This article originally appeared (in French) in newsletter no. 17 of the VP-IP Chair, Data, Identity, Trust in the Digital Age for April 2020.
First, as we are all going through this peculiar time, we would like to wish you and your family all the best in your daily lives.
The coronavirus pandemic and the unprecedented measures to fight it have indeed provided us with an opportunity to measure and assess the impact of digital technologies on our societies, including their legal and ethical inconsistencies.
While digital technologies offer undoubted potentialities, including at a time of major crisis, risks to our fundamental freedoms appear even more clearly.
Without taking the easy, self-delusional way and adopting an ad hoc techno-solutionist approach, it seems relevant to analyse the current situation and look back forty years ago, at a time when the internet and digital technologies could not support us in mitigating the impact or providing a prompt and collective international response to the crisis.
The essential benefits of digital technologies in the current health crisis
Whether by helping pursue business through distance working and videoconferencing or maintain family ties and friendships, digital technologies, in their various uses, have proven extremely useful in the current outstanding circumstances.
Without such technologies, the picture would clearly have been much worse, and the way of life during the lockdown has made us embrace would have been much harder to adapt to. Besides, without them, outpatient care would have been much harder to ensure, and learning continuity for students in elementary, secondary and higher education would have been impossible to uphold.
Compared to past decades and centuries, networks and their subsequent opportunities for distance communication as well as for access to knowledge are tremendously powerful assets in organising life today.
The current health crisis also reminds us – quite forcibly, given the emergency of the situation – of the importance of research in today’s societies, which are characterised by new and unforeseeable facts in a context of unprecedented globalisation and human mobility.
Whether focusing on coronavirus testing, immunity, treatment of the disease or potential vaccines, research proposals responding to tenders from France and Europe also feature aspects related to computer science and social sciences; in particular, aspects related to mapping the pandemic and its developments, helping improve healthcare delivery, or managing extreme situations.
Digital technologies are allowing all researchers involved in such projects to keep networking and exercising collective and prompt thinking, while providing through telemedicine – although still at an early stage – an impulse allowing to better manage, or at least to significantly offset, the current crisis and its developments.
Economically, although many aspects of the economy have been completely upset and France’s reliance on imports has created certain tensions – e.g. the discussions on protective masks, widely covered by the media. However, other sectors are far from being in crisis and even experienced a surge in demand. Specifically, it is the case for companies in the field of telecommunications and related sectors such as e-commerce.
Risks related to personal data
While this crisis has entailed a significant increase in digital use, the current situation also poses flagrant risks when it comes to personal data.
Technically, the amount of data currently flowing is unprecedented. Almost all information pertaining to teleworking is stored on companies’ servers and transits through third-party interfaces to workers’ homes; and so is the amount of data related to our privacy, including friendships, social and family lives, that is provided to internet and telecommunications companies. Indeed, aside from the people we are confined with, all our communications are now taking place through networks more than ever.
This demonstrates how widely the data currently produced and processed can be disseminated and manipulated and, in turn, how threatening the situation could become, both at the individual and collective level, if it were used in violation of the fundamental principles regulating.
Yet, in this regard, very few guarantees exist at the moment, as the relevant social contract is still a work in progress.
Non-GDPR compliant Companies have not put an end to their practices [1] and the massive use of new types of online matchmaking systems keeps creating generating risks given the sensitive data that is or may be collected. Examples include debates on data protection policies for online medical consultation and prescription-writing platforms [2]; the urgent implementation of online classes provided through platforms whose privacy policies are questionable, or even downright dubious – among many others Collaborate or even Discord, qualified by some as a ‘spyware’ –[3] as well as the increasing use of videoconferences, for which some platforms don’t provide sufficient guarantees as regards personal data protection issues or have come under extremely serious attacks after their capacities in terms of cybersecurity and communications confidentiality were assessed.
As for Zoom, in particular, a very popular platform at the moment, it was “exposed that the company was sharing information on some of its users with Facebook and could surreptitiously search their LinkedIn profiles without their knowing.”. [4]
Some risks are even more global, for instance as regards the uses that could be made of geolocation, on which France’s data protection authority, the CNIL [5], as well the European Data Protection Board [6] and the European Data Protection Supervisor [7] issued clear opinions and are currently being consulted.
Generally speaking, mobile tracking apps, such as the French government’s StopCovid app [8], and, particularly the issue of personal data aggregation should be given particular attention, as widely reflected by French [9], European [10] and international media [11]. The CNIL has called for vigilance and issued recommendations on the matter [12].
The current situation is exceptional, thus calling for exceptional measures that should only affect our freedom to travel, our right to privacy and our right to data protection as long as they stay strictly in line with our fundamental principles: necessity, proportionality, transparency and loyalty, to name but a few.
