Data traffic and surveillance during a state of emergency

We are facing perhaps the biggest world crisis that today’s tech society has ever seen. The hurricane will pass, but the choices we are making right now could change our lives for years to come. Measures and actions currently shaping our economic, political and cultural lives will continue doing so in the future. Acting fast is essential, but long-term consequences should also be considered. Some short-term emergency measures could turn into everyday life in the not-so-distant future. Decisions that normally take years are now being made in a matter of days.

Two principal approaches are foreseen to mitigate the consequences of the pandemic – national solidarity and conforming to limitations of social distancing. Another increasingly discussed way of managing risks includes mass surveillance, monitoring of virus carriers and imposition of sanctions on those who violate the measures.

How do governments monitor citizens?

For the first time in human history, technology allows the monitoring of all citizens 24 hours a day. Governments have already undertaken population monitoring actions in the fight against the spread of COVID-19.

The most prominent case is China, where the State monitors people’s smartphones and uses millions of cameras for face recognition. In addition to this, people are obliged to check their body temperature and to inform the authorities about their medical condition. In this way, the competent bodies rapidly identify suspected coronavirus carriers but also follow the movement of the infected by determining every person that they have had contact with. This measure is easily applicable in China because of previous legislative amendments connected to smartphone use and its accompanying services.

In 2010, the government of China introduced the requirement for telecommunication services subscribers to register with their real identities. Additionally, bank accounts and social security numbers are associated with telecommunication subscriptions for services and apps installed on cellphones, and SIM cards are checked against the State database to ensure that a given number belongs to the respective user.

On 1 December 2019, China introduced an obligatory face scan for identity approval of each person registering their mobile phone.

On 10 March 2020, as a result of the outbreak, Beijing established the use of a “health code”. All Chinese citizens are obliged to install an app on their mobile phones and submit personal information about their medical condition. The app generates a QR code which appears in three colours classifying the health level of the user. Locals can only move around if they have an approved “green health code”, which requires the constant use of mobile phones.

In Singapore surveillance cameras, police officers and surveillance teams assist the government with finding close contacts of already confirmed cases in order to put them in quarantine. Furthermore, the Government Technology Agency (GovTech) and the Ministry of Health developed an app which uses Bluetooth to monitor and record the distance between app users and the duration of their meetings, thus establishing possible contact with virus carriers. Users agree to submit personal information which is encrypted and then sent to the Ministry of Health. The app was released for use by the government on 20 March 2020 but is not compulsory and the encrypted information is erased after 21 days.

On 16 March this year, Israeli Prime Minister Benjamin Netanyahu authorised the Israeli Security Agency to deploy surveillance technology, used in the fight against terrorists, to monitor patients with coronavirus. Data from the mobile devices of Israeli citizens has been collected since 2002. When the parliamentary commission refused to approve this measure, Benjamin Netanyahu authorised it with an “emergency decree”.

In the European Union, telecommunication service providers supply data to health authorities in Italy, Germany and Austria to monitor whether people follow the instructions for keeping social distance, as well as whether they stay in proximity to their homes during the epidemic. The location data currently being shared by the telecommunication service providers is aggregated and anonymous.

Another approach to mobile location surveillance is implemented in South Korea, where the government has created a publicly available map of mobile device data. Citizens can easily use the data to determine whether they have had contact with someone infected with the coronavirus. South Korea is frequently cited as a success case in its efforts to limit the spread of COVID-19.

What measures were adopted in Bulgaria?

In the transitional and final provisions of the State of Emergency Measures Act (SG, issue 28, 24.03.2020, amended and supplemented, SG, issue 34, 09.04.2020), additions were made to provisions 251b, 251c, 251d and 251d1 of the Electronic Communications Act.

The additions provide for a part of the data traffic (establishing an identifier of the used cells) of the telecommunication services users to be stored for a period of six months for the needs of the compulsory execution of the obligatory isolation and hospital treatment of persons, who have refused or failed to perform mandatory isolation and treatment under Art. 61 of the Health Act. The National Police General Directorate, the Sofia Metropolitan Directorate of Interior and the Regional Directorates of Interior have the right to request a reference to this data when it is necessary for the exercise of their powers.

