Privacy and the COVID-19 pandemic

An article written by Michelle Ariana Ospina Giraldo*

In an effort to reduce the spread of the virus and save lives amidst the COVID-19 pandemic, daily life activities such as education, work, shopping, and social life migrated almost completely to digital platforms. This sudden and unexpected shift, however, has created an excessive reliance on digital services and platforms, which has resulted in numerous cases of privacy[1] violations and data breaches. The initial increase of data breach cases in 2020 is likely linked to the unexpected pandemic, and cybercrimes increased exponentially from 432 cases in 2019 to 756 cases in 2020.[2] This has generated alarm among data subjects, as they begin to question just how much privacy they really have in this new digital age. Incidents such as video conference hacking, the sale of user data, and the surveillance of employees working from home (“home office”) have only increased the concerns regarding privacy and the collection and processing of personal data.

Even the new COVID-19 tracking apps are not free from data subjects’ doubt. Most of these apps are ineffective unless their users accept a high risk of exposure. Additionally, self-reporting can be biased by the desire for social approval or by inconsistency in the information provided.[3] All this has added to the long list of concerns that have opened the debate on the importance of data privacy as well as the serious implications for the human rights and freedoms of data subjects.[4] While massive vaccination rollouts have been deployed all over Europe, only 54.7% of the adult population in Europe are fully vaccinated.[5] This means that a significant part of the population would still be vulnerable if online activities returned to being attended in person. Furthermore, the new variants of the virus that have recently appeared can still affect those vaccinated, and with the winter season approaching, it is advisable to continue implementing digital means in order to prevent further lockdown measures. Moreover, vaccination itself could eventually become a privacy issue for employers who decide to reopen their offices: while they have a duty to ensure a secure workspace and minimize contagion risks, the question of whether an employee is vaccinated or not is considered sensitive data under article 9 of the General Data Protection Regulation (GDPR),[6] and in several Member States employers do not have a valid legal basis to ask for vaccination status.[7]

The transition to this new digital reality would be easier if the corresponding legal framework were solid and complete, because although the GDPR is considered the world’s toughest[8] privacy and security law,[9] it alone is not enough to ensure data subjects’ rights. Its purpose is limited to the collection and processing of data.[10] Recent updates to legal tools such as the standard contractual clauses under the recent Schrems II[11] decision broaden the protection that the GDPR provides to data subjects, but as for electronic communications, Europe stands in a gray zone between an outdated directive[12] and a promised but long overdue regulation that would act as lex specialis to the GDPR in the aid of confidentiality of electronic communications, privacy controls through electronic consent, browsers, and cookies.[13]

The longer this legal framework remains incomplete, especially now under the increased use of online platforms, the more data subjects are exposed to privacy violations. During 2020 privacy violations skyrocketed with an increase of 37% of data breach cases, amounting to a total of €158.5 million in fines.[14] This initial increase of data breach cases is certainly linked to the unexpected pandemic for which the world was unprepared. However, it has been one and a half years since the pandemic began, and so far in 2021 data breaches have increased by 19%, amounting to a total of 303 million Euros in fines.[15] While there are still months before this year comes to an end, the number of cases remains alarming, and the sharp escalation in the severity of the fines is evidence enough that the Data Protection Authorities are being stricter towards infringers. This severity in the fines is especially important when it comes to Big Tech companies, which tend to mishandle user data. Facebook is one of the most recently fined Big Tech companies: Ireland’s Data Protection Commission found that WhatsApp was not properly informing European data subjects how their data was being handled or shared with its parent company.[16]

Nonetheless, the protection of privacy, especially in the digital sphere, should use an approach similar to that established in article 25 GDPR: “data protection by design and default”; design being technical and structural measures at the foundation of data protection in Europe, and default being the highest standard of protection.[17] It is reassuring that the fines and sanctions for infringements are enforced; however, the legal framework for the protection of privacy must be strong enough to prevent most cases from happening in the first place. So, while the pandemic has promoted an overreliance on digital platforms, rather than generating new problems it has only accentuated the preexisting structural issues present in security and privacy laws and practices. Structural reforms are therefore urgently needed. The pandemic must not serve as an excuse for the flaws in our system but as a motivator to enforce the rules that we have and set an obligation of constant improvement, for even as we shift more towards a digitalized world, privacy should not be a term that is forgotten. As the pandemic continues, reassuring data subjects of their fundamental right to privacy as set forth in Art. 8 ECHR and Art. 8 of the EU Charter of Fundamental Rights is the best way to continue the efforts of saving lives and stopping contagion. And even long after the pandemic is over, we must not forget the lessons learned, for the future is digital.

* Ariana Ospina, LL.B., is an LL.M candidate at the Europa Institute of Saarland University, where she is specializing in European Economic Law and Dispute Resolution. Ariana is city chapter president of DEGIS, a German NGO, and currently works as the IT Compliance manager of a European start-up company.


[1] Privacy is a fundamental human right; however, each country has taken a different approach towards its definition. It generally encompasses being free from interference and intrusion, associating freely with whom you want, and being able to control who can see or use information about you. This brief focuses on information privacy (how your personal information is handled) and surveillance (where your identity cannot be proved or information is not recorded). https://www.oaic.gov.au/privacy/your-privacy-rights/what-is-privacy/ (accessed 08.09.2021).

[2] https://www.bbc.com/news/technology-57583158 (last accessed 28/08/2021). 

[3] https://www.hertie-school.org/en/news/detail/content/how-effective-is-germanys-covid-19-contact-tracing-app (last accessed 04/07/2021). 

[4] Council of Europe, Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, 4 November 1950, ETS 5, available at: https://www.refworld.org/docid/3ae6b3b04.html (last accessed 28/08/2021).

[5] https://www.france24.com/en/europe/20210722-more-than-half-of-adults-in-eu-are-fully-vaccinated-against-covid-19-data-shows (last accessed 28/08/2021).

[6] Regulation (EU) 2016/679 of the European Parliament and of the Council on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), of 27/04/2016. 

[7] https://www.insideprivacy.com/covid-19/covid-19-processing-of-vaccination-data-by-employers/ (last accessed 05/09/2021). 

[8] https://www.nytimes.com/2018/05/06/technology/gdpr-european-privacy-law.html (accessed 08.09.2021). 

[9] https://gdpr.eu/what-is-gdpr/?cn-reloaded=1 (last accessed 03/09/2021).

[10] Article 2, Regulation (EU) 2016/679 of the European Parliament and of the Council on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC (General Data Protection Regulation), of 27/04/2016.

[11] ECJ, case C-311/18, Schrems, ECLI:EU:C:2020:55.

[12] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201 31/07/2002 p.37. 

[13] Proposal for a Regulation of The European Parliament and of the Council concerning the Respect For Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation On Privacy And Electronic Communications) of 10/01/2017. 

[14] https://www.privacy-ticker.com/gdpr-fines-and-data-breach-reports-increased-in-2020/ (last accessed 28/08/2021). 

[15] https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/ (last accessed 28/08/2021). 

[16] https://www.dw.com/en/ireland-fines-whatsapp-225-million-for-eu-privacy-breach/a-59065206 (last accessed 08.09.2021). 

[17] https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en (accessed 08.09.2021). 

