Disasters and first responders: data protection issues

by

Adriana Peduto and Fabiola Iraci Gambazza

1. Who are the first responders, and what are the main purposes of the project?

Nowadays, first responders’ organisations (“FRs organisations”), such as medical emergency services, firefighters’ departments, law enforcement teams and civil protection professionals, cooperate in order to deal with difficult catastrophic and disastrous situations caused by natural or human factors. In some cases, disasters can be more complex and amplified because of, for example, climate change or terrorist attacks.

The consequences of these events can be enormous for the regions of the European Member States and for the people involved. First responders, through their constant work, try to mitigate the impact of these events and to protect the personal integrity of all the individuals affected.

The ASSISTANCE project[1] (“ASSISTANCE” or the “Project”) follows this background.

ASSISTANCE is a project funded by the Horizon 2020 Programme of the European Commission, in the topic of Critical Infrastructure Protection (Grant Agreement 832576), involving the participation of different companies, experts and universities, as partners of the Project (“Partners”).

The main purposes of the Project are, on the one hand, to increase the protection of the individuals involved in disastrous situations and, on the other hand, to increase the efficiency of the FRs organisations’ interventions.

Indeed, ASSISTANCE elaborates a solution, in particular an SA application as the core of a wider SA platform, capable of offering different configuration modes for providing the tailored information outcome needed by each FRs organisation while they work together, cooperating to manage and mitigate a disastrous event. The solution allows, for instance, real-time video and resource location for firefighters, and evacuation route status for emergency, health services and others, with the use of drones, robots equipped with different sensors, and robust communication capabilities.

ASSISTANCE also makes it possible to improve the FRs’ skills and capabilities, through the establishment of a European advanced training network for the FRs organisations that provides tailored training based on new learning approaches. The training is customised to the FRs organisations’ needs and gives the opportunity to share virtual training environments and exchange experiences.

In order to assess the efficiency of the ASSISTANCE solution, three pilots (“Pilots”), i.e. simulations of disaster events, were organised, reproducing the following scenarios: i) an earthquake in an urban environment; ii) a chemical plant explosion; iii) a terrorist attack in a crowded environment.

The ASSISTANCE solution, including all the technologies developed, such as the SA platform, the drones and the robots equipped with sensors, may involve, during their use, also in the Pilots, the processing of personal data and, therefore, may have an impact on the rights and freedoms of individuals. For that reason, an assessment of the legal and ethical aspects was necessary in order to evaluate compliance with the most relevant EU legal framework.

In particular, regarding the most relevant EU legal framework, the following sources were taken into account to complete the aforementioned assessment:

  • the Treaties of the European Union[2];
  • the Charter of Fundamental Rights of the European Union[3];
  • the General Data Protection Regulation no. 2016/679 (“GDPR”)[4];
  • the decisions of the European Data Protection Board (“EDPB”);
  • the Regulation on Privacy and Electronic Communications (ePrivacy Regulation)[5];
  • the European and national legal framework on drones and other devices;
  • Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (“LED Directive”)[6].

Specifically, this paper aims at reporting the main observations on the privacy aspects analysed during the carrying out of the Project, including the Pilots, and the results of the privacy assessment regarding the impact of the ASSISTANCE technologies on the rights and freedoms of the individuals involved in disastrous events and the consequent rescue operations.

2. Which data are involved?

The first relevant aspect analysed in the privacy assessment of the ASSISTANCE solution is the category of data that the different ASSISTANCE technologies are able to process.

As is known, pursuant to Article 4 (1) of the GDPR, personal data is any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The notion of personal data is based on four elements: i) natural person; ii) any information; iii) identification/identifiability; iv) balance of probability.

Article 4 of the GDPR also provides a specification of different categories of personal data:

  • genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question (Art. 4, (13) of the GDPR);
  • biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data (Art. 4 (14) of the GDPR);
  • data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (Art. 4 (15) of the GDPR).

These data are included in the special categories of data provided for in Article 9 of the GDPR, which also cover data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and data concerning a person’s sex life or sexual orientation. The aforementioned data – as better specified in the next paragraph – can be processed only if additional protective conditions are met.

It is worth mentioning that anonymous data are not covered by the GDPR. Recital 26 states that the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. The GDPR does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

The employment of the ASSISTANCE solution and the related technologies shows that personal data can be collected during a rescue operation.

