The UN Special Rapporteur on the right to privacy, Ana Brian Nougrères, released a report in December, 2022 suggesting that it was necessary to take a look at all of the data that was collected in the context of the COVID-19 pandemic—from millions of people in all countries—and ask some critical questions: What will happen to the personal data collected from these millions of people for the purpose of combating the pandemic? Will it be deleted? Will it be anonymized? Will it be used for purposes other than those for which it was collected? The Special Rapporteur discussed the principles of purpose limitation, deletion of data, and demonstrated/proactive accountability, made conclusions following a survey of 186 countries, and made some significant recommendations for all States.
What did the report say?
The World Health Organization (WHO) declared a state of pandemic in March, 2020 with respect to COVID-19.
In response, States (public entities in different countries of the world) created emergency response mechanisms, some of which included measures for detecting and combating COVID-19 and tracking its spread, to protect public health and preventing its transmission. To that end, some of the information collected included health-related data such as details of symptoms, test results, and diagnoses. It is fair to say that all of the collected data was considered sensitive personal data.
Questionnaires were sent to 186 countries to determine whether there was compliance with the principles below. Ultimately, 18 countries provided responses concerning these principles, and there were findings regarding whether they complied in their applications and websites (see Table 2 for a summary of findings and Annex II for further details).
The Special Rapporteur noted the following principles:
1. Principle of purpose limitation for the processing of data collected to combat the COVID-19 pandemic
This involves limiting the purposes for which personal data may be used to specific, clear, and lawful purposes, and preventing the arbitrary use of personal data. It also deals with requiring that data only be used for certain purposes such as by law or with consent. It permits things like using personal data for the public interest (for example, scientific or historical research purposes) as long as proper safeguards are established.
2. Principle of deletion of data collected in the context of the COVID-19 pandemic
This deals with the need to delete personal data once the processing is no longer necessary to achieve the purpose. That is, there needs to be a time limit, and once that limit expires, the data must be deleted or anonymized so that it is impossible to identify the data subject. Simply put, the data cannot be retained indefinitely unless it is converted into anonymous form. And it is important to note that as long as there are established safeguards, personal data can be retained for a longer period if it is needed for historical, statistical or scientific purposes.
3. Principle of demonstrated/proactive accountability in the processing of data collected to combat the COVID-19 pandemic
This involves actions that entities should take to comply with relevant regulations, and what they should do to demonstrate that the action taken is appropriate, relevant, and effective. That said, it is noted that in practice, entities face an ongoing challenge to achieve this goal. Therefore, it is recommended that efforts be focused on ensuring that data processing regulations set specific, tangible goals rather than purely theoretical ones, so that they are of genuine benefit. The principle of accountability is of crucial importance since it requires those who control and/or process data to implement appropriate, effective, and verifiable measures through which to demonstrate that they have duly complied with personal data processing regulations.
The thrust of the comments is about using “less rhetoric and more action in fulfilling the obligations established under personal data processing regulations”. This means that there should be appropriate, relevant, timely, and effective measures and procedures to demonstrate compliance and the implementation and supervision of verification procedures.
The Special Rapporteur concluded the following:
- Purpose limitation: All of the public entities applied the principle of purpose limitation in the processing of personal data, as seen in policies and/or terms and conditions for the applications and/or web pages.
- Deletion and anonymization: Only some of the public entities provided information about the deletion or anonymization of data once they ceased to be useful for the purposes for which they were collected (20% did not expressly state that the data would be deleted or anonymized as soon as the purpose had been achieved, 70% stated that the information would be deleted, and 10% indicated that it would be either deleted or anonymized as soon as the purpose for which it was collected had been achieved).
- Demonstrated/proactive accountability: only 55% of entities included this in their policies, and only 15% had committed to implementing measures to comply with the principle of deletion of data.
- Verification of compliance: very few, if any, established transparent mechanisms for verifying whether personal data had been deleted or anonymized. In fact, only one public authority (5% of the total number of entities surveyed) had established a verification procedure for demonstrating or proving that personal data had been deleted or anonymized, and none of them envisaged using an external auditor to certify that personal data had effectively been deleted or anonymized.
The Special Rapporteur recommended that States do the following:
- Ensure that they are genuinely and effectively complying with the principles of purpose limitation, deletion of data, and demonstrated/proactive accountability in respect of the data of millions of people that were collected for the purpose of detecting and/or combating COVID-19 and tracking its spread with a view to protecting public health and preventing its transmission.
- Reinforce the application of the principle of demonstrated/proactive responsibility in all programmes and policies involving the processing of personal data.
- Before commencing the design and development of applications and software that involve processing personal data for the purpose of carrying out State functions, take proactive, preventive measures with a view to establishing a risk monitoring and management system that will ensure that data is processed fairly and lawfully.
- Work to cement a public culture that fosters transparent and ethical processing of personal data, with all due safeguards, so as to ensure that transparency becomes an essential component in the design and implementation of all public programmes and policies that involve the processing of personal data.
- Build and consolidate levels of public confidence in the programmes of public entities that involve the processing of personal data by implementing transparent, publicly accessible mechanisms that allow citizens to verify, through a simple process and at any time, that public entities comply in practice with the procedures and commitments contained in their policy notices and/or terms and conditions for activities that involve the collection, use and exchange of personal data or any other activity in which personal data are processed.
What can we take from this development?
The Special Rapporteur urged States to strive towards cooperation and regulatory harmonization at the international level. Indeed, there are several common elements that we share globally, and these commonalities can help us address several challenges that arise when processing and transferring data. In other words, we need to do our part to ensure that individuals’ privacy rights are safeguarded both virtually and in person.
In a recent article, the Special Rapporteur stated:
“I urge States to view the guiding principles, laid out in my report, as a key structural part of every national legal system that regulate the actions of controllers and processors in the processing of personal data.”
Please note that any views expressed in this article are solely the views of the author.
- The antitrust case against Google - November 17, 2023
- Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems released - October 20, 2023
- Privacy Commissioner of Canada releases Annual Report - September 22, 2023