AI Help Prevent COVID-19

Can AI Help Prevent COVID-19?

Can AI help prevent COVID-19? Can it be used to predict or detect outbreaks, and would this be ethical?

Can AI help prevent the spread of COVID-19? Recently, we released an article on the technological initiatives being put in place across Europe to help control the spread of the novel COVID-19. In our latest vlog series, we aim to explore any AI initiatives which may have been implemented globally in this regard, to what extent AI can help fight this global pandemic, and what the privacy implications of these would be in Europe. As the virus spreads globally, and cases have shown up in over 200 countries worldwide, even more initiatives are popping up around the globe to help combat this pandemic.

Last December, a Toronto based startup, through analyzing the data published on the local newspapers and the information available on the internet, identified a cluster of unusual pneumonia cases happening around a market in Wuhan. Thus, the AI based platform, BlueDot was able to identify what would commonly be known as COVID-19, nine days before the World Health Organisation released its statement informing people of the emergence of this virus, mere hours after health officials diagnosed the first cases of coronavirus. 

Currently, countries like South Korea, using apps which track location data, are able to constantly monitor infected and non infected persons, and their movements. AI can also be used to analyze the way in which the disease is being discussed on social media, to paint a more vivid picture of the impact of the virus. It is no secret that AI can help prevent COVID-19’s spread and flatten the curve, but what are the privacy implications of such measures being used in Europe? Do they fall in line with the GDPR? 

In our latest vlog, part 1 of a two part series on the use of AI in the fight against COVID-19, we explore how AI can prevent or predict the spread of this viral disease:

Be sure to subscribe to our content on YouTube,  to make sure that you catch Part 2.

Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including Data Protection Impact Assessments, AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Dutch DPA Imposed a Fine

The Dutch DPA Imposed a Fine on the Dutch Tennis Association under the GDPR for Illegally Selling Personal Data for marketing purposes.

The Dutch DPA Imposed a fine on the Dutch Tennis Association (The KNLTB) of EUR 525,000, for the unlawful sale of personal data of its members to two sponsors.


The Dutch DPA recently imposed a fine on the Dutch Tennis Association (KNLTB) under the GDPR, for the illegal sale of their members’ information to two of its sponsors. The information shared included personal data such as their names, addresses and genders. This information was then used by the two sponsors, to market offers to these individuals by both phone, and the post. One sponsor purchased the information of 50,000 members, while the other sponsor purchased the data of over 300,000 members. While the KNLTB argued that it had legitimate interest in selling its members data, the Dutch DPA does not agree and believes that financial gain was the basis of the KNLBT’s decision to infringe on the basic rights of its members under the GDPR, by selling their data. 


Previous Fines by the Dutch DPA.


The Dutch DPA had, prior to this most recent fine on the Dutch Tennis Association, imposed two fines under the GDPR. The first of which was ruled against the Dutch UWV (Employee Insurance Agency) in 2018. As a result of the fine the UWV was required to improve its logging security level by October 2019, however this has now been postponed by a year, which could carry a fine of EUR 150,000 per month, up to a total of EUR 900,000. The second fine, imposed on the Dutch Haga Hospital, was because of the insufficiency of their internal security of patient records, resulting in approximately 200 employees having unauthorized access to medical records of a Dutch celebrity, and this person’s private, personal information being leaked to the press. For this, the Dutch DPA imposed a fine of EUR 460,000.


On another note, the DPA has launched an investigation in the past into Facebook’s failure to adequately inform users that their data was being used for targeted advertising. This did not result in a fine, but did inspire a change in Facebook’s personal data policy. 


The Dutch DPA’s Policies for Determining Administrative Fines. 


In an effort to maintain consistency in the fines it imposes, the Dutch DPA has specific policies for determining the level of these administrative fines. Infringements are divided into categories, determined by the relative GDPR article. As reported by the INPLP in their article, the fines imposed based on this policy can be increased or reduced, depending on the following relevant factors: 


  • The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of persons affected and the extent of the damage suffered by them.
  • The deliberate or careless nature of the infringement.
  • The measures taken by the controller or the processor to limit the damage to the data subjects involved.
  • The extent to which the controller or the processor is responsible, considering the technical and organizational measures that had to be taken under articles 25 and 32 of the GDPR. 
  • Previous infringements, where relevant, by the controller or the processor.
  • The level of cooperation with the Dutch DPA to remedy the infringement and reduce the possible, negative consequences of it.
  • The categories of personal data affected by the infringement.
  • The manner in which the Dutch DPA has been notified of the infringement and whether the controller or the processor has reported the infringement.
  • In how far the controller or the processor has complied with any previous measures imposed by the Dutch DPA, as referred to in article 58 (2) of the GDPR.
  • Compliance with approved codes of conduct in accordance with article 40 of the GDPR or with approved certification mechanisms referred to in article 42 of the GDPR.
  • Any other circumstances that may be regarded as aggravating or mitigating factors, such as financial gains realised, or losses avoided, whether or not directly arising from the infringement.


Their general guide for imposing fines it’s based on the following categories, as determined by the corresponding GDPR infringement:


Category Range of Fines  Standard Fine
I €0 to €200,000 €100,000
II €120,000-€500,000 €250,000
III €300,000-€750,000 €525,000
IV €450,000-€1,000,000 €725,000


The fine imposed on the Dutch Tennis Association, KNTLB, was based on a category III infringement and therefore incurred the basic fine for that category; €525,000. So far this year, we reported on two fines issued by the Italian DPA (Garante) on TIM Spa ,and Eni Gas E Luce, for Euro 27.8 million and 11.5 million respectively, and more recently, on CRDNN Ltd, of half a million pounds, by the UK’s DPA, the ICO. 


