epidemic should not be a reason to nullify constitutional principles.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.

Date: 04/10/2020
Title: Tracking Individuals Who Have COVID-19 Disease Through Applications on Mobile Phones
Number: 07120-1 / 2020/278
Subject matter: Definition of OP, Modern technologies, Specific types, Legal bases, Telecommunications and mail, Health personal information
Legal act: Opinion

The Information Commissioner (hereinafter: IP) received your letter asking us for an opinion regarding tracking individuals with a telephone application to ensure that infected individuals do not move outside their residences. Tracking with a phone app should be as follows:
the application would be downloaded by an individual on a mobile phone when a quarantine decision was issued or when isolation was imposed due to illness;
the application would contain a certain radius of motion of the individual still permissible;
the app would only capture location data without access to other content on your mobile phone;
the application would also provide the user with support in the form of easy contact with a physician;
after the expiration of the period (14 days) all data related to the application would be destroyed.

As the proposal suggests, the application would only be used for the duration of the infectiousness of the patients, for 14 days, with the possibility of extension at the suggestion of a physician if there were a more severe course of the disease.
In particular, you are interested in the appropriateness and admissibility of the proposal in terms of the right to privacy and the protection of personal data, and ask us for guidance on what content protection matters should be given particular attention when regulating the launch of the application. You are wondering whether the proposal for the application is questionable from the point of view of guaranteeing the individual's right to communication privacy and protection of personal data in connection with Article 37 of the Constitution of the Republic of Slovenia (Official Gazette RS No. 33/91-I, 42/97 - UZS68, 66 / 00 - UZ80, 24/03 - UZ3a, 47, 68, 69/04 - UZ14, 69/04 - UZ43, 69/04 - UZ50, 68/06 - UZ121,140,143, 47/13 - UZ148, 47/13 - UZ90,97,99 and 75/16 - UZ70a) since "in-app tracking" would be performed without a court order.

The legal basis would otherwise be regulated in the relevant health care regulations (eg the Infectious Diseases Act). According to the Legislative and Legal Service of the National Assembly of the Republic of Slovenia, the right to communication freedom should be interpreted broadly, so it not only refers to the content of the message, but also covers a set of related traffic and location data.

As you explain, the proposal for a telephone application was made by a health care professional, who considers these measures essential for the protection of the health of all residents of the Republic of Slovenia. Notwithstanding the foregoing, this is an encroachment on the inviolability of human privacy, so please also ask our opinion whether, subject to the necessity and proportionality of the measure, it is permissible to regulate it at legal level.
On the basis of the information you have provided, hereinafter referred to as Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and Directive 95/46 / EC (hereinafter: the General Decree), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07, officially consolidated text, hereinafter ZVOP-1), and 2 Article 43 of the Information Commissioner Act (Official Gazette RS, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your question.
IP initially explains that personal data protection authorities are closely monitoring the development of applications and services to curb the spread of coronavirus infections and control the epidemic. In the meantime, many countries and organizations are rushing to develop technological solutions that will allow a better understanding of the epidemic's course and more effective planning and implementation of containment measures. Some NGOs and other organizations have also produced limited analyzes on this, such as: Privacy International [1], Future of Privacy Forum [2], NYOB [3].
The technological solutions currently under discussion at EU and global level are very diverse, both in terms of their purpose and expected outcome, in terms of how information is obtained to control the epidemic, as well as in terms of interfering with fundamental rights of individuals, notably privacy and privacy. protection of personal data. The purpose of some is to analyze patterns of mobility in society, to help plan actions and monitor their effectiveness. The information used for these purposes is allegedly anonymized, of which IP has already issued an opinion no. 07120-1 / 2020/25, available at: www.ip-rs.si/vop/. Some are intended to provide individuals with better information and self-reporting of symptoms and communication with healthcare professionals. Discussion is also being made about the contact seeking applications of the infected individual, which can be implemented in different ways and with differently invasive interferences with the rights of individuals, and also taking into account different legal frameworks in different countries. Questions are also being raised regarding non-voluntary applications and are prescribed by the state, where issues of interference with the rights of individuals are most pressing. IP topics follow and actively contribute to discussions and papers on this topic at the level of the European Data Protection Board.
Your description of the technology solution does not exactly follow:
what kind of technological implementation of tracking an individual should be with the application you are planning (location tracking via base stations, GPS, WiFi, etc.),
the data set of the individual to be processed is also unclear.
It is not clear whether the app would allow the individual to exchange messages or just to track their location.
It is not clear what the purpose of the application is to be established (to check whether an individual is taking isolation measures or to communicate with healthcare professionals).
