by Alessandra Silveira, Joana Covelo de Abreu (Editors) and Tiago Sérgio Cabral (Managing Editor)
1. During the previous week there has been plenty of controversy regarding a proposal by the Portuguese Government to make the installation of the App “StayAway COVID” (“App”) – a mobile contact-tracing application designed to fight the pandemic – mandatory for large sections of the population. While the Government appears to have backed down from this idea (for now), the issue of European Union Law (“EU Law”) has been surprisingly absent from most of the debate around a measure of this nature, even though it should be front and centre and precedes even the issue of constitutionality.
As we will show in this text, it is difficult to argue against the conclusion that this subject should be considered as a matter of EU Law – and, consequently, that this is a question of fundamental rights protected by the European Union (“EU”). In the EU’s legal framework, privacy and personal data protection are fundamental rights enshrined within Article 16 of the Treaty on the Functioning of the EU and Articles 7 and 8 of the Charter of Fundamental Rights of the EU (CFREU). Since it is a matter regulated at EU level, the EU’s standard of fundamental rights’ protection is applicable before and above even the national constitutional standards of protection[i]. So, this is not just a Portuguese constitutional problem that can be solved in the light of the Portuguese Constitution – it is an issue of relevance to all European citizens which needs to be resolved in the light of the EU’s (jus)fundamental standards (see Article 51 CFREU).[ii] It is important to be aware that the Court of Justice of the EU (“ECJ”) has, in the past, struck down constitutional provisions from Member States to ensure the adequate protection of fundamental rights of privacy and personal data protection[iii]. This is because not all Member States have the same level of (jus)fundamental protection.
2. Under the current legal framework in the EU, enforcing the use of any contact-tracing application on the general public (or on large sections of the general public, such as the entire population within the labour market, academia, schools and public administration) would always face some serious challenges.
3. For it to work as required, any application would have to store information and/or gain access to information already stored within the terminal of the user (the user’s smartphone). Therefore, it would fall within the scope of application of Article 5(3) of the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (as amended, also known as the “ePrivacy Directive”[iv]). As established by the ECJ in Planet49 – and in an opinion that is also shared by the European Data Protection Board (“EDPB”) in its “Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR [General Data Protection Regulation], in particular regarding the competence, tasks and powers of data protection authorities” –, if the controller is required to obtain consent under Article 5(3) of the ePrivacy Directive, it “cannot rely on the full range of possible lawful grounds provided by article 6 of the GDPR”.
4. There are two exceptions to the necessity of obtaining consent under Article 5(3) of the ePrivacy Directive: a) technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and b) [storage or access that is] strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service. None of them can be considered fulfilled for a mandatory contact-tracing application such as StayAway COVID.
5. Again, as established above, at this stage, the controller “cannot rely on the full range of possible lawful grounds provided by article 6 of the GDPR” and, therefore, legal bases such as the existence of a legal obligation or public interest (under Articles 6 and 9 of the GDPR) are not available.
6. It is not impossible for the data controller to argue that the operations of such an App would fall within the exception of Article 1(3) of the ePrivacy Directive. However, arguments that seek to rule out the application of EU Law based on national security/safety have a fairly low success rate before the ECJ. Recently the Court argued that “the mere fact that a national measure has been taken for the purpose of protecting national security cannot render EU law inapplicable and exempt the Member States from their obligation to comply with that law”[v].
7. Similarly, any attempt to argue that the mandatory installation of the App is a lawful restriction under Article 15 of the ePrivacy Directive would likely fail. Said Article contains a reference to Article 23 of the GDPR, meaning that any such restriction would need to be necessary, adequate and proportionate and also respect the essence of the rights and freedoms that are restricted. It is very unlikely that such a standard could be met, especially if we take into account that there is no conclusive proof about the App’s effectiveness and, in fact, there are some doubts around it (also resulting from the experience of other countries where similar applications have been implemented). In addition, creating an entirely new legal basis and completely bypassing consent under Article 5(3) of the ePrivacy Directive appears to go beyond what is permitted under Article 15 of the ePrivacy Directive.
