Article of the Month - March 2022

Data Privacy Protection and Geographic Data Use as an Answer to Covid-19

Rosario CASANOVA, Carlos Andres CHIALE and Mathilde SARAVIA, Uruguay

Rosario Casanova	Carlos Andrés Chiale	Mathilde Saravia

 

This article in .pdf-format (27 pages)

This article aims to reflect on the relevance of geographic data use in the COVID-19 pandemic and its relationshop with the privacy rights of the people involved.

SUMMARY

Based on the importance of the concept of proximity or direct contact associated with the spread of the COVID-19 virus, this article aims to reflect on the relevance of geographic data use in this pandemic and its relationship with the privacy rights of the people involved. Thus, this article includes a study of the international and Uruguayan regulations related to geographical and, in particular, localization data.
Finally, specific considerations about proximity contact applications as a tool for combating COVID-19 are presented, making special emphasis on the Uruguayan case.

1. INTRODUCTION

The spread of the COVID-19 or SARS-CoV-2 virus and the consequent declaration of a pandemic, issued by the World Health Organization in March 2020, are now a problem that exceeds the sanitary issue. It brings deep repercussions at an economic, social, political, cultural and environmental level with impacts on the local, regional and global scale. Consequently, the measures or responses implemented by different countries involve different dimensions that affect the lives of their inhabitants.
According to recent scientific research, established transmission pathways of SARS-CoV-2 are said to be both, close contact with patients with COVID-19 and the absorption of droplets through the airways (Tan and Wang, 2020).
Therefore, the location of a virus carrier is particularly relevant as its proximity to other people is the main factor of infection (Yi, Lagniton, Ye, Li, and Xu, 2020). Thus, geographic data and geomatics tools (GeoSciencie) take a prominent role in addressing this pandemic.
One of the GIS main strengths is the ability to integrate diverse georeferenced data sets, this facilitates the aggregation of health data with contextual characteristics. There are several academic studies of descriptive models that leverage this capability to examine the geographical associations of COVID-19 with the socio-economic and environmental characteristics of the region.
Based on the importance of the concept of proximity or direct contact associated with the spread of the virus, this article proposes a reflection on the role of geographical information as a tool for combating COVID-19 and its relationship with individual and collective law.

2. USE OF GEOGRAPHIC INFORMATION

Incorporating geographic information science and technology into surveillance, modeling, and response to the COVID-19 pandemic, improves not only the understanding but also the control of the disease.
This pandemic has highlighted the usefulness of applying geosciences to visualize cases and identify the most vulnerable areas, as well as the use of location-based intelligence tools to improve data representation deficiencies. (Rosenkrantza, Schuurmana, Bellb, & Amramc, 2020).
Therefore, in this article two different uses of geographic data are presented, one related to mobile applications and the other to the use of the geographical information as response in the fight against this pandemic.

2.1 Using Location in Apps

Nowadays, there is a wide number of mobile applications that require the geolocation of the devices as an input to carry out their function. This is the case of those which allow home delivery (PedidosYa[1], Rappi[2]), request transfer in vehicles (Uber[3]) and even messaging applications in which the location can be sent in real time to other contacts (WhatsApp[4]). All applications that require this type of geolocation ask the user for permission to gather this data.

Fig. 1: Screenshot on a mobile device from the PedidosYa app when location use is requested. Source: Own elaboration.

The use of localization by applications can be diverse. There are many applications in which the user's location data is key for them to operate. On the other hand, there are other applications in which the user's location is not essential but still requested. In those cases, location data is used to promote commercial stores when proximity is detected. In all cases, the use given to this information by application providers is uncertain.
In this sense, a case that has gained a lot of popularity in Spain refers to LaLiga mobile application. This Spanish football application provides information about football competitions, fixtures, teams, and players as well as national and international results.
When using this app, access to the location and microphone of the user's mobile device is requested. With these permissions, the place where the user was watching the game could be clearly identified because the device's microphone and geolocation were activated. With microphone access granted, anytime the user was near a television broadcasting a football game was detected, registering its location. Having gathered this information, it was possible to localize bars and restaurants which broadcasted football matches without paying royalties.

