The primary deployment of digital technology that Ukraine used to combat the novel coronavirus was the introduction of the application Act at Home for tracking infected citizens and those who are suspected of having the virus. Ukraine also adopted additional legislation allowing the state to process the personal data of the above-mentioned categories of people without their agreement.
The measures themselves are arguably justified. However, the process of their implementation raises questions, in particular about how personal data is provided to law enforcement institutions and how many people will have access to the data.
Does international legislation allow surveillance?
A Ukrainian NGO called Digital Security Lab is helping journalists, activists, and human rights defenders to tackle the most pressing issues within the realm of digital security. The NGO analyzed how various countries responded digitally to the pandemic. Maksym Dvorovyi, a lawyer who works for the NGO, outlines the provisions of the international legislation which regulates the issue of digital security.
Dvorovyi provided two examples from the practice of the European Court of Human Rights: specifically, the cases of Uzun v Germany and Ben-Faiza v France. According to these cases, surveillance by the state was considered an acceptable interference with the right to privacy as outlined in the law, and it was necessary for the greater social good.
He clarified that the measures implemented to tackle the COVID-19 pandemic meet the required criteria, as the measures were meant to protect the public’s health. However, there are other criteria that must be followed in order to make sure the restrictions on human rights are as limited as possible. The restrictions on people’s privacy should be defined by legislation and not rely on the vague discretionary powers of law enforcement or executive bodies.
Dvorovyi also noted that the international standards contain recommendations for technology companies to avoid violating human rights such as privacy.
Does Ukrainian legislation allow surveillance without consent?
Within Ukrainian legislation, the processing of personal data is allowed by the Constitution in particular cases, and by the Law on the Protection of Personal Data. On 13 April, the Ukrainian Parliament passed amendments to the Law on Protection of the Population from Infectious Diseases on the prevention of the coronavirus disease COVID-19, which came into force on 17 April.
Vita Volodovska, another lawyer of the Digital Security Lab, explains that Article 11 of the Law on Protection of Personal Data, apart from the consent of a person, contains five more reasons to process personal data. For the authorities, such a reason is “fulfilling the duties and powers foreseen by law.”
As defined by the law, people’s personal data may be processed only for measures taken in relation to tackling the epidemic. The law stipulates that any data collected must be depersonalized 30 days after the end of quarantine; if that is not an option, the data must be deleted.
The lawyers caution the public that we need to tread carefully and to take note of the warning signs in the new legislation. The public must be conscious of keeping the government accountable and make sure that the applications of the new law do not allow authorities to use the COVID crisis to cross any red lines and interfere in people’s personal lives outside of what has been authorized.
Concerns over how many people will have access to people’s personal data
The lawyers underline that even if there is legal access to people’s personal data without consent, the law should comply with certain principles. For example, it should comply with the principle of legal certainty and contain preventive measures against violations, especially when the information is sensitive and pertains to people’s individual health.
Volodovska says that the Law on the Protection of Personal Data forbids processing of the information on people’s personal health without permission, except for certain scenarios, such as a need for medical assistance.
The newly adopted law suggests another exception for the processing of such information. However, its wording does not meet the requirements of legal certainty and precision, and it does not contain any protective measures against violations.
Volodovska lists the institutions which, according to the Law on the Protection of Population from Infectious Diseases, can take measures such as processing personal data to counter the epidemic. Among them are the Cabinet of Ministers, the Ministry of Health, and local government bodies.
The government’s decree on countering the spread of COVID-19 empowers employees of the National Police, the National Guard, the Ministry of Health, and authorized local government officials to control compliance with the self-isolation regime.
Volodovska stated that the number of people involved in the anti-epidemic measures is large, and that providing them all with excessive amounts of data is not justified. The lawyer gives the example of the Zhytomyr Oblast State Administration, which released a map marking the streets where those infected with COVID-19 lived, including information on their age and their treatment status.
According to Volodovska, “Not only does this information not contribute to pandemic protection, it can also lead to discrimination and increased social tensions in communities.”
Providing police with detailed information on people’s health to help monitor the self-isolation or observation regime seems unnecessary. Similar concerns arose regarding the application Act at Home, which monitors compliance with observation and self-isolation.
The application controls the observation or self-isolation of a person in the following ways:
During the day, at occasional moments, the app sends push notifications to a user. Within a 15-minute period, the user has to take a picture of their face. The picture is compared to the original photo that the user uploaded when they first signed on, and the geolocation has to correspond to the starting location. If the geolocation or the picture does not correspond to the initial ones, or if the connection with the app is absent, the National Police receives a notification that the user has violated the conditions of self-isolation.
The Digital Security Lab received an answer to its request from the Ministry of Digital Transformation. It says that starting from 10 April 2020, the Ministry of Health has to provide daily information for the Ministry of Digital Transformation’s databases, including people’s full names, dates of birth, addresses of self-isolation, phone numbers, and whether a person lives alone. Data regarding chronic illnesses and people’s current health conditions are stored even without the agreement of the individual.
At first, the Ministry of Digital Transformation did not envision a process that would send automated information to the Ministry of Internal Affairs during the quarantine period. The lawyers stressed that neither legislation nor bylaws gave a clear answer to the question of who should have access to personal data, and to how much of it, with regard to those infected with COVID-19 or those suspected of having the virus. In addition, there were no sufficient restrictions on how authorities would use the data.
However, on 22 April, the government clarified the terms of using the application Act at Home.
- The clarification said that downloading the app is voluntary.
- Those who returned to Ukraine from abroad can, instead of being observed in designated places, be self-isolated at home. However, only in certain cases can they give permission for the use of Act at Home before crossing the state border, or the checkpoints with the temporarily occupied territories.
- The data gathered on people with COVID-19, those suspected of having it, or those who were in contact with the infected are put in the system of Act at Home, regardless of whether a person downloaded the app or not.
- It’s important that the Cabinet also clarified the types of data which can be processed without consent by representatives of different institutions.
- Sending a notification to the Police alone is not a sufficient reason to allow the government to intervene.
Ukraine is not alone in its attempts to take digital measures to counter the spread of the novel coronavirus. At present, every country faces the inherent risk of crossing the red line when balancing privacy against the use of data to fight the pandemic. However, in countries like Ukraine, where the digital space is poorly regulated, people’s personal data is not well protected, and trust in the government is low, the dangers of digitization only increase. The inherent risk for Ukraine is that even after the quarantine is over, the legal framework might remain in place to give the authorities unprecedented and unchecked power in the digital world.
The legal experts note that there are a few measures that the country can take to ease the inherent risks being posed. First, there need to be strict regulations defining who has access to people’s personal data and how much data can be viewed. Second, there need to be definitive processes in place that provide guidance on how information should be exchanged between governmental institutions, and strict measures on the deletion of data once the quarantine is over. Overall, the measures are meant to provide transparency around how people’s personal data is being handled, to preserve people’s individual liberties and privacy.