The least intrusive strategies should be prioritised. In this respect, the CNIL President, Ms Marie-Laure Denis reminds that “[p]roportionality may also be assessed in relation to the temporary nature, required by crisis management only, of any considered mechanism.” [13]
Exceptional measures therefore should only be implemented for the duration of this exceptional situation. They should not be long-term nor undermine our fundamental rights and freedoms. This threat requires specific vigilance, as previous cases of transitional measures adopted in response to exceptional situations (e.g. the Patriot Act in the United States; the state of emergency in France) have sadly shown that such measures were prolonged notwithstanding some reservations as to their necessity, and that part of them were embedded in general law, thus becoming a part of our daily lives [14].
The VP-IP Chair is developing – “Data, Identities, Trust”
Naturally, this situation will be scrutinized in the studies provided by our multidisciplinary research Chair. In this respect, we would like to announce several decisions we have taken, whether or not related to the current crisis, as evidence of our continuing work.
First of all, the Chair is adapting to the new circumstances required by COVID and lockdown measures. Instead of simply postponing our open events, we have decided to maintain most of them by implementing new organisational arrangements. Therefore, we will still be holding the meeting that was meant to take place on 25 June, through means that do not require physical presence yet still allowing for exchange.
Besides, we have discussed ways of developing our Chair with our partners, both in terms of form and substance; as a result, our graphic charter is likely to change, and a subtitle will be added to our name.
We are now called the Chair VP-IP – which still stands for Valeurs et Politiques des Informations Personnelles, or Values and Policies of Personal Information) – and our subtitle will be “Data, Identities, Trust in the Digital Era”. This choice aims to increase the visibility of our research subjects in what has become the second phase of our history.
We have indeed launched a process of reflection on ways to develop our research topics, still in keeping with the issue of values and policies of personal information – which is, more than ever, a topical issue, as can be noticed day by day.
Since 2013, the scope of this issue has kept widening as uses and technologies have developed, among which the Internet of Things and algorithmic constructs, to name just a few.
In the Chair’s next letters, we will introduce these research topics more precisely.
Last, the Chair is internationalising even more, including by involving a certain number of European researchers and academic institutes in its works, in an open spirit of networking and multidisciplinary interactions, reflecting current and future issues and in keeping with what has always been the Chair’s main focus: respect for our common values.
Claire Levallois-Barth, Associate Professor of Laws at Télécom ParisTech (France), Coordinator of the Chair Values and Policies of Personal Information
Maryline Laurent, Professor in Computer Science at Télécom SudParis, co-founder of the VP-IP Chair
Ivan Meseguer, European Affairs, Institut Mines-Télécom, co-founder of the VP-IP Chair
Patrick Waelbroeck, Professor of industrial economics and econometrics at Télécom Paris, co-founder of the VP-IP Chair
Valérie Charolles,Researcher in philosophy at the Institut Mines-Télécom Business School, member of the VP-IP Chair, Researcher associated with Institut Interdisciplinaire d’Anthropologie du Contemporain (EHESS/CNRS)
[1]While the CNIL imposed a €50m fine on Google LLC on 21 January 2019, Sweden’s data protection authority fined the firm approximately €7m on 11 March this year, blaming it for not complying with data subjects’ right to have certain search results removed when using the Google search engine, even as the Datainspektionen had ordered Google to remove a number of search result listings in 2017. Moreover, the Swedish authority considers that Google does not have a legal basis for informing site owners when search result listings are removed, and especially which webpage link was removed and who was behind the delisting request,
https://www.datainspektionen.se/nyheter/the-swedish-data-protection-authority-imposes-administrative-fine-on-google/.
[2] Comment Doctolib se sert de nos données de santé ? [How is Doctolib using our health data?], FranceInfo Survey, 18 February 2020, https://www.francetvinfo.fr/sante/professions-medicales/enquete-franceinfo-comment-doctolib-se-sert-de-nos-donnees-de-sante_3825805.html
[3] Coronavirus. Faut-il suivre ses cours via Discord ? [Coronavirus : should you use Discord for classes?], Ouest France, 22 March 2020, https://www.ouest-france.fr/sante/virus/coronavirus/coronavirus-faut-il-suivre-ses-cours-discord-6788715.
[4] See, in particular, https://www.lemonde.fr/economie/article/2020/04/07/la-fulgurante-ascension-de-l-application-de-visioconference-zoom-freinee-par-des-failles-de-securite_6035862_3234.html.
