The Information Commissioner provided an opinion to the National Assembly on a proposal for a law on intervention measures to prepare for the second wave of COVID-19, which introduces an application for tracking contacts as obligatory for the infected and quarantined ones and a new legal basis for processing the identification data and the locations of persons against whom a measure of restriction of movement under the Law on infectious diseases is applied.

In the opinion of the members, we draw attention to the contested provision of the article 24, that has to be read in the sense that an indefinite set of authorities may, for the purpose of controlling the quarantine, from an unspecified set of data sources, for example the various providers in the field of electronic communications, obtain an indefinite set of identification data and location data of that person, i.e. about the location of its telephone or other device.

Thus, the standards for obtaining information on the location of the individual, even under the standard, which are applicable to the acquisition of similar data in criminal proceedings, are therefore inadmissible (usually the Court’s order is required). The article 24 also shows the possibility for different providers of e-communications (operators, application providers, other electronic services, views or other smart devices) to record identification data and data on the location of individuals, even if they have not consented to it.

The concern of the Information Commissioner is further that the provision also allows you to record location data in the intended application to record contacts that you should not even record the location. Such an action during summer holidays and frequent border crossings in neighbouring countries with a less favourable epidemiological picture may concern a potentially large number of individuals, citizens of Slovenia, whose location data could be monitored.

A similar measure to the latter location would be proposed in the first intervention act at the time of the COVID-19 crisis (contested Article 104), which was not adopted because of the great opposition. The National Assembly of the Information Commissioner therefore proposes not to support such provisions this time.

In the opinion, we note in detail the aspects of the protection of personal data which must be taken into account in the intended application for the tracking of contacts and suggest that they do not support provisions imposing the obligation to use such an application and a fine to disregard that obligation.

As they show experience from other EU Member States, app implementation models, which largely take into account the fundamentals of personal data protection, there are other good practices in this area, such as Public announcement of the detailed documentation of the impact assessments on privacy and the protection of personal data (DPIA) of concrete applications before their application, public publication of the dossier on technical implementation, etc.

It is essential to provide transparency and trust to the public that the application will benefit from the lack of a disproportionate amount of personal data and does not allow the sharing of such data beyond the purpose of use and which individuals are willing to impose voluntarily, rather than forcing individuals into compulsory accommodation with very doubtful effect. However, there is a warning that none of the applications introduced in our behaviour have proved to be very effective, either because of a small number of users or unreliable technical activities, in some countries (e.g. Norway) have even stopped working

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA SLOVENIA