8. Even if, hypothetically, it was possible to overcome the challenges raised by the ePrivacy Directive in a law-abiding manner, compliance with the EU’s legal framework would still be a long way from being guaranteed.
9. Complying with the rules in the ePrivacy Directive allows the App to be installed/to access certain information within the operating system. To further process said information and to collect and process new data, one must take into account the provisions of the GDPR.
10. As pointed out by CNPD (the Portuguese Data Protection Supervisory Authority), even if the App is not a geolocation App, and the use of Bluetooth Low Energy (“BLE”) is far less intrusive than, for example, GPS would be, there are still some dangers to the users’ privacy. Firstly, for the App to work the user must go about his/her life with BLE permanently on. This opens the door to tracking by third parties (even assuming that there is no chance for tracking based on the App itself). In fact, leaving your Bluetooth connected when not using it is generally known as a bad cybersecurity practice. For what it is worth, battery life could also be impacted.
12. In addition, since there are legitimate doubts regarding how effective the App is, one could also question whether the data processing operations are adequate, relevant and necessary (limited) for the purpose of stopping the spread of the pandemic. We may also question whether making citizens install this type of App can really be a fair type of data processing… If a complete assessment were to be performed, we seriously doubt that the App could be considered as compatible with the general principles of data protection enshrined within article 5 of the GDPR.
13. What could then happen if an App of this nature were to be made mandatory:
a) The European Commission (which has maintained that contact-tracing Apps should be voluntary in the EU) could start an infringement procedure against Portugal. Citizens can submit a complaint to the European Commission through this form.
b) National courts are bound to uphold EU Law (even when in conflict with national law), therefore any fine levied against a citizen for not installing the App should ultimately be struck down.
c) Public administration is also bound to uphold EU Law (even when in conflict with national law), and in this manner enforcing the installation of the App could become problematic.
d) Citizens could sue the Directorate-General for Health (“DGS”) as the data controller for infringing data protection law and the Portuguese State for infringing EU Law and be awarded compensation for the damages incurred.
e) CNPD could (and, in fact, as the Portuguese Data Protection Supervisory Authority is legally required to do so) fine DGS as the data controller for infringing data protection law. In addition, it could order DGS to stop all processing operations related to the App until the legal framework is again rendered compliant with EU Law.
f) Since both Google and Apple, who developed the underlying technology, only allow its use in voluntary applications, the App could be expelled from both the Google Play Store and the App Store.
However, this is just the beginning of a much needed discussion concerning the impact of digital tools on eHealth settlement in the EU… So, it is a tale to be continued, particularly on the needed administrative interoperability in such areas…
[i] José Luís da Cruz Vilaça/Alessandra Silveira, “The European federalisation process and the dynamics of fundamental rights”, Dimitry Kochenov (ed.), EU citizenship and federalism – the role of rights, Cambridge University Press (2017): 125-146; Alessandra Silveira, “Do âmbito de aplicação da Carta dos Direitos Fundamentais da União Europeia: recai ou não recai? — eis a questão!”, Revista Julgar Online 22 (2014): 179-209, http://julgar.pt/do-ambito-de-aplicacao-da-carta-dos-direitos-fundamentais-da-uniao-europeia-recai-ou-nao-recai-eis-a-questao/
[ii] Alessandra Silveira, “Comentário ao artigo 51.º – Âmbito de aplicação”, Alessandra Silveira/Mariana Canotilho (eds.), Carta dos Direitos Fundamentais da União Europeia Comentada, Almedina, Coimbra (2013): 572-589.
[iii] Judgment of the ECJ in Commission v. Hungary (C‑288/12), especially paragraphs 39 and 40.
[iv] The abovementioned provisions of the ePrivacy Directive are mirrored within Portuguese Law n.º 41/2004, of 18 August 2004 (as amended) and should also be included in other Member States’ national implementing laws.
[v] See the Judgments of the Court in La Quadrature du Net and others (joined cases C‑511/18, C‑512/18 and C‑520/18) and Privacy International (case C‑623/17).