Council of Europe Publishes a Report on Shortcomings in the protection of privacy and personal data

A new Council of Europe report has identified a number of shortcomings in the protection of privacy and personal data in some of the legal and technical measures adopted by governments to prevent the spread of the COVID-19 pandemic among the 55 African, Latin-American and European countries which have joined the data protection “Convention 108”. The reportDigital solutions to fight COVID-19 provides an analysis of the impact on the rights to privacy and data protection of the legislative framework and policies adopted by governments as well as an in-depth and technical review of digital contact tracing applications and monitoring tools.

It calls on governments to ensure transparency of digital solutions in order to ensure respect of the rights to privacy and data protection. It also regrets that in spite of numerous calls for coordination and interoperability of digital solutions to prevent the spread of the COVID-19 pandemic, countries have individually implemented widely diverging systems, thereby limiting the efficiency of the measures taken. Whilst aiming to assess how the measures adopted comply with the data protection convention, the report also contains recommendations on how to ensure the efficiency and resilience of the data protection framework.

In most countries, governments adopted emergency measures that gave governments extensive powers, usually only for a limited period of time. The report identifies shortcomings in a number of countries concerning compliance with the principles of “Convention 108” with regard to issues such as the requirement for a legal basis of the measures adopted, their proportionality and aspects such as their justification by public interest and the consent of the data subject for data processing. A particularly challenging aspect is the limitation of the purposes for data processing – the report points out that in some countries the boundaries between healthcare and police enforcement purposes have been sometimes blurred. The report also points to data protection risks related to the security, storage and sharing of data, which has led to the withdrawal of certain measures in some countries.