An extraordinary or extreme situation often requires special measures. When public security is at risk, the rights of individuals can be restricted. Is the COVID-19 pandemic considered such a threat that it is necessary to restrict the privacy of individuals and their right to personal data protection?
To overcome COVID-19, China used many technological solutions, including the tracking of infected persons. For example, for some time, people, before boarding a train or bus, had to provide their names, phone numbers and take a picture of themselves to be allowed to use public transport. When fellow passengers learned that a person infected with COVID-19 was on the same train, they were asked to self-isolate, and some were compulsorily taken to medical establishments. The Chinese authorities used drones to make sure people stayed home, and those who left their house were chased by a drone and ordered to return home.
The Lithuanian government has published depersonalised data that indicate the movement for persons infected with COVID-19. Hong Kong has created a special website to inform about infected persons, revealing their age and the building in which they live. Is it possible to implement a similar measure in Lithuania as in Hong Kong? Doesn't this contradict the GDPR (General Data Protection Regulation) and the right to privacy of individuals?
As we use electronic communications (the internet, telephones), we are likely to leave many traces. So, it is not difficult to identify who and when we called, what websites we visited, and where we were at some time.
The gathering and processing of such data is governed by the Republic of Lithuania Law on Electronic Communications (which implements E-Privacy Directive), in which personal location data is defined as data processed in electronic communications networks or electronic communications services. This data indicates the geographic location of equipment (mobile phone, smartwatch, computer, vacuum cleaner, etc.) of the actual user of electronic communications services.
According to the Law on Electronic Communications, service providers are prohibited from processing the location data of individuals to provide additional services, except in cases when the person gives their consent, or the data is anonymized.
Yet, electronic communications providers are required that some data (IP address, telephone number, name, location, etc.) of last connection is retained for six months to enable public authorities to have access to this data if this is necessary for solving some serious or very serious crime.
Moreover, it must be ensured that this data is accessible to the police in cases when it is necessary to provide medical or other assistance when a person's life and/or health is in danger and when the location of the person cannot be determined by other means or the use of different measures is impossible or inappropriate because the assistance must be provided immediately and any delay could have irreversible consequences for the person's life and/or health.
When it is necessary to ensure health protection or public safety, public authorities can have access to data on movements of persons. Hence, the question arises whether staying in the same room with a person infected with COVID-19 poses a real threat to an individual's health or public safety.
Lithuania has included COVID-19 in the list of dangerous communicable diseases. So, it would be reasonable to expect that during public quarantine authorities may take extreme measures. For example, Israel has started tracking the location of persons' mobile phones and this data will be used to trace people infected with COVID-19 and the movement of those who contacted them.
This does not mean that such data can be freely published or shared. Besides, the police must inform the person that their data have been collected by officials and if the purpose or which the data was collected does not longer exist it is necessary to stop collecting the data.
The collection and analysis of personal data without the person's consent can only be executed by public institutions when this is necessary for solving a serious or grave crime and protecting the health of individuals.
Public institutions and medical specialists can collect and process data on individuals and their health, but the disclosure of such data to the public must be limited. They may publish aggregated, anonymized, statistical information about persons who are ill, without violating their privacy.
According to the existing legal framework, the state may publish anonymized data about the locations visited by infected persons. However, as long as the number of identified people infected with COVID-19 is not so high, and each case is reported individually, it is unlikely that such data can be completely anonymous. On the other hand, public health and safety in extreme conditions are sometimes more important than a person's right to privacy.
We must be responsible. Those who are infected can announce about themselves and inform other people about the places they have visited. Bear in mind that staying home and self-isolation for those who returned from other countries (which was only a recommendation last week) is now mandatory, and failure to comply with it may even result in criminal liability.
Raminta Bučiūtė is an Associate at the law firm GLIMSTEDT, a media law expert specialising in data protection, intellectual property and technology, media and communications.