The COVID-19 virus, which has spread throughout the four corners of the world, has led us to face challenges without precedents. However, I would say that professionals dedicated to the protection of personal data had encountered a whirlwind of new legal issues that perhaps no one has ever imagined.
Undoubtedly, the main worldwide challenge is to control the pandemic by drawing on technology, among other resources. Therefore, most countries have implemented the use of mobile applications (apps) to slow down the virus spread and keep citizens informed.
Following the trend and based on an initiative by the Community of Madrid, the Spanish government launched a project to develop an application inspired by the Korean one and aimed at alleviating calls to 112. In this way, symptomatic citizens have been able to download the application and complete a form with their personal data and symptoms experienced. Based on that information, the application makes a diagnosis and, if necessary, prompts the user to call for carrying out the relevant tests. Another example is ‘Radar Covid’, an application developed by the Secretary of State for Digitalization and Artificial Intelligence. This app shows the level of exposure to Coronavirus of a user according to the times that person crossed paths with other people whose diagnosis was confirmed within the last 14 days.
However, technological resources for the virus containment have also a negative side due to the proliferation of web pages and applications developed by private entities, unrelated to governmental authorities, that offer self-assessments and advice on COVID-19. The medical reliability and data processing guarantees of these apps and web pages are questionable and may pose a risk to the health and privacy of users.
In order to fight against this type of web pages and applications, the Spanish Data Protection Agency (AEPD) published an announcement during the pandemic to warn citizens about the risks involved in providing data through this type of platforms.
- The identity and details of the data controller.
- The contact details of the Data Protection Officer (if any appointed).
- The processing purposes.
- The legal basis.
- The data recipients.
- If international data transfer will take place or not.
- The data storage period.
- The means for exercising rights for data subjects.
- The means for exercising the right to file a complaint before the competent supervisory authority.
From the viewpoint of personal data protection and cybersecurity, another risk that has arisen in recent months is the number of phishing attacks by cybercriminals. Therefore, the AEPD resorted to the publication of another announcement to warn the population about this type of attacks in which cybercriminals try to supplant legitimate organizations (such as the Ministry of Health, the Council of Health, the Law Enforcement Agency, and International Organizations) by providing information on the coronavirus through instant messages and emails in order to access personal information.
This issue is not trivial and reminds us that we must continue working, now more than ever, in order to maintain and strengthen the mechanisms for the protection and management of personal data and cybersecurity.
Besides, over the last few months, our daily lives have also been affected by other issues such as ‘Public interest’ vs ‘Citizen privacy’, namely the fact that we have to be geolocated in our mobile phones in order to determine whether we have been near infected people; or that it is mandatory to have our temperature taken to be granted access to establishments, and whether then the owner of such establishment can exercise the right of admission to deny entry; and whether it should be mandatory to provide a phone number as otherwise we would be denied access to our favorite place. All these are issues that we had not considered until now, basically, because they were not a part of our daily lives, but now they are part of the ‘new normal’.
In addition, the way we work has also changed since teleworking is now a natural part of our lives. Regarding all these issues, we should always remember that companies must comply with the regulation that Spain has had since the entry into force, in 2018, of the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) and, particularly, its articles on ‘Guarantee of digital rights’.
Certainly, the pandemic has changed our lives or, at least, our near future. Therefore, not only professionals in privacy and personal data protection but also companies have to deal with a lot of new questions and unresolved matters.
Estrella Arana, Attorney |Data Protection | Legal Department