Paulina Gutiérrez

It is unquestionable that governments need information to respond to the pandemic, particularly to design evidence-based measures to control the contagion and save lives. Likewise, it is undeniable that the use of technology to collect that information has major implications on individuals’ human rights. Any argument otherwise would overlook the requirement for governments to demonstrate that limitations imposed on our rights are legal, necessary and proportionate, especially restrictions on free movement, privacy, protection of personal data and freedom of expression.

But what does that requirement mean and what does it involve? And, more importantly, how do we make sure that during and after the pandemic the restrictions on our rights are limited only to the purpose for which they were adopted? How do we protect ourselves against any abuse and violation of our human rights?

The deployment of technology-based initiatives to address public problems is not new and has been subject of controversy in the past. In the context of the pandemic, the difference lies in the invisibility and lack of knowledge about a virus whose social, economic and health impact demands immediate and focused attention. Although there is a general understanding that technological means must go hand-in-hand with a variety of non-technological measures, the need to make the virus visible and preventable has made technology seem as the only means to control it.

Some of the technological responses range from “chatbots,” informative mobile apps that provide diagnoses based on user-identified symptoms, body temperature readers and symptom monitoring, to mechanisms that control and track movement, contact and isolation through mobile phone services, georeferencing and the use of drones.

Each of the technological measures and tools designed to control and prevent the spread of the virus benefit from different levels of invasion of privacy. They record access, activities, interactions, symptoms and illnesses, whose technological and digital processing requires access of personal information by third parties – personal information generated through the collection, storage, transmission, use, study and management of data. Hence, presumably, it is not difficult to imagine a situation in which the solution to the pandemic’s impact would be the product of information we provide, waiving our privacy and data protection. However, the formula is much more complex, especially if we start by acknowledging that the restrictions are not confined only to the State accessing our information; we must also consider the active participation of the private sector. We are then facing privacy invasions in the name of public health. Although a health emergency can be invoked to impose restrictions on human rights, it will never be a legitimate justification when applied in isolation. In other words, combating the health crisis by accessing and using our individual, personal and collective information imposes an inadmissible surveillance system, unless the measures adopted comply with States’ mandatory observance of a set of conventional and legal protections, specifically those that safeguard the immunity afforded to privacy against arbitrary or abusive invasion by public authorities or non-public entities.

This means that States must strictly comply with the legitimacy test when adopting surveillance practices, especially those with the purpose of tracking and containing the spread of a virus. Any government that decides to opt for technological responses based on information generated by the activities of individuals must ensure that (a) the legally stipulated restriction is clear and precise and that there is a legal framework for protection of the affected rights, as well as effective legal remedies against abuse and violations of rights restricted by public and private parties – legality; (b) the restrictive measure is suitable and effective to achieve the intended purposes, demonstrating that it is the only available method – necessity; and (c) there are no other available measures and methods that would be less detrimental to the right to privacy and other rights, and that there are strict limits on the duration of the invasive measure – proportionality.

In Latin America, the legitimacy test for limitations over the right to privacy has never been more relevant, primarily due to the existing technological capacity prior to the pandemic and its abuse through targeted and mass surveillance practices, extensively documented in the last six years.
Argentina, Bolivia, ChileColombiaEcuadorGuatemalaMexicoParaguay, and Peru are some of the countries in which governments have decided to adopt surveillance technology measures and collection methods to respond to the health crisis. There is still no evidence supporting the effectiveness of these measures, hence, public scrutiny alongside legal and judicial controls are critical to contain arbitrariness and abuses from governments and non-public entities.

Existing data protection frameworks in the region seem to be insufficient for the challenges posed by the pandemic. However, if we regard them as improvable, they will be invaluable for imposing controls over both governments and private entities. Aware of the fact that their development and implementation in Latin America is asymmetrical and inconsistent – and in some cases non-existent, special regulations may provide legal avenues to demand justification of the limits imposed on individuals’ power to know what information third parties have about them, to limit the duration and purpose of processing their information, and to decide whether to provide their most sensitive data – that is information that may reveal information about their health, race, sexual preference, among others.

Although these legal frameworks include exceptions on the basis of public health, the principles of temporality, necessity and legality remain applicable. Above all, they are essential for knowing the destination, purpose and use of the information collected and processed, as well as preventing practices from becoming permanent once the pandemic is under major control.

Therefore, we must be clearly informed on whether the use of technological tools and measures contributes to effectively contain the virus, whether these tools request or access more information than they claim to need to control the spread of the virus, and what legal framework or remedy we can resort to if our data is shared with government bodies or non-public entities not involved in containing the pandemic, just to name a few practical scenarios.

In Latin America and in other regions of the world, the legitimacy test and data protection legal frameworks have already prevented the invasive, unnecessary and disproportionate use of technology to control the health crisis:

  • In Brazil, Provisional Measure (Medida Provisória – MP) 954/2020 was suspended by the Federal Supreme Court on May 7, 2020, to prevent irreparable harm to the privacy of individuals. Measure 954/2020 was issued by the Executive Branch to order telecommunications companies to provide information from mobile users to the Brazilian Institute of Geography and Statistics (Instituto Brasileño de Geografía y Estadística – IBGE), which would prepare statistics on the pandemic. Under necessity, suitability and proportionality analysis, a judge from the Supreme Court ruled that, without underestimating the severity of the health crisis and the need to develop public policies based on certain data, the constitutional rights of individuals must not be violated and, therefore, it was necessary to suspend the measure as it did not provide nor existed suitable mechanisms to protect individuals’ data against unauthorized access or undue use of their information.
  • In Chile, a short-term or special temporary law was proposed to safeguard the data of individuals whose state of health is exposed and subject to processing by a variety of parties during the pandemic. The Transparency Council proposed this initiative in April, recognizing that health related data are not only constitutionally protected but also have a special protection due to the information they reveal. Something similar happened in the United Kingdom, where the Parliamentary Joint Committee on Human Rights proposed special legislation focused on precisely regulating the purpose and limits for obtaining and processing information collected through a contact monitoring app, requiring the government to delete the information collected after the end of the health crisis, and imposing measures against abuses by the government and third parties.
  • In India, the Kerala High Court admitted three petitions against mandatory use of a contact monitoring app and the imposition of criminal sanctions for not using it. In addition, on April 24, 2020, the Kerala High Court issued an order instructing the to safeguard the confidentiality of data of patients at risk of coronavirus, collected by a digital system operated by the government of Kerala and Sprinklr Inc. It also prohibited this company from committing any act that compromises the confidentiality of the data.
  • In Slovakia, the Constitutional Court suspended the special legislation that allowed authorities to access user data collected by telecommunications companies to monitor individuals infected with coronavirus. On May 13, 2020, the Court determined that the legislation was ambiguous and the purposes of the processing were not sufficiently clear; the legislation would allow processing of personal data without clear intentions and lacked the necessary safeguards against abuse of the information collected and processed.

The challenge is not simple but the obligations of governments are very clear: our rights to privacy and protection of personal data remain applicable during the health crisis. The burden to demonstrate that our rights may be subject to limitation must not be driven by technology-centered approaches, whose benefits enable the exercise of our human rights. Rather, States must observe their human rights obligations in terms of transparency and accountability, as well as its duty to prove the legitimacy of the measures; allowing their abuse make them arbitrary.