Consequently, the Spanish Data Protection Agency fined LaLiga with 250.000 euros (July 2019) for the intrusion of at least 50.000 Spaniards' mobile phones, due to a violation of the principle of transparency in not reporting microphone access in the application.
This event highlights the risks brought by the misuse of the data accessed by some apps. Although prior consent to have access to location data is requested, users do not always become fully aware of the implications and consequences of this authorization. Thus, it is important to stand out the relevance of including the ethical use of geographic information on the collective agenda.

2.1  The geoinformation use in the fight against the pandemic

2.2.1 Exposure Notification

With the global health emergency as a framework and considering the fact that epidemiological monitoring is thought as a key to contain the pandemic, two leading companies in terms of technology in mobile devices, Apple and Google, joined forces to develop a system that facilitates the crisis monitoring, by sending alerts of proximity to infected users. This system, called exposure notification, is based on the premise of taking care of the security and privacy of users. The app strictly focuses on carrying out the required epidemiological monitoring and does not directly use the user's location data.
Exposure notifications can then be enabled in different apps on both iOS or Android mobile operating systems. These apps require a strict authorization from Apple and Google in order to provide the user with exposure notifications. Authorization which is only given to official institutions in each country, in the case of Uruguay, the app is called Coronavirus Uy[5].
Exposure notifications do not use location data, they work using bluetooth to share codes with other devices that are nearby and have downloaded and activated this app. Each mobile device constantly broadcasts a random number and simultaneously records those codes coming from nearby devices. (Betarte, et al, 2020). These indicators are stored in each device for 14 days. In the event that a user tests positive for COVID-19, he can inform the application, which will request permission to upload the numbers generated by its device to a central server. Every day, the indicators received by each mobile are compared with those uploaded to the central server and in case of a match, an exposure alert notification will be given. From this alert, each person can use the application to request more information or assistance but can also choose not to tell anyone that they received the alert.
From our point of view, exposure alert applications are an efficient and decentralized mechanism for people to collaborate and receive virus exposure alerts quickly, while at the same time, respecting the privacy and willingness of all involved. In the case of Uruguay, the Coronavirus UY application also allows citizens with possible symptoms of the SARS-CoV-2 virus to be connected to health care providers, in order to reduce waiting times for medical attention. Despite the possible efficiency of this application, its success depends exclusively on the population's active use (Cascón, 2020).

Although in the next section we will go into the legal aspects, it is important to clarify that all the information collected in the application is covered by the Law on Protection of Personal Data and by the privacy policy of the application itself (Figure 2).

Fig. 2: Screenshot of the notification about the exposure alert in the Coronavirus Uy application. Source: Own elaboration.

2.2.2 COVID-19 situation mapping

The global understanding of this pandemic´s impact has proportionally grown with the use of mapping apps in public and private sectors. The most popular uses of mapping tools are the daily publications of news agencies or online dashboards in near real time (Boulos and Geraghty, 2020). Although many dashboards have been made, the most widespread example has been developed by the Johns Hopkins University[6]. These maps provide a clear visual representation of the impact of COVID-19 on morbidity and mortality and represent an effective political and social tool to communicate the impact of the disease (Rosenkrantza, et al, 2020).

There is no doubt that the SARS-CoV-2 virus has unleashed a world full of uncertainties, not only about its origins, forms of propagation, treatment, or possible vaccine, but also about the use of individual data as a tool to combat the pandemic. The privacy of data, the ethics in the use of information, particularly geographic information at the service of decision makers, raise many concerns and questions that are not easily answered (Pérez-Colomé, 2020).

This emergency situation should not imply a suspension of the fundamental right to personal data protection.  Nor could the data protection regulations be used to hinder or limit the effectiveness of the measures adopted by the health authorities. It is possible to think that a dichotomy is being created between individual freedom and community well-being. This discussion is not new but, at this time, is becoming more visible because of globalization, the wide access to international news, the Internet, the rapid spread of the SARS-CoV-2 virus, the widespread ignorance and uncertainty about the pandemic itself.
Therefore, this article includes aspects related to the international and Uruguayan legal framework regarding the privacy of personal data, focusing on the analysis of the protection of location data and the use of geographic information as a tool to combat the pandemic in the country.

