TR 
EN 
Due to the COVID-19 outbreak and its significant impacts in our daily lives, extremely intrusive data processing activities have been negotiated and taken into place by governments, public institutions, and organizations. In this respect, due to the measures taken in order to mitigate the risk regarding pandemic, many governments have decided to use geolocation tools to determine possibly infected ones by checking the routes that have been used by infected people. Moreover, most of patients are being tracked by governments via such systems to manage successful quarantine processes and enforce lockdowns.
In light of recent updates, European Union has initiated some actions to combat COVID-19 by virtue of the tracing applications and addressed the issues and aspects of data protection in this respect. In this information note, we will address recent measures concerning tracing applications and relevant privacy concerns.
Common EU Toolbox for Member States by eHealth Network on April 15, 2020 (“Toolbox”)
European Member States published a pan-European approach to define requirements and elements which will be considered necessary in terms of COVID-19 mobile applications for best practices. The Toolbox focuses on two main aspects regarding the contact tracing applications: contact tracing and social distancing effectively, and by virtue of anonymized and aggregated data, modelling and predicting the evolution of the virus.
The Toolbox stated that proximity tracing using Bluetooth Low Energy on mobile devices can be used to warn the individuals that they have been in close proximity with a COVID-19 positive patient. Therefore, the use of location data is not necessary nor recommended and the processing through such applications have to be done in line with the Guidance of April 16, 2020. Moreover, use of such applications have to be done in a voluntary basis and informed consents of the individuals should be taken. The applications should generate with pseudo-randomly ephemeral and periodically changing identifiers of the phones of users for privacy concerns. There are two types of retention for these arbitrary identifiers mentioned in the Toolbox. First option enables that these arbitrary identifiers, so the proximity data, related to contacts generated by the app only remains on the users’ own devices (“Decentralized processing”). The other option can provide that these arbitrary identifiers are stored on the server to which the health authorities have access (“Backend server solution”). Both of them can be used for designing such applications, yet, the European Data Protection Board (“EDPB”) stated that the decentralized solution is more in line with the minimization principle in regard to the privacy issues. However, hence information will be stored in users’ mobile devices, the second main focus of the Toolbox, modelling and predicting the evolution of the virus by virtue of anonymized and aggregated data, cannot be accomplished.
The Toolbox includes an annex that directs all essential parts and recommendations for mobile contact tracing applications and cross-border interoperability of them for uniting. The effectiveness of such applications and recommendations will be reviewed by European Commission (“Commission”) until June 2020 and Commission will publish a report evaluating the progress made which may include proposals for further follow-up actions.
Background
European Commission Recommendation of April 8, 2020 (“Recommendation of April 8, 2020”)
Commission adopted a recommendation sets up a process to address the crisis by digital means regarding practical measures for the use of COVID-19 mobile applications and mobility data for modelling and predicting the evolution of the virus. Such recommendation focused on building a common approach for the use of mobile applications on European Union level and a scheme for using anonymized and aggregated data on mobility of populations. Three main points highlighted by the Commission that should be taken into consideration to provide data protection in terms of the data processing during the outbreak: purpose limitation, data minimization, and storage limitation. The Commission stated that the data processing may only be performed for the purposes of combating the COVID-19 crisis, necessity of such processing should be checked regularly, and once the processing is no longer necessary, personal data concerned has to be irreversibly destroyed.
The Commission stated that in any event, pursuant to the Charter of Fundamental Rights of the Union, restrictions on the exercise of the fundamental rights and freedoms must be justified and proportionate. Such restrictions should, in particular, be temporary, in that they remain strictly limited to what is necessary to combat the crisis and do not continue to exist, without an adequate justification, after the crisis has passed.
European Data Protection Board’s Response Letter to European Commission of April 14, 2020 (“Letter of April 14, 2020”)
Following a request for consultation from the Commission, the EDPB adopted a letter on the Commission's upcoming draft guidance of April 16, 2020 emphasizing that all application initiatives must comply with the data protection principles. It is stated that to promote accountability of such applications, concerned applications should document their data protection impact assessments including all the implemented privacy by design and privacy by default mechanisms.
The EDPB stressed that the main motive of tracing applications is to discover the connections between the individuals that reasonable enough to cause an infection and so, COVID-19 to spread. Since, such discovering process can be conducted through bluetooth proximity technology, location tracking is not required. Moreover, the importance of a verification system, which checks whether a COVID-19 positive notification from an individual is accurate, emphasized. Hence, many notifications may be triggered to warn possibly infected ones, accuracy of COVID-19 positive information have to be certainly verified via, for example, one-time scan code presented by health authorities with the test result. Furthermore, the EDPB underlined that the individuals should be free to install or uninstall the applications and the individuals which do not choose to use them should not face any negative consequences. The EDPB also plans to publish its guidelines in the upcoming days on geolocation and other tracing tools in the context of the COVID-19 out-break.
European Commission’s Guidance of April 16, 2020 on Apps supporting the fight against COVID 19 pandemic in relation to data protection (“Guidance of April 16, 2020”)
The Commission released its non-legally binding guidance, which does not cover mandatory applications for enforcing quarantine requirements, on the data protection aspects of the voluntary applications that may support the fight against COVID-19 by categorizing significant functions of such applications. According to the Guidance of April 16, 2020, there are three types of functions in context of the voluntary application regarding COVID-19 which are informative ones, symptom checkers, and contact trackers. The Commission highly stressed that these three functions should not be bundled as one option which forces the individuals who downloaded such application to use all three functions. Informative applications only provide information regarding the pandemic. Therefore, such applications are not considered to be the ones that require collection of personal data. On the other hand, the symptom checkers preferably process health data and the contact trackers process proximity data.
The Commission advised that these voluntary applications should be designed in such a manner that the national health authorities are the data controllers and data subjects are provided with the necessary information in line with Articles 12 and 13 of the General Data Protection Regulation (“GDPR”) and Article 5 of the ePrivacy Directive. Moreover, data subjects should be provided with a platform that they can use their rights under the GDPR, in particular deletion. It is also stated that once the pandemic is declared to be under control, deactivation of such application and deletion of such data should be done without data subjects’ requests.
Measures in Turkey
The Republic of Turkey Directorate of Communications has announced that the Pandemic Isolation Tracking Project developed by the Ministry of Health against COVID-19 will be used in cooperation with the Ministry of Health, Information and Communication Technologies Authority and all mobile phone operators. Within the scope of the project, it is planned to track infected patients via their live location data provided by their mobile phone operators in order to ensure that they comply with the isolation rules. Under the project if the people who must be isolated at home leave their isolation places, a warning message will be sent to their phones and if they do not comply with the instructions, they will be reported to the law enforcement units. It is also stated that such location data obtained under the project will not be used for any purpose other than combating the epidemic and will be destroyed when risk regarding pandemic risk is over.
Turkish Personal Data Protection Authority also stated by an announcement that the processing activities which includes location data by the authorized public institutions within the scope of intelligence activities, national defense, public security and order shall be exempted from the provisions of the Law on the Protection of Personal Data No. 6698.
Author: Aslı Naz Ünlü
