This post is also available in: Español

On May 7, 2020, the Spanish Data Protection Agency (“AEPD”) published a technical note on data protection regarding the use of different technologies in the fight against COVID-19.

In this technical note, the AEPD stresses the need to assess and analyze the costs and benefits for society and the individual’s rights and freedoms to prevent the current uncertainty of the situation from leading to the misuse and abuse of personal data, causing loss of freedoms, discrimination or other harm.

The technologies briefly reviewed in this technical note are the following:

Geolocation by telecommunications operators

Telecommunications operators provide anonymized geolocation data about their customers at the request of the Government and the European Commission.

  • Threat? Since the information is anonymized at the outset, the AEPD considers that this increased use of data does not pose a greater threat than already existing risks (e.g., incomplete anonymization, poor control of contractors and cyberattacks).  
  • Benefits? Knowing population mobility patterns can be helpful for public authorities in any sector (infrastructure, health care, police). Any use of geolocation data to monitor global movements—with the police being able to request re-identification in certain cases—must comply with the criteria established by the health authorities.

Geolocation of mobile phones through social media

  • Threat? Geolocation of individuals from an IP address can be a threat to privacy, just like its regular use is in social media, but it could be more critical if enriched with other information on the use of social media by the user or by his or her profile. The AEPD considers that the terms of use of social media do not cover such processing.
  • Benefits? The AEPD refers to the health authorities, who should define (a) the purpose; (b) the granularity and format for prevention and control strategies; and (c) whether this represents an improvement over other sources already available. 

Apps, webs and chatbots for auto-test, information or appointment

  • Threat? They might pose a threat, depending on (a) how they are implemented (e.g., if launched hastily without proper controls); (b) their purposes; (c) the usual server-related risks; and (d) the risk of shutting down people who do not know how to use a computer or do not own one.
  • Benefits? If they are well built, they represent a great benefit: (a) they bring information and services closer to people; and (b) they free other channels such as the telephone from traffic.

Infection control apps

These apps (COVAPPS) collect infection data voluntarily provided by users based on selfless cooperation that, in theory, is not filtered by the authorities.

  • Threat? They might pose a threat, depending on (a) how they are implemented (e.g., if launched hastily without proper controls); and (b) whether their purposes are really altruistic. Also, (c) they could lead to stigmatizing neighborhoods or areas, if there is enough data quality and quantity. It is essential that the sample be significant in size and that nobody provides false or manipulated information.
  • Benefits? Unknown. Unreliability due to voluntary and uncontrolled use, which could contribute to the dissemination of fake news.

Contact tracing apps

These are contact tracing apps based on Bluetooth technology. Infected users can “declare” their condition, and people who have been in contact with them will receive a warning. Questions have arisen about who has control (centralized or decentralized) over each user’s identity and contact network.

  • Threat? Main threats: (a) personal relationships mapping; (b) re-identification through location; (c) protocol vulnerability regarding contact anonymization; and (d) public dissemination of signals. Centralized control poses greater risk of abuse.
  • Benefits? It depends on numerous factors: (a) the number of users; (b) whether users issue a sworn statement supervised by professionals (if possible); and (c) broad access to testing. The AEPD considers that, in the current situation, they will not be widely used.

Immunity passports

Digital immunity passports are based on color or QR codes to access establishments (e.g., similar to boarding passes).

  • Threat? They anticipate future mobile ID cards with health information. Common system risks (e.g., hackers, data cross-checking, metadata). According to the AEPD, this “pass” should be in paper format: mobile passports only make sense when remote downloads are available, or when the underlying information changes quickly, which is not the case.
  • Benefits? Only in specific areas. We are far from reaching the whole population. The AEPD favors apps for keeping health certificates and records up-to-date, safe and interoperable, and always managed by qualified personnel according to public control policies.

IR cameras for temperature screening

These are infrared cameras for massive temperature screening through facial recognition.

  • Threat? The AEPD insists on having a previously defined criteria by the health authorities and is concerned about the widespread use of this technology. Health data cannot be spontaneously collected and processed by any manager (risk of discrimination, stigmatization, and even public dissemination or leakage of sensible information). It can be useful in the work environment, with more extensive processing and additional guarantees.
  • Benefits? A false sense of security in the absence of criteria from the health authorities on (a) the value of a fever; (b) what other symptoms should be checked (there is a high percentage of asymptomatic carriers without a fever, and a fever is also a symptom of other pathologies); and (c) this technology is handled by unqualified personnel.

Each situation should be analyzed individually, carefully weighing the advantages and risks of adopting the least harmful measures to citizens’ rights and freedoms. As the saying goes, “haste makes waste.”

By Alejandro Negro and Adaya Esteban

This post is also available in: Español



45 artículos

Alejandro Negro



51 artículos