by Maria Chiara Meneghetti
Italy, alongside other European countries, has now entered the post-lockdown phase, relaxing its pandemic-related restrictions. After weeks of planning and discussions, the time has come to see contact tracing apps in action and assess their effectiveness in those European countries – like Italy, Spain or the United Kingdom – most affected by the pandemic.
Immuni, the designated Italian contact tracing app, made its grand debut at the beginning of June. It is too soon to tell whether this choice will prove useless or valuable in curbing the contagion. However, the debate on people tracking technologies has once again confirmed that, even when confronted with a global emergency that affected the European Union as a whole, Member States have chosen to move in different directions. The fragmented national solutions adopted by European countries on the necessity and proportionality of tracking measures are just one such example. At the same time, despite copious case-law on the concepts of “necessity” and “proportionality” in various legal contexts and jurisdictions, their practical assessment has proven to be challenging. When different interests need to be balanced against the background of complex technological solutions, proportionality turns into a delicate juggling act.
Back to the origins: what are tracking technologies?
Tracking technologies have dominated the headlines ever since “contact tracing apps” became a thing. Despite the current spike in popularity, this kind of technology has been around for longer than this pandemic.
“Tracking technologies” is a broad umbrella concept that encompasses a range of systems whose main function is to track the location of objects, vehicles, or devices and, consequently, the position of their owners or users. They span from passive systems like radio-frequency identification (“RFID”) tags on packages, which only transmit data when prompted by a reader, to more active systems such as GPS trackers that send location data in real time. As our lives became increasingly digitized, this technology evolved into cookies, web beacons and other tracking systems that made it possible to monitor not only Internet users’ locations (e.g. through IP addresses), but far more valuable information like user behaviors and preferences. Whether consciously or not, our data is already ingested and processed daily when we use city-mapping or food-delivery apps, as we navigate from one website to another or when we use our smart devices.
Many argue that privacy concerns around contact tracing apps are at odds with people’s inclination to sell (off) their personal data for the business purposes of hungry digital companies. Yet, I would argue that if such a measure stems from state law rather than a private action, it has a different impact and needs to be subject to specific legal safeguards. With contact tracing apps we are in fact facing the deployment of tracking technologies that enable governments to massively collect and access citizens’ sensitive data and monitor segments of their lives at an impressive scale and degree.
Why digital contact tracing?
The speed and intensity of the Covid-19 spread have created a number of trade-offs among different rights and liberties that governments have been trying to address. Freedoms of movement and association were the first rights to suffer severe restrictions to safeguard public health. However, the limits of self-isolation and social distancing measures have led many to believe that “digital contact tracing” mechanisms were the optimal alternative to monitor and contain the virus. Contact tracing is nothing new for the public health sector. It is generally the process of manually tracing and identifying persons who may have come in contact with an infected person (i.e. “contacts”) to alert them, test them and thus monitor the spread of a virus.
The digital translation of contact tracing procedures was therefore believed to improve and speed up the identification, tracking and management process, providing better control over the spread of the virus. This in turn would have allowed a swifter loosening of lockdown restrictions. Nevertheless, a state measure that may ultimately give central governments the means to monitor people’s movements and social interactions risks severely impacting citizens’ rights to privacy and data protection, raising fears of a new NSA-like scandal.
Countries around the world approached contact tracing in different ways. Pioneers in the roll-out of tracking technologies were Asian countries (like China, South Korea, and Singapore), partly because they experienced the first virus outbreaks, partly due to their lax privacy protection frameworks. Other countries soon followed with contact tracing solutions that spanned from deeply intrusive measures to milder alternatives. Hard-hit European states have also moved towards tracking technologies. However, contrary to other legal systems, in the European Union the deployment of intrusive state-backed measures that entail massive data processing and expose individuals’ privacy needs to meet a high threshold of legitimacy that finds one of its pillars in the principle of proportionality.
The European threshold of the proportionality principle
Under the EU framework, while privacy and data protection bear the status of fundamental rights, there are cases in which they can be legitimately limited as a result of a balancing against other conflicting rights. Article 15 of the European Convention on Human Rights, as well as Article 52 of the EU Charter of Fundamental Rights, allow for limitations to fundamental rights, as long as they (i) are provided by law; (ii) leave the essence of the right intact; (iii) pursue an objective of public interest or safeguard the rights and freedoms of others; and (iv) comply with the proportionality principle. Hence, limitations must be “appropriate” to protect the interest that requires protection, “necessary” as there is no less restrictive alternative to achieve the same result, and “proportionate” stricto sensu, namely the restriction must not be disproportionate to the result to be achieved. While the first three conditions are not difficult to meet during a health crisis, what is “appropriate”, “necessary” and “proportionate” to tackle this health crisis is the question around which the debate on contact tracing technologies has been revolving. The case-law of the European Court of Human Rights and of the Court of Justice of the EU provides guidance on how this assessment needs to be conducted.
