People wearing masks walk downtown amid the new coronavirus pandemic in Quito, Ecuador on Monday, June 29, 2020. © 2020 AP Photo/Dolores Ochoa

(Washington, DC) – Ecuador should pass a Data Protection Law to ensure that the use of personal data to contain Covid-19 does not lead to violations of the right to privacy, Human Rights Watch said today.

The Ecuadorean government is collecting and processing the personal data of users to monitor compliance with its quarantine and isolation measures, identify people who may have Covid-19 or may have come into contact with an infected person, and identify places where there are large gatherings. However, Ecuador does not have legislation to protect the personal data the government collects. A draft bill submitted by President Lenín Moreno to the National Assembly in September 2019 is pending before one of the legislative commissions.

“Carrying out Covid-19 surveillance measures without data protection legislation and an independent oversight body poses a huge threat to Ecuadoreans’ privacy rights,” said José Miguel Vivanco, Americas director at Human Rights Watch. “The National Assembly should prioritize debating President Moreno’s proposed bill and adopt a law establishing clear guidelines on the consent needed to collect personal data, as well as limits on processing, using, and retaining the data, including during times of emergency.”

As of June 30, 2020, Ecuador had 56,342 confirmed cases of the novel coronavirus and 4,527 deaths. The actual death toll is estimated to be much higher than the official one.

In response to the Covid-19 outbreak, on March 16, President Moreno issued an executive decree declaring a state of emergency and allowing the government to use “satellite and mobile telephone platforms ... to monitor the location of people in a state of sanitary quarantine and/or compulsory isolation.” This effectively would allow the government to monitor people who tested positive for the coronavirus, those who have been in close contact with someone who tested positive, people with symptoms, and those who are subject to 14 days of mandatory isolation after entering the country from abroad.

In a virtual news conference on March 17, Interior Minister María Paula Romo said that the decree authorized satellite tracking of people suspected of having Covid-19 to ensure they are complying with isolation requirements. She said that the government’s tracking technology can provide information about where a person is located through using the GPS on their smartphones.

On March 19, the Constitutional Court of Ecuador ruled that the decree and its surveillance measures were constitutional. It specified, however, that these technologies should only be used to address the health emergency and track the virus and should not be used to infringe on rights to privacy or nondiscrimination. The court also said the technologies should only be applied to people whom the authorities have specifically established should be in isolation or subject to similar measures and required the government to inform them about the use and scope of these technologies. The court stressed that the government was required to protect the personal data of patients or people whose health was being monitored in connection with the pandemic.

On March 25, President Moreno announced that the national government and its health ministry had developed an application, called Salud EC App, through which users can self-report Covid-19 symptoms. The application connects the patient with a healthcare worker from the 171 emergency phone number created for the Covid-19 crisis or other services provided by the public health system, depending on the severity of the reported symptoms.

To use the application, users must provide their name, year of birth, national identity document, phone number, e-mail, and geolocated address. The scope of information required appears to run counter to the principle of data minimization, under which only the data that is necessary and directly related to the stated purpose of the app should be processed and it should not be held or used for other purposes, Human Rights Watch said.

If the app’s purpose is to allow people to self-report virus symptoms and connect with health services, it is not clear why it would require extensive personal data, like a geolocated address. The app’s terms of use should specify the purpose for which this data is being collected and used and set the default settings to be protective of privacy, not collecting any data beyond what is strictly necessary for the app’s functioning.

The application’s terms of use say the information will be used only under the terms established in its privacy policy, and the data will not be sold, shared, or distributed without the user’s consent. However, the terms of use contain no specific reference to the protection of data such as health and medical information, which is particularly sensitive.

They also say that the health ministry can change the privacy policy at any time, which could allow the authorities to use the data without the user’s consent. The authorities can track a user’s location even when they are not using the app, according to the terms of use. Human Rights Watch has not analyzed the application from a technical point of view, but bases its analysis on an evaluation of its terms of use.

On April 12, President Moreno announced that his government was introducing the “Covid-19 platform,” a database developed by private and public entities under the supervision of the Telecommunications and Information Ministry (MINTEL). The platform analyzes data to monitor compliance with the quarantine, identify people who may have Covid-19 or have come into contact with an infected person, identify areas where there are large gatherings, and direct health authorities to carry out massive Covid-19 tests in these areas.

The information gathered through this platform is shared with national and local authorities, who could potentially share it with law enforcement agencies responsible for enforcing restrictions on gatherings and curfew compliance.

Telecommunications and Information Minister Andrés Michelena said the data the platform analyzes comes from several sources, including calls to the 171 emergency phone number, data obtained from the application Salud EC, phone number information on users provided by cellphone service providers (“big data”), satellite tracking and geolocation of smartphones carried out by MINTEL, and video surveillance by authorities charged with monitoring emergencies through a nationwide camera system.

The minister asserted that information such as addresses, names, or phone numbers would not be revealed, and that the government would use an algorithm to detect the movement of cellphones between mobile phone antennas.

Given that so much sensitive personal data is being collected, aggregated, processed, and shared without specific legal protections, there is a high risk that this initiative could lead to misuse of this data and failures in proper control and handling of sensitive information, Human Rights Watch said. Collecting and aggregating personal data can facilitate tracking a person in real time, which could lead to breaches of privacy or the use of the information for commercial or illegal purposes, such as extortion.

Because the use of surveillance and monitoring technologies inherently interferes with privacy, international human rights law requires the Ecuadorean government to adhere strictly to the criteria of necessity, proportionality, legitimate purpose, and limited duration to prevent violations of the rights to privacy, respect for physical and mental integrity, and nondiscrimination.

The Inter-American Commission on Human Rights has reminded states that during the Covid-19 emergency, data should “only be stored for the limited purpose of combatting the pandemic, and the data must not be shared for commercial or other purposes. Affected people and patients shall retain their right to delete their sensitive data.”

To protect these rights, the authorities should establish clear limitations on with whom and for what purpose the data can be shared, and ensure that data is anonymized, secured, and deleted once the original purpose for its use has expired, Human Rights Watch said. Data collection efforts should include means for free, active, and meaningful participation of relevant stakeholders, in particular experts in the public health sector and the most marginalized populations.