3.1 Personal and sensitive data international legal framework

The protection of personal data has been the object of regulation of several international treaties to which our country has adhered.  However, the approach of such international standards precedes the "Internet" phenomenon, and consequently, although they are an unavoidable antecedent, they do not provide sufficient legal support to modern data traffic in the ICT era. On the other hand, there is no international body that "manages" data privacy on a global scale (Elgar, 2011). Consequently, in order to analyze international law on personal data protection, we must resort to comparative law at a regional level (the case of the European Union) and at the national level of some countries, such as the United States and China.
The protection of personal data in the European Union is presented as the paradigm in the matter and has been a reference for our country. In this sense, it is positioned in the human right to data protection in the digital era by enshrining in the Charter of Fundamental Rights[7] itself that everyone has the right to the protection of personal data concerning him or her, fair processing, for specific purposes and based on the consent of the person concerned and enshrines the right of everyone to access the data collected concerning him or her and to rectify it.
Unlike the European system, the United States data protection is regulated on a sectoral basis: it focuses on consumer protection from an economic perspective and not as a personal right. In North American law, data protection is part of the consumer protection law and the supervision of its compliance is a Federal Trade Commission´ responsibility. The Patriot Act of the United States was enacted after the terrorist attacks on September 11, 2001 and enabled security authorities to have access -in suspicious cases-, to local servers’ data stored without a court order. Internet and cloud providers could also be forced to disclose personal data even without informing those affected. In 2015, the United States Freedom Act was enacted again restricting the powers of the investigating authorities.

However, the Cambridge Analytica scandal in 2016[8] prompted the state of California to draft a strict law to protect user data, liable since January 2020. The California Consumer Privacy Act aims to allow consumers to be aware of which companies collect and use their data, as well as to demand, if necessary, to be deleted. In any case, nowadays there is no national law protecting the entire country, but some steps have been taken towards European standards of regulation on data general protection (GDPR-General Data Protection Regulation) (Thielemann, 2020).
Moreover, another great power such as China does not have, to date, a general data protection law. In 2017, the personal data regulation was given through a Cybersecurity Law that aimed at the network security and strengthening of data protection. The China Cyberspace Administration (CAC), the highest internet administrative law, enacted in June 2019 the Data Protection Regulatory Directive that sets the standards for customer data collection and processing, thus it represents future orientation basis to law. (Thielemann, 2020)
From the above, it can be concluded that although data privacy issues have been placed on the public agenda, several countries -at a national level as well as the world in its global concept- do not have specific regulations which include all aspects of privacy and data security intimes of pandemic (Cascón, 2020). The following section addresses the study of the Uruguayan case and the relationship between the regulation in force and the geographic and health data use.

3.2 The protection of personal data in Uruguay

Uruguay's commitment to personal data protection arises from the ratification of different international instruments that address this issue. Since 1948 Uruguay has ratified the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights (1966), and at a regional scale, the American Convention of Human Rights Pact of San José, Costa Rica.
The Uruguayan personal data protection main rule is the Personal Data Protection Law (Law No 18,331)[9] which establishes the right to personal data protection as “inherent to the human person” and refers to the Constitution of the Republic.
According to the referred law, personal data is defined as "information of any kind referring to specific or determinable natural or legal persons"; this is "... any numerical, alphabetic, graphic, photographic, acoustic or any other information that refers to them."[10]
In short, personal data is “... any type of information that can directly identify us or makes us identifiable, as our name, address, telephone, identity card, RUT, fingerprint, member number, student number, a photograph or even DNA "
However, as sensitive data the law considers: "personal data that reveal racial and ethnic origin, political preferences, religious or moral convictions, union affiliation and information regarding health or sexual life."

