Lithuanian pandemia containment measures will test the immunity to privacy risks

Only the exhaustion of MPs at a late evening plenary session on 31 March 2020 stopped the Lithuanian Parliament from a final vote on the draft amendment to the Electronic Communications Law. The speed of this draft in legislative corridors leaves little doubt that the enactment will be decided at the next plenary session scheduled for 7 April 2020. The proposed amendment aims to grant governmental authorities with access to mobile location data. The draft does contain privacy safeguards, however so nominal, that many commentators voiced their fears over mass surveillance. The outrage in the presence of a global health threat reflects the level of disappointment with the current Lithuanian privacy policy where particular interests outweigh privacy. Contrasting international precedents, opinions of privacy professionals and a few bright political objections have already repeatedly proven to be insufficient in this arena.

Existing retention rules for traffic data, including mobile location data, genuinely illustrate low national ambition in the privacy field. Back in 2014 the Court of Justice of the European Union has annulled the so-called data retention directive 2006/24/EC. It has done so with a strong stance “that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.“ A few years ago the same court had reminded us that the EU law precludes “national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication”. Such reminders have encouraged some European countries to put these rules before constitutional courts, yet a Lithuanian statutory traffic data retention list stands resistant to these developments since 2009 - when it was first mandated by the now annulled directive. Fuelled by public security advocates, the scope of location-specific data retention meanwhile keeps expanding (e.g., data related to location area identity (LAI), Cell ID, etc. were newly enlisted for retention in 2018).

Moreover, this proposed legislative initiative is hardly reconcilable with the recent unusually liberal recommendations by the European data protection board. In a statement adopted on 19 March 2020, the board suggests that as regards location data based pandemia containment solutions, a EU member state’s “Public authorities should first seek to process location data in an anonymous way <…>, which could enable generating reports on the concentration of mobile devices at a certain location”. These recommendations would allow to resort to proportional tracking only when anonymous location processing is “impossible”. It remains to be seen whether the Austrian and Italian choice of anonymised mobile location data technologies in their struggle to contain the pandemic will convince Lithuanian MPs to any privacy-friendly measure.

National legislative procedures require to assess the effects of the proposed new legislation whenever the legislation is introduced into new areas not subject to legal regulation before. There is no available information that the suggested legal regulation has undergone any substantial risk assessment process, including data privacy impact assessment required by the GDPR for any massive tracking. It therefore seems that the ultimate clearance of proportionality and consequences of the proposal will be performed in-field on COVID-19 patients and related individuals - who will have nothing but their immunity to shield them from both viruses and privacy risks.