To combat the coronavirus pandemic, some governments have been tempted to monitor their citizens using Big Data. In Germany and Austria, there are concrete ideas, but to be truly effective, the methods would have to be deeply invasive, say privacy activists. EURACTIV Germany reports.
To get the spread of COVID-19 under control, governments in Germany and Austria have relied on the self-isolation of citizens. Both governments are now turning to Big Data to monitor adherence to the rules and track the chains of infection.
Although the solutions implemented so far are harmless, they are virtually useless, say data protection activists. To effectively monitor, one would have to intervene deeply in the private sphere. However, this hurdle of proportionality could be difficult to overcome.
The debate began when major mobile phone operators in both countries offered to provide their governments with the movement data of their users free of charge.
However, these were not the movement patterns of individual users, but so-called aggregated data sets. Several users (20-30) were bundled together into one data package. This means that although it is not possible to track individual persons, it is possible to track flows of movement.
This type of monitoring has been in use for a long time and in a wide variety of areas – for example, travel portals find out when restaurants are particularly well frequented. Mobile phone providers usually sell these data sets as a product.
The German data protection commissioner Ulrich Kelber (SPD) considers this approach to be harmless. Rainer Rehak, deputy chairman of the group Computer Scientists for Peace and Social Responsibility, echoed this belief in an interview with EURACTIV.
Thanks for nothing
According to Rehak, these datasets are “a nice thing,” but the authorities don’t know what to do with them. The aggregated data says little about individual behaviour; it shows only whether there are large gatherings of people in public spaces, and the state already knows this from surveillance cameras and police patrols.
Georg Markus Kainz, President of the data protection organisation quintessenz, confirmed the same for Austria. In an interview, he says that aggregated data has “no added value” for monitoring the adherence to social distancing measures.
Individual monitoring would be more effective in determining which individuals are disobeying lockdown orders. However, this would require completely different data: either GPS data or mobile phone data from the devices.
The former would be very accurate, but GPS data is held not by the telecom providers but by Google. The latter would be feasible with the cooperation of the providers but less accurate. Apart from these technical hurdles, any kind of individual monitoring would probably be a disproportionate intrusion into privacy, Rehak says.
Although the GDPR allows such interventions, they are only permitted if the end justifies the means. While the coronavirus pandemic is a matter of life and death, Rehak and Kainz doubt that the concrete added value of individual surveillance (compared to the status quo) would justify such a massive intervention.
They also agree with data protection commissioner Ulrich Kelber, who tweeted: “So far, there is no proof that the individual location data of mobile phone providers could help to identify contact persons. They are far too imprecise for that”.
All data processing measures must be necessary, suitable and proportionate. So far, there is no proof that the individual location data of mobile phone providers could help to identify contact persons; they are far too imprecise for that.
— Ulrich Kelber (@UlrichKelber) March 22, 2020
Digital handshake by app
Kelber’s tweet was a reaction to a planned amendment of the infection protection law. According to media reports, Health Minister Jens Spahn (CDU) has tried to allow individual mobile phones to be located by means of mobile phone data. Rehak suspects this to be true, and judging by the tweet, Kelber probably does, too.
As can be seen from the tweet, the official purpose of the surveillance would not have been to monitor the adherence to the social distancing rules, but rather to follow possible chains of infection. Instead, work is now underway on a smartphone app that citizens can install and use to voluntarily report their contacts with other users.
This app already exists in Austria. “Stop Corona” was launched Wednesday by the Red Cross. Kainz praises the design of the app from a data protection perspective. Everything happens on a voluntary basis.
However, the problem is the same as with the aggregated transaction data: it would only be effective if it were tightened up so that, for example, everyone must have the app and contacts between users are recorded automatically rather than manually.
The Red Cross has considered the latter suggestion. Commander Gerry Foitik tweeted the app’s update plan, and the last step (for the time being) is to automate the recording of contacts, but according to the opt-in principle: users must agree to this once.
So far, these steps are privacy-compliant, but Kainz notes that only real compulsion would be truly effective. That, in this case too, would hardly be proportionate.
— Gerry Foitik (@GFoi) March 24, 2020
Never say never
Data protection is not above human life. If it is truly necessary and proportionate, invasions of privacy are justified, Rehak and Kainz agree. This is not the case with the measures planned so far, compared to existing methods of surveillance via video or police.
Even if governments still find solutions that would be so effective that they justify an intervention, an expiration date would be essential. Otherwise, although a crisis would have been overcome, hard-won rights would have been lost in the long run.
Edited by Samuel Stolton