How digital data can be a determining asset to fight against a pandemic? The current health crisis urges public authorities to figure out the tools they need to fight back. The globalization of the world’s economy may be responsible of the quick spread of the new Covid-19, but it could also be a part of the solution. Today’s interconnectivity can represent an opportunity to limit the spread of the virus. In a context of significant digital exchanges due to globalization, operating and using digital information as a resource could be valuable to analyze the populations’ moves. By using algorithms and artificial intelligence (AI), it is possible to predict future Covid-19 outbreaks and monitor the evolution of the pandemic. 

However, collecting digital data to follow the propagation of Covid-19 displays several crucial issues and challenges. First, in order to get substantial results, the collected data must be very specific and amassed in a broad number. Fighting the disease by processing digital data would present satisfying results only if enough quality data is gathered. Second, a massive stockpile of sensitive digital records comes with serious questions about a legal framework and security issues. This data could easily be abused and diverted from its initial purpose. Worries about privacy must be appeased. Many countries are already trying to cope with digital tools to monitor the evolution and spread of the Covid-19, but this usage seems like a thorn on the side of the European Union, whose General Data Protection Regulation (GDPR) adopted in 2018 represented so far the best known protective legal text regarding online privacy. 

This paper aims to give a clear picture of monitoring data in the fight against Covid-19, on how such a practice works and its legal consequences. Several countries are already experiencing examining data to fight Covid-19, and the results for now seem disappointing. While using data to predict future virus outbreaks offers a great deal of hope, it seems that processing a sufficient amount of data and respecting online privacy currently remains an extremely delicate balance. This paper is divided in the different ways of using data in the fight against the pandemic, in order to explain what could be expected from the EU, regarding the pioneering legal framework of the GDPR. 

Why using digital data to fight Covid-19? 

Facing the coronavirus outbreak in the last months, numerous parts of the world’s population experienced massive lockdowns in order to stop the spread of the virus. Travel restrictions and self-quarantine measures are the best way to avoid human contact and infections yet. However, the consequences on the world’s economy are disastrous, as most business activities considerably slowed down, tourism faces huge losses and the severest recession seems to have yet to come. The urge would be to restart the economy as soon as possible, while minimizing the risks of spreading the virus, as no satisfying medical treatment has been found yet. 

Digital instruments have already been developed in order to supplement resuming business activities. The first ones to settle these methods are Asian countries, which were the first to get back on their feet after long months of restrictive measures.(15) These countries seem to be way ahead in the use of digital tools to reopen their businesses, but it is important to remind that they are already very familiar with collecting data for surveillance’s purposes, and they tend to benefit from their preexisting infrastructure. Those countries demonstrate the most obvious use of data monitoring in the fight against a pandemic: digital surveillance.

In China, getting back to normal life came with the implementation of a new mandatory identification code system. Alibaba and Tencent have deployed a scheme which provides an individual QR Code identification, redirecting to medical information. For example, in the cities of Shanghai and Nanjing, presenting this QR Code is mandatory to eat in public places, or to take public transportation. Plus, this system is completed with the social credit notation put in place in the previous year. This approach is designed to enhance better governance by granting a score to each citizen and associating loss of points to a specific banned behavior. In practice, people who got lower than a certain score were banned from using some type of public services (1). During the pandemic, this system has been and is still instrumentalized to blacklist people who do not respect the medical rules imposed by local authorities such as restrictions of travel, self-quarantines, or people refusing to share medical information. China is a typical example of what could go wrong in the use of digital instruments in an authoritarian surveillance goal. But in Taiwan and South Korea as well, national security systems are used to determine if people respect restriction measures and it comes with several punitive consequences as well. Those repressive methods are quite unpopular in liberal societies as they invade citizens’ private lives and are completely against the spirit of European digital regulation. Digital surveillance also creates unwelcomed social side effects. For example, in South Korea, sharing publicly medical information of infected individuals is obligatory. The result is that some people refuse to get tested because of their fear of being ostracized.(2) 

A more liberal mean to limit the spread of Covid-19 using digital tools is the contact tracing method. The idea is to point out interactions between people to bring to light possible ways of infections. The method relies on three stages: first, the identification of a contaminated individual, then listing all the contacts he/she had in the past days, and finally ensuring an effective follow-up of these people to figure out who is infected. Contact tracing does not require the use of digital data, but new technologies offer a great source of information to collect information and greatly facilitate the detection of transmission chains. 