During the testing of the ASSISTANCE solution in the Pilots, some volunteers participated in order to carry out the aforementioned scenarios. These volunteers were informed about the processing of personal data through an Information Sheet and a Consent Form, providing the following information: i) a description of the Project, its purposes and the Pilot in which the volunteer participates; ii) the information and contact details of the data controller, that is the partner or partners of the Project[7]; iii) the processing of personal data. In all the Pilots, the name, surname and contact information of the volunteer are collected in order to ensure participation in the Pilot. Other data, such as geolocation, data concerning health and body temperature, are collected anonymously. For these data, the partner cannot link the information to the identity of the volunteers. Also, the images captured in photographs and videos are anonymised and cannot be linked to the identity of the individual; iv) the transfer and storage of personal data; v) the exercise of the data subject’s rights.

Indeed, the data involved during the Pilots are: personal data, such as name, surname and contact information, as well as images, videos[8] and in some cases also sound recordings and data concerning the health of the individual, without any link or connection to the identity of the volunteer. Indeed, the direct identification of the individual was possible only on the basis of the name, surname and contact information.

On the other hand, during a real rescue operation, the drones and the robots collect personal data in order to acquire an overall picture of the disaster and allow the FRs organisation to comprehend the extent of the disaster and the impact on individuals and any critical infrastructures involved. In particular, the ASSISTANCE technologies can acquire:

  • the images of the individuals involved in the rescue operations or in the Pilots, captured in photographs or in videos;
  • in some cases, the recording of the voices of the individuals;
  • data concerning health of the individuals, such as the body temperature and, in general, the vital functions.

Taking into account these remarks from a data protection perspective, the ASSISTANCE solution might collect personal data during rescue operations. Indeed, even if the image of the individual or the recording of his or her voice is not directly connected to the identity of the individual, they have to be considered personal data, because an indirect connection to the identity of the individual is possible[9]. Moreover, during the Pilots, other data related to the morphology of the territory concerned, scientific and/or chemical data, and other general information do not fall within the objective scope of data protection legislation, as they are not personal data.

Thus, the conclusion of the assessment is that the ASSISTANCE solution and technologies do process personal data.

3. What is the legal basis for the processing of the personal data?

3.1 Legal basis for pilots and training activities

Since, as stated in the previous paragraph, the ASSISTANCE solution processes personal data, one or more legal bases must be identified.

Indeed, pursuant to the GDPR, personal data can be processed only if a valid legal basis for the processing exists.

Under Article 6 of the GDPR, processing is lawful only if and to the extent that at least one of the following legal bases applies:

  1. consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes [art. 6 (1) (a)];
  2. performance of a contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [art. 6 (1) (b)];
  3. legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject [art. 6 (1) (c)];
  4. vital interest: processing is necessary in order to protect the vital interests of the data subject or of another natural person [art. 6 (1) (d)];
  5. public interest: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller [art. 6 (1) (e)];
  6. legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child [art. 6 (1) (f)][10].

The list in Article 6 of the GDPR does not provide for any priority of one legal basis over another, since all conditions are equivalent with regard to the lawfulness of the processing, except – according to Recital 46 – for the processing of data in order to protect a vital interest, which should take place only when the processing cannot be based on another legal basis.

Therefore, each of the legal bases is valid to legitimise the processing in compliance with the GDPR principles and provisions, although a processing operation could be lawful by virtue of more than one condition.

Specifically, the consent of the data subject is correlated only to the purposes specified, and an assessment of the necessity of the processing is not required, given that the data subject expresses his or her will unequivocally. Conversely, with regard to the other conditions, Article 6 of the GDPR binds the lawfulness of processing to an assessment of its necessity in order to pursue its purposes.

As regards consent, Article 4 (11) of the GDPR provides the following definition: “consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The requirements for the validity of consent are:

  • freedom, which means the absence of constraints in the formation as well as the expression of the consent[11];
  • specificity, that is each expression of will must refer to a specific processing;
  • informed nature, i.e. the required awareness of the data subject about the implications and features of the processing for which his or her data will be used;
  • unequivocality, that is, there must be no doubt with regard to the intention of the data subject, in any form used to give consent.

Moreover, pursuant to Article 7 of the GDPR, the data controller shall be able to demonstrate that the data subject gave his or her consent to the processing of data. The consent may be expressed in any form: if the data subject’s consent is given in the context of a written declaration, the request for consent shall be presented in a manner which is clearly distinguishable from other matters, in an intelligible and easily accessible form, using a clear and plain language. The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on the consent before its withdrawal. Prior to giving consent, the data subject shall have been informed of the right to withdraw his or her consent.

