Privacy implications of Coronavirus tracking mobile apps // DataGuidance.com, 17 April 2020
The city of Moscow has launched a mobile app called Social Monitoring for monitoring patients who have tested positive for Coronavirus and are staying in their place of residence rather than a hospital.
Sergey Medvedev and Stanislav Rumyantsev, respectively Partner and Senior Lawyer at Gorodissky & Partners, told OneTrust DataGuidance, "Mobile app data can be classified as personal data. The operator must protect such data from unauthorised access, use, or disclosure by implementing different security measures, as required by the law.
The app may have access to about 20 various functions of data of smartphone users, including:
- photos and videos;
- exact and approximate geo-location;
- health state sensors, including heart rate monitor;
- modification and deletion of certain data on drivers; and
- other data.
As a result, a special data protection regime will have to be complied with by Social Monitoring, as well as respective data processors regarding the relevant mobile app data. The Federal Service for the Supervision of Communications, Information Technology, and Mass Communications ('Roskomnadzor') has all powers and competence to verify the compliance of the same."
While this new monitoring system is still nascent, and details have yet to be confirmed, official statements have indicated that the Russian Federation's strategy to combat the spread of Coronavirus includes mobile apps that track users' location data, as well as mobile phone data and credit card records. In addition, Prime Minister Mikhail Mishustin has promised technological solutions to enforce the self-isolation regime.
Medvedev and Rumyantsev noted, "Personal data cannot be shared with third parties, or distributed further, unless the data subject gives their consent. Therefore, if Social Monitoring wants to share certain categories of personal data with a third party, written consent will have to be requested and obtained in advance. At the same time, if the processing of certain sensitive data (i.e. health data) is necessary for the protection of life, health, and other vital interests of the data subject, and obtaining the data subject's consent is impossible, the data processing of such data is still admissible and lawful."
With respect to retention requirements for data collected, Medvedev and Rumyantsev highlighted, "Different categories of personal data may have different storage and retention periods. In general, the data controller shall not retain any personal data longer than dictated for the purposes of relevant data processing. After that, personal data must be destroyed or depersonalised."