May 04, 2020
By Ilia Siatitsa and Ioannis Kouvakas
In his recent interview on The Intercept, Edward Snowden questioned whether the measures implemented by authorities amid the pandemic are necessary to safeguard people, as well as, whether the pandemic is seen by governments as just another opportunity to make us acquiesce to mass surveillance. In a scramble to track, and thereby stem the flow of new cases of Covid-19, governments around the world are rushing to track the locations of their populace. One way to do this is to leverage the metadata, including location data, held by mobile service providers (telecommunications companies) in order to track the movements of a population, as seen in Italy, Germany and Austria, and with the European Commission.
This is the first of two blog posts that will examine whether indiscriminate location tracking could ever be justified under the Convention, in light of the global pandemic. By applying the European Court’s case law on mass surveillance and by focusing on the interpretation of what is necessary in a democratic society to justify a limitation of the right to privacy under Article 8, it is argued that the Convention poses certain limits on the deployment of such blanket measures. Article 8 has traditionally afforded a certain margin of appreciation to state authorities, allowing the Court to defer to states on several instances, however, their powers are not unlimited. This post will argue that blanket mobile phone location tracking measures to contain the spread of COVID-19 cannot be regarded as strictly necessary due to their indiscriminate nature and the existence of less intrusive alternatives with similar effectiveness. In a second to this post part, the authors reflect on whether states could derogate from Article 8 in order to impose indiscriminate location tracking.
Indiscriminate location tracking in the time of Covid-19
The location tracking measures suggested so far fall within two broad categories; those relying on location data held either by electronic communication service providers, such as mobile phone operators which collect and retain this data in the course of the provision of their services, or service providers that offer mobile phone applications whose functionality may also require the collection and/or retention of location data, such as GPS coordinates, used, for example, for navigation, transportation services etc. What all these types of data have in common is that they constitute communications data or metadata, namely not actual content of communications, but data often surrounding a communication. Moreover, such measures will ultimately be of a blanket nature – meaning that they will have to collect the data of everyone indiscriminately – as governments will claim they cannot be limited to what is strictly necessary because the authorities are not in a position to pre-emptively identify the individuals that need to install the app or the individuals that will consequently get infected.
Blanket surveillance measures under Article 8
When determining whether an interference with the right to privacy was necessary in a democratic society, the European Court of Human Rights will examine whether the interference was necessary and proportionate to the aims pursued. This involves a balancing exercise between competing interests (Z v. Finland ). In that regard, “national authorities enjoy a margin of appreciation, the scope of which will depend not only on the nature of the legitimate aim pursued but also on the particular nature of the interference involved” (Leander v. Sweden ).
In Uzun v. Germany [51-152], the Court had already noted that the systematic collection, storing and, in general processing, of the applicant’s GPS data amounted to an interference with his private life. More widely on metadata, in Big Brother Watch and Others v. UK, which has been referred to the Grand Chamber, the Strasbourg Court was not persuaded that “the acquisition of related communications data is necessarily less intrusive than the acquisition of content”. Additionally, with reference to their bulk acquisition, it underlined that:
the degree of intrusion is magnified, since the patterns that will emerge could be capable of painting an intimate picture of a person through the mapping of social networks, location tracking, Internet browsing tracking, mapping of communication patterns, and insight into who a person interacted with. 
The Court of Justice of the EU has also reached the same conclusion, in the context of examining national and EU data retention schemes. In Digital Rights Ireland case, among others, it noted that, communications data,
taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. 
The location tracking measures as such constitute a serious interference with the right to privacy. The question remains whether they could be justified as necessary in a democratic society.
When examining the necessity of bulk surveillance measures, the Court has been quite critical of measures that are of a blanket or indiscriminate nature, due to their inability to adhere to the Court’s “necessary in a democratic society” requirements. It is worth highlighting that already in its early case-law on surveillance measures, the Court has favoured a higher standard of review of surveillance legislation, namely strict necessity and not just necessity. In Klass and Others v. Germany, it underlined that secret surveillance powers “are tolerable under the Convention only in so far as strictly necessary for safeguarding the democratic institutions”  (emphasis added).
