In Poland, those required to quarantine are given a choice: either receive unexpected visits from the police or download the “home quarantine app.” The app requires users to first register with a “selfie.” The app then sends randomly scheduled requests to upload selfies from their homes within 20 minutes. The selfies are processed through facial recognition software, and the location is checked against the existing GPS information from the user’s phone. This data is shared with government agencies and the police. If the selfies are not uploaded in time or do not confirm the user is at home, police will be dispatched and might fine an individual with 1.5 times his or her monthly salary.
In South Korea, the government uses smartphone location history, credit card transactions, immigration records, and CCTV footage to create detailed accounts of an individual’s whereabouts. This information is combined with data from South Korea’s existing surveillance system and network of CCTV cameras to produce detailed accounts of individuals’ lives, including buses they took and even whether they were wearing masks when around other people. This information has been published, resulting in online harassment. This has led the country’s National Human Rights Commission to express concerns about the excessive exposure of private information of patients and call for new guidelines on pandemic surveillance.
Hong Kong has implemented mandatory self-isolation for all inbound travelers. To monitor their movements, individuals are required to download the “StayHomeSafe” app and wear an electronic wristband connected to that app. Individuals are instructed to walk along the perimeter of their homes, which provides authorities with a blueprint of their private spaces. The app requires users to take and upload photos of themselves wearing the wristbands at random times. Personal surveillance devices of this kind allow states to access the personal details and whereabouts of citizens and residents at any time.
In Armenia, telecommunications companies are required to provide authorities with their customers’ phone records, including phone numbers and the location, time, and date of their calls and text messages. It is not clear how knowing who someone calls or messages will help authorities identify people with COVID-19. While the epidemiological uses of this data are not immediately apparent, the privacy implications of such a sweeping measure are.
These are just some of the examples of surveillance overreach by governments. Our COVID-19 Civic Freedom Tracker and other trackers provide additional examples of the epidemic of new surveillance powers and methods governments around the world are deploying, often with little consideration for the impact on the right to privacy and other human rights.
The International Covenant on Civil and Political Rights (ICCPR) protects the right to privacy and the freedoms of expression, association, and peaceful assembly. In non-emergency periods, the ICCPR permits states to restrict these rights in certain, limited situations to achieve a “legitimate aim.”
One legitimate aim is the protection of public health. Even when acting in furtherance of a legitimate aim, states must ensure that restrictions are “prescribed by law” and are “necessary in a democratic society.” The former requirement implies that the restrictions must be accessible and formulated with sufficient precision as to be understandable. The latter requires states to limit restrictions to those that are narrowly crafted and proportionate to the pursuance of the legitimate aim.
The ICCPR, in Article 4, grants states flexibility to tackle emergencies, including public health crises. In emergencies, the ICCPR permits temporary derogations from its obligations. Many states have determined that the COVID-19 pandemic constitutes a public health emergency allowing exemptions, but only a fraction have formally derogated from human rights treaties.
Even cases where derogations have been made, states are still limited in their ability to act outside their human rights obligations. These obligations mirror those that pertain to non-emergency situations. States must continue to ensure that their actions are established by law, necessary to meet the threat faced, and proportionate to that threat. To meet the proportionality requirement, emergency measures must be narrowly tailored in terms of duration, geographical coverage, and material scope.
These restrictions apply to surveillance technology, which the UN Human Rights Council has identified as having implications for the right to privacy:
States must respect international human rights obligations regarding the right to privacy when they intercept digital communications of individuals and/or collect personal data and when they require disclosure of personal data from third parties, including private companies.
These legal requirements, however, do not prevent states from incorporating surveillance in their COVID-19 responses, but rather suggest safeguards that governments should include in any surveillance measures adopted.
These obligations, established by states themselves, are key to protecting human rights when they are most in need of protection: in emergencies such as the COVID-19 pandemic. The new digital surveillance powers over citizens and residents in Poland, South Korea, Hong Kong, Armenia, and other countries must be carefully scrutinized against these standards and, where they overreach, they should be amended. The following suggestions are intended to help states and citizens craft emergency surveillance measures that will protect human rights and meet state human rights obligations.
- First, the legislation providing new surveillance powers should include sunset provisions. This will ensure that measures only last for a specific time, and their necessity is regularly reassessed. Ideally, surveillance powers expire after a set period, i.e., 30 days, and the legislation can then be extended if the state of emergency continues. This limits the ability for states to use the new powers for other purposes, such as getting notified when multiple flagged ‘dissidents’ meet at the same place.
- Second, the legislation should require that the collection, procession, retention, and aggregation of personal data, including sensitive health data, is only used to respond to the COVID-19 crisis. The European Data Protection Board provides guidance about data protection during health emergencies in the European Union, stating that any measure taken in response to COVID-19 must respect the general principles of law and must not be irreversible. The data collected by governments should be stored securely, and the host or aggregator should never be a private, for-profit company. The sharing of data must be limited to official health ministries or agencies, and health care providers, like hospitals. The legislation should also prohibit the sharing or selling of data, including metadata, to third parties, regardless of whether or not it has been anonymized. This will help protect individuals from misuse of their data by governments or others who might use it to intimidate, harass, or exploit.
- Third, data-sharing between private, for-profit actors, and governments should be based in law and agreements made public immediately. The agreements should clearly define the data to be shared and that it will be used only for confronting the COVID-19 pandemic. Every agreement should include sunset provisions. Private entities should be required to take affirmative steps to respect privacy and other human rights. Furthermore, they should be prohibited from profiting from the data-sharing agreement and firewall this activity from other business interests. This protects individuals from governments and companies monetizing personal data after the pandemic.
The COVID-19 pandemic has caused great suffering. Those infected with the virus need to be identified through testing so they can be treated, and others can be protected from infection. Reasonable and carefully crafted surveillance measures as part of a response strategy can help governments stop the spread of COVID-19 while at the same time protecting human rights. However, this will require governments and their citizens to work together to ensure that emergency measures comply with international human rights law. Without reasonable and carefully crafted surveillance measures, there is a risk that these surveillance measures will be used for other, less benevolent purposes in the future.