Armenia’s parliament on March 31, 2020 passed amendments giving the authorities very broad surveillance powers to use cellphone data for tracking coronavirus cases, Human Rights Watch said on Friday. The amendments impose restrictions on the right to privacy and allow the authorities access to confidential medical information related to people exposed to the virus.
As of April 2, Armenia had 663 identified cases of COVID-19. The government declared a state of emergency from March 16 to April 14, imposed a nationwide lockdown on March 26, and took other measures to contain the spread of the virus.
“The Armenian government is facing a public health emergency, and technology has an important role to play in communicating public health messages and promoting access to health care,” said Giorgi Gogia, associate Europe and Central Asia director at Human Rights Watch. “But at the same time, the authorities need to address the ways that using mass surveillance undermines rights.”
Parliament adopted the law on March 31 after voting it down earlier that day.
The law requires telecommunications companies to provide the authorities with phone records for all of their customers, including phone numbers and the location, time, and date of their calls and text messages. The authorities would use that data to identify, isolate or put in self-isolation, and monitor anyone infected with COVID-19 or those who had been in close contact with infected people. The authorities would obtain information by obliging health care providers to report data to the authorities on “people tested, infected, persons having disease symptoms, persons treated in hospitals or persons who had contacts with the patient”
The government says that the law would allow the authorities to collect only phone records, and that they will not have access to the content of customers’ private communications. But such information can contain sensitive and revealing insights about an individual’s identity, location, behavior, associations, and activities, Human Rights Watch said.
While restrictions on the right to privacy to contain the pandemic may be permissible, the government must ensure that such restrictions are lawful, necessary, and proportionate.
The law requires the destruction of call records and other obtained data after the state of emergency ends. However, the government should also consider imposing strict limits on the collection of phone records, the purposes for which they are used or aggregated, and the agencies or officials that may access such information. People should also be made aware when their data has been collected.
The government should also establish stringent security protocols that minimize the risk of data breaches and protect people’s digital safety, Human Rights Watch said.
If the state of emergency persists over a prolonged period, the government should regularly review whether phone records that are no longer relevant should be destroyed. Activists criticized the bill for not being necessary and effective to prevent the virus’s spread.
Armenia’s Ombudsperson has also expressed concerns that the law lacks adequate human rights guarantees.
Armenia’s constitution protects the right to privacy of telecommunications and medical information. International law, including the European Convention on Human Rights and the International Covenant on Civil and Political Rights, also protect against arbitrary or unlawful interference in “privacy, family, home or correspondence.” Armenia is a party to both, but deposited derogations, or exceptions, on March 20, after it declared the state of emergency.
“Armenia’s authorities have been respecting COVID-19 patients’ privacy rights thus far,” Gogia said. “But, so they do not undermine the trust that is needed for an effective public health response, they should explain how they will continue to do so and ensure that these digital surveillance measures are strictly in line with long-established human rights safeguards.”