In order to emphasize the voluntary basis of sharing data with public health services, the prospect of using an app is interesting to Western societies. The voluntary basis comes naturally with the choice to whether download the software or not. The most sophisticated existing example of a tracing app is the Australian “CovidSafe” mobile software(3). It was launched on April 26 and is designed to identify every physical contact of an individual. The aim is to analyze the risks of contamination. In a more practical way, for each mobile device, the app collects a phone number, a pseudonym, and an age group. This information is associated with a crypted identification number, which is automatically renewed every two hours. When the user spends more than 15 minutes at less than 1.5 meters from another one, it collects information about the encounter. This material is saved for two days, then it is automatically deleted. If one gets infected with Covid-19, he/she receives a call from national health services, asking the consent to share the associated data on the National Data Store. If the transfer is approved, every person that got in contact with this person will get a notification, inciting to be tested and to self-isolate. Several technical processes can operate, such as GPS tracking, localization via cellular towers, or Bluetooth. GPS and cell towers location data are not precise enough and tend to only work outdoors. Bluetooth looks to be the more suitable option because it is able to record real physical proximity between people. 

The amount of collected data through the app is huge and raises many concerns about the risks of abusive use of sensitive information, including misappropriation and cyberattacks. In order to protect the users, the Australian government chose to follow several rules. The app is collecting a minimum of personal info, which is always crypted and follows a strict procedure of automatic delete as soon as the information becomes useless. The data is stored on the mobile device of its user and transferred to the national storage only when necessary. Plus, the launch of the app was paired with a legislative draft bill, aiming to criminalize the misuse and misappropriation of sensitive records to another goal than initially settled. There is also a severe interdiction to incite using the app in any form. In brief, the Australian solution is very complete and appears to have covered it all. Today it is a source of inspiration for many developers:  it is close to the Singaporean “TraceTogether” app (4), and also is used as a template for Quebec Artificial Research Institute (MILA), currently working on a beta version. (5)

European Research Institutes also tend to follow the same scheme. The app solution is popular because of its accuracy to support the resume of business activities. Tracing electronic data is a great help to reopen economies and societies after several weeks of shutdown. Since the beginning of the lockdown in March, several European telecommunication companies already began to share with governments anonymized users’ data in order to better understand how the lockdown works and to anticipate future outbreaks. However, there are basic concerns about the legality and regulation of data sharing with public authorities. The European Commission has encouraged forms of privacy-protective contact tracing and has asked the relevant competent bodies to issue precise guidelines in order to frame digital contact tracing. Both the European Data Protection Supervisor and the European Data Protection Board have published several statements and guidelines setting the standards to be followed by these digital solutions.(6) Digitize the fight against Covid-19 is greatly supported, but it deeply relies on the respect of European legal texts about online privacy. 

GDPR vs. digital contact tracing in Europe: the complex operation

The European Union has shown a progressive approach dealing with privacy and digital regulation by adopting the GDPR in 2018 and the ePrivacy directive (7). These texts are known to be the most privacy-protective regarding collecting digital data. Since the beginning of the pandemic of Covid-19, those texts have strongly been questioned by specialists. Some consider they do not constitute a sufficient protection against intrusive misappropriation of collected data while some are sharply criticizing the boundaries the GDPR settles to fight Covid-19 (8). Anyhow, the GDPR may be imperfect in the protection of data rights, it remains the most protective text and is a part of the European Union legal frame. Therefore, digital civil rights and online liberties must be protected at any cost in the fight against Covid-19. Plus, the Parliament adopted on April 17 a resolution stressing that any digital measure against the pandemic must be in full compliance with data protection and privacy rules. The use of contact tracking must stay deliberate and systems should include suppression clauses once the crisis is over. 

