Paulina Gutiérrez

There is no argument against governments needing information to effectively respond to the pandemic, particularly to design evidence-based measures that control the contagion and save lives. Similarly, it is undeniable that the collection of such information through the use of technology has substantial implications on people’s human rights. Any counter-argument would undermine the government’s burden to prove that the limitations imposed on our rights are legitimate, necessary and proportional, particularly concerning restrictions on freedom of movement, right to privacy, data protection, and freedom of expression.

But what does this burden mean and what does it entail? And most importantly, how do we ensure that restrictions on our rights are strictly limited to the purpose for which they were adopted, both during and after the pandemic? What protections do we have against abuses and violations of our human rights?

The deployment of technology-led initiatives to address public problems is not a new approach, and it is one that has been challenged in the past. The difference between those instances and the context of the pandemic lies in the invisibility and the lack of understanding of a virus whose impact on society, the economy, and public health requires immediate and targeted attention.
Although there is a general understanding that any technological measures  implemented to contain the virus must be complementary to a variety of non-technological measures, the need to make it visible and preventable has disguised  technologies as the sole option to control the pandemic.

Among the technological responses that stand out, we find, on one hand, informative mobile applications, diagnosis “chatbots” based on users’ reported symptoms, body temperature readers, and symptom monitoring; and on the other, devices that control and trace movement, contact, and isolation through the use of cellphone and telecommunication services, georeferencing data, and use of drones, among others.

Every technological tool and measure used to control the spread of the pandemic is dependent on some level of intrusion into private life. Each technological tool records some form of highly sensitive personal data, including people’s activities, interactions, travels, contacts, symptoms, and diseases – which is then processed by third parties – both private and public actors, with little (if any) clarity on how it will be subsequently used or shared. Therefore, with the collection of this personal data, It is not hard to imagine a situation where the “solution” to the impacts of the pandemic is the product of waiving our privacy and data protection. Notably, such a solution is more complex. Especially if we start by acknowledging that the restrictions on our rights are not confined to the State’s access to our information; we must also add the active participation of the private sector.

We thus face intrusions on our right to privacy in the name of public health. Although public health is legally invokable, it will never be a legitimate justification to restrict human rights if adopted in isolation. In other words, combating the health crisis through access and use of our individual, personal, and collective information imposes an inadmissible surveillance system, unless the measures adopted to obtain it are conducted within a set of legal protections. Specifically those that safeguard the immunity that protects individuals’ scope of privacy against arbitrary and abusive invasions by public authorities or non-public entities.

Therefore, States must meet the legitimacy test that underlies all surveillance practices, especially those aimed at tracing and containing a virus. In other words, governments that opt for technology-led responses based on individuals’ activity and health data must ensure that (a) the restriction is legally clear and precise, which includes the existence of a legal framework that protects the affected rights, as well as effective legal remedies for abuses and violations of the rights restricted by public and private actors (legality); (b) the restrictive measure is appropriate and effective to achieve its purpose, and demonstrate that it is the only means available to achieve it (necessity); and (c) other less restrictive measures and methods to the right to privacy and other rights are inexistent, as well as strict limits on the duration of the invasive measure (proportionality). 

In Latin America, the legitimacy test for restricting privacy has never been more relevant, mainly due to the existing technological capacity prior to the pandemic and abuses in the form of both mass and targeted surveillance practices, extensively documented over the past six years. Argentina, Bolivia, Chile, Colombia, Ecuador, Guatemala, Mexico, Paraguay, and Peru are some examples in which governments have decided to adopt surveillance and data collection measures to respond to the health crisis. There is still no evidence that supports the effectiveness of these technological measures, therefore, public scrutiny, along with legal and judicial controls, are critical to contain arbitrariness and abuses from authorities and non-public entities.

The current legal frameworks on personal data protection in the region appear to be insufficient to meet the challenges posed by the pandemic. However, they can be an invaluable tool to place controls on both governments and third parties if regarded as improvable and actionable. This is said with the awareness that the development and application of these regulations in Latin America has been asymmetrical and inconsistent – and in some countries, non-existent. Specialized regulations dealing with this issue can provide pathways to demand legal justification for the limits imposed on the power of individuals to know what personal information third parties have access to, to limit the temporality, use, and purpose of data processing and treatment, and to decide whether or not to provide sensitive data – identifying information related to their health, race, or sexual preference, for example.

Although these legal frameworks include public health-related exceptions, the principles of temporality, necessity, and legality remain applicable. Above all, data protection regulations are indispensable to determining limitations, purpose, and use of collected and processed personal data, as well as to ensure these practices do not become permanent, when they are no longer required.

States are therefore responsible for providing clear answers regarding the effectiveness of technological measures and tools to adequately contain the virus; ensuring any measures or tools do not request or access more information than necessary to control the pandemic; as well as enabling legal frameworks and remedies to which people can appeal in the event their data is shared and processed by entities beyond those required to respond to the health crisis..

There are examples in Latin America and other regions of the world where the legitimacy test and data protection frameworks have prevented the invasive, unnecessary, and disproportionate use of technology to control the health crisis.

  • In Brazil, the provisional measure (Medida Provisória (MP) 954/2020) was suspended by the Brazilian Supreme Court on May 7, 2020, to avoid irreparable damage to the right to intimacy and private life of individuals. The measure was issued by the executive branch, ordering telecommunications companies to provide users’ data to the Brazilian Institute of Geography and Statistics (IBGE), who was instructed to generate statistical data about the pandemic. Under a necessity, appropriateness, and proportionality assessment, the Supreme Court justice ruled that, without underestimating the gravity of the health crisis and the need to develop data-driven public policies, the constitutional rights of the people should not be undermined and, consequently, it was necessary to suspend the application of the measure 954/2020, as it does not provide adequate mechanisms (nor are there existing mechanisms) to protect people against unauthorized access to or misuse of their data.
  • In Chile, a short-term special law has been proposed to safeguard the data of people whose health status is exposed to a variety of entities during the pandemic. The Chilean Transparency Council proposed this initiative in April by recognizing that health data is subject not only to constitutional protections but also to additional protections due to the sensitive nature of the information it contains. Similarly, the Joint Committee on Human Rights of the Parliament of the United Kingdom presented a special legislation proposal focused on regulating the purpose of and limits on obtaining and processing information collected through a contact monitoring application. It requires the government to delete the collected information after the health crisis ends and establishes measures against abuses from authorities and third parties.
  • In India, the High Court of Kerala admitted three petitions against the mandatory use of a contact monitoring application, as well as the criminal sanctions for not using it. The same Court issued an order on April 24, 2020, instructing measures to be implemented to safeguard the confidentiality of the data belonging to patients susceptible to the coronavirus, collected by a digital system operated by the Government of Kerala and the company Sprinklr, Inc. It also prohibited the latter from committing any act that would compromise the confidentiality of the data.
  • In Slovakia, the Constitutional Court suspended the special legislation that allowed authorities to access users’ data collected by telecommunications companies for the purpose of monitoring people infected with the coronavirus. On May 13, 2020, the Court found that the legislation was ambiguous, the purposes of the processing were not sufficiently clear, it allowed for the processing of personal data without clear intentions, and it lacked the necessary safeguards against abuses.

The challenge posed by the pandemic is not simple but the obligations of governments are very clear. Our rights to privacy and personal data protection continue to apply during the health crisis.

The burden to prove that our rights can be restricted must not lie solely on technology, the benefits of which enable the exercise of our human rights. Demands must focus on the State’s obligations on transparency and accountability, as well as on governments’ duty to demonstrate the legitimacy of any restrictive measures – to allow any abuse would make them arbitrary.