Therefore, we would like to emphasize, first of all, that (as we explain below), in the light of the experience of some other countries, it is imperative to first carry out an impact assessment with clear technical parameters of the application in relation to the objectives pursued and in the light of the principle of proportionality (only elements, which you cite are not sufficient) and then think about creating a legal framework. Some of the elements that need to be addressed are listed below. In particular, we draw attention to the need for due diligence in terms of transparency about what personal data the application will actually process, for what purposes (they need to be narrowly and clearly defined), where they will be stored, who will be the controller of that data, on what legal basis, how this data will be stored, how long, and how the data will be deleted.
IP should not be defined as a supervisory authority for the purposes of processing personal data outside the inspection process, nor may IP act as a validator of such applications. In the light of the above, we also cannot give a more specific opinion on the proposed solution. Different approaches mean significantly different types of privacy and individual rights interventions. In the following, we therefore explain the basis of the legal framework for the protection of personal data, which should be taken into account when developing technical solutions to help curb the COVID 19 epidemic based on telephone applications.
In any case, we suggest that when drafting a law to enforce any form of compulsory tracking of individuals through the proposed application, you will strictly respect the fundamental principles of the Constitution of the Republic of Slovenia and the European Convention on Human Rights, as summarized, inter alia, in a Council of Europe document (available online : https://rm.coe.int/sg-inf-2020-11-respecting-democracy-rule-of-law-and-human-rights-in-th/16809e1f40). The document details the basic standards for the protection of the rights of individuals, which should not be overlooked by States in formulating statutory and any other emergency response measures. The country must follow:
the principle of the legality of measures (including the constitutional provisions on the restriction of fundamental rights),
the principle of time-limited measures - this also means selecting measures whose implications for the fundamental rights of individuals are clear in advance,
the principle of proportionality and necessity with regard to the legitimate and legitimate aims pursued (intervention is permissible if it is truly impossible to achieve the legitimate aim by other less invasive means),
ensuring adequate scrutiny (especially of constitutional and judicial scrutiny) of measures.
1. The issue interferes with Article 37 of the Constitution of the Republic of Slovenia and the legal framework for the protection of personal data
With respect to your question whether the application proposal is questionable in terms of guaranteeing the individual's right to communication privacy and protection of personal data in connection with Article 37 of the Constitution of the Republic of Slovenia, we emphasize that the question whether the location of a mobile phone should always be understood as integral some of the content of the communication content goes beyond IP competencies and capabilities. Namely, it is an interpretation of the boundaries of Article 37 of the Constitution of the RS, which determines the right to secrecy of letters and other media. We also offer our understanding that the Constitutional Court's decision Up-106 / 05-27, which otherwise refers to the context of electronic communications operators, understands their processing of traffic data (hence location data) as an integral part of the content of communications. According to your description of the operation of the application, which is also intended to enable communication of an individual regarding the state of health, and not only to capture location data which would not be an integral part of the content of the communication, we certainly see similarities with the interpretation of the Constitutional Court and the interpretation given by the Constitutional Court. regarding the encroachment on Article 37 of the Constitution, also mentioned by the Legislative and Legal Service of the National Assembly, which you mention in your letter.
To the extent that the operation of the application as you propose would not interfere with Article 37 of the Constitution of the Republic of Slovenia, then we explain the legal framework for the protection of personal data, as defined by Article 38 of the Constitution of the Republic of Slovenia, which should be taken into account in the design of the technical solution, as well as in its application, and in the development of possible legal bases.
A special regulation in this area is the Electronic Communications Act (Official Gazette of the Republic of Slovenia, Nos. 109/12, 110/13, 40/14 - ZIN-B, 54/14 - dec. US, 81/15 and 40/17, in ZEKom-1) transposing Directive 2020/58 / EC into Slovenian law, which places restrictions on the processing of location data of a terminal equipment / smartphone user for electronic communications operators, as well as for other information society service providers. Article 157 of ZEKom-1 stipulates that technologies for obtaining data from users' terminal equipment (including applications that obtain location data from a user's smartphone) can only be used if the individual so agrees or in cases of urgent exceptions. Directive 2002/58 / EC, in Article 15, allows Member States to take legal measures restricting the scope of rights and obligations, inter alia, laid down in the article relating to the retrieval of data from an individual's terminal equipment, where such restriction constitutes a necessary, appropriate and appropriate action in a democratic society to protect national security, defense, public security and the prevention, investigation, detection and prosecution of criminal offenses or the unauthorized use of the electronic communications system referred to in Article 13 (1) of Directive 95/46 / EC.
