Wojciech Wiewiórowski felt like his entire life had been leading up to the moment when Covid-19 hit Europe like a tidal wave back in March. His youth in Soviet Poland. His doctorate in constitutional law. His four-year stint as Poland’s data protection authority. “It was all there to prepare me for the challenge that we have now,” he says.
Yet despite his years of experience, the 50-year-old confesses that the coronavirus still presented a steep learning curve. When the pandemic was officially declared, Wiewiórowski – who had at that point only been Europe’s Data Protection Supervisor (EDPS) for three months – found himself plunged head-first into the strange science of epidemiology. As governments across the EU began experimenting with different digital solutions to try and stop the spread of the coronavirus, it was his job to figure out: what does this mean for privacy?
To answer that question, Wiewiórowski believed he needed to think like an epidemiologist. Only then could he assess if the new Covid-19 technologies spreading across the bloc were legal, proportionate and even effective. His role – which would ordinarily entail overseeing how European institutions processed personal data – now involved trying to wrap his head around the theory of how coronaviruses spread and what exactly immunity from Covid-19 would entail.
There was a lot to learn. Even the language used by the scientists clashed with his own vocabulary. “We first had to learn to understand each other,” he said, speaking through square-framed glasses over Skype. “I found out, for example, that the epidemiologists who are talking with me [refer to] surveillance as something good. For me, the Data Protection Authority, surveillance is something that I’m scared of.”
The scramble for personal data
Over the past six months, Wiewiórowski’s office has been assertive, issuing a series of statements that offer advice on how to process personal data during the current crisis. Days after temperature checks were introduced for people entering the European Commission’s building in Brussels, the EDPS warned this could interfere with individuals’ rights if the temperature data was stored alongside a person’s name.
But unlike the EDPS, many national DPAs are not adequately funded and have become entangled in their own countries’ politics, distracting them from enforcing Europe’s much-lauded privacy regulation, the GDPR.
“I have to say most of the data protection authorities were not ready to be this specialist in the field,” Wiewiórowski told me.
The challenges facing these national regulators are huge. The coronavirus has inspired a scramble for personal data from governments, companies, researchers and even schools. The Correspondent’s Track(ed) Together database reveals 55 coronavirus smartphone apps are either in development or have already been introduced by governments and companies in 27 countries in Europe alone. At the same time, data protection regulators are tasked with overseeing a barrage of new emergency laws and decrees – which do not have to be approved in parliament. According to the International Center for Not-For-Profit Law, at least 90 countries worldwide have passed emergency declarations and 47 have introduced legal measures that affect privacy.
“We need to help organisations understand that sometimes their spontaneous pandemic tools violate the rights of individuals and are pointless, eg one resort municipality decided to register all incoming tourists, but did not have a legal basis for such registration and clear purpose for such a registration,” a spokesperson for the Lithuanian DPA told me over email. “The main task for us, as the supervisory authority, is to help to maintain respect for human rights to the protection of personal data even during this period.”
The pandemic has shoved data regulators into the spotlight – and found them wanting
The introduction of so many new surveillance tools means these usually obscure regulators have been thrust into an unfamiliar limelight, and in many countries that new scrutiny has found them wanting. In the UK – which is still adhering to the EU’s GDPR until December 2020, when the Brexit “transition period” ends – opposition members of parliament wrote an open letter to the watchdog in August, criticising the DPA’s effectiveness. “The government not only appears unwilling to understand its legal duties, it also seems to lack any sense that it needs your advice, except as a shield against criticism,” the letter reads.
Francesca Fanucci, a lawyer working with the European Center For Not-For-Profit Law, says data protection authorities can be strong assets. But during this crisis, she has watched national DPAs introduce privacy guidelines that vary state-to-state or are essentially overruled by their government’s emergency legislation. “I haven’t seen a particular rise to arms from data protection authorities against these Covid emergency measures,” she says. “And overall, data protection authorities have been lax, or at least they do not really go against their own governments.”
