Liberty is an essential part of life. Globalization has provided us with the freedom to move from nation to nation with ease, travelling widely. COVID-19 has had an unquestionably dramatic effect on the liberty of the global population to do so. So far, approximately 2.5 billion people have now been put into a form of ‘lockdown’ during the pandemic. Justified by preventing the tragic daily death toll being even higher and preventing the impact on heroic medical staff and health systems being even more severe. The difficulty of trying to get out of the lockdown is now the next global problem posed by the virus.
While we are seeing each State formulate their own strategy, we are also seeing some, albeit piecemeal, responses at the supranational and international level. These generally centre around two overarching strategies, the first relating to tracking infections and contact tracing, through use of apps and other technological means, and the second, to vaccination. One certainty in these uncertain times is that we are all using a lot more technology and have greatly increased our reliance on the internet. With the addition of bleak forecasts about the economic effect of the lockdown, one can understand the narrative justifying the development and implementation of these strategies broadly and quickly. The ramifications for our liberties are not, however, just limited to trying to liberate us from the lockdown. These two strategies could foreseeably involve an extensive increase in both the power of the State and other institutions to monitor and regulate our movements, and an extensive increase in the amount of personal physical data obtained and retained by States and international tech and pharmaceutical companies and their funders.
The question is, whether the necessity to liberate the world from the lockdown is being accompanied by an acceptance that it is equally necessary to ensure protection of our liberties.
Surveillance or Safety?
The first strategy includes varying apps and anonymised aggregated location data to help identify those infected and warn others that they may have come into contact with the virus.
The EU Commission has recently published its Recommendation on the use of mobile data for contact tracing. The Commission has created a Toolbox to use digital means to address the crisis effectively. This Toolbox is to be part of the Roadmap announced by the EU Commission on 15 April 2020. Notably, the EU law instruments referred to in the Recommendation, such as Decision 1082/2013/EU, Directive 2011/24/EU and Regulation (EU) 2016/679, were enacted some years back when the circumstances were very different. By the Commission’s own account of the current situation, the circumstances are unprecedented. One therefore questions whether these instruments are an appropriate legal basis. But even if they are, there are still significant concerns about the implications for protection of rights and liberties.
The EU Commission’s proposition is to develop a pan-European approach for mobile apps with the Commission providing guidance, including on data protection and privacy implications. Member States are to report on their actions and make measures accessible to other Member States and the Commission for ‘peer review’. The Commission’s proposal is that it will then assess the progress made and publish periodic reports, starting in June 2020 and throughout the crisis, recommending “action and/or the phasing out of measures that are no longer necessary”. Although the Commission proposes the use of sunset clauses and states that once data processing becomes no longer “strictly necessary”, it will be terminated and personal data destroyed, what its assessment of “strictly necessary” means is not detailed. The Commission does say, however, that destruction of data will not occur if the “scientific value in serving the public interest outweighs the impact on the rights concerned”. This is purportedly subject to appropriate safeguards, but again the Commission does not state what these safeguards are.
The Recommendation states that it is essential for the Member States to report to the Commission and for the Commission to review the approach taken in the Recommendation, “for as long as the crisis persists” but again this is not defined. It may be very hard to define this now, but there is the concern that this could be extended, especially in the interests of effective coordination, for a considerable period of time, if not indefinitely, if the crisis is eventually defined as preventing the recurrence of COVID-19 infections. The Recommendation also states that data will be deleted “in principle after a period of 90 days, or in any event no later than when the pandemic is declared under control”, but again no definition of “under control”, which is assumed to be the more likely application of that timescale, is provided.
The EU has supposedly called for a coordinated pan-European approach in order to protect the fundamental rights contained in the EU Charter of Fundamental Rights, which the Recommendation contemplates as including the right to respect for private and family life. Despite the many assurances given that the Recommendation respects fundamental rights, promotion of these common and coordinated solutions at speed has its concerns. If data is to be stored for as long as the crisis is ongoing, how and who defines when the crisis ends? Is it when lockdown restrictions are eased or when the economic situation has improved, or when the entirety of the population is vaccinated?