Telecommunication operators must provide immediate access to the data traffic upon request of the respective head of one of the aforementioned public bodies. Subsequently, the Chairperson of a Regional Court or a judge authorised by him is notified. If, within 24 hours of the notification, the relevant judge refuses the request, the data should be destroyed immediately and the operator providing the electronic communication networks and/or services should be notified.

Misleading information has already appeared in the public space, stating that the police, without proving interest, can now access citizens' data and that this could extend to all and apply even after the state of emergency is lifted without judicial review.

First, access to data traffic may be granted only with respect to persons under Art. 61 of the Health Act – persons that are sick and infected with cholera, plague, smallpox, yellow fever, viral hemorrhagic fevers, diphtheria, typhoid fever, polio, brucellosis, anthrax, malaria, severe acute respiratory syndrome and tuberculosis with bacillus. The list of diseases may be supplemented by an order of the Minister of Health.

Second, by order of 25.03.2020, the Minister of Health introduces mandatory registration, notification and reporting of COVID-19 under Ordinance № 21 of 2005 on the procedure for registration, notification and reporting of communicable diseases, as each case of COVID-19 should be communicated and registered in accordance with the Ordinance.

Third, for access to data traffic to be required, the person must have been diagnosed with one of the listed diseases, registered as such, and must have refused or failed to perform mandatory isolation and treatment.

Fourth, there is judicial control, as the respective authorities immediately notify the competent judge and enclose a reasoned request. In order to avoid refusals due to lack of reasons, the request must be accompanied by data and evidence of the circumstances listed above, including the indication of the legal basis and the purpose for which access is required; user data; the data to be reflected in the report; the period; a full and exhaustive indication of the facts and circumstances determining the purpose of the request; the designated official to whom the data is provided.

If no information is provided, the court can make an official check whether the person has been diagnosed with any of the listed diseases and whether they have refused treatment.

Fifth, the possibility to monitor data traffic in cases besides criminal prosecution was provided in the Electronic Communications Act even before the state of emergency: in case of a signal concerning a person who has found or may find themselves in a situation endangering their life or health, and for the implementation of search and rescue operations. This change was introduced because of the significant importance of time in conducting rescue operations (for example in mountains). Often in such cases, administrative delays in allowing access to data traffic can be fatal in rescuing people.

What is data traffic?

Data traffic is the data created or processed within the activity of telecommunication operators, which is necessary for: tracking and identification of the source, duration, type and date of the connection; the user's end electronic communication device, as well as for establishing the identifier of the used cells.

It is impossible to reveal the content of a conversation or message by consulting data traffic. Data traffic is provided for a previous period. It is currently unclear whether law enforcement agencies have the technical capacity to monitor real-time data traffic with the assistance of telecommunication operators.

Taking into account the purpose of the law to bring to justice those who refused or failed to perform mandatory isolation and treatment, law enforcement authorities should make reasoned requests for data access only to establish the identifier of used cells of a particular person for the period of compulsory isolation or treatment.

It is important to note that the competent authorities cannot request all the information that falls within the scope of the so-called data traffic - the data that telecoms can provide.

How can we find out if our data has been accessed?

Data traffic, as well as data concerning health, is personal data and falls within the scope of EU law and Bulgarian legislation. More specifically, the processing of and access to personal data is subject to Directive (EU) 2016/680, which has been transposed into the Bulgarian Personal Data Protection Act.

According to the applicable legislation, Bulgarian citizens have the right to:

    ► receive information from the Ministry of Health as to whether they have been registered in the list of sick persons under Ordinance № 21 of 2005;

    ► receive information from telecommunication service providers as to whether their personal data has been provided to law enforcement agencies;

    ► last but not least, Bulgarian citizens have the right to receive confirmation from the law enforcement authorities whether personal data concerning them is being processed, and if so, they have the right to receive access to information regarding the legal basis for the processing, the processed categories of personal data, the recipients or categories of recipients to whom the personal data is disclosed, the envisaged term for which the personal data will be stored, and the right to submit a complaint with the supervisory authority.