She believes these problems arise when DPAs are not well-funded, don’t have effective sanctioning powers or aren’t truly independent, adding these are long-standing issues the pandemic exposed but did not create. The state of DPA finances – most are funded entirely via central government budgets – was raised in a little-noticed 2019 report by the European Data Protection Board, which found that almost none of the 17 DPAs surveyed received the budget increases they asked for. Czechia even saw a 5% decrease in the number of staff the watchdog could afford. This problem is ongoing despite these regulators’ growing workload. In September, the Dutch government became the latest to announce it would slash its DPA’s budget by around €1m.
While the EU strives for consistency, financing is just one area where data protection varies across member states. The famous GDPR is in fact layered on to a mesh of country-specific legislation that meant in some countries, health agencies were not allowed to use data from non-medical sources, such as telecom operators or contact-tracing apps on personal devices until a new law had been passed.
This fragmentation is causing headaches for businesses that intended to keep their offices virus-free by watching workers closely for signs of the virus. A Scottish-built app called Tracepass is just one platform being marketed that enables employers to “assess” their employees’ symptoms by asking them to answer a series of questions about any symptoms they are experiencing as part of the “daily screening” feature.
Alejandro del Río Betancort, Data Protection and Privacy senior manager at the law firm EY Luxembourg, says he hopes Europe’s Data Protection Board finds a way to create a more consistent system because his clients are finding the variety confusing, especially if they have offices in different countries. “For example, in Spain [employers were] allowed to do questionnaires to the employees about their health condition. You could ask whether they have fever, if they feel sick or not,” he said, speaking over Zoom from Luxembourg City. “But other authorities [in Luxembourg or Belgium, for example] were much stricter, saying only doctors are allowed to have this kind of information.”
Governments, not data regulators, should be in charge of a country’s virus plan
Another point of difference exists in the weight data protection authorities carry when criticising the technology introduced by government, not business. “There is not the same culture of enforcement everywhere,” Estelle Massé, policy analyst at digital rights organisation Access Now, told me.
When Norway’s data protection watchdog ordered the country’s Institute of Public Health to stop collecting citizen data through the national contact-tracing app, Smittestopp, because of privacy concerns, the Folkehelseinstituttet not only complied but went a step further – deleting all the data it had already collected. Although representatives for the health institute grumbled online – without the app, “we are less equipped to prevent new outbreaks that may occur locally or nationally,” director Camilla Stoltenberg said in a statement – the incident demonstrated what it looks like when the system works as it should.
However, when Germany’s DPA issued a statement advising the government to create a law to ensure the country’s contact-tracing app would not be made mandatory by third parties such as employers, that advice was ignored. The Dutch government also ignored its DPA’s advice not to roll out the national CoronaMelder contact-tracing app until its use had been regulated and its servers secured. In response, the Dutch state attorney said he found the regulator’s arguments “not necessarily convincing”.
To the EDPS’ Wiewiórowski, it is not appropriate for DPAs’ advice to be binding during this crisis. “They neither have the knowledge, nor the expertise, nor the skills to deal with the pandemics,” he says, adding central governments should remain in charge of a country’s overarching virus plan.
The EU’s data protection standards are not being enforced
However, in a speech in June, Wiewiórowski did raise the issue of DPA independence. “I wish to take action, when, for example, the independence of other DPAs is compromised,” he said.
Estelle Massé, policy analyst at digital rights organisation Access Now, says it’s unclear how the EDPS could “take action” because like national DPAs, it only has a consultative role. However, she interpreted this comment as an acknowledgement that there is an issue with how DPAs operate once they become enmeshed in local politics. “We also see cracks in the supposed independence the DPA was meant to have from the state,” says Massé, pointing to how Hungary’s state of emergency law – which suspended data protection rights – was defended by the country’s supposedly independent DPA. “The reaction of the DPA was to try to ease the concern that was happening in Brussels [among European officials] by saying, don’t worry, it’s only temporary. You don’t expect that from independent regulators.”
