SLOVENIAN SUPERVISORY AUTHORITY: the Information Commissioner (IP) confirms the inadequate legal basis for the operation of the COVID app: the impact assessment cannot correct the deficiencies of the current legislation, which the IP actively underlined before the law was adopted.


The Ministry of Public Administration has prepared a personal data protection impact assessment for the application that notifies people of contact with those who came into contact with the COVID-19 virus (the COVID app), which cannot be based on the ZIUPDV as adopted.

In its opinion on the impact assessment presented, the Information Commissioner (IP) confirms that serious deficiencies of the personal data legislation and risks arising from the legal processing of personal data cannot be corrected by an impact assessment. The ministry is not a legislator who can use this document to repeal or suspend the application of a legal regulation adopted by the National Assembly.

Since the beginning of the debate on the app, the IP has advised the legislator and the proposer of some problems with the functioning of the app. The advice was not heeded, and this will probably result in serious problems in the next phases of the app's implementation for the client, as well as for MPA, NIJZ and the supervisory authorities (in particular the IP and the inspectorates).

Impact assessments are intended for identifying and managing risks in personal data protection, so in these cases it is better to carry them out before the legislation is adopted, and they are materials which correct the deficiencies of legislation, justify the need for, or demonstrate the benefit of, different projects or personal data processing.

By their nature, impact assessments focus on risks, that is, the “negative” aspects of personal data processing that we want to reduce or manage.

The IP's task is to draw attention to weaknesses, unidentified risks or inadequate risk management measures, and not to aspects which are properly managed.

As we underlined before the adoption of ZIUPDV, the ambiguity about the existence of a clear legal basis, in compliance with the constitution, for the personal data processing involved in the functioning of the app is a key problem for the application and for the lawful handling of users' data by NIJZ. Namely, where ZIUPDV deals with the app, NIJZ is not listed as a data controller.

This higher risk cannot be addressed only by organisational measures and declarations on the application of the provisions of ZIUPDV to a specific app, because it requires adequate regulation in legislation.

The declaration on the “non-application of ZIUPDV” is also legally unclear. ZIUPDV is a valid regulation which determines additional purposes and, in some cases, the compulsory use of the app.

For this reason it is not clear on which legal basis the ministry can ignore it or not apply it.

The question is how an infected person will be obliged to react in practice if a government representative publicly declares that use is voluntary while, at the same time, a law has been approved which establishes that, as an infected person, you shall install the app and enter the code.

Inadequate legal basis, which, inter alia, imposes fines of 100 to 600 Euros for violations in case of compulsory use of the application, poses serious problems for its legal functioning and at the same time puts the supervisory authorities such as the inspectorate responsible for the supervision of ZIUPDV and IP in an unenviable situation. comply with the applicable regulations.

Even if it is an entirely voluntary application, the processing of personal data by several public authorities by means of a ‘state’ application requires a legal basis. The user’s consent to install the application on his or her phone cannot be equated with the individual’s consent to the processing of his or her personal data for the purpose of informing about contacts with infected persons by WAP and NIJZ.

This view is shared by all European Data Protection Supervisors and the European Data Protection Board (EDPB), so the Common Guidelines make it clear that the mere fact that the use of contact tracing applications is voluntary does not mean that the processing of personal data will necessarily be based on consent.

Where public authorities provide a service by way of delegation, granted to them and in accordance with legal requirements, the most relevant legal basis for processing is that the processing is necessary for the performance of a task carried out in the public interest, viz. Article 6(1)(e) of the General Regulation. The legal basis or legislative measure constituting the legal basis for the use of contact tracing applications should include reasonable safeguards, including a reference to the voluntary nature of the application.

A clear definition of the purpose and explicit restrictions on the continued use of personal data should be included and the data processors involved should be clearly identified.

Unfortunately, IP efforts and positions to regulate the use of the application in a precise and fair manner in the law have not been taken into account. Therefore, regardless of the efforts made by the authors of the impact assessment, it cannot remedy the serious shortcomings of the current law.

Last but not least, every application has to be embedded in the legal order and in a specific social environment – even if it is an application modelled on Germany, the fundamental difference is whether the state has a legal basis for the start-up (possibly a completely privacy-friendly application) or not.

SOURCE: SLOVENIAN DATA PROTECTION AUTHORITY
