Edoardo Celeste (Dublin City University)
The Covid-19 pandemic has often been compared with the Spanish Flu of 1918. Over the past few years, media circulated black and white images of people lying in hospital beds or wearing face masks, which spoke for their similarity with what the world witnessed over the past couple of years.
However, one of the biggest differences between the Covid-19 and the Spanish Flu pandemics lies in the use of digital technology. The pandemic that we have just lived through was a ‘technological’ one, as demonstrated by the use of digital technology for a variety of aims, such as contact tracing, symptom checking, quarantine and lockdown enforcement, mobility monitoring and telemedicine.
The technical choices related to the use of these digital solutions had a series of constitutional implications. Whether to make the use of contact tracing apps mandatory or voluntary, based on an opt-in or opt-out by the user, using location or proximity data, storing data in a centralized or decentralized way, resorting to private or public companies: these were all key questions that had to be addressed when deploying these digital technology instruments and that had a direct impact on the fundamental rights of individuals, and in particular on their rights to privacy and to data protection.
In the worst-case scenario, specific technical choices could lead to a higher risk of systematic state surveillance of individuals, for example through continuous monitoring of people’s location or by altering the original purpose of a digital app. A similar threat of function creep can also be mentioned in relation to private actors, who, thanks to opaque privacy rules, might easily reuse data collected for the original purpose of fighting the spread of the pandemic.
Of course, not only the rights to privacy and to data protection were under threat during the recent pandemic, but also other types of basic freedoms. In this context, it is interesting to observe different constitutional approaches among states. In some Asian countries, for instance, the rhetoric insisted on the need to sacrifice the privacy of individuals on the altar of public health. Despite some incautious statements, in the EU the approach was and had to be radically different. Fundamental rights are inalienable; they possess an inner core, what the EU case law has called the ‘essence’, that cannot be totally trampled.
In the EU, certainly, the first few months after the advent of the pandemic were quite confused, but the response adopted by EU institutions was clear. As stated by the EU Commission and the EU Data Protection Board, the bulk collection, access and storage of health and location data is prohibited. What contact tracing apps in the EU can do therefore is limit their processing to proximity data, i.e. information about the likelihood of virus transmission based on the epidemiological distance and duration of contact between two individuals. Data should be collected only for specific purposes and apps should be dismantled at the end of the pandemic to avoid risks of function creep.
However, despite the formal legality of the digital solutions adopted in the EU, the PRIVATT project funded by Science Foundation Ireland showed how people in Ireland continued to show a significant lack of trust in the digital technologies deployed by the government. This not only highlights a discrepancy between formal legality and legal reality, but also a worrying degree of data protection illiteracy among the population. This is an issue which the EU legislator tried to address with the General Data Protection Regulation (GDPR) but that is manifestly still an unsolved problem.
Other lessons learned related to the use of digital technologies during the Covid-19 pandemic are relevant also from a federalist perspective. Covid-19 was a test – or better, a ‘stress test’ – for federalism and its institutions. One of the main questions was that of the choice between harmonisation or interoperability of digital solutions in federal settings. Comparing the EU and the US, it is possible to observe that in both contexts, surprisingly, no single federal contact tracing app was deployed, leading to a fragmentation of national digital solutions. The EU only adopted a series of common, non-legally binding guidelines. Almost all EU member states apart from France adopted the same approach to digital technology solutions in Covid times, allowing for the creation of an EU gateway for member states’ apps to interact. Yet the gateway was used by only 19 states at its peak, raising doubts in relation to the effective success of EU harmonisation in this field.
Certainly, a full harmonisation of digital solutions to tackle the spread of the pandemic would hardly be seen as fully within the remit of EU law. However, advantages could have included a higher level of data protection compliance, increased social awareness and literacy about digital rights and the removal of a series of obstacles to a more ‘secure’ freedom of movement. What could instead be criticised is the de facto delegation of the duty to develop fundamental rights compliant digital solutions to fight the spread of Covid-19 to private companies, often non-European, in apparent contrast with recent EU digital sovereignty strategies and with the primary objective of the EU to preserve fundamental rights not only offline, but also online.
The views expressed in this blog reflect the position of the author and not necessarily that of the Brexit Institute Blog.