The human rights impact of digital surveillance during COVID-19

Introduction

As the coronavirus pandemic takes its terrible toll on both human life and livelihoods, governments, public health authorities, companies and individuals have responded with extraordinary measures. To protect the health of people, governments and institutions put in place restrictions on movement and mechanisms for tracking and reporting on infections. In Togo, the pandemic has led policy makers to expand public health surveillance by taking advantage of new technologies to control the spread of the virus.

This report discusses the rights challenges that have emerged in the implementation of the TOGO SAFE contact tracing app[1] and a travellers’ health registry,[2] and the use of artificial intelligence (AI) to determine the vulnerable households likely to receive state assistance.[3] 

Background

Togo is a Sub-Saharan West African country sandwiched between Ghana to the west, Burkina Faso to the north, Benin to the east and the Atlantic Ocean to the south. It had an estimated population of 8.5 million inhabitants as of 2021,[4] with a demographic growth rate of about 2.5%. Over 50% of the population lives below the poverty line (under USD 1.25 per day).[5] Poverty is strongly linked to under-nutrition – food insecurity at household level is prevalent across the country and is particularly high in the northern regions.

Togo’s constitution, adopted in 1992 and last revised in 2019, calls for a bicameral legislature, but the Senate has not been established yet. Members of the 91-seat National Assembly, which exercises all legislative powers, were elected for a five-year term in December 2018, with the Union pour la République (UNIR) party retaining in clear majority.[6]

UNIR leader Faure Essozimna Gnassingbé, the incumbent 54-year-old president who was re-elected in presidential elections two years later, has been in office since 2005 after the death of his father Eyadema Gnassingbe, who led the country for 38 years after seizing power in a coup in 1967.

The Togolese constitution lays the foundation for data protection and explicitly guarantees the protection of personal information, anonymity, and confidentiality of communications. According to article 29 of the constitution, “the State guarantees the secrecy of correspondence and telecommunications. Every citizen has the right to the secrecy of his correspondence and of his communications and telecommunications.”[7]

This article was supported by the Data Protection Act of 29 October 2019,[8] which provides a comprehensive framework for the protection of the individual's privacy and of personal data. This was preceded by a right to information law[9] passed by the National Assembly in 2016, which safeguards freedom of access to public information and documentation.

Although these laws are a major step forward, the absence of the Data Protection Commission,[10] which is the national independent authority responsible for upholding the fundamental right of individuals to have their personal data protected, leads to violations.

Unlawful data-driven measures to mitigate the impact of COVID-19

In times of crisis, such as the current COVID-19 pandemic and its economic and social repercussions, public governance matters more than ever. On 1 August 2020, in its statement on the reopening of the Gnassingbe Eyadema International Airport, the Togolese government urged citizens to download the TOGO SAFE app[11] to supplement the state’s efforts in battling the pandemic. Its download was once pitched as a voluntary step taken by citizens, but a directive now makes this compulsory for travellers and those who wish to do a PCR test. The “success” of contact tracing apps in developed countries such as France has been cited as a reason for the introduction of this app in Togo.

The move has raised questions on the efficacy of the contact tracing app, and of the balancing of the right to privacy and the right to health.

Most epidemiologists and health experts in the country have emphasised the importance of contact tracing in containing the speed at which the virus spreads. However, civil society organisations across the globe and digital rights experts in Togo have argued that effective contact tracing “needs to engender trust and respect human rights.”[12] Frameworks for contact tracing must be evidence-based and, more importantly, align with constitutional thresholds for the right to informational privacy.

In this context, many experts highlighted the violations of the app, and the state’s obligation entrusted by the constitution to preserve the anonymity of the individual in order to legitimately assert a valid state interest in the preservation of public health. First, it must have a legitimate basis. Second, it must pursue a legitimate aim. Third, it should have a rational nexus to the aim. Fourth, there must not be any less restrictive ways to achieve this aim. Fifth, it must outweigh the harm caused to the rights holder.

The TOGO SAFE app failed the very first prong of the proportionality standard because it does not have a regulatory framework to govern its functioning and to ensure procedural safeguards. While the country has a data protection law, the absence of an agency to uphold the law means that regulations, even if they were drafted, cannot be properly implemented. In the absence of these regulations, sensitive personal data collected by this app about the health and movement of a substantial number of the population could be misused for profiling and mass surveillance even after the COVID-19 outbreak is over.

