COVID-19: The Effect of Digital Measures Taken for the Tracking of COVID-19 on Personal Data
While New Coronavirus Disease (“ Covid-19 ”) , which affects the whole world , brings life to a standstill in many countries, states continue to take strict measures to ensure that individuals return to normal life as soon as possible. While it is possible to come across examples of some measures taken by government officials, some measures are experienced for the first time as the benefits of the digital age together with Covid-19 .
Thanks to the new technology , mobile applications, facial recognition systems, etc. whose purpose is to reduce / terminate the propagation speed of Covid-19 . methods, by governments and / or technology companies; identity, communication, location, health, biometric, visual and audio data can be processed.
Although an extraordinary situation is experienced globally, all these personal data processing activities must be carried out in accordance with the legislation of the relevant country and / or region regarding personal data.
1. Personal Data Processing Activities with Mobile Applications in Terms of Personal Data Protection Law ("KVKK")
As a result of the joint project carried out by the Ministry of Health, Presidency of Information Technologies and Communication Authority and all GSM operators, Pandemi Isolation Tracking Project (“ ITP ”) was launched as of April 9, 2020 .
1.1. What is ITP?
Isolation emerges as a measure applied by governments to slow down the rate of spread of the Covid-19 outbreak. With the ITP application;
People who do not comply with the insulation at home due to Covid-19 risk by the Ministry of Health stated that “You have gone out of your isolation zone by SMS . For everyone's good, please stay at home . ” message is being transmitted,
The situation of people who do not comply with the insulation application despite the warnings is shared with the security units as a second step
The necessary administrative measures and sanctions are provided by the police units,
The road control police teams can learn the details of the isolation violation by the people by questioning the information of the people who should be under isolation.
Accordingly, the name and surname information (identity data), telephone numbers (contact data), information about whether Covid-19 has passed (health data) and location information (location data) by the administrative authorities through ITP. It may be processed.
1.2. Evaluation of ITP within the framework of KVKK
1.2.1. Health Data
Health data, KVKK 'clearly is having the character of a private nature of personal data as specified Regulations on Personal Health Data' as defined in "identity-specific or identifiable natural person information about the health services available to people with all kinds of information about the physical and mental health" statement It is.
As a rule, personal and / or special personal data cannot be processed without the explicit consent of individuals, while in the presence of any exceptions set forth in Articles 5 and 6 of KVKK , they can be processed without seeking explicit consent.
Health and sexual life data, which have the characteristics of special personal data, are limited to the purposes of protecting public health , preventive medicine , conducting medical diagnosis , treatment and care services , planning and managing health services and financing ( persons , physicians, experts). physician, workplace doctor, etc.) or authorized institutions and organizations (Ministry of Health, etc.) without the explicit consent of the person concerned .
In addition, in the subparagraph (d) of paragraph 1 of Article 28 of the KVKK , “ preventive, protective and protective activities carried out by the public institutions and organizations authorized by law in order to ensure national defense, national security, public security, public order or economic security. it is regulated that the provisions of KVKK will not be implemented if it is processed within the scope of intelligence activities .
As stated in the public announcement titled What should be known under the Law on the Protection of Personal Data in the Process of Combating Covid-19 published by the Personal Data Protection Authority (" Institution ") , the public security of the current situation in accordance with paragraph 1 (ç) of Article 28 of KVKK and because it threatens public order , there is no obstacle to the processing of personal data by the Ministry of Health and public institutions and organizations covered by the above article .
Although there is no clear explanation about which institutions and organizations are authorized by the institution , the authorized institution for sending public health-related messages to people through telephone, message or e-mail within the framework of " relevant health institutions and organizations " Covid-19 in the above-mentioned public announcement. and it was described as an organization . In this context, Provincial Health Directorates affiliated to the Ministry of Health can be described as authorized institutions and organizations, limited to the purposes for the prevention of Covid-19. In addition , within the scope of preventive, protective and intelligence activities, intelligence units operating in order to ensure public security or public order can be cited as an authorized institution and organization, limited to activities aimed at preventing Covid-19.
1.2.2 Location Data
Location data , as defined in the Regulation on Processing of Personal Data and Protection of Confidentiality in the Electronic Communication Sector , means “ specific data that determines the geographical location of a device belonging to the public electronic communications service user and processed in the electronic communication network or through electronic communication service ” It is clear that there is personal data within the scope of KVKK as it makes people identifiable . In this context, in order to process location data, either open consent of individuals or one of the exceptions of explicit consent must be found.
The regulation on the powers of the Information Technologies and Communications Authority, announced on 25 March 2020, and by the administrative authorities, earthquake, etc. In emergency situations, it is regulated that people's phone and location information can be obtained. Although this arrangement aims to carry out the search and rescue activities quickly, the monitoring of Covid-19 cases can also be achieved in this way when we evaluate the situation. The relevant regulation also meets the exemption regulated in article 5 of the KVKK that personal data can be processed without explicit consent if it is seen by law .
On April 9, 2020, the Authority issued another public announcement on the Covid-19 Combating Position Data and What You Need to Know About Monitoring Mobility of Persons . A legal basis regarding the personal data to be processed through mobile applications and public announcements published by the Authority was created.
1.2.3. Compliance with General Principles of KVKK
Although, due to the nature of the pandemic situation and the arrangements made, it is possible for authorized institutions and organizations to process personal data, every personal data processing activity must comply with the general principles of KVKK . For this reason, personal data (identity, communication, health, location data, etc.) processed within the scope of the measures taken against Covid-19 should be processed for certain, clear and legitimate purposes in accordance with the rules of law and integrity, limited, and measured. . In addition, if the reasons requiring the processing of personal data disappear, the personal data in question must be deleted, destroyed or anonymized.