[5] CNIL, Crise sanitaire : audition de Marie-Laure DENIS, Présidente de la CNIL, devant la commission des lois [Health crisis: hearing of Marie-Laure DENIS, CNIL President, before the Law Commission], 8 April 2020, https://www.cnil.fr/fr/crise-sanitaire-audition-de-marie-laure-denis-presidente-de-la-cnil-devant-la-commission-des-lois.
[6] European Data Protection Board, Guidelines 04/2020 on the use of location data and contact-tracing tools in the context of the COVID-19 outbreak, adopted on 21 April 2020, https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf.
See also, on using health data for scientific research, European Data Protection Board, Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak, adopted on 21 April 2020, .
[7] Wojciech Wiewiórowski, EU Digital Solidarity: a call for a pan-European approach against the pandemic, 6 April 2020, https://edps.europa.eu/sites/edp/files/publication/2020-04-06_eu_digital_solidarity_covid19_en.pdf, in which he states: “Responsibility also means, however, that we should not hesitate to act when it is necessary. There is also responsibility for not using the tools we have in our hands to fight the pandemic”.
[8] Tracking : pourquoi le projet d'application StopCovid est si controversé [Tracking: what makes the StopCovid app project so controversial], La Tribune, 10 April 2020, https://www.latribune.fr/technos-medias/tracking-pourquoi-le-projet-d-application-stopcovid-est-si-controverse-844671.html.
[9] Géo-tracing ? Quels enjeux ? [Geotracking: what is at stake?], Le Monde du droit, 8 April 2020, https://www.lemondedudroit.fr/decryptages/69487-geo-tracing-quels-enjeux.html, or further, « L’application StopCovid retracera l’historique des relations sociales » : les pistes du gouvernement pour le traçage numérique des malades [‘The StopCovid app will trace social contact history’: the government’s ideas to digitally track infected people], Le Monde, 8 April 2020, https://www.lemonde.fr/planete/article/2020/04/08/stopcovid-l-application-sur-laquelle-travaille-le-gouvernement-pour-contrer-l-epidemie_6035927_3244.html..
[10] Covid-19 : les opérateurs européens partageront les données utilisateurs avec Bruxelles [Covid-19: European operators to share user data with Brussels], Zdnet, 26 March 2020, https://www.zdnet.fr/actualites/covid-19-les-operateurs-europeens-partageront-les-donnees-utilisateurs-avec-bruxelles-39901319.htm?utm_term=Autofeed&utm_medium=Social&utm_source=Twitter#Echobox=1585226348,
Bruxelles va encadrer les applications de tracking [Brussels will regulate contact-tracing apps], Les Échos, 8 April 2020, https://www.lesechos.fr/tech-medias/hightech/bruxelles-va-encadrer-les-applications-de-tracking-1193349.
[11] [Covid-19] Chine, Corée du Sud, Allemagne... Comment les applications de « tracking » se déploient dans le monde [Covid-19. China, South Korea, Germany… How tracking apps are spreading worldwide], L’Usine nouvelle, 8 April 2020, https://www.usinenouvelle.com/editorial/covid-19-chine-coree-du-sud-allemagne-comment-les-applications-de-tracking-se-deploient-dans-le-monde.
[12] CNIL deliberation n° 2020-046, of April 24, 2020 delivering an opinion on a proposed mobile application called ‘StopCovid”, https://www.cnil.fr/sites/default/files/atoms/files/deliberation_of_april_24_2020_delivering_an_opinion_on_a_proposed_mobile_application_called_stopcovid.pdf.
[13] CNIL, Crise sanitaire : audition de Marie-Laure DENIS, Présidente de la CNIL, devant la commission des lois [Health crisis: hearing of Marie-Laure DENIS, CNIL President, before the Law Commission], 8 April 2020, p. 15, https://www.cnil.fr/fr/crise-sanitaire-audition-de-marie-laure-denis-presidente-de-la-cnil-devant-la-commission-des-lois.
[14] On the Patriot Act, see, in particular, Comparative Legislation Paper « Le Patriot Act : Coopération entre services chargés de la prévention et services chargés de la répression du terrorisme » [Patriot Act: Cooperation between prevention authorities and authorities in charge of the suppression of terrorism], French Senate, Department of Parliamentary Initiative and Delegations, LC 263, February 2016, which introduces its provisions, extensions and the two subsequent acts, https://www.senat.fr/lc/lc263/lc263.pdf. On the state of emergency in France, its extension and the provisions that have been embedded in ordinary law, see, in particular, website of the Paris Bar lawyers, L’État d’urgence dans le droit commun : quand l’exception devient la règle au mépris des libertés [The state of emergency in ordinary law: when the exception becomes the rule in violation of freedoms], http://www.avocatparis.org/letat-durgence-dans-le-droit-commun-quand-lexception-devient-la-regle-au-mepris-des-libertes.