COVID & Digital Surveillance: Common Legislative Protections for Proximity Apps, Attendance Tracking, and Status Certificates (Part II) (Presentation Slides)
UN Special Rapporteur on the Right to Privacy Session: ‘COVID-19 and Privacy in Asia, Australasia and Europe’ 23 June 2021 (Presentation)
9 Pages Posted: 30 Jun 2021
Date Written: June 23, 2021
This presentation to the UN Special Rapporteur’s conference on the Right to Privacy Session: ‘COVID-19 and Privacy in Asia, Australasia and Europe’ was given on 23 June 2021. Graham Greenleaf presented this second part, and Katharine Kemp presented a first part at https://ssrn.com/abstract=3878659.
Three forms of COVID data surveillance are considered: Proximity Tracking; Attendance Tracking; and COVID Status Certification. Our argument is that legislative protections based on common principles are needed for all types of COVID surveillance.
Our starting point is that emergency measures pose risks requiring emergency-quality protections. Unfortunately, emergencies tend to reduce normal legislative oversight. We consider two desirable principles which are often difficult to deliver if maximum effectiveness against COVID is sought: no compulsion (voluntary); and no central database.
We use three points of comparison to illustrate the legislative protections needed (and in some cases, absent):
1. Australia’s bluetooth proximity tracing app (COVIDSafe Act)
2. Australian QR Codes for attendance check-ins (no model law)
3. EU’s COVID status certificates (EU Digital Covid Certificate Regulations)
We argue for 10 common principles which can and should be implemented in legislation applying to all types of COVID surveillance systems:
1. Put controls within the country’s data privacy law
2. Guarantee access to avoid discrimination
3. Minimise & define authorised uses of COVID data
4. Minimise data collection
5. Anti-coercion provisions
6. Prevent ‘surveillance creep’
7. Continuous deletion program (if data is collected)
8. ‘Sunset clause’ for whole system
9. Supervision by independent DPA
These 10 principles are applicable even where COVID surveillance systems are developed which are compulsory and involve centralised databases. Various international organisations are advocating similar sets of principles.
The presentation examines the application of these ten principles in relation to each of the three examples of legislative protections (or their absence), and concludes that essentially the same legislative controls are necessary & possible to mediate all three types of COVID surveillance.
Keywords: COVID-19, data protection, privacy, proximity app, QR Code, Status Certificate, Vaccination We
Suggested Citation: Suggested Citation