In that aim, many technical rules must be followed in the development of those digital devices. The choices of tracing mechanisms, storage systems and basic characteristics have many consequences regarding users’ privacy and effectiveness of the process. In that sense, offering an effective way to track physical contacts while respecting the right to privacy implemented by the GDPR constitutes a tricky balance. 

EU Law is considered very protective of online civil liberties, even if there is still a long way to go in data protection. The GDPR spirit focuses on clear consent and on full transparency throughout the process. Recital 5 of GDPR imposes strict necessity to define a purpose when data is collected and to hold on to it throughout the process (9). There are some specific rules about data monitoring related to the workplace, as well as in matters of public health. However, specific derogation of EU and national Law can be made for certain kinds of information, in particular concerning health, according to Article 9-2 GDPR. In that sense, Recital 46 clearly stipulates the eventuality of epidemics(10). But crisis situations should not be an excuse to damage civil liberties and break all the progress achieved by the implementation of the current regulations. The basic right of online privacy is protected by Article 8 of the Charter of Fundamental Rights of the European Union.(11)

The European Commission has demonstrated its concerns regarding privacy and data protection relating to the Covid-19 crisis. In March, the Commission repeated essential guidelines while observing populations’ moves and the spread of the virus. In April, the Commission asked countries to develop a common approach of the use of personal data and adopted a toolbox targeting companies and research institutes.(12) That toolbox sets out the main essential requirements for compliance with EU privacy regulations and data protection. First, digital tools should be developed in close cooperation with public health authorities. Then, sharing data must remain at all stages voluntary and the collected information should be anonymized and deleted as soon as the crisis is over. Finally, the use of GPS location tracking is strictly forbidden. Bluetooth systems should be preferred, considered more privacy-protective. Most importantly, the objective of data monitoring to fight the virus must be clear and unique: take efficient and targeted isolation measures to help lifting general lockdowns, to restart the economy and relax controls of liberties. This general guidance was completed by a more technical statement from the European Data Protection Supervisor (EDPS). Its representative sets out that collected data in the health sector must be transparent, anonymized, and aggregated in order to respect privacy. Also, data storage must be well protected. 

However, even with the EU guidance, there is a strong lack of coordination in Europe during the crisis. Currently no common approach has been found by Member States in monitoring data against the spread of the virus. The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) was created at the end of March, including French, German, Swiss research institutes. However, this plan is strongly contested, and several participants have quitted. Today, the whole consortium has split. Several technical aspects divide contributors, such as protocols and storage systems. Collected data can either be centralized on national storage system or decentralized on users’ mobile devices. Centralized systems are more efficient for public health authorities but require many controls and imply risks towards eventual leaks of information. PEPP-PT is in favor of a centralized mechanism, which Swiss developers’ teams strongly denounce as an invasion of privacy.(13) The result is that, in Europe, each country ended up proceeding its own structure of digital contact tracing. 

European initiatives in data monitoring against Covid-19 

Most of European countries have chosen to develop apps to record personal data. People are able to decide whether they want to download it or not, which is a proof of the deliberate basis. The main issue was for developers to find the right balance between privacy and efficiency.In several countries, such as France and Belgium, telecommunication operators began to share anonymized mobile location data with public authorities to monitor the population moves and see how the virus could spread. But in Austria, mobile providers have shared anonymized data with the government to create statistics about whether people respected or not traveling restrictions. In Germany, Deutsche Telekom has also decided to share location data, not with public authorities but with the National Disease Robert Koch Institute. This center intended to collect users’ data by recognizing early symptoms and record all kinds of information about Covid-19. 