In Szabó and Vissy v. Hungary, the Court indicated that, given “the potential of cutting-edge surveillance technologies to invade citizens’ privacy,”:
A measure of secret surveillance can be found as being in compliance with the Convention only if it is strictly necessary, as a general consideration, for the safeguarding [of] democratic institutions and, moreover, if it is strictly necessary, as a particular consideration, for the obtaining of vital intelligence in an individual operation. In the Court’s view, any measure of secret surveillance which does not correspond to these criteria will be prone to abuse by the authorities with formidable technologies at their disposal. 
Similarly, in the context of data retention measures, the Court of Justice of the EU has held that, in order to be limited to what is strictly necessary, these measures must be subject to restrictions which “circumscribe, in practice, the extent of that measure and, thus, the public affected” (Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson ).
Could indiscriminate location tracking be strictly necessary?
Based on this jurisprudence governments will have to justify why these measures are strictly necessary and relevant to deal with the pandemic.
There is little scientific evidence to suggest that indiscriminate location tracking will be an effective means to deal with the pandemic. One aspect everyone agrees though is that in order to stand even a chance to be effective, it will have to be applied to the vast majority of, if not the whole, population. However, this is materially not possible. While the number of mobile phones is increasing, not everyone owns a mobile phone and even if they do there is no way to ensure that they will carry it around everywhere they go. This means that if certain regions or groups of the population were to be excluded, location tracking would accordingly prove to be practically ineffective.
However, even if we assume that it is effective, states will have to prove that they cannot achieve the same goal by less intrusive measures available. Bluetooth is arguably one of the more accurate technologies in terms of proximity identification, in this instance, proximity to other phones using a specified app. Arguably, it is also the least intrusive form of tracking given that it is based on proximity to other phones using the app rather than actual location e.g. GPS or cell tower data. In this context, it can be understood more so as an interaction tracking tool.
This does not mean that these measures will not equally have to be of an indiscriminate nature in order to be effective but will at least amount to a smaller degree of intrusion with individuals’ privacy. In Uzun v. Germany, for example, the Court equally dealt with the question whether “other methods of investigation, which were less intrusive than the applicant’s surveillance by GPS, had proved to be less effective” .
It is therefore likely that any blanket mobile phone location tracking measures will fail to adhere to the Convention’s standards of strict necessity. As mentioned above, the Court has been quite critical against indiscriminate surveillance measures, especially when the latter fail to incorporate a series of robust safeguards. Provided that these safeguards existed, it would still not ultimately mean that the severity of the interference posed by constant and systematic location tracking could ever be counterbalanced. In S and Marper, the Grand Chamber held that the collection and retention of DNA and fingerprints of innocent people was contrary to Article 8. In particular, the Grand Chamber was “struck by the blanket and indiscriminate nature of the power of retention in England and Wales” . It concluded that there was no need “to consider the applicants’ criticism regarding the adequacy of certain particular safeguards”. 
As the European Data Protection Board noted in its recent guidelines on location tracking, “[t]he current health crisis should not be used as an opportunity to establish disproportionate data retention mandates”.
Some of the states might consider a derogation from Article 8 to be the safest way to introduce bulk or indiscriminate measures, in an effort to lower or relax the intensity of the Court’s review and accordingly enlarge their margin of appreciation. However, the authors will argue in Part II that derogation from Article 8 will seldom provide them a safe haven from Court’s scrutiny.
The views expressed in this post are the authors’ own and made in their individual capacity and not in their capacity as employees of Privacy International.
Dr Ilia Siatitsa is a Programme Director and Legal Officer at Privacy International (PI). She leads one of the four strategic areas at PI and works on research and litigation related to surveillance and technologies. Ilia is a qualified lawyer in Greece and holds a PhD in International Law from the Faculty of Law of the University of Geneva. In the past, she has been a Research Fellow at the Geneva Academy of International Humanitarian Law and Human Rights, as well as a member of the research team of the Big Data, Human Rights and Technology Project housed at the Human Rights Centre of the University of Essex.
Ioannis Kouvakas is a Legal Officer at Privacy International (PI) and works on a variety of issues at the intersection of PI’s government and corporate exploitation programmes. He is also a PhD candidate at Vrije Universiteit Brussel (VUB, Faculty of Law and Criminology). His doctoral research focuses on new technologies, national security and judicial deference. He holds a Law Degree from the University of Athens (Greece) and an LL.M. in Human Rights Law (University College London).