In addition to lacking legislative basis, the app deviates from international best practices for contact tracing apps and fails to comply with data protection standards on the following counts:

• Lack of consent: The use of the app cannot be considered voluntary after the government’s directive. Therefore, there is no scope for people in certain circumstances – i.e. travellers and those who want a PCR test – to refuse consent or opt out.
• Lack of transparency: Unless there is publicly available information about what processes and techniques are followed for aggregation and anonymisation of the personal data collected by the app, it is impossible to ignore the justified worry of re-identification of the personal data collected.
• Lack of algorithmic accountability: The terms of service of the app exempt the government from any liability arising out of the misidentification of an individual’s COVID-19 status. This is highly problematic, as an individual can potentially lose their income and freedom of movement with little recourse in the event of a false positive.
• Unauthorised data sharing: There is no prohibition on the sharing of the personal data with third parties and the privacy policy of the app fails to mention which government departments will have access to the data. Because of this, there exists a risk of sharing such data with law enforcement agencies for punitive purposes.

Law versus practice

Governance arrangements have played a critical role in Togo’s immediate responses to the pandemic, and will continue to be crucial both to the recovery and to building a “new normal” once the crisis has passed.

Through the Data Protection Act, Togo intends to regulate the collection, processing, transmission, storage, use and protection of personal data.

The period of sanitary restrictions to contain the virus was a period during which this law revealed its limits in practice. For example, the collection of data to control the flow of travellers revealed shortcomings in the context of the management of the pandemic.

In this respect, the collection of data by the public authorities is problematic when considering both the principles of necessity and proportionality, while data is also not collected with the informed consent of data subjects.

Necessity

It is appropriate here to ask questions about the need for certain personal data to be collected. This is particularly the case with respect to the health information portal for travellers using Gnassingbé Eyadema International Airport. The portal records data that will be used in the COVID-19 screening test of travellers. This portal collects the same data for all travellers, whether they are leaving the country or entering the country.

In this regard, beyond the information requested on the traveller's civil status and recent destinations, the name of the traveller's father and mother is also compulsory, which is unnecessary information, given that the virus has nothing to do with genetic predispositions to ill health. Even if the virus was hereditary, the request of parents' personal data from travellers is unnecessary.

Furthermore, in the context of the collection of vaccination data, information on the traveller’s profession is also requested, presents risks of non-transparency (what will this information be used for?) and discrimination (unemployed or people from certain professions might be discriminated against). Such information is subject to abuse.

Proportionality

No information is available on the length of time that personal data collected regarding vaccination will be stored and whether it will need to be updated or stored indefinitely for archiving purposes in the public interest, such as for scientific, historical research or statistical purposes. Article 53 of the Data Protection Act offers guarantees against unlimited data retention.

The data collected is also not accessible to data subjects as prescribed by article 39 of the Data Protection Act. In this regard, there is no possibility of data subjects accessing this data or modifying it if necessary as guaranteed by article 46 of the Act.

Of concern, our informal inquiries revealed that data collected by the government was in fact used to feed other government databases. We understand that the data collected was shared for three types of government services, without further information provided.

Data misappropriation

In Togo, all the government agencies that have been collecting people's data have not set a clearly defined agreement for people’s consent. According to the Data Protection Act, processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.

The basic requirements for the effectiveness of a valid legal consent are defined in the Data Protection Act. According to the law, consent must be freely given, specific, informed and unambiguous. However, all government platforms in the country, including the TOGO SAFE app, have no terms and conditions agreements for the data owner to read and approve.

According to the law, for consent to be informed and specific, the data subject must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations, as a safeguard against “function creep”.

Where relevant, the controller has to inform the data subject about the use of the data for automated decision making, and about the possible risks of data transfers in the absence of appropriate safeguards. The consent of the data subject must be bound to one or several specified purposes which must then be sufficiently explained. If the consent should legitimise the processing of special categories of personal data, the information provided to the data subject must expressly refer to this.

The consent must be unambiguous, which means it requires either a statement or a clear affirmative act. Consent cannot be implied and must always be given through an opt-in, a declaration or an active motion, so that there is no misunderstanding that the data subject has consented to the particular processing of his or her data.

The law also requires the data subject must be informed about his or her right to withdraw consent at any time. The withdrawal must be as easy as giving consent.

These guarantees could have been offered to the people in Togo in accordance with the law, instead of directing them to a PDF version of the Data Protection Act, which is a large amount of indiscriminate information that is difficult for the uninformed public to read. Directing people to the legislation governing data clearly does not guarantee that the provisions of the law are observed in the collection and use of their personal data.

There is also a certain lack of transparency in the management of information related to vaccination. To date, there is no open data on the number of vaccines administered in the country.

Failure to regulate the use of artificial intelligence

The legal vacuum on the issue of artificial intelligence (AI) has opened the door to huge disparities in the development of AI-based solutions during the pandemic in Togo. When coronavirus reached Togo in March 2020, the government, like those in many countries, responded with stay-at-home orders to suppress contagion and announced an economic assistance programme to replace lost income. But the way the country targeted and delivered that aid was in some ways more tech-centric than others.

