The legal challenges posed by the new technologies emerging from the health crisis

By Xavier Ribas

Authors: Xavier Ribas & Ramon Baradat

In every crisis, there are some who come out stronger. The great beneficiary of the current health crisis is clearly the tech industry, as companies have been forced to accelerate the process of technological transformation. Yet, whilst new technologies are our main allies in the fight against Covid-19, their use clearly comes at a price, from a legal perspective as well.

Professionals from this sector must thus analyse the proposals put forward each day, identify the risks and take the necessary steps to minimise the impact of technology on people's rights and freedoms. Let’s look at a few examples.

First, we have the much talked-about Covid-19 self-assessment apps, which involve a high volume of personal data processing, including sensitive data such as health data. Some of these tools use geolocation to verify that users are in the autonomous community they claim to be. Both the European Commission and the Spanish Data Protection Agency (AEPD) have already expressed their opinions of these tools, provided they comply at all times with the guidelines and criteria they have issued, as well as current data protection regulations. The control authorities agree that the legitimate bases for this type of processing are the public interest and the vital interest of containing the pandemic.

Lawyers must take the necessary steps to minimise the impact of technology on people’s rights and freedoms

More controversial was the announcement of the new DataCovid19 study, which also involves geolocation. The study uses data from mobile phone operators to analyse the population's mobility during the crisis. It aims to determine whether, following the entry into force of the containment measures, movement between territories increased or decreased, whether there are areas with greater population build-ups or influxes, and whether there are areas with a high population concentration in relation to their healthcare capacity. According to reports, the data are provided in aggregate and anonymised, to prevent individualised tracking of our movements, but that has not staved off criticism of a lack of transparency and information.

Coronavirus controls
Related content: How to win against Covid-19? Digital infrastructures

The business sector has also been revolutionised. In a matter of days, many companies that, for years, had been sceptical of telework have embraced this measure as one of the few that can help cushion the economic impact of the state of emergency.

But obviously, its use involves an exposure to new risks that must be considered and to which some organisations have already fallen victim. In particular, both the Spanish National Cryptology Centre's Computer Emergency Response Team (CCN-CERT) and the AEPD have warned of an uptick in phishing campaigns and issued security recommendations for remote jobs, placing special emphasis on social engineering.

As a result of the shift to teleworking, companies must guarantee the real implementation of rights to preserve workers' privacy

Organisations must put new internal policies and procedures into place, as well as review existing ones, to adapt to this new reality and help eliminate or, at least, mitigate the risks associated with working from home. These strategies take into account that it is easier to fool someone working in isolation than a team that works cohesively, despite the distance.

As a result of the shift to teleworking, the digital rights introduced under the Spanish Data Protection Act of December 2018 have also taken on more importance. These rights establish guarantees to preserve workers' privacy and guarantee their right to disconnect, that is, their right not to answer calls or messages until their workday begins and for companies to respect their rest periods.

Companies must guarantee the real implementation of the policies specifying the ways in which the right to disconnect can be exercised, as well as train workers on how to make reasonable use of the corporate devices made available to them.

Zoom Covid-19
Some video-conferencing apps have come under fire for privacy vulnerabilities (Photo: Daria Ni/Twenty20)

It is also very important to appropriately choose the tools we use to communicate, whether to work from home or for personal matters. The last month has seen several cases of video-conferencing apps that have come under fire for vulnerabilities that compromised the privacy and security of communications. One of the most widely reported cases was probably that of Zoom, which has had to constantly patch and update its services to meet minimum guarantees.

Ultimately, the CCN-CERT issued a document deeming the risk of using Zoom acceptable for meetings whose content is not highly sensitive, school classes and non-office situations concerning routine matters. The document also contains recommendations for use that companies must follow.

These are only some of the most immediate legal challenges posed by new technologies involved in the management of the health crisis. Nevertheless, it hardly seems farfetched to think that the changes we are experiencing are here to stay. Professionals from the legal sector must thus rise to the occasion and contribute our knowledge in this technological transition that it has been our lot to experience.

All written content is licensed under a Creative Commons Attribution 4.0 International license.