COVID-19 has reignited concerns and debates over privacy and data protection. Tracing, tracking, massive data collection, ‘war’ against the (invisible) ‘enemy’, ‘front-line’ workers—as in every crisis, many governments have used war rhetoric to justify curtailment of important human rights in the sacred cause of public safety. Data protection is frequently one of the first rights to undergo significant erosion when disaster strikes, yet its function as a shield for other human rights and democracy, especially at times like these, is often overlooked.

A brief history of data protection
Personal data is any data related to an identified or identifiable individual. This may be a first name, surname or email, but also an IP address, geolocation data or other information. Concerns over protection of such data have been around for more than 50 years. New technological developments in the late 1960s led to discussions within the Council of Europe (CoE) Parliamentary Assembly. This resulted in the first international instrument to explicitly address data protection, Convention No.108, for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (1981). Even before this, several European countries, including Portugal, Spain and Austria, had already granted constitutional status to the protection of personal data.

The European Court of Human Rights (ECtHR) started to rule on data protection issues through Article 8 of the European Convention on Human Rights (ECHR), the right to private life, after the adoption of Convention No. 108. However, this little-known Convention does not enter the ratione materiae remit of the ECtHR as it is not an additional protocol to the ECHR.

In the mid-1990s, the European Union followed in the footsteps of the CoE and adopted Directive 95/46/CE on the protection of individuals with regard to the processing of personal data. Some years later, the Charter of Fundamental Rights of the European Union (CFREU) became the first legally binding international instrument to include protection of personal data in Article 8, which now reads ‘everyone has the right to the protection of personal data concerning him or her’. Most recently, in 2018, the European Union General Data Protection Regulation (GDPR) entered into force, forming the cornerstone for personal data protection in Europe.

Personal data protection, the poor relation of human rights
Despite the consensus of national and supranational authorities acknowledging the importance of personal data protection, there is a tendency not to consider it a fundamental right.

On the one hand, it is seen as one of the many corollaries of the longstanding and well-established right to privacy. Yet this is insufficient to substantively address all relevant issues. As Kokott and Sobotta highlight, data protection covers all personal data during its entire lifespan. However, while there is an undeniable and intrinsic link between privacy and data protection, the right to privacy alone may not adequately protect personal data, which can fall outside the scope of private life, depending on context.

On the other hand, data protection is often linked with financial objectives. The World Economic Forum stated in 2017 that ‘the global data economy is pegged at $3 trillion’, and according to the European Commission, one of the main reasons for harmonisation of data protection law within the EU is commercial benefit for European companies. Yet these considerations are far from human rights concerns.

The importance of data protection in times of crisis
The COVID-19 pandemic has put data protection back in the spotlight. It has emphasised the current trend of digitalising our environment and personal relationships. As the United Nations High Commissioner for Human Rights stated:

Increasingly powerful data-intensive technologies, such as big data and artificial intelligence, threaten to create an intrusive digital environment in which both states and business enterprises are able to conduct surveillance, analyse, predict and even manipulate people’s behaviour to an unprecedented degree. While there is no denying that data-driven technologies can be put to highly beneficial uses, these technological developments carry very significant risks for human dignity, autonomy and privacy and the exercise of human rights in general if not managed with great care.

The monitoring tools set up by governments, such as contact tracing and tracking applications and the implementation of massive cross-sectional databases, are all measures set to tackle the pandemic which seriously interfere with personal data protection. Human rights law allows for interference when the latter are prescribed by law, proportionate and pursuing a legitimate aim. Whereas tackling the COVID19 crisis is undoubtedly legitimate, many governments forget the principle of proportionality, which aims at restricting interference with fundamental rights to what is strictly necessary to attain the legitimate objective set. In the context of the pandemic, or in a broader picture, in time of crisis, interference must be circumscribed to the time of the crisis. Instead, currently several countries such as Belgium, Bulgaria and the Czech Republic are establishing legal frameworks allowing long-term massive data collection, matching and mining, and the possibility of the Digital Green Certificate acting as a ‘health passport’ is already under debate. The potential drift of such measures is the danger that they could lead to discrimination against individuals on the basis of health characteristics. Many questions have rightly been raised about COVID-19 vaccination campaigns, such as: ‘Will I be able to travel if I haven’t been vaccinated?’, ‘Will my child be accepted in school without vaccination?’ and ‘Can my employer impose vaccination on me?’ Despite some worries, curtailing the right to data protection is usually easily accepted by the population as most consider they have ‘nothing to hide’. Unlike the right to freedom of association, the right to education or the right to health, data protection is considered less important, and currently even more so given the objective pursued by governments, namely, tackling the crisis. However, the collection of numerous pieces of personal data on individuals, notably related to their health, may result in inequality and important threats to other human rights. Now that COVID-19 has made it acceptable to massively collect, store and cross data, trace and track the population, it will not be difficult to cross a further step in monitoring individuals’ private lives at the occasion of a next crisis, building on what is being established during this pandemic.

Aside from the implications of data protection in the context of a pandemic, data protection is essential in other emergencies. In times of political tension, democratic crisis or conflict, data protection acts as a shield for other human rights. For example, social media now plays a major role in denouncing human rights violations and democratic flaws. Using personal data such as pseudonyms, IP and email addresses, geolocation data and so on, to identify, track and muzzle opposition or criticism and to prevent peaceful demonstrations is a major infringement of freedom of expression and association. Individuals may also be subject to arbitrary detention, degrading and inhuman treatment or even be killed. Personal data can also be used to identify and target particular groups such as environmental campaigners or within the context of genocide or ethnic cleansing.

A culture respectful of personal data
Without oversimplifying these complex situations and despite the fact that little will stop a government deliberately deciding to ignore human rights, creating and cultivating a culture respectful of personal data in the first place can prevent further human rights violations.

On too many occasions, history has shown the disastrous consequences of the misuse of personal data. Yet, few individuals and governments understand and acknowledge the importance of this right in protecting democracy, the rule of law and human rights, which demonstrates the real lack of education pertaining to data protection.

In an era where, according to UN High Commissioner for Human Rights; ‘digital technologies that continually exploit data linked to people’s lives are progressively penetrating the social, cultural, economic and political fabric of modern societies’, it is important to reflect on the role of data protection in contemporary and future society.

Cite as: Bockstael, Cassandra. "Rethinking the Significance of Data Protection Rights in Times of Crisis", GC Human Rights Preparedness, 20 May 2021, https://gchumanrights.org/preparedness/article-on/rethinking-the-significance-of-data-protection-rights-in-times-of-crisis.html