The government launched an aid system called Novissi,[13] meaning “solidarity” in the local Ewe language, developed during 10 intense days of work starting in late March 2020. The payments that the government sent to the population were targeted, and used machine-learning algorithms to identify signs of poverty in satellite photos, and using mobile phone data.

The turn to satellite and mobile phone data was driven, in part, by a shortage of reliable data on citizens and their needs. The government asked researchers at the University of California at Berkeley who specialise in AI to develop an alternative. According to the information obtained, the use of experts from this university made it possible to develop an algorithm that crosses satellite and telephone data to better target citizens in need. 

According to our information, the algorithm was used to determine the vulnerable households that should receive social assistance.[14] The first filter analysed top-down images of the most precarious habitats, the state of roads, the quality of roofs and the frequency of planting.

The second filter, which is most problematic, is the use of the mobile phone data of citizens. The mobile phone data of citizens was collected from the telcos without the consent of the user. Important data such as frequency and duration of calls, amount of airtime, etc. was used by the algorithm. This led to several biases and serious rights violations, because the use of mobile phone data de facto excludes the rural population that does not use mobile phones because they lack the means to do so. The data also does not indicate the real precariousness of the targeted populations given that mobile money services – which was one of the data points collected – are not present in all rural areas of the country.

The issue of the use of AI is unclear in Togo[15] and the absence of a legal framework is likely to open the door to even more serious abuses. Today, innovative solutions are being developed in Togo but are not regulated. A legal framework would help mitigate the rights violations.

Conclusion

The spread of the COVID-19 novel coronavirus and its rapid escalation into a pandemic in the early months of 2020 marked the first truly major, widespread global health emergency of the information age. In Togo there is much interest in privacy given that the country engaged in collecting massive amounts of personal data of citizens in response to the pandemic. The positive steps taken by the government to mitigate COVID-19 demonstrate the importance of regulating data collection and the impact on the privacy rights of citizens. There may be a justification for gathering, storing, processing and sharing personal data – however, COVID-19 must not be a reason for collecting personal data in a way that the data rights of people are infringed.

The lack of clarity in the purpose for collecting a large amount of data in the first place, and what happens to the collected data once the pandemic is over, has become an issue for public scrutiny. Therefore, to allay any concerns and fears in the minds of the public, the onus is on the government to reassure people that their personal information will remain confidential and secure from unauthorised access.

Also, to be prepared for any privacy concerns likely to arise in the long term and to be response-ready to face future health crises similar to that of COVID-19, it is crucially important for the government to develop a framework for emerging technologies that will be readily available to protect individual privacy during a pandemic. It is also critical that it creates the necessary Data Protection Commission, and ensures that it has the capacity to do its job. Any national-level privacy mechanism should provide safeguards and guarantee the protection of privacy of its citizens.

Action steps

The following action steps should be considered for Togo, drawing on the issues discussed in this report.

In the short term:

• The government should immediately create the Data Protection Commission, and provide it with the necessary capacity to oversee the proper implementation of the Data Protection Act.
• A dedicated regulatory framework justifying and guiding the execution of data-driven measures is also necessary. Apps and other data-driven measures should not be deployed in a vacuum of regulatory guidelines. General principles can be helpful to avoid and identify abuses by authorities.
• The government should ensure that whenever the health emergency has ended, systems that have been developed should be terminated and personal data should be deleted. Specific measures developed to manage the pandemic should be time- and purpose-bound. Safeguards should be put in place to prevent mission creep.
• Civil society organisations should work to prevent illegitimate COVID-19-related digital surveillance.

In the medium-to-longer term:

• The government should maintain a human rights-based approach throughout the application of technologies that collect or work with data. Responses have to be non-arbitrary, necessary and proportionate, as well as non-discriminatory.
• Solutions deployed by the government should not be used as a way to illegitimately target specific groups and individuals or violate their fundamental rights.

• The government should make it a fundamental requirement that future apps or platforms that collect personal data have an opt-in clause. In addition, explicit and individual consent is required.
• The government and stakeholders should make sure that data shared through any app or systems should be collected and used solely for legitimate public health goals that must be clearly and specifically described.
• The government should ensure that apps and other systems should collect, process and store as little data as absolutely necessary to fulfil the public health aim. This also means that the purpose has to be clear from the outset.
• The government should also ensure that the development of future data-driven measures should be carried out with accountability kept in mind. This means that governments should be transparent about the policies in place and about what type of data is being collected, by whom, by which means, and how it is being used. Transparency is necessary for people to understand how the data-driven mechanisms operate, which data is stored, and why. This enables individuals to make an informed decision on whether they want to use the app or participate in a data-dependent programme.
• The government should ensure that data-driven initiatives respect the principles of privacy and data protection by design and by default. Any initiative must support data anonymisation, and use state-of-the-art cryptographic techniques, among other measures, to secure data and prevent harm in case of leaks or breaches.

Footnotes