Not just apps: privacy, personal data and COVID-19 in the western Balkans

The measures adopted by some Balkan countries to contain the pandemic have raised perplexity in associations and researchers who deal with privacy and digital rights. Emergency actions, derogating from the national rules of law, could translate into mass surveillance tools.

Published On: 18 Μαΐου, 2020
Not just apps: privacy, personal data and COVID-19 in the western Balkans_62d021e0bd060.jpeg

Not just apps: privacy, personal data and COVID-19 in the western Balkans

The measures adopted by some Balkan countries to contain the pandemic have raised perplexity in associations and researchers who deal with privacy and digital rights. Emergency actions, derogating from the national rules of law, could translate into mass surveillance tools.

Image: © elenabsl /Shutterstock

The use of health data to track infections and protect citizens has become one of the central issues of the coronavirus pandemic. In many countries, the restriction of movement has been accompanied by the use of surveillance, which in some cases has led to violations of privacy. While contact tracing and the collection of epidemiological data can be useful instruments for government and healthcare institutions, excessive discretionary power can endanger citizens’ fundamental liberties, and in certain countries even threaten democratic stability. In recent weeks, a variety of associations concerned with digital rights have stressed that the current state of exception should not become an excuse to introduce permanent control of the population.

Currently, much journalistic attention is focused on contact tracing apps. But these apps – the efficacy of which has been disputed – are not alone in posing problems for privacy and the protection of personal data. The European Data Protection Board (EDPB, the independent European agency for ensuring the respect of data protection laws) has recently stressed the importance of sharing health data between countries for research purposes. There are those who ask if GDPR (the General Data Protection Regulation) could be an obstacle in such situations, and won’t end up being set aside, at least temporarily. The EDPB’s response is that the regulation does not prevent collaboration between states for the purposes of scientific research – to develop a vaccine, for example. It also allows transferring data outside the European economic area. In such cases, the EDPB recommends adopting solutions which guarantee the fundamental rights of the subjects concerned.

For about two months now, the Balkan Investigative Reporting Network (BIRN), together with the SHARE foundation, has been monitoring the situation from the perspective of digital rights in central and south-eastern Europe. Privacy International is doing the same on a global scale . Let’s take a look at what has been happening in specific Balkan countries.

Problematic initiatives

In Serbia, president Aleksandar Vučić has made some rather controversial declarations in recent weeks. For example, Vučić has said that citizens’ phones were being tracked, including the phones of people from countries at risk, Italy in particular. This gave rise to confusion as to the legal basis of such actions. On March 26, on the health ministry’s website , data was published on two patients who had died of the coronavirus (initials, gender, date of birth, hospital, and other general clinical data). This was a problematic decision, given that it could lead to the identification of the deceased. 

The SHARE foundation then revealed on April 20 that the password for the Informacionom sistemu Covid-19, the centralised system gathering all data on monitored individuals, had been left public for eight days. This was discovered after a basic Google search performed by the foundation on April 17 (the password had been visible since April 9). The authorities were immediately notified, and the problem was fixed. “It is the responsibility of the healthcare institutions to appoint a person for the protection of personal data”, declared SHARE, “but due to scarcity of resources these positions are often filled by people who are not properly trained, and whose expertise is often in a completely different field”. Furthermore, the foundation discovered that for each health institution there was just one user profile, making it impossible to establish direct responsibility for what had happened. On May 8 the parliament voted to end the country’s state of emergency, which had been in place since March 15, following a reduction in the number of confirmed cases.  

In Bosnia and Herzegovina, an aggressive policy condemning violations of quarantine measures was put in place by the government. On March 24 a list of people who had violated the self-isolation order was published. These lists (containing the names and towns of people concerned) are still being published. This is despite the fact that national authorities for the protection of data have repeatedly declared such practices illegal.

In Croatia, at the end of March, the government proposed an amendment to the law on electronic communication, which concerns authorities’ ability to ask phone companies for geolocation data. The proposal caused concern, not so much for the aim, but rather for the lack of clarity and the insufficient protection of privacy. For example, the text of the proposal did not establish who could be monitored and for how long, or what the authorities would do with the data and how the individual would be informed of being tracked.

The proposal was suspended after the president of the parliament, Gordan Jandrokovic, requested that the constitutional court provide a judgement. The latter responded a few days ago that the parliament is not authorised to ask for an opinion, and that it should therefore proceed with legislation. If questions of constitutionality were to arise later, the court would then intervene with a verdict. Another notable occurrence in Croatia was the publication of a, a website allowing users to anonymously report people who violate the stay-at-home order, promising that reports would be sent to the Interior Ministry. Shortly after its publication, the site was removed.

In late March, with a tweet , the Montenegro government revealed a website with the names of people under quarantine. The page was later removed (though it is still cached at Internet Archive ). A number of rights organisations expressed their concern for this and other government decisions, fearing an intention to exploit the current situation to limit freedoms long after the pandemic. Sofija Todorović, project coordinator of BIRN, was not able to confirm that the removal of the site was due to the actions of civil society. The investigative network has submitted a series of questions to the government, and is currently awaiting clarification.

In any case, the government’s action has already led to serious consequences. There is a website enabling users to geolocate people under self-isolation, demonstrating the risks associated with the careless handling of sensitive data. The coordinator of the NGO Građanska Alijansa , Zoran Vujicic, has said that on social media people tend to discuss individuals placed under isolation, even when no rules are being violated, thus contributing to stigmatisation.

North Macedonia leads the way in the Balkans when it comes to the development of a contact tracing app. The StopKorona! app was made available for download on April 13. According to the developers (Skopje-based company Nextsense), the app is built around bluetooth connections and a decentralised data collection system. Those testing positive for COVID-19 can announce it with the app, thereby informing all users with whom they have been in recent contact.

Only then is data sent to “a secure server belonging to the health ministry”, explained the minister for information Damjan Manchevski. “No other user will have access to telephone numbers, nor will any other personal data be stored”. On April 28 the government asked the health minister to establish a working group to have the code of StopKorona! analysed by independent experts. The aim is to verify that the code is in line with the scope of the application, and that security can be guaranteed.

Going back

What many fear is that what happened with nuclear weapons could happen with the coronavirus containment measures. As Marina Favaro explains in Outrider, “current and unknown future security threats in the world require extraordinary measures. These measures usually go against societal norms and rules. In other words, they result in enormous investments in weaponry over other public goods like healthcare. And, they result in persistent threats of mass violence against civilians. Nuclear weapons are so closely associated with national security that nuclear deterrence proponents are easily able to frame themselves as being on the side of security and opponents as security threats.” The term used to describe this process is securitization. One major problem is that, once the “security” measures have been put in place, going back (desecuritization) is extremely difficult.

Following the end of the cold war, a long process of disarmament was begun, but never finished. The fear is that with the coronavirus something similar can happen, or is already happening. “If extraordinary measures like widespread surveillance don’t end with the state of emergency, then these measures start to constitute the new normal,” writes Favaro. “If COVID-19 is indeed war, then we need to plan now for its desecuritization. We must plan to move the issue out of the sphere of security and back into the realm of appropriate democratic debate.”

We discussed this question with Łukasz Krol, researcher and lecturer at the College of Europe in Warsaw, concerned with technology and how it interacts with social realities. “One of the problems relating to privacy and the use of personal data during the pandemic is the difference between the technical and political dimensions of choices being made. Governments often focus attention on technical questions (as in the case of contact tracing apps) to avoid having to justify the political choices underlying the development and implementation of the technologies in question. States should involve the relevant civil society organisations, in this case those concerned with privacy, data protection and digital rights”.

Stay up to date with our newsletter!