Selim Doğan


Contact Tracing Applications And Data Privacy

1. Introduction

Countries are applying various technological devices and procedures as part of the wide range of precautions and measures taken by all countries against the COVID-19 virus. These measures and precautions focus in particular on people's interaction with each other and on controlling the limited "new" social life. In this context, the idea of preventing the spread of COVID-19 by tracing people's social lives has become quite popular with governments.

Contact tracing applications, to which everyone would probably have objected in the "old normal", have started to be applied to citizens within the scope of COVID-19 measures and back-to-"normal" policies. This article explains contact tracing applications and discusses them in the context of data protection regulations and the perspectives of data protection authorities.

2. Contact Tracing

Contact tracing is defined as a process of identifying, assessing, and managing people who have been exposed to a disease to prevent onward transmission. It is said that, when implemented systematically, contact tracing is a necessary public health tool for controlling transmission chains and the virus.1

With today's technological setup and the contribution of companies such as Google and Apple, contact tracing services are expected to be provided through mobile applications and to serve the above-mentioned purposes.

3. The Nature of Personal Data Collected Through Contact Tracing Applications and Conditions for Processing

The basis of contact tracing applications is tracking people's location data in order to achieve the purposes concerned. As a natural consequence of this practice, citizens' data are obtained by governments.

Location data are defined as "specific data processed in an electronic communications network or through electronic communication service, indicating the geographic position of the device of a user of a publicly available electronic communications service"2 under the Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communication Sector no. 28363 of Official Gazette. Considering the definition of personal data3 in the Turkish Personal Data Protection Law No. 6698 ("KVKK"), it is clear that people's location data is "personal data". Therefore, collecting location data necessarily involves an activity of processing4 personal data.

As a rule, the Controller5 must comply with the KVKK while processing personal data. Within the scope of this obligation, the Controller may process personal data in compliance with the General Principles6, the Conditions for Processing of Personal Data7, the Obligation of Controller to Inform8, the Obligations Concerning Data Security9, and other legal obligations. However, one of the exceptions on this matter is addressed below, under the perspective of the Turkish Data Protection Authority ("DPA").

4. Perspectives of Turkish DPA and European Countries' DPAs in Regard to Contact Tracing

On 9 April 2020, the Turkish DPA issued an announcement regarding the processing of location data and the tracking of mobility.10 The announcement states that there is no obstacle to the processing of location data by public institutions and organizations on grounds of public security and public order under the COVID-19 measures, for the purpose of preventing the spread of the disease. Referring to the related Article 28/1-ç of the KVKK11, the Turkish DPA declared that the processing of location data by the authorized public institutions and organizations for identifying crowded areas and improving pandemic measures will be considered an exception to ensure public safety and public order.

The French DPA has stated12 that the contact tracing application called "StopCovid" is compliant with the EU and French legislative data protection requirements. The main concerns raised in the French DPA's statements are the use of a centralized server, which increases the risk of possible cyber-attacks, and the temptation to exploit this data for purposes other than those provided by law.

On April 29, the Italian Government issued a Law Decree no.28 dated 30 April 2020 regarding the subject. In relation to the said decree, the Italian DPA's main concerns were data minimization, data security, the risk of redefinition, and the actual prevention of the use of location data for other purposes in the tracing of citizens.13

The Dutch DPA stated14 that it is unclear whether contact tracing apps are necessary and effective within the COVID-19 measures. In the Dutch DPA's view, individuals must have certain and comprehensive basic privacy rights within the scope of a contact tracing app in which special health data will be processed, considering the stricter requirements under the General Data Protection Regulation (GDPR). It is also unclear which government agencies will use the application and who the data controller is in the processing of personal data.

On 13 May 2020, the Belgian Government published a draft bill on the use of digital contact tracing applications within the context of measures and precautions against COVID-19. Nevertheless, the Belgian DPA has considerable concerns regarding the draft bill in question. According to the Belgian DPA15, the draft bill should provide more information regarding the functioning of the tracing system, clarify who the data controller of the data processing activities is, include the source code of tracing applications, and be improved by including definitions of key concepts (such as tracing apps, users, risky contacts, etc.). In addition, the authority emphasized that the use of such an application should be on a voluntary basis and that there should be only one contact tracing application at the national level.

5. Conclusion

Governments in many countries have already begun using contact tracing applications in order to reduce the spread of COVID-19. However, DPAs have expressed many reservations regarding the lawful use of such applications in respect of data privacy. Although public safety has priority and importance, contact tracing systems should be designed and implemented in accordance with data protection legislation.

1. Contact tracing in the context of COVID-19, World Health Organization

2. Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communication Sector no. 28363 of Official Gazette; article 3/1-j

3. "Personal data" is defined as all information relating to an identified or identifiable natural person under article 3/1-d of KVKK

4. "Processing of personal data" is defined as any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or, provided that the process is a part of any data registry system, through non-automatic means under article 3/1-e of KVKK

5. "Controller" is defined as a natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system under article 3/1-i of KVKK

6. Article 4 of KVKK

7. Article 5 of KVKK

8. Article 10 of KVKK

9. Article 12 of KVKK

10. Kişisel Verileri Koruma Kurumu; Kamuoyu Duyurusu (Covid-19 ile Mücadelede Konum Verisinin İşlenmesi ve Kişilerin Hareketliliklerinin İzlenmesi Hakkında Bilinmesi Gerekenler), 9 April 2020

11. Article 28/1-ç of KVKK; The provisions of this Law shall not be applied in the following cases where: personal data is processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned to maintain national defense, national security, public security, public order or economic security.

12. Commission Nationale de l'Informatique et des Libertés; Deliberation N° 2020-056 from 25 May 2020 delivering an opinion on a draft decree relating to the mobile application known as "StopCovid"

13. Garante Per La Protezione Dei Dati Personali; Uso dei dati di localizzazione e degli strumenti per il tracciamento dei contatti nel contesto dell'emergenza legata al COVID-19, 16 April 2020

14. Autoriteit Persoonsgegevens; privacy corona-apps niet aangetoond, 20 April 2020

15. The Belgian Data Protection Authority; Avis n° 34/2020 du 28 avril 2020, Avis n° 36/2020 du 29 avril 2020