Some digital measures were locally taken and do not depend on national authorities. In Italy, the Lombardy region released “Cerca Covid” app to map the risks of contagions. Data was collected through a questionnaire on a voluntary basis. In Spain, the Community of Madrid launched “Asistencia Covid-19”, which collects citizens’ basic information allowing health authorities to contact them to figure how symptoms evolved.  Other measures were created by NGOs and civil society representatives. For instance, the Red Cross app “Stopp Corona” has been downloaded more than 400 000 times.(14)

These initiatives follow the EU institutions guidance and online privacy rules. They work closely with public health authorities and are based on the consent of users. However, digital tools must remain a deliberate initiative and cannot be imposed. In Poland, the situation is very alarming since the very controverted “Home Quarantine” app is requiring people to send localized selfies: so, authorities can check if they are respecting restrictive measures. The app is connected to a database of people who are forced to self-quarantine. The system uses facial recognition and location-checking. This kind of process questions GDPR and ePrivacy rules as it overcomes the use of data as a help in the fight against Covid-19 and becomes an oppressive mean of civil surveillance.  

Using digital tools for surveillance can have tremendous consequences for our society, particularly during crisis periods. They must be avoided at all costs with strict regulations. The delicate aspect of monitoring data, even when the goal is strictly restricted to health security, is that the process of switching mode is very easy. In other words, collecting data to monitor the spread of the virus represents an unthinkable opportunity to hijack the results towards a less honorable goal. As an example, France is using AI tools to check masks wearing in public places. Security camera systems in Paris subway are completed with a software able to check if passengers are wearing a mask or not. The company in charge, DatakaLab, is a French start-up whose aim is to help authorities anticipate new outbreaks and better understand how the population behave.(16) The only goal is to get statistical results, and many guarantees are put in place in order to limit the transfer of the collected data. But it is crucial to emphasize on the risks of such a practice, as wearing a mask in public transportation is mandatory and involves a fine of €135 if not respected. The practice itself respects current regulation in data monitoring, but it remains extremely hazardous. Once the data is collected, the line between statistical and oppressive purposes is very thin. 

Conclusion: what could be expected from the EU?

The most obvious acknowledgment of this pandemic so far is that the use of digital tools is inevitable. Monitoring data in the EU is a challenge most of all because it has to comply with the GDPR and ePrivacy directive. Still, adopting the GDPR in 2018 is a major advantage for the EU. It offers a preexisting legal framework to compensate for the lack of preparation in crisis management. The Commission begs for a coordination without having the mandate to organize it. 

A common approach would secure a generally approved method to record data. The lack of harmonization may increase the risk of abusive uses. Monitoring data could have disastrous consequences over democratic and liberal values. In the context of crisis, political tensions are high, and citizens tend to easily mistrust their governments. This absence of faith can have serious long-term consequences on the strength of democratic regimes. In that sense, respecting the European legal framework on data and privacy is an assurance of confidence. Civil liberties must be respected at any time, and the EU credibility relies on it. The GDPR is an ambitious text which was constantly questioned since its adoption in 2018. 

The incapacity of the EU to find a common response to the pandemic leads to a missed opportunity to create an independent digital structure, in order to no longer depend on American tech companies.(17) After the failure of the PEPP-PT, German government decided to turn to Google and Apple common approach of tracing using their devices. Moreover, in order to be effective, the system would need a considerable amount of data to examine. The significant means invested to develop those digital tools, in respect of the strict GDPR and ePrivacy directive, make the whole operation nonprofitable if the results are not satisfying. 