The operation of such applications usually involves the processing of individuals' personal data (eg name, surname, telephone number, other terminal equipment identifiers, location, etc.) and sensitive health information, isolation / quarantine measures, etc., so compliance is essential the provisions of the General Regulation and ZVOP-1, which prescribe the conditions for the lawful processing of such personal data and the obligations of the controller of personal data and other entities. Below, we explain the fundamental principles set out in Article 5 of the General Regulation, which should be based on a technological solution.
2. Basic principles of personal data protection and applications for the latter for the purpose of curbing the COVID epidemic 19
Personal data must be processed in a lawful, fair and transparent manner. The principle of legality means that for the processing of data via an application there must be a clear legal basis, with particular reference to the bases laid down in Article 6 of the General Regulation (in the case of the processing of personal data by public authorities, point (f) of Article 6 (1) does not go into and the bases and restrictions laid down for the processing of sensitive personal data by the General Regulation in Article 9. We emphasize that in the case described above, it is most likely that the processing of specific types of (sensitive) personal data (this includes health data) , as the application would necessarily directly or indirectly contain / collect / process information about the individual's infection.
We would like to point out that the legal basis of classical consent, for the solution as you describe it, would not be appropriate, since the validity of consent in the conditions you envisage is highly questionable, since it gives the consent in the individual-state relationship it is difficult to reach the standards of free submission. Even consent defined by law, as defined in Article 9 of ZVOP-1 in the situation as you describe it, does not seem like a realistic possibility. The individual must be able to refuse such consent without legal consequences (the question then arises as to whether such an application is consequently necessary). It would be a different situation with applications that would not be mandatory for anyone and that individuals would really choose to participate in alone and at their own choice.
If you choose the statutory option of compulsory choice of an individual between different mandatory measures in relation to a quarantine decision, for example, then the law must also clearly state what the legal consequences are for the individual in the event of a particular choice in such a way that the individual properly informed of what is being decided.
The legal basis which another law would provide for the operation of the technological solution should be in accordance with the provisions of Articles 6 and 6 respectively. 9 of the General Regulation, and the law should specify very clearly and appropriately the purposes of the processing of personal data, the set of personal data being processed, the retention periods and, the controller of the personal data and other restrictions. In addition to narrowly defining the purpose, such privacy interventions should contain safeguards solely in relation to epidemic management - e.g. an injunction to provide information to law enforcement agencies or other users - to ensure that the personal data collected are truly processed by the healthcare profession.
Personal data must be collected for specified, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes. With regard to the principle of the limitation of the purpose of data processing, we also emphasize the question of whether the technical solution, as you describe it, is effective, proportionate and necessary in relation to the objectives you pursue - t. j. the restriction of the COVID 19 epidemic, and more narrowly, the control of persons ordered to exercise restraint. On the broader purpose, t. j. In particular, the COVID 19 IP epidemic is considered to play a crucial role by the profession, which alone can judge how much a technical solution can make a significant contribution to. is a real necessity to deal with the epidemic. This means that certain goals cannot be achieved in another way. As we explain in the last part of the opinion, the introductory recommendations on technical means have also been issued by the European Commission, and these recommendations do not show professional support for applications to monitor compliance with the quarantine.
With regard to the narrower purpose, that is, the control of individuals with a particular measure, we are concerned about the effectiveness of such a measure, especially considering that not everyone has a smart phone to download an application (eg vulnerable groups, children, the elderly) to an individual can leave a mobile phone in a location and go to another location without it, etc. Adding to this the questions of the precision of measuring the location of an individual (which may be questionable within a multifamily building), one wonders to what extent such a measure could at all effectively help control the individual by the measure and the broader objective of curbing the COVID epidemic 19. This, in turn, is called into question. establishes the conformity of such measures with the principle of proportionality, as enshrined in the Constitution of the Republic of Slovenia.
Given the invasiveness of such applications, which are not based on the voluntary use of individuals but are prescribed by law, we would like to draw attention to the need for careful consideration regarding the necessity and proportionality of such a measure and the inclusion of safeguards for the rights of individuals before drafting the legal basis.
The transparency of the processing of personal data refers to comprehensive and clear information that must be received by an individual in accordance with Articles 13 and 14 of the General Regulation, whether it is the basis of consent or is required by law to process certain data. In addition, an individual must be able to exercise his or her rights under Articles 15 to 22 of the General Regulation (pending information, correction and deletion, restriction of processing, objection, transferability).
Having said that, it is important to ensure that the personal data processed are accurate and, where necessary, up-to-date. Accuracy of location measurement is a big issue here, as different location measurement technologies provide differently accurate data - and this involves deciding whether an individual violates the imposed measure, which can have significant legal consequences for him. The choice of tracking technology (which does not follow from your description) is so crucial and should not be made without careful consideration of the capabilities of certain technological solutions.
