A few days before retail reopens and the new five-digit number 13032 comes into use for sending a movement text message, which will be exclusively for visiting shops for a specific duration, a growing number of lawyers are pointing out that even the most widely used 13033 is at the very limit as far as the protection of personal data is concerned.
At the same time, the contact-tracing application for smartphones, which is expected to be put into operation in Greece in the near future in view of the start of the next summer season, is drawing criticism over its medical suitability and over the protection of sensitive data. After a year of pandemic and restrictive measures, the protection of personal data seems to have been "relativized", yet invoking reasons of public interest and the protection of public health is not enough as an excuse. That is because, as lawyers point out, it is precisely in these times of crisis that the protection of individual rights and personal data acquires greater value.
Already, as the lawyer and data protection officer (DPO) of the Ministry of Health, Dimitris Zografopoulos, pointed out at the 5th Conference on the protection of personal data of Palladian Conferences (Data Protection & Privacy Law Forum), the codification of the legislation made so far by the Ministry of Digital Government has produced eight volumes of legislative measures for dealing with Covid 19, many of which were enacted through Acts of Legislative Content and subsequently ratified in Parliament with a single article.
Under Article 23 of the General Regulation, restrictions on the protection of personal data can only be enacted through legislative measures, which, however, should have content that defines what the purposes are, what data is collected, which data are limited, who the recipients are and for how long the data protection restrictions will apply.
"The logic of this article is missing from critical legislation," Mr. Zografopoulos points out, citing as an example the implementation of 13033, for which, as he adds, there is no secure legal guarantee, no provision in which the obligation to send a message is legally secured.
Even in the guidelines set by the Data Protection Authority for the coronavirus there is no reference to the role of the DPO, nor to the impact study. On the personal data issues arising from the use of 13033, Homo Digitalis, a non-profit law firm specializing in digital rights enforcement, has already sent a request for an opinion to the Personal Data Protection Authority.
It was preceded by a complaint by the Board to the Authority, following letters on the matter to the General Secretariat for Civil Protection, which remained unanswered. "There was an indifference to our letters and a lack of awareness that posting civil protection is not enough, it must be applied", explains Homo Digitalis co-founder and lawyer, Konstantinos Kakavoulis.
At the same time, he emphasizes that "there is a danger of violating the rights of Greek citizens, which are guaranteed by the General Data Protection Regulation 2016/679 (GDPR), and in fact by a service widely used by the citizens, since during the first wave of the pandemic approximately 110 million movement SMS messages were sent."
Lawyers point out that although the restriction of rights may be justified in view of an overriding public interest, including public health, it must be accompanied by certain guarantees and in any case be of an exceptional nature.
"This wording leads us to wonder who has access to the above data, but also what is the expediency of authorized employees of the Ministry and the General Secretariat to have access to personal data".
They spot another contradiction as well: while it is explicitly stated that the data is not transmitted to third parties, there is an indication that the partner providers have access to them, something of which, if it happens, the citizen should also be informed.
A third point they make has to do with data retention: after the response of the service, the data are deleted or anonymized, but without "listing the criteria on the basis of which the choice is made to delete or anonymize personal data, creating a lack of predictability and legal uncertainty.
Moreover, the anonymization process is extremely difficult, since, if it is not effective, the data can be redefined as personal through a process known as “de-anonymization” or “re-identification” and thus lose the protection provided by anonymization".
Digital vaccination certificate
The existence of the vaccination certificate makes vaccination "indirectly but clearly" mandatory, according to Mr. Painter, who, although he clarifies that he believes in the necessity of vaccinations, considers as a lawyer that this should be done in an orderly manner: "It is a firm position of the State that vaccination should remain optional. However, with the certificate we do nothing but make it indirectly but clearly obligatory. As a professional lawyer I would prefer it done right, to come up with a piece of legislation that says for whom it may be mandatory, which categories of the population should precede, what are the exceptions".
He also pointed out the huge need for cooperation among the co-competent bodies in drawing up a strategy for dealing with the pandemic and launching a public debate on personal data issues, giving as an example the vaccination certificate, which was made public without prior notice to the Ministry of Health: "The Protection Authority sent a document for clarifications to the ministry. The document was not prepared by the ministry. We had to answer that we have no idea".
The effectiveness of introducing a contact-tracing application for smartphones, which is also being developed by Greece and will inform the user with a text message if he came in contact with a reported positive case, has been considered doubtful in the recent past. Months ago, in a relevant discussion at the Ministry of Health, it was first analyzed from a medical point of view whether the measure is useful, necessary and appropriate, and then whether users' personal data is secured: "It did not pass the suitability test, did not pass the personal data test, did not even pass the cybersecurity test. Imagine if some masses wanted to strike at the state and massively falsely stated that they were positive. The next day, panicked people will run left and right to take a test," explains Mr. Zografopoulos.
Whatever parameterization is done - according to the experts - leaves a big "window" of error.
For example, if one wants to reduce the margin of false voluntary statements of positivity by users, the application should be updated directly from the Covid Registry, but that would negate from the outset the non-processing of personal data. If it remains at the discretion of the user to update the application, there will always be a risk of false statements. He even adds that corresponding applications exist in 21 of the 28 European Union countries, which, however, failed to prevent the imposition of a second or third lockdown.