According to Massé, this example combined with the way politicians in other countries ignore DPA advice symbolises European watchdogs’ limited effectiveness. Because their advice is non-binding and they have limited sanctioning powers, few regulators appear to have the confidence to issue Norway-style stark warnings against their own governments – perhaps fearing their authority will be further eroded if they are again ignored.
While the Dutch government justifies the roll-out of its contact-tracing app with the current “extraordinary circumstances”, the current crisis explains exactly why a well-functioning data protection regulator is so important – so Covid-19 tech is built according to the high standards Europe has already established and our rights online are not eroded in a moment of panic.
“We’re getting into a position where the EU’s good standards are not enforced,” says Massé. “We’re not experiencing the benefits [of achievements like the GDPR].”
Data privacy safeguards are being re-examined worldwide
Europe is not unique in this sudden self-reflection of its data protection regulators. All over the world, the recent rush for personal data has forced countries to re-examine their own data privacy safeguards. Yet only 66% of the world’s countries have data protection or privacy legislation in place, while countries such as Botswana, Chile, Tunisia, Jordan and Kenya have laws in place but no regulator to enforce them.
“If information [from the contact-tracing app] is used for anything other than contact tracing, in Botswana we would not have recourse because we have a Data Protection Act that was passed but is not in force,” Senwelo Modise, an attorney with data protection specialists Collins Chilisa Consultants, told me in July.
In other places, the crisis has sparked sudden action on data protection. Long-debated data protection legislation has been given new life in Brazil and South Africa, with the two countries passing new laws this summer. Verónica Arroyo, Access Now’s Latin America policy associate, links the motivation behind speeding up Brazil’s legislation directly to the coronavirus.
“The government passed a provisional measure that said, hey, we are not ready for this data protection law, we’re going to just postpone [until May 2021],” she says. “However, civil society pushed to have a data protection law in place because they believed the government and enterprises needed rules, principles in place because they are using a lot of data against the virus.” In response, the Senate rejected the measure delaying the law and Brazil’s data protection law is now effective.
However, Europe’s struggles act as a warning to other countries that even gold-standard legislation is no use without effective regulators that are able to enforce it. In South Africa, where the final sections of the country’s data protection act came into effect on 1 July, there is a sense the regulator has already been sidelined by the government.
Pansy Tlakula told me the government’s decision to appoint a retired judge to oversee national contact-tracing efforts was “confusing” when her data protection office was ready to perform those same duties. Speaking over the phone, she said: “At that time, we were mindful our [data protection] Act is not in operation but the least we expected the government to do was to consult us when they drafted the regulation that dealt with contact tracing. Whatever the judge is doing, it’s something we could have done.”
Tlakula also expressed concerns about the regulator’s potential to be effective on a limited budget of 45 million rand (€2.3m). That means the office can only afford 16 members of staff – a tiny number compared to countries like Germany where there are 250. Tlakula understands it is a difficult time for the organisation to request more money; South Africa’s GDP fell 20% at the height of the country’s lockdown.
“We are aware the country is facing a huge economic challenge,” says Tlakula. “But they should know we are a start up and we need a little bit more to enable us to start this organisation. If you are talking about building the economy – the digital economy – that depends on data, that makes our institution quite central.”
Until publics at large learn to value the independence of their local DPA as a kind of digital police force, there is little incentive for governments to direct more funding towards national regulators. Yet this crisis reiterates that we need them equipped to do their job.
There is no organisation better positioned to scrutinise techno-solutionism located at the heart of governments and to usher societies away from untested Covid-19 tech that could evolve to be harmful in the future. Before we can talk about European consistency, these watchdogs need to cement themselves as protectors of public data in public consciousness at home. But as they become new targets for public criticism, perhaps – like so many things – the virus is speeding up this process.