With officials cracking down on companies which mismanage their data, it is imperative that companies ensure that they are in line with the GDPR, PECR 2003, and the DPA 2018. While this is only the third fine being imposed by the Dutch DPA under the GDPR, the Dutch DPA is the first in the EU to define its own policy for imposing fines, which may inspire other countries to do the same. 


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

technology privacy: COVID-19 pandemic

Technology and Privacy in the Fight Against the COVID-19 Pandemic

With thousands of new cases popping up each day globally, many health authorities are turning to technology in the battle against the global pandemic. But can these apps be used without privacy concerns? What are the links between technology and privacy in the fight against the COVID-19 pandemic?

Several nations within the European Union have very recently announced their intent to use an app that enables contact tracing of anyone who tests positive for coronavirus, and contacting anyone to whom they may have transmitted the virus, therefore it seems there may be strong links between technology and privacy in the fight against the COVID-19 pandemic The Pan-European Privacy Preserving Proximity Tracing (PEPP-PT) initiative brings together 130 researchers from eight countries to develop applications that can support contact tracing efforts within countries. This joint initiative is set to be launched on April 7th. The app is expected to indicate to people whether they are low or high risk based on their contact level with the person who has tested positive and instruct them on whether they should get tested or self-isolated for the two week incubation period, based on their level of risk. The proximity to the infected person is tracked by bluetooth technology or the scanning of QR codes posted in public amenities. The app is also expected to track public places and transit systems used by the infected person, and notify their proprietors to do a decontamination clean up. It has also been suggested that the app be used as a hub for all coronavirus related services like to request food or medication, and it is believed that this will help encourage more downloads. According to the article published in The New York Times, the platform will be designed considering GDPR requirements and principles. Connections made between smartphones on a device will be logged for two weeks using strong encryption and, apparently, only local health authorities, deemed ‘trusted’ persons, could download data in order to notify people at risk of infection.

The UK will be launching its own app close to the time their lockdown is lifted. Sky News reported, based on information sources with close knowledge of the project, that while the app has been in existence for some time, key technical details have only recently been agreed by NHSX, the NHS England innovation unit leading the project. The NHSX intends to appoint an Ethics Board to oversee the project, and the app is intended to exist in line with the GDPR. The digital contact tracing app will operate on an opt-in basis. 

In Spain, three measures will be developed: a self-assessment app, a chatbot and the study of the mobility data gathered by telecommunications operators. While mobility data may be processed relying on public interest in the area of public health, which is one of the legitimate bases covered by the GDPR, according to the Spanish Government, mobility data will be collected and matched in an aggregated and anonymised form. However, considering the  data from telecommunications operators is largely pseudonymised rather than anonymised, the GDPR should still apply. Otherwise, the techniques used and the safeguards applied should be further clarified in order to ensure that said data is indeed anonymised. 

While the use of these apps will be optional for now, this study conducted by researchers at Oxford University’s Big Data Institute concluded that in order for them to be effective at keeping infection rates down, they should be used by at least 60% of a population. The UK NHS is hoping that they get at least 50% of the population on board for their new app which will soon be launched.  A very similar app was used to combat the virus in Asian countries like China, where the app was mandatory to go into the general public. There lies a chance now, that people may be required to present the app and prove that they are low risk prior to being admitted into a very populated area, like a crowded restaurant, or to scan a QR code to be allowed access to certain public areas. 

This technology could help governments to ease off on the conditions of their lockdowns, but one should be aware of the privacy implications of technology like this. “Whereas it may be necessary to give up some privacy in times of this huge pandemic threat, the governments should also reassure people that such measures are proportionate and temporary,” comments Dr Bostjan Makarovic, Aphaia Managing Partner.

What do you think? Would you use this type of apps voluntarily? What would you like to know about how your data is handled before you do?  

Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including Data Protection Impact Assessments, AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

CCPA set to move forward

CCPA set to Move Forward as Scheduled Despite COVID-19 Challenges.

California Consumer Privacy Act (CCPA) is set to move forward, as scheduled on July 1, 2020, despite the challenges presented by the COVID-19 pandemic.


As various states and countries implement lock downs and stay at home orders in effort to deal with the coronavirus pandemic, many events, initiatives and processes are being cancelled, or at best delayed. Many businesses and other organizations have resorted to shutting down, or digitising their operations to cope with the uncertain times. However, for California Attorney General Xavier Becerra, there is no intention to delay the implementation of California Consumer Privacy Act, which is expected to be enforced on or before July 1, 2020. Despite pushback from a coalition, who is asking for this initiative to be postponed, as businesses and organisations focus on dealing with challenges presented by COVID-19, Becerra seems, so far, unmoved. 


The California Attorney General plans to proceed with implementation of the law despite pushback.


An advisor for the California Attorney General affirmed that they are committed to enforcing the law upon finalizing the rules or July 1, whichever comes first, and stated “”We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.” The coalition, which is now comprised of 60 groups, stated “A temporary deferral in enforcement of the CCPA would relieve many pressures and stressors placed on organizations due to COVID-19 and would better enable business leaders to make responsible decisions that prioritize the needs and health of their workforce over other matters.”


The Civil Code allows for an enforcement of the CCPA on July 1, but not prior to that.


According to one of the groups which is part of the coalition “The law, Civil Code Section 1798.85(c), states that ‘The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.’ So that means July 1, period.”

CCPA was approved on September 2018

Initial Proposed Regulations were first published on October 11, 2019 and two sets of modifications, on February 10, 2020 and March 11 2020, have been released since then.

According to Cristina Contero Almagro, Aphaia’s Partner, “one should note that CCPA was approved on September 2018, commencing on January 1, 2020, subject to the publication of the final regulations. This means that businesses have had more than a year so far to adapt their processes to the main requirements of the CCPA”.


Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and CCPA consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.