SLOVENIAN SUPERVISORY AUTHORITY: contact tracking app.

The Information Commissioner has been informed through the media about a proposal for a law which, in order to prevent the spread of the infectious disease COVID-19, would provide for the establishment and provision of a mobile application to inform persons about contact with the SARS-CoV-2 virus. The draft law provides that the installation and use of the mobile application is voluntary and free of charge, except in cases where the individual is confirmed positive for the virus. In these cases, the individual would be required to install the mobile application and enter a random code in it. As is apparent from the press release of the Government of the Republic of Slovenia, the application is designed to record anonymously the information about the relevant contacts between mobile users, which is why, according to the press release, it does not involve the processing of personal data, but only of anonymous data.

Up to the time this communication was issued, the Information Commissioner had not been informed of the draft law by its proposer, nor is the text of the proposal accessible to the public, despite the fact that this is a very delicate matter in the light of the protection of the fundamental right of individuals to the protection of personal data. Such a matter requires consistent compliance with the standards of decision-making in a democratic society, in particular the transparency of legislative proposals, which allows the interested public to comment on legislative proposals and opens a public discussion on the issue.

Based only on the information from the media, the Information Commissioner cannot provide a comprehensive opinion on the draft law or on the application itself, as the details of its operation, the technical details and the proposed legal basis are unknown. Therefore, at this point, we draw attention in particular to a few key points regarding contact tracking applications from our opinions (opinions available at this link), from the opinion of the European Data Protection Board, and from the views (available on this link) highlighted by the European Commission in the context of its application development tools (available on this link).

The Information Commissioner understands the expectations placed on the applications in terms of health protection, but it is necessary to properly understand how they function, as this is key to trusting them. Contact tracking applications involve the processing of citizens' personal data; the amount and nature of the personal data being processed depends on the technical implementation. Even if the application worked only with information about contacts, that is, proximity between people, and this information were not disclosed to users in a way that would let someone find out who exactly was in a risk contact, that does not mean that the data are anonymous. The name and surname of the person (the user) are merely replaced by another identifier (e.g. a number) that cannot be easily identified, but the contact details of each of us are nevertheless personal data and are protected by law and by the Constitution of the RS. Likewise, in particular in view of the fact that the use of the application would be mandatory for those who actually get sick, the personal data of those who are confirmed to be infected (and that is their sensitive personal data) would in fact be present in the background. At a certain point, contact details could be obtained at least by the authorities that the law would authorize to process this data. Any indication that the use of the application would involve only anonymous data or would not interfere with the personal data of individuals is misleading. As is clear from all the abovementioned sources, the data are personal and must be protected in accordance with the General Regulation, ZVOP-1 and the Constitution of the Republic of Slovenia.

Only the voluntary installation of the application can be accepted under the European legal order. New legal bases that would impose the use of the application (e.g. on those confirmed infected) must respect the fundamental standards of protection of the rights of individuals: they must be lawful and constitutional, time-limited, and necessary and proportionate in the light of the objective pursued, i.e. limiting the COVID-19 epidemic, and that objective must not be achievable by milder means. In particular, proportionality and urgency are extremely difficult to justify in the case of mandatory applications, as we have already pointed out in our opinion to the competent ministry (available on this link), since many individuals who are confirmed to be infected might not even be able to install the application because they do not have a newer smartphone. As experience shows, the applications are reliable only on such phones, which means that a large part of the population, including the most vulnerable groups, is excluded from this measure (older people, all those who do not have the latest mobile phones, children, the socially weaker). Given that the application can only be effective if it is installed by more than half of the population, the fact that a large part of the population does not have adequate phones for it puts the assessment of necessity and proportionality under a big question mark.

Tracking applications raise extremely serious issues of privacy and of the protection of personal data, and these must be appropriately addressed in a transparent democratic decision-making process before the application is introduced. In addition to considering the extent to which the application can be effective in limiting the spread of the virus and whether such processing of individuals' data is proportionate, the opinions of the supervisory authorities and the European Commission set out the following starting points, which we believe will be taken into account by the lawmakers and the developers of the application:

  • Applications cannot replace, but can only support, manual tracking of contacts carried out by qualified public health staff, who can determine whether close contacts are likely to result in transmission of the virus or not (e.g. interaction with a person who is protected by appropriate equipment, such as cashiers, or not protected). In particular, the task of providing advice on the next steps should not be based solely on automated processing.
  • Tracking individuals' locations is not proportionate; priority is given to contact tracking;
  • As contact tracking applications can operate without direct identification of individuals, appropriate measures should be taken to prevent re-identification;
  • The information collected should be stored on the terminal equipment of the user and only relevant information should be collected where this is absolutely necessary.
  • The legal basis or legislative measure, which represents the legal basis for the use of contact tracking applications, must include meaningful safeguards, including reference to the voluntary nature of the application. A clear definition of the purpose and explicit restrictions on the continued use of personal data should be included and clearly identify the operators involved. The types of data and entities to which the personal data may be disclosed (and for which purposes) should also be defined. Depending on the level of intervention, additional safeguards should be included, taking into account the nature, scope and purpose of the processing.
  • Prior to the introduction of such a tool, a data protection impact assessment should be carried out, as the processing is considered likely to result in a high risk (health data, projected extensive adoption, systematic monitoring, use of a new technological solution). The European Data Protection Board strongly recommends that data protection impact assessments be published.

SOURCE: DATA PROTECTION AUTHORITY OF SLOVENIA

 