In this sense, it is important to specify that as one of the forms of protection the law requires to publicize personal data, the express consent of the person involved must be given and in the case of sensitive data, an express and written consent is required. (Betarte et. Al, 2019).
Likewise, categories of specially protected data are regulated, such as health and telecommunications data, among others. Regarding health data, the law empowers public or private health institutions and health sciences professionals to “… collect and process personal data related to the physical or mental health of patients who have been under treatment…” provided that professional secrecy principles are complied with, and that the law itself establishes the need for express consent.
Within this framework, and in accordance with transcribed legal definitions, location data fits into the personal data category, while the data on the health status of a person, such as being infected by COVID-19 must also be considered as sensitive and specially protected data.
It is clear from the above that location and individual health data are protected by international and national regulations but can be limited when the community health good takes precedence, only with regard to the requirement of prior consent. Limitations that always protect the anonymity of the person so that the security and confidentiality in the treatment of the data is preserved.
Therefore, it can be assured that Uruguayan legal requirements, in terms of personal data protection, are at the level of the highest international standards, which is materialized in the imposition of legal obligations to be contemplated in the technical requirements.

4. CONCLUSIONS

Even though there are many uncertainties surrounding the pandemic, it is unquestionable that proximity between people is the main factor of contagion, thus the location of an infected person becomes particularly relevant for himself and for others. The spread of infectious diseases is mainly a spatial process; therefore, geospatial data, technologies and analytical methods play a key role in understanding and responding to the COVID-19 disease pandemic.
The opportunities to incorporate geomatic tools into monitoring, modeling and response to this pandemic, range from developing spatial data infrastructures for surveillance, incorporating mobility data into infectious disease forecasting, using geospatial technologies for digital contact tracing, integrating geographic data into COVID-19 modeling, investigating geographical health disparities and social vulnerabilities, and reporting disease status or infrastructure status in order  to return to normal operations.
Additionally, in recent times, the pandemic daily monitoring has been done through the use of geographic data in dashboards. In this sense Uruguay is not unaware of global activity by implementing its own visualizer (MIRA), in which the number of contagions is daily shown, but with a level of data disaggregation due to protect privacy data of the people involved.
Regarding normative aspects, for the Uruguayan legal system, the location data falls into the category of personal data whose protection, following the European model, has a fundamental human right status. The location of a person carrying the SARS-CoV-2.2 virus also falls into the specially protected personal data category according to the national law personal data definition. Thus, it is necessary a dual requirement for its diffusion, which is an express and written consent. For this reason, Uruguay has national regulations that strongly protect and ensure the protection of individual and health data.
The geographic data used as a spatial analysis tool to support public decision-making in the fight against the pandemic are also protected in Uruguay, since the anonymity of those affected is preserved. While this is a strength, it can also be a weakness since it limits the generation of academic specific research. This impact can be minimized by providing these data with a higher level of disaggregation, as the one used for the national population and housing censuses (in which the anonymity of the data is also protected).
According to this research and regarding other location data apps, we can state that the registration of contacts via bluetooth used in the proximity alert applications, is the most advanced technique and also the one that works best for tracking those who are infected. This tool is not only recommended in terms of its positional quality, but also and mainly, because it is more efficient in protecting individual privacy.  In particular, the Coronavirus Uy application plays a fundamental role since it provides the above-mentioned benefits and, at the touch of a button, professional healthcare assistance to the community in general and to those infected in particular. Additionally, it is a tool that solves, or at least gives a very big and invisible hand, to the weakest link in the fight against COVID-19, which is the "epidemiological monitoring".
From a legal point of view, the application complies with the requirements of express and written authorization, requested in national regulations. Since it requires the user´s consent: specifically, the willingness and action to communicate that they contracted the virus and the acceptance of generating an alert for exposure to the users of the application who were close.
In other words, from our point of view, proximity alert tools are very suitable and comply with people's privacy rules. Therefore, it is a recommended tool to be used in several countries, even if they do not have a specific national regulation that protects the privacy of personal data.
It is fair to say that while the tool has these strengths, it has a great weakness that refers to the need for massive use by all residents. A fact that can be a problem because it requires mobile phones that support this technology and users who know how to use them properly.
In any case, these limitations can be overcome, but a strong public policy is required to promote, train, facilitate and ensure that a very high percentage of the inhabitants use it. To this end, strong communication campaigns, training plans, problem-solving centers for users, and even the possibility of designing and constructing simple special devices, free of charge for the inhabitants, created solely to fulfill the functions of data exchange and proximity alerts, could be considered. The academy has a lot to contribute in this sense.