Example 1 : The transfer of health information collected through ITP to third party companies for purposes other than preventing Covid-19 will constitute an illegal personal data processing activity.
Example 2: Disaster and emergency situations in the Information and Communication Technologies Authority obtained by the phone number to people in order to carry out marketing activities will lead to an unconstitutional kullanılmasıhukuk personal data processing activities to be sent via SMS.
Example 3: Covidien-19 outbreak of the collected health and location information for the prevention, Covidien-19 outbreak be disposed after an end, for the purpose of their processing of personal data will be contrary to the principle of maintaining up time required.
As a result, mobile apps for ending the Covid-19 outbreak etc. personal data obtained by methods;
- It should be processed in accordance with the general principles of KVKK,
- Personal data should be deleted, destroyed or anonymized after the outbreak process ends,
- Necessary administrative and technical measures should be taken by authorized institutions and organizations and companies that carry out personal data processing activities.
2. Other Applications in Covid-19 Framework
In order to control the Covid-19 outbreak, many countries have started to use tracking methods provided by mobile applications and digital technology. China, Singapore, Hong Kong, South Korea, Israel and the Russian government also force just bought these applications, in Europe, the pan-European Privacy Protection Proximity Monitoring Initiative 's ( "PEPP-PT") continues preparations for the activation.
2.1.1. Face recognition system
In China, which is one of the most crowded countries in the world , metro service has been made free for the citizens who have registered face scanning in order to spread the facial recognition system that has been actively used since 2019 . While the widespread surveillance network in the country includes around 350 million closed circuit camera systems, closed circuit camera systems have been installed in front of the houses of the people under isolation within the framework of the measures taken by the government within the scope of Covid-19 .
Thanks to the facial recognition systems in China, the identities of the people whose images are recorded with the camera can be easily identified, and the images and information of the individuals can be reflected on the large screens in the squares even in small crimes such as passing in the red light . In addition, with the regulation issued in the country in 2019, the use of facial recognition feature on smartphones has become mandatory. Accordingly, it is possible to say that the Chinese government actively uses the facial recognition system in daily life.
So, what personal data of individuals are processed with this facial recognition system?
In line with the definition included in the General Data Protection Regulation No. 2016/679, biometric data in Turkish Law , “ the physical, physiological and behavioral characteristics of an individual, which enables the unique identification and confirmation of a real person with unique identifiers such as facial images or typewritical data. Personal data arising from specific technical processes related to the product.
In this context, although the visual data of the individuals are not evaluated as biometric data directly , biometric data processing will be in question if the images provide specific identification and confirmation of the person with specific technical procedures (facial recognition system, fingerprint reader, etc.).
As we mentioned above, with the artificial intelligence supported closed circuit camera systems in China; their faces can be identified and identified. In the light of this information, both the health and biometric data of people will be processed by using camera systems placed in front of the houses within the framework of Covid-19 measures, if their faces can be identified by specific technical procedures.
2.2. Singapore and Hong Kong
In order to prevent the spread of the Covid-19 outbreak, the Singapore government has launched the application Trace Together since 20 March , and the application can detect whether Covid-19 patients are in contact with others via Bluetooth signals . With this application, only phone numbers and Bluetooth signal information of individuals are collected.
In Hong Kong, wristbands that can be connected to smart phones are used. Through these wristbands, information is provided to governments about whether people leave the house and when the wristband is broken, removed or the wristband is disconnected from the smart phone, a warning message is sent to the Health and Safety Unit along with the person's location information. This warning message includes the age, gender, address and medical symptom information of the person, and the names and surnames of the infected people are not transmitted to the administrative authorities. In this context, we can say that the governments of Singapore and Hong Kong are trying to control the situation with a more individualistic approach that emphasizes the fundamental rights and freedoms of individuals.
2.3. Contact Tracking Technology with Apple and Google Collaboration
In recent days, Google has announced that it has documented people's trends and started publishing them using location information to assist with outbreak planning . Although location information is kept anonymously by Google, this personal data must be processed by Google by taking the necessary administrative and technical measures.
Following this announcement , Apple On April 10, 2020 , it announced that it has partnered with Google for contact tracking technology . The announcement is about Apple and Google developing applications and operating systems to assist with contact tracking. Although users can access these applications from the app stores on Android and iOS devices, it is stated that in the second stage of the study, this function will be integrated into basic platforms and a wider Bluetooth based contact tracking platform will be created.
As found in the technical document drafts published on Apple's official website , contact tracking method will alert users if they have recently contacted someone diagnosed with Covid-19 via Bluetooth signals, thereby preventing the spread of Covid-19 . Accordingly, it is possible to say that Google and Apple have joined the companies to which our personal data will be transferred together with Covid-19.
In summary, states resort to various digital measures to prevent physical, social, economic and psychological destruction caused by the Covid-19 outbreak. While applying these measures, personal data can be collected by authorized institutions and organizations and technology companies. In some countries, individuals' health, biometrics, communication, location, etc. are used with digital measure methods. While many data are collected, some countries use only location and disease information, taking milder measures.
Although public security and public order are under threat, personal data collected by authorized institutions and organizations and companies to prevent the Covid-19 outbreak ;
It should be preserved by taking the necessary administrative and technical measures,
It should be processed in a limited and connected manner for the specified purpose,
If the reasons that require the processing of the data disappear, the data should be deleted, destroyed or anonymized.
Although it is not yet clear when we will overcome the Covid-19 epidemic, the digital measures implemented / implemented due to this epidemic seem to bring more issues to data security and data privacy.