NGOs threaten litigation over covid-19 data-sharing

A coordinated effort by nine European civil liberties organisations to force governments to protect privacy while sharing data to tackle covid-19 may lead to litigation. 

Members of the Civil Liberties Union for Europe in nine EU countries today filed freedom of information requests with the government departments in charge of contact-tracing apps in those states. The information requests relate to contact-tracing, symptom-tracking and quarantine-enforcing apps introduced by national governments intended to tackle covid-19.  

“The initiative … aims to ensure that EU governments are not processing more personal data than what is necessary to protect public health, and that they pay appropriate attention to minimising the risk of data leakage and other privacy breaches,” an announcement by the group of NGOs said. 

Orsolya Reich, a senior advocacy officer with the Civil Liberties Union, said: “Human rights organisations need to make sure that European governments take their responsibility to prepare impact assessments seriously and no European government uses the pandemic as a pretext for normalising the expanded use of invasive digital surveillance technologies.”

The group said today that if their member organisations – based in Bulgaria, Croatia, Hungary, Italy, Lithuania, Poland, Slovenia, Spain and Sweden – do not receive “quality information” from national governments, they will litigate. 

Eva Simon, a senior advocacy officer with the organisation, said that governments must follow GDPR principles when designing apps to tackle covid-19, and argued that courts are likely to side with the group if the issue moves to litigation. “Liberties expect the courts to remind authorities that European Union member states stand for democracy, and without unsurveilled public and private spheres no democracy can flourish,” she said.   

The move follows months of concern and criticism over the civil liberties issues – in particular, privacy – related to the mass use of telecoms and location data to tackle covid-19. The Hungarian government came under particularly pointed criticism, including from the European Data Protection Board, for its decision to suspend the GDPR as part of its package of emergency measures in response to the pandemic. 

Data protection authorities in many European countries have also played a large role in both the consultation and oversight stages of contact-tracing app and data-sharing policies. The Belgian and Dutch regulators recently chided their governments’ data-sharing efforts while the Italian watchdog greenlighted its country’s contact-tracing app.