---

[1] Web site of Pedidos Ya: https://www.pedidosya.com.uy/
[2] Web site of Rappi: https://www.rappi.com.uy/
[3] Web site of Uber: https://www.uber.com/
[4] Web site of Whatsapp: https://www.whatsapp.com/
[5] Web site of Coronavirus Uy: https://www.gub.uy/ministerio-salud-publica/politicas-y-gestion/informacion-sobre-aplicacion-coronavirus
[6] Web site of the Dashboard of John Hopkins University: https://coronavirus.jhu.edu/map.html
[7] The Charter of Fundamental Rights is a document including a set of personal, civil, political, economic and social rights of citizens and residents of the European Union, proclaimed by the European Parliament, the Council of the European Union and the European Commission in December 2000.  https://www.europarl.europa.eu/charter/pdf/text_es.pdf
[8] Cambridge Analytica is a data analysis company that accessed data from 87 million Facebook users.
[9] Law of Personal Data, Law 18331 of August 11, 2008: https://www.impo.com.uy/bases/leyes/18331-2008
[10] Regulatory Decree (of the Law) No. 414/009 of August 31, 2009: https://www.impo.com.uy/bases/decretos/414-2009/40

REFERENCES

Adekunle, I. A., Onanuga, A., Wahab, O., Akinola, O. O. (2020). Modelling spatial variations of coronavirus disease (COVID-19) in Africa. Science of The Total Environment, 138998.
 
Betarte, G., Campo, J. D., Delgado, A., Ezzatti, P., Forteza, Á., González, L., Martin, M. Muracciole, B. y Ruggia, R. (2020) Desafíos de seguridad y privacidad en el diseño e implementación de soluciones de rastreo de proximidad.  Retrieved from: http://www.pedeciba.edu.uy/docspd/covid_CT_position_betarteetal-1.pdf
 
Boulos, M. N. K., Geraghty, E. M. (2020). Geographical tracking and mapping of coronavirus disease COVID-19/severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) epidemic and associated events around the world: how 21st century GIS technologies are supporting the global fight against outbreaks and epidemics.
 
Brito, M. (1985). “El principio de legalidad e interés público en el derecho positivo uruguayo”, La Justicia Uruguaya.

Cascón-Katchadourian, J. (2020). “Tecnologías para luchar contra la pandemia Covid-19: geolocalización, rastreo, big data, SIG, inteligencia artificial y privacidad”. Profesional de la información, v. 29, n. 4, e290429.  Retrieved from: https://doi.org/10.3145/epi.2020.jul.29
 
Economic Commission for Latin America and the Caribbean (UN-ECLAC) and United Nations Committee on Global Geospatial Information Management for the Americas (UN-GGIM: Americas) (2020) Questionnaire on geospatial response to COVID-19 in the Americas.
 
Edward (2011). Research Handbook on Governance of the internet, Edition I.
 
Kuhn, C., Beck, M., Strufe, T. (2020). Covid Notions: Towards Formal Definitions--and Documented Understanding--of Privacy Goals and Claimed Protection in Proximity-Tracing Services. arXiv preprint arXiv:2004.07723.
Pérez-Colomé, J. (2020). “Apple y Google se alían para facilitar que las apps para rastrear el coronavirus estén en todos los móviles”. El país, April 10, 2020.  Retrieved from: https://elpais.com/tecnologia/2020-04-10/apple-y-google-se-alian-para-crear-un-sistema-de-rastreo-del-coronavirusque-no-necesite-descargar-una-app.html
 
Rosenkrantz, L., Schuurman, N., Bell, N. & Amram, O. (2020). The need for GI Science in mapping COVID-19. Health & Place, 102389.
 
Santirso, J. (2020). “Corea del Sur: contra el coronavirus, tecnología”. El país, March 14, 2020.  Retrieved from: https://elpais.com/tecnologia/2020-03-13/corea-del-sur-contra-el-coronavirus-tecnologia.html
Schwartz, P. M., Peifer, K. N. (2017). Transatlantic Data Privacy Law. Geo. LJ, 106, 115.
 
