My phone number is now supposed to be shared with the Moscow government, along with the numbers of everyone in the city working remotely because of the Covid-19 pandemic.
My organization asked if I was fine with that, but according to the Moscow authorities, they don’t need my permission and the employers don’t have a choice.
Responding to the rapid spike in Covid-19 cases this autumn, Moscow Mayor Sergey Sobyanin earlier this month ordered all organizations to ensure at least 30 percent of their staff work remotely.
On October 6, the mayor ordered employers to file weekly updates with the city that include remote employee information, such as phone numbers, vehicle registration information, and metro pass numbers. Failure to provide this information can result in fines of up to RUB 200,000 (US$2,600).
Many employers, legal professionals, and activists have criticized the new regulations as infringing on the right to privacy.
In response, the deputy head of the Moscow IT Department claimed that the requested data will be used solely to evaluate the effectiveness of preventive measures aimed at containing the spread of Covid-19.
But mobile location information, which authorities will most likely gather for such analysis, can contain sensitive and revealing insights about a person’s identity, location, behavior, and associations, which governments can use to crack down on populations.
On October 12, three major Russian IT associations sent a joint letter to the Ministry of Information arguing that the requested data should be treated as personal – and according to Russia’s labor law, employers cannot hand over such information to a third party without the employee’s consent.
The Ministry responded that the information could qualify as personal data, but argued that short of declaring a state of emergency, the mayor has the power to introduce ‘a special regime of movement’ in line with the President’s order related to Covid-19, which enables regional authorities to restrict pedestrian and transportation flow. The order does not envisage any data processing safeguards.
While the importance of protecting public health during the pandemic should not be underestimated, the authorities’ response should be legal, necessary, and proportionate. The government should ensure personal data is only collected and used for the Covid-19 response and is subject to full and transparent regulation and oversight.