Beside these global issues, data monitoring has several technical limits. The tools themselves meet mechanical limits and their effectiveness relies completely on the quality of the collected data. The most accurate example we see so far is the Australian CovidSafe app, which actually faces several important limits. First, the records are useless in front of the numerous asymptomatic cases. The key transmission sources seem to be carriers of Covid-19 that do not experience symptoms, and they are invisible to any digital tool. Second and most importantly, the whole effectiveness of monitoring data in European countries relies on adherence of users. Thanks to the GDPR, data sharing can only exist on a voluntary basis, so the success depends on the will of people to take part. The system can only get satisfying results if the data is precise enough and collected in massive quantities. Regarding the Australian CovidSafe app, it has been calculated that to be effective, 40% of the Australian population should use the app. 518)However, today, the results are way below that number. The whole process has therefore been not quite effective, and the results are disappointing. 

Today, it is unclear how data will precisely play a role in the fight against the Covid-19 crisis, but the World Health Organization encouraged digital tracing methods to fight the virus since the beginning of the pandemic.

Mathilde Marcel

¹ Pierre Sel, « L’utilisation par la Chine du système de crédit social pour gérer l’épidémie de Covid-19 », Fondation pour la Recherche Stratégique, Note n°30/20, 28/04/2020. 

² Benjamin Puybareau et Elise Rousseau, «Urgences sanitaires et nouvelles technologies : comment penser le déconfinement ? », La Libre, 10/04/2020 [URL : https://www.lalibre.be/debats/opinions/surveillance-technologique-que-choisiront-les-etats-5e908e40d8ad581631df71a6].

³ Simon du Perron, “COVIDSafe : l’application australienne qui fait bon élève“, Cyberjustice Labatory, Montreal University, 15/05/2020. [URL: https://www.cyberjustice.ca/en/2020/05/15/covidsafe-lapplication-australienne-qui-fait-bon-eleve/].

⁴ Op. cit., Simon du Perron, 2^nd note. 

⁵ MILA official website, [URL: https://mila.quebec/en/covid-19/].

⁶ “European Data Protection Board – Twenty-third Plenary session: EDPB adopts further COVID-19 guidance”, 21/04/2020. [URL : https://edpb.europa.eu/news/news/2020/european-data-protection-board-twenty-third-plenary-session-edpb-adopts-further-covid_en].

⁷ “ePrivacy Directive: assessment of transposition, effectiveness and compatibility with proposed Data Protection Regulation” [URL: https://ec.europa.eu/digital-single-market/en/news/eprivacy-directive-assessment-transposition-effectiveness-and-compatibility-proposed-data].

⁸ Eline Chivot, “EU Quest for COVID-19 Apps, A Blow to GDPR and Digital Sovereignty”, European Views, 13/05/2020. [URL: https://www.european-views.com/2020/05/eu-quest-for-covid-19-apps-a-blow-to-gdpr-and-digital-sovereignty/].

⁹ [URL: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=FR].

¹0 Idem. “Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for […] monitoring epidemics […].”

¹1 [URL: https://www.europarl.europa.eu/charter/pdf/text_en.pdf].

¹2 “Mobile applications to support contact tracing in the EU’s fight against COVID-19” [URL: https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf].

¹3 “Covid-19: How to fight disease outbreaks with data”, International Institute for Sustainable Development, [URL: https://www.iisd.org/library/covid-19-how-fight-disease-outbreaks-data].

¹4 The information regarding the different initiatives in European countries come from: Jens-Henrik Jeppesen, Pasquale Esposito, “COVID-19: European Data Collection and Contact Tracing Measures”, Center for Democracy and Technology, 29/04/2020. [URL: https://cdt.org/insights/covid-19-european-data-collection-and-contact-tracing-measures/].

¹5 Idem.

¹6 James Vincent, “France is using AI to check whether people are wearing masks on public transport”, The Verge, 07/05/2020. [URL: https://www.theverge.com/2020/5/7/21250357/france-masks-public-transport-mandatory-ai-surveillance-camera-software] 

¹7 Op. cit., 8^th note.

¹8 Op. cit., 2^nd note.