The EU is not the only body to adopt this strategy, it is happening worldwide, and indeed the Recommendation states that the Toolbox should be shared with international partners, to help address the worldwide spread of the virus. Technology is said to be at the heart of plans to escape the lockdown and the negative costs of the crisis as much in the UK as in China. The NHS phone app, developed with Google and Apple in relation to their ‘Big Tech’ plan, is said to be instrumental in helping lift the lockdown restrictions in the UK by providing an electronic facility to utilise mobile phones to trace users who have come into contact with infected people, prompting them to get tested themselves. Apple and Google are said to be working together to produce a unification of their ability to provide digital contact tracing.
South Korea has a customised app which alerts officials if people stray outside the lockdown rules. Taiwan uses data from mobile phone masts to track the phones of people who have been quarantined, with the ability to alert both the person concerned and the relevant authorities if it is not followed. Leaving quarantine without your phone can incur a fine, and the possibility of a prison sentence may also become reality in South Korea. In Israel, the internal security service and the police can track and access the mobile phones of those who have been infected.
In Germany, aggregated data is used, which does not identify individuals. In the UK, the Government is believed to be discussing obtaining similar data from phone providers, although powers to obtain data under the Investigatory Powers Act 2016 mean that it does not necessarily have to ask.
These actions by States of course do not include the wealth of data already available to mobile phone companies, internet search engines and operators of map apps. There are also coding competitions to build digital solutions to combat the pandemic’s effects. #BuildforCOVID19 Global Online Hackathon, sponsored by Facebook, Microsoft and numerous other tech companies, include contact-tracing apps and online symptom-screening platforms.
There have been some reassurances that these State and company developed apps will not become compulsory, that the data they collect will not be shared and that data transmitted between users will be anonymised. All are said to be helping to lift the lockdown restrictions, imposed through the assumption of emergency powers by governments. This does, however, create the environment for longer term issues for human rights and civil liberties because these powers, and the new technologies developed alongside them in order to respond to the COVID-19 crisis, are rarely reversed completely when the crisis is over. Surveillance is made easier and more efficient through digitalization, and the nature of this being a health crisis means that the intrusion into our liberties could extend to our physical integrity, with warnings of the emergence of State biopower or “under the skin” surveillance. The EU Commission’s Recommendation, for example, states that contact tracing can help inform de-escalation strategies, therefore liberating us from the lockdown. The actual and potential deprivation of our civil liberties through the powers used to achieve this should not be miscalculated or dismissed as not being equally as high on the priority list. Transparency, opt-ins, consent and safeguards, not just judicial but also democratic, at least as much as the Parliamentary review under the UK Coronavirus Act 2020, are of crucial importance.
Vaccinate or Dominate?
It is said that the usefulness of contact tracing on its own has its limitations because voluntary contact tracing requires a sufficient number of people to download an app for it to be effective. Contact tracing could therefore either become compulsory, which then makes one wonder if de-anonymisation would be required to identify those who have not downloaded the app, or what is said to be necessary to return to anything resembling normal life, is for contract tracing to be combined with medical intervention, such as testing and / or vaccination, again voluntarily or possibly also compulsorily.
The race to be the first to develop and successfully test and trial a vaccine is well and truly on. The World Health Organisation is one of many organisations considering the use of technology, such as its WHO MyHealth app, to track peoples disease status, including immunity through vaccination. There have been calls for a global government to assist, among other things, with the development, production and purchasing of a global vaccine.
However, one cannot help but get concerned at the complete picture which is emerging. National emergency legislation, coordinated, in the interests of efficiency and effectiveness of course, at the supranational and international level, combined with multi-national tech firms which dominate global provision, combined with global governance through international organisations which do not have direct forms of democratic accountability, or indeed judicial oversight. Transparency is also problematic when decisions are being taken quickly, spurned on by economic expediency.
Whether it be modelling how the disease spreads, or might spread when lockdown restrictions are lifted, to tracking people’s movements and even to compulsory vaccination. The situation we face is extraordinary and unprecedented and such powers granted to governments or supranational institutions like the European Commission prior to the outbreak of COVID-19 would have been astonishing and deeply concerning. The outbreak of the virus should not change that perspective. The world may never be the same after the virus, but this should not include normalising such extensive intrusion. The desire of us all to be liberated from the lockdown should not come with acquiescence to the potential for significant long term and potentially permanent deprivation of liberty. Awareness and caution is urged.
The Regulating for Globalization Blog is closely following the impact of COVID-19 on the labour, trade and European law communities, both practically and substantively. We wish our global readers continued health and success during this difficult time. All relevant coverage can be found here.