The public is finally a known proposal for a law which again attempts to give control authorities the power to obtain data on the locations of the devices of individuals in quarantine and provides for fines in the event of failure to comply with the provisions on the mandatory application for tracking contacts.
The Information Commissioner has today taken note of the proposal for a law on intervention measures to prepare for the second Val COVID-19, which is publicly available on the website of the National Assembly. Many warnings regarding the proposed introduction of the contact tracking app have already been published in previous DNEH1, especially regarding the conflicting use of the application for those who are certified infected and those in quarantine. In view of the European legal order and given that in other EU countries such an application is only on a voluntary basis, we urge the legislator to weigh this issue carefully and follow the arrangements in other EU Member States. Today’s published draft law also reveals that, for offenders, a fine of Eur 200 to 600 is foreseen for infringers, which in particular concerns us in terms of disproportionate prejudice to the rights of individuals. Such applications only work reliably on newer smartphones and forcing them to load under the threat of the fine by all the laws which the law identifies, even if they do not reliably work on their device, is disproportionate and does not contribute to the objectives pursued by the legislator. The disproportionate and ineffectiveness of such an action is also apparent from the fact that many people do not even have a suitable device to respect such a measure. We also note that the provisions of the Application Act are in no way sufficient in terms of legal bases for the processing of personal data arising from the application by the competent authorities (e.g. NIJZ, Ministry of Health, Ministry of Public Administration, as well as that the draft law does not derive the division of obligations and responsibilities of the competent authorities in relation to ensuring the safe and proper functioning of the application. The law should clearly determine who the data controllers are, what data can be processed, for what purpose, what are the storage times, who may have access to them, and in particular that data outside the intent to prevent the spread of COVID-19 should not be processed (e.g. by law enforcement authorities, other entities).
The draft law also sets out a new provision regarding the processing of identification data and the location data of the individual (in the field of electronic communications) (article 24), which establishes the basis for the acquisition and use of such data on persons temporarily limited by personal freedom as a result of measures taken under the law regulating infectious diseases (e.g. persons quarantinted). The Information Commissioner is extremely concerned over this provision, as it is read in the sense that the competent authorities may, for the purpose of controlling quarantine or self-isolation from an operator of electronic communications or another information society service provider (e.g. applications or services that record the location of the individual), obtain information about the location of that person, i.e. the location of its telephone or other device Such an authorisation undoubtedly constitutes a major interference in a number of constitutionally guaranteed rights of the individual, with the merits, proportionality and necessity of such an interference in a concrete situation of limiting the spread of COVID-19 very questionable. In particular, such a power to the supervisory authorities is alarming in the light of the public’s submission that the surveillance of quarantine will also be involved.
Law enforcement authorities may obtain information on the location of an individual from an electronic communications operator only subject to strict conditions (if this is part of traffic data, they also need a court order). In this context, it is inadmissible that, in order to obtain the same information beyond the purposes of prosecution of criminal offences, i.e. for the purpose of controlling the individual’s quarantine, it creates a lower standard for the acquisition of data, without safeguards for the individual’s rights and without taking into account that, in certain cases, a court order is required to obtain information on the location of the Such a lower standard may also imply a pathway for the bypass of stricter provisions to obtain data on the location of the individual to be followed by law enforcement authorities.
In relation to the intervention of the constitutional rights of the individual and the processing of data on the location of their devices, we have given their negative opinion on the first intervention Act at the time of COVID-19 measures (104. Article) 2 The legislative service of the National Assembly, which we believe to consider, will also have a very careful consideration of the solutions provided for in this proposal and the warnings of possible discrepancies with the Constitution of the Republic of Slovenia. The Information Commissioner will also provide an official opinion on the draft law and transmit it to the applicant.