Further guidance recently came from the European Data Protection Supervisor (“EDPS”) with the adoption of a “Necessity Toolkit” and, more recently, of its “Guidelines on proportionality”. Yet, the practical application of the principle by national legislators has proven to be challenging and has lacked a consistent approach. This was especially the case since the object of the proportionality assessment was a technology-driven legislative measure, which led to two consequences. First, there was no clear-cut distinction between the definition of the tracking solution (which has undergone various modifications on the run) and the evaluation of its proportionality (which on the contrary would assume that a measure has already been identified). Second, there was a – fatally – strict connection between the proportionality of the measure and the technical features of the different proposed alternatives. In other words: an assessment process that lacked a clear phase structure and was mainly technically focused.
In fact, while EU countries generally agreed on the appropriateness and necessity of implementing digital mass tracking measures to safeguard public health, when it came to identifying in practice what technological solution met these thresholds, in terms of effectiveness and lower intrusiveness, countries split. Less intrusive measures based on the collection of non-sensitive data (e.g. Bluetooth low-range device interactions instead of real-time GPS data or telecommunication data), on decentralized data retention models (instead of centralized ones) and on voluntary adoption (instead of a mandatory one) were preferable from the privacy perspective. However, these solutions generally mean less control or less precision, affecting the overall effectiveness of the measure, and thus, the achievement of the public interest objective. Doubts about effectiveness were also raised with regard to the digital nature of the chosen solution, as it might be unable to reach precisely the categories of people that most needed to be protected (i.e. the elderly). Also, it has been claimed that traditional manual contact tracing measures were just as effective, while less intrusive.
The result was a puzzle of national solutions, each apparently stemming from a different balancing of rights and none seemingly able to appropriately address the claims of the different sides of the debate. On one side, criticisms have been levelled against the unbalanced proportionality assessment of the measure, for privacy concerns unduly outweighed other fundamental rights at stake, leaving the final solution substantially ineffective (thus, unnecessary). On the other side, privacy watchdogs are already voicing their concerns over these apps, claiming they have a number of failures that dangerously expose citizens’ personal data.
What happens next?
Despite the overall proportionality debate, at the end of the day, the success of contact tracing apps will depend on a number of variable and unpredictable factors. Citizens’ trust in their national authorities will be a fundamental element to ensure the app has adequate take-up. The evolution of the virus will itself determine the usefulness of this solution compared to traditional forms of manual contact tracing (which states are still heavily relying on). Leaving aside any rushed judgment, what this situation has once again shown is the struggle of national legislators to balance different rights when faced with the implementation of complex technological solutions. Although laws and regulations are usually drafted under the principle of technological neutrality, the Covid-19 emergency offered an interesting example of states having to choose a specific technological product. Moving towards an increasingly digital society, we can expect that EU states will be required to assess the impacts of new technologies on the fundamental rights of their citizens in a growing number of cases. The challenges this scenario comes with are not few. The difficulty of assessing ex ante the possible impact of complex technological systems will increase. This will add to the risk that the assessment becomes obsolete – and therefore inaccurate – very fast, considering the rapid pace of digital change. And, above all, the danger still remains that, faced with the uncertainties of new technologies, EU states may reach different conclusions on how to balance conflicting rights, leading to fragmented protection regimes and a patchwork of national approaches towards digital developments.
For a general overview of China’s contact tracing “Alipay Health Code”, see https://www.nytimes.com/2020/03/01/business/china-coronavirus-surveillance.html and https://edition.cnn.com/2020/04/15/asia/china-coronavirus-qr-code-intl-hnk/index.html.
After the deprecation of “Corona100m”, South Korea currently has two apps, namely “Self-Quarantine app” and “Self-diagnosis app”. For more information on how contact tracing is performed in South Korea, see: https://www.technologyreview.com/2020/03/06/905459/coronavirus-south-korea-smartphone-app-quarantine/ and https://www.bbc.com/news/technology-52681464.
Among the other countries that adopted contact tracing apps: Iceland (“Rakning C-19”, https://www.covid.is/app/en), Israel (“Hamagen”, https://govextra.gov.il/ministry-of-health/hamagen-app/download-en/), India (“Aarogya Setu”, https://www.mygov.in/aarogya-setu-app/), Australia (“CovidSafe”, https://www.covidsafe.gov.au/), New Zealand (“NZ COVID Tracer”, https://tracing.covid19.govt.nz/) and Saudi Arabia (“Corona Map”, https://www.arabnews.com/node/1652171/saudi-arabia).
 European Data Protection Supervisor, “Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit”, 11 April 2017, available at: https://edps.europa.eu/sites/edp/files/publication/17-06-01_necessity_toolkit_final_en_0.pdf.
 European Data Protection Board, “Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data”, 19 December 2019, available at: https://edps.europa.eu/data-protection/our-work/publications/guidelines/assessing-proportionality-measures-limit_en.
Maria Chiara Meneghetti is a PhD Candidate in Legal Studies – International Law and Economics curriculum – at Bocconi University. She is interested in studying the impacts of digital and technological developments in several legal areas including privacy & data protection, cybersecurity, and contract law. Her research focusses on the challenges of ensuring the right to data protection in the digital age. She graduated from the University of Bologna and enjoyed her Brussels experience at the European Data Protection Supervisor. She is a qualified lawyer at the Bar of Milan.
Image created by Russell Tate. Submitted for United Nations Global Call Out To Creatives – help stop the spread of COVID-19.