Smith, C., Mennis, J. (2020). Peer Reviewed: Incorporating Geographic Information Science and Technology in Response to the COVID-19 Pandemic. Preventing Chronic Disease, 17.
Orellano, D., Toledano, B. (11 de junio de 2019). Multa a LaLiga de fútbol por usar el móvil de 50.000 españoles para espiar. El Mundo.
 
Retrieved from: https://www.elmundo.es/tecnologia/2019/06/11/5cff9a0ffdddff531a8b466e.html
Tang, L. Y., Wang, J. (2020). Anesthesia and COVID-19: What We Should Know and What We Should Do. Seminars in Cardiothoracic and Vascular Anesthesia, 24(2), 127–137.   Retrieved from: https://doi.org/10.1177/1089253220921590
 
Thielemann, S. (Novembre 27, 2020). Protección de datos fuera de la UE. HornetSecurity.  Retrieved from: https://www.hornetsecurity.com/es/seguridad-de-la-informacion/proteccion-de-datos-fuera-de-la-ue/
 
Yi, Y., Lagniton, P. N., Ye, S., Li, E., & Xu, R. H. (2020). COVID-19: what has been learned and to be learned about the novel coronavirus disease. International journal of biological sciences, 16(10), 1753.

BIOGRAPHICAL NOTES

Rosario Casanova (Uruguay) is a Land Surveyor Engineering, expert in geomatics, geo-technologies, urban planning, she has a master's degree and a doctorate in these areas.
Since 1994 she is a professor at the Institute of Land Surveying of the Faculty of Engineering of the University of the Republic, Uruguay. Being the Director of the Institute of Surveying from 2014 to March of this year.
She is the chair of the United Nations Academic Network for the Americas for Geospatial Data Management (UN-GGIM) since it was created in 2017.
She has served as professor in the Lincoln Institute of Land Policy (LILP) in the Latin America and Caribbean Program and carried out several research projects on the informal land market.
She has presented research in regional and international events.
 
Carlos Chiale (Uruguay) has graduated as Cartography Technologist (2015) in  the University of the Republic, Uruguay, and as Bachelor degree of Sytems (2020) in ORT University.
He works as consultant in information in National Emergency System of Uruguay.
He is a member of Geomatic Department at Surveying Institute, Engineering Faculty of the University of the Republic, Uruguay.
 
Matilde Saravia (Uruguay) has graduated as a lawyer (2006) and as planning and urban development magister (2017) in the University of the Republic. She has specialized herself in planning, integrated water management and environment since 2009 and she works as a consultant in these areas. She is a member of the Technical Legal Department of the Land Surveyor Institute, Engineering Faculty, University of the Republic.

CONTACTS

Rosario Casanova
Instituto de Agrimensura, Facultad de Ingeniería, Universidad de la República.Montevideo
URUGUAY
 
Carlos Andrés Chiale
Instituto de Agrimensura, Facultad de Ingeniería, Universidad de la República.
Montevideo
URUGUAY
 
Matilde Saravia
Instituto de Agrimensura, Facultad de Ingeniería, Universidad de la República.
Montevideo
URUGUAY
Email: matildes@fing.edu.uy

Subscribe to FIG e-Newsletter

Email address:

GO

CONTACT International Federation of Surveyors, FIG Kalvebod Brygge 31-33 DK-1780 Copenhagen V DENMARK  FIG@fig.net  + 45 3886 1081 FIG Office	PUBLICATIONS FIG Publications Surveyors Reference Library Conference Proceedings Article of Month e-Newsletter FORTHCOMING EVENTS FIG Regional Conference 2024 FIG Working Week 2025 All Forthcoming Events	FEDERATION Organisation Members Commissions Young Surveyors Network Capacity Building Network Task Forces FIG Foundation	ABOUT FIG International Federation of Surveyors, FIG, is a United Nations and World Bank recognized non-governmental organization of national member associations and covers the whole range of professional fields within the global surveying community. It provides an international forum for discussion and development aiming to promote professional practice and standards. More: FIG Profile
Follow FIG:

Our Data Privacy and Transaction Security Policy | Transactions on this site are secured by THAWTE

©2025 FIG | Page last revised: 2022-2-24