The information listed above could be requested by data subjects exercising their rights under the GDPR, and more specifically the right of access under Art. 15 of the GDPR.

In this case, the person may request information from the controllers, which includes: the purposes of the processing, the respective categories of personal data to be processed, the third parties/categories of third parties to whom the data was disclosed and others.

The procedure for exercising rights under the GDPR is described in the Bulgarian Personal Data Protection Act (PDPA) - this can be done through a written application to the respective personal data controller, electronically or in another way determined by them.

Is our right of access to information absolute and does the controller have the right of assessment when we have submitted such a request?

Article 37a of the PDPA explicitly states that the controller has the right to refuse the full or partial exercise of rights under the GDPR, for instance when the exercise of these rights may pose a risk to: national security, public order and security, the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the prevention of threats to public order and security, etc.

It should be noted that according to Art. 355 of the Penal Code, a criminal act is an act by which a person violates an ordinance, rules or measures issued against the spread or emergence of a contagious disease in humans - this category includes quarantined persons in connection with the spread of COVID-19.

The above shows that if a person has requested access to data traffic from the competent authorities under the latest amendments to the Electronic Communications Act and that person wishes to exercise the right of access to their personal data (including categories of persons to whom it has been disclosed), it is possible that the controller of personal data - the relevant telecom - refuses to provide this information, as these actions could create a risk both to public order and security and to a potential investigation and detection of crimes.

The Commission for Personal Data Protection (CPDP) exercises control over data protection. The CPDP receives information from each enterprise providing electronic communication services regarding received and processed requests for access to data traffic according to Art. 261a, para. 4 of the Electronic Communications Act.

Thus, the CPDP has information on the level of interference in the private activity of data subjects by the competent authorities.

Why should we be wary?

The World Health Organization has called for stricter measures to monitor those infected with COVID-19.

In recent years, both governments and political parties around the world have used innovative technologies to track and monitor citizens.

For example, according to an analysis by a Bulgarian agency based on smartphone positioning technology, which detects devices with Bulgarian SIM-cards and/or using applications in Bulgarian on their smartphone, for the period between 11 and 17 March 2020 over 8000 such users travelled to Bulgaria.

The determination of the location, in this case, was made based on the geostationary positioning of the cellphone, access to statistical information of the Communications Regulation Commission on the number of Bulgarian SIM-cards and analysis of user behaviour when using personal mobile devices.

The pandemic could be an important turning point in the history of surveillance and monitoring of citizens. There is a risk that a state of emergency may normalise the use of mass surveillance tools in countries that have so far rejected such measures. Surveillance and tracking technology is evolving at an extraordinary rate, and what looked like science fiction ten years ago is now readily available. It is currently unknown whether the Bulgarian government has the technology to surveil, monitor and analyse citizens’ behaviour, or to collect data traffic outside the cases exhaustively specified by law.

On the one hand, it is reasonable to think that tracking infected people could help quickly identify contact persons and limit the spread of the infection. In Bulgaria, however, the aim of the measure is rather to influence the intention of citizens to violate mandatory isolation.

The negative effect, which must be closely monitored, is that temporary measures sometimes outlive periods of emergency.

For example, Israel declared a state of emergency during the 1948 War of Independence, justifying certain temporary measures, from press censorship and confiscation of property to special provisions related to households. The War of Independence is long over, but Israel has not yet issued an act to lift the state of emergency abolishing many of the 1948 "temporary" measures.

What we can do as a society is to exercise reverse control and request information as to why, for what purpose and on what legal basis our personal data, including data traffic, has been used and processed by third parties or law enforcement authorities.

If our rights have been violated as a result of illegal access to our personal data, we can seek responsibility and protection of our rights in court.
