Privacy and personal data in Covid-19 affected Cyprus

Posted on 15 May 2020, by Constantina Zantira

Recent days have been unprecedented for the vast population worldwide. Governments were called to take immediate measures for the protection of public health and come up with on the spot schemes to combat any problems and social concerns associated with such measures.

Cyprus dealt with the pandemic sufficiently within a relatively short period of time so as to be considered one of the “success stories” among European Union countries.

One of the measures introduced by the Cyprus government in the context of the lockdown imposed was the restriction of movement within the country, with only 1 permitted mοvement by exception on the basis of the exhaustive list of grounds announced by the government (e.g. visit to pharmacy or a doctor, supply of necessary goods etc.). Permitted mοvements by exception were extended to 3 as of 4/5/2020 until 20/5/2020 as the country has now entered the first phase of the lockdown exit roadmap. Technology was successfully embraced to implement the scheme by requiring persons up to 65 years of age to utilise the permitted movements options by sending a text message (SMS) to a text messaging service platform created solely for this purpose (service number “8998”). Persons over 65 years of age may either utilise the service, sign a template document provided by the government or sign a handwritten declaration as to the purpose of their movement. What citizens need to do is to communicate the code corresponding to the ground on which movement is requested (e.g. 1. corresponding to “visit to pharmacy, blood donation centre or doctor”), their ID number and the postcode of their residential address. On sending the SMS, the user receives an automated reply approving the request to the citizen’s movement for a reasonable amount of time depending on the purpose for which the request was made within an area reasonably required to fulfil the purpose. No official guidelines were issued explaining the meaning of ‘designated area’ or ‘reasonable amount of time’ for each purpose. The police have the authority and power to stop citizens to check that their compliance with the requirement to obtain approval and that the movement is indeed utilised for the reason for which approval was granted.

Both the constitutionality of this requirement and the legality of the storage and use of the personal data communicated by citizens have been recently discussed. Αrticle 13 of the Constitution of the Republic provides for the potential to impose restrictions on the right to move freely within the Republic if these are required for purposes of preserving public health, among others, as the present case is. In turn, the Commissioner for Personal Data Protection, Mrs. Irene Loizidou Nikolaidou, has recently explained the legal context of the processing of personal data that citizens are by law required to communicate as above (podcast dated 6/5/2020, available at https://www.youtube.com/watch?v=2keSUxbpsJc&t=2271s). The Commissioner confirmed that the information is only communicated to the user’s respective service provider who already has the relevant information as part of the pre-existing contractual relationship with each respective user. The SMS is only sent for purposes of generating the automated reply to the user confirming the approval for the request, without any further storage of the data being processed for over 72 hours. The procedure is regarded as fulfilling the legal requirement of necessity under the circumstances whereas processing of data is in place only for purposes of generating the automated reply on behalf of the service provider for purposes of confirming that the user has not exceeded the approved limit.

One of the measures promoted in Cyprus, in line with worldwide trends, is a tracing application for smartphones, the “CovTracer”, introduced by RISE, the Research Centre of Excellence on Information and Communication Technologies in Cyprus, a joint venture funded by the EU and the Cyprus government. The application is described as assisting in combating the spread of the pandemic by identifying people who have come into recent contact with confirmed cases of the virus so that they too can be appropriately tested or treated. The government has called on citizens to embrace the endeavour, particularly those who due to the nature of their work were in the front line during this critical period such as nurses, police men, public servants and others. The use of the application is entirely voluntary and the data collected are stored on the user’s device and can only be accessed by the user. Confirmed cases may, on their discretion, communicate their information on locations attended for a period of 14 days prior to the diagnosis, to assist epidemiologists to trace potential contacts, using GPS tracking information.

The above appear in line with the Joint Statement on the right to data protection in the context of the Covid-19 pandemic issued by the Council of Europe dated 30/3/2020 which highlights that “data protection can in no manner be an obstacle to saving lives and that the applicable principles always allow for a balancing of the interests at stake.”.

Any measures or schemes implemented by EU member states must comply with the provisions of the General Data Protection Regulation (EU) 2016/679 (GDPR) so that interference with privacy and personal data is limited to the minimum required for the intended purpose. As per the provisions of GDPR, the processing of personal data for public interest purposes should be subject to appropriate safeguards (e.g. pseudonymisation of the data) so that the rights and freedoms of the data subject are duly protected. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation.

In this line, the European Commission issued its Recommendation dated 8/4/2020 for the issuance of a common EU toolbox for the use of technology and data to combat the Covid-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data. The Recommendation was issued in response to the emerging need for the issuance of guidelines among member states for the proper use of data in such critical times, aiming at protecting the fundamental rights to privacy and data protection. The toolbox focuses on introducing a common approach for the use of mobile applications to empower citizens to take effective social distancing measures, for contact tracing purposes and for appointing a common scheme for using anonymized and aggregated data on the mobility of populations for the purposes of predicting the evolution of the virus through processed mobile location data and monitoring the effectiveness of decision-making by member states’ authorities on measures such as social distancing and confinement.

Accordingly, the Council of Europe issued a Joint Statement on Digital Contact Tracing dated 28/4/2020 outlining the legal and technical safeguards that have to be in place to mitigate the risks at stake. Such safeguards refer to, among others, the effectiveness of digital contact tracing (including the comprehensiveness of a national epidemiologic strategy, the model chosen and widespread access to mobile devices and connection including specific technical functionalities such as “Bluetooth Low Energy", a network technology which is regarded as less intrusive to data), trust and voluntariness, impact assessment and privacy by design, purpose specification, sensitivity, quality and minimisation of data, automated decision-making, de-identification and other safeguards.  

Guidelines on the use of location data and contact tracing tools addressing the above were also adopted by the European Data Protection Board, published on 21/4/2020.

Cyprus is taking active steps in embracing technological advancement for the purposes of securing public health and applying the law whilst at the same time making sure that privacy issues are duly respected and dealt with in line with the guidelines and recommendations issued by the European Union bodies. The balancing act between the two aspects is certainly not an easy one and herein lies the success and effectiveness of the measures taken in such times of crisis.

The content of this article is valid as at the date of its first publication. It is intended to provide a general guide to the subject matter and does not constitute legal advice. We recommend that you seek professional advice on your specific matter before acting on any information provided. For further information or advice, please contact Constantina Zantira, Associate at constantina.zantira@kyprianou.com