Personal data must be kept in a form that permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. The retention period must be appropriate for the purposes of the processing of personal data and for the collection of personal data - since this is not precisely stated in your letter, it is difficult to determine the adequacy of the 14-day retention period. In this respect, however, the key is that awareness of invasiveness of the data thus obtained should be deleted (and not just blocked, for example) after a predetermined legal deadline. One of the serious dangers of such databases is, as mentioned above, the subsequent use of such data for other purposes not foreseen by the original law, e.g. in police proceedings, misdemeanor proceedings, etc.
The principle of adequate data protection means that personal data are processed in a way that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and against unintentional loss, destruction or damage by appropriate technical or organizational measures. We would like to point out that, in our experience, rushing to develop technical solutions often entails the emergence of security flaws that may cause the data to be exposed to unauthorized access. Given that in the context as you describe it, we are talking about the processing of sensitive personal data, the special provisions regarding the protection of such data, which are stipulated by Article 14 of the PDPA-1, should also be observed. In addition, the General Regulation, in Article 25, imposes the observance of the principle of built-in and default protection of personal data, which simply means that by default only the personal data necessary for each specific purpose of processing is processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their retention and their availability.
Part of designing such applications should also be the consideration of how and with whom individuals will be able to assert their rights, such as. the right to know your personal information.
The decision on the use and legal introduction of such services certainly requires the carrying out of an impact assessment on the protection of personal data, which addresses the risks to the protection of personal data in a timely and preliminary manner (Article 35 of the General Regulation) and the dilemmas mentioned above. Such an assessment, given the nature of the application described, should be made before the final decision to launch and formulate the legal basis for launching such application. The purpose of the ex-ante impact assessment is to identify and manage risks in a timely manner regarding the protection of personal data (eg with regard to an appropriate legal basis), as well as to carry out the aforementioned procedures for minimizing processing. All information on impact assessments is available on our website:
www.ip-rs.si/legislation/reforma-european-legislative-framework-for-security-private-data/client-area-ordained/account-information-in-connection-with-protection-data/
Depending on the urgency of the situation, the impact assessment can be brief and concise. The Impact Assessment must be carried out by the operator and the IP may deliver an opinion on the Impact Assessment (Article 36 of the General Regulation).
3. In conclusion
In view of the aforementioned foundations of the legal framework for the protection of personal data in Slovenia and the EU, and given the information on the development of various technical means to curb the COVID 19 epidemic, we conclude that you need to think carefully about your solution, both in terms of admissibility in the Slovenian legal order, as well as in terms of the effectiveness of such a measure to achieve the objectives of epidemic containment.
The IP is of the opinion that technology can certainly make a constructive contribution to curbing the COVID19 epidemic, but only taking into account the legal framework for privacy and personal data protection. We also support the understanding that it is essential to coordinate actions within the EU Member States when developing technologies and approaches, as diverse or uncoordinated initiatives by individual Member States cannot be effective. At the same time, the Republic of Slovenia must pursue the high level of respect for fundamental rights as required by the Slovenian Constitution and advocate such solutions at EU level. An epidemic should not be a reason to nullify constitutional principles. We point out at this point that the European Commission (hereinafter referred to as the EC) has just published recommendations on COVID 19 epidemic control technologies [4], identifying solutions that could be effective in this context (including in terms of the various applications that they can more or less effectively achieve the goals) and regarding the fuses that must be put in place to protect the rights of individuals. The EC plays a special role in agreeing on effective EC measures within the EU-based eHealth Network, of which Slovenia is also a member, where the Slovenian authorities can also play a constructive role in finding effective, proportionate and urgent technical solutions. In this context, we are also involved in the involvement of the European Personal Data Protection Authorities, which work within the European Data Protection Board. The committee is also expected to issue a unified opinion on the COVID-19 mobile restriction applications we can provide to you in the coming days. According to a communication from the European Commission, it intends to adopt guidelines on 15 April 2020 for compliance with the legal framework for the protection of personal data in the development of various applications. Accordingly, the IP strongly recommends and urges that Slovenia take measures based on applications and tracking of individuals for invasiveness and interfering with their rights, to follow the development of the theme at EU level and to coordinate with other members through dedicated forums and networks regarding technical solutions. which are effective and pursue the goal of minimizing interference with the rights of individuals to achieve the common goal of limiting the COVID 19 epidemic while respecting fundamental rights. The development of technological solutions can only contribute to these goals, given the high level of protection of fundamental rights of individuals.