With regard to consent, the EDPB Guidelines 5/2020 on consent under Regulation 2016/679 specify the scope of this legal basis, providing descriptions of specific cases, such as examples in which consent must be identified as the legal basis[12].

With regard to the special categories of personal data – as specified in paragraph 2 of this Paper – Article 9 (1) states that their processing is prohibited, unless one of the following conditions is satisfied:

  • consent: the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject [Art. 9 (2) (a)];
  • employment and social security: processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject [Art. 9 (2) (b)];
  • vital interest: processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent [Art. 9 (2) (c)];
  • safeguards and social protection: processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects [Art. 9 (2) (d)];
  • data manifestly public: processing relates to personal data which are manifestly made public by the data subject [Art. 9 (2) (e)];
  • defensive and investigative activities: processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity [Art. 9 (2) (f)];
  • public interest: processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject [Art. 9 (2) (g)];
  • public interest and national and regional health system: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 [Art. 9 (2) (h)]; and processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy [Art. 9 (2) (i)];
  • statistical, historical and scientific purposes: processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject [Art. 9 (2) (j)].

Furthermore, concerning the legal basis, alongside the GDPR, the Law Enforcement Directive (“LED”) must be analysed.

Specifically, the LED applies to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Its scope is the processing of personal data wholly or partly by automated means, and the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Under the Directive, personal data shall be processed lawfully only for the purposes listed above. Conversely, if the purposes are different from those specified in the Directive, the GDPR will apply instead.

In the context of the Pilots and training activities, as specified above, volunteers participated in order to help implement the scenarios. Indeed, through their participation, the actual functioning of the ASSISTANCE solution, including the SA platform, drones and robots, was tested, verified and assessed. Therefore, during the Pilots, using the aforementioned technologies, the volunteers’ data were collected and processed.

Before each of the three Pilots, the volunteers received an Information Sheet in which – as explained in paragraph 2 of this Paper – all the information related to the processing of data was specified, including the legal basis for the processing.

Specifically, the Information Sheet provided detailed information about:

  • the ASSISTANCE project, i.e. a description of the Project and its purposes;
  • the Pilot in which the volunteer participates, i.e. a description of the Pilot, including the scenario, the place and the date on which the Pilot takes place;
  • the information and contact details of the data controller. Pursuant to Article 4 of the GDPR and the privacy structure of the ASSISTANCE Project, the data controller is the partner leading the Pilot, which is interested in collecting and processing the personal data of the volunteer;
  • the processing of personal data. In all the Pilots, the name, surname and contact information of the volunteer are collected in order to ensure participation in the Pilot. Other data, such as geolocation and, where collected, data concerning health and body temperature, were collected anonymously. For these data, the partner cannot link the information to the identity of the volunteer;
  • the images, videos and sound recordings, which were anonymised and therefore not linked to the identity of the individual;
  • the transfer and storage of personal data, specifying that the data could be transferred only to comply with a legal obligation and are stored for the duration of the Project;
  • the exercise of the rights provided for in Articles 15-20 of the GDPR, such as access to personal data, rectification, erasure etc.

A Consent Form was also given to the participants, aimed at collecting the following statements, providing evidence of the participant’s agreement, including:

  • a statement of declaration to have read the Information Sheet and to have had the opportunity to ask questions;
  • a statement of agreement to participate;
  • an authorisation to take and use images, videos and sound recordings during the Pilot and for the purposes of the ASSISTANCE project.

Thus, in an overall assessment of the practices adopted by ASSISTANCE, the Information Sheet was an adequate measure to inform all the volunteers about the processing of their personal data, pursuant to Article 13 of the GDPR, and the Consent Form also adequately provided evidence of consent to participation and to the collection of images, videos and sound recordings, pursuant to Articles 6 and 7 of the GDPR. Indeed, the participants were informed about the voluntary nature of their participation, the degree of risk and burden involved in participating and the procedures that would be implemented during the Pilot scenarios. The participants were also informed of the possibility to ask questions and receive understandable answers before deciding to participate in the Pilot.

From the legal basis perspective, the legal basis for the processing of personal data could be identified in:

  • art. 6 (1) (a) (consent), in conjunction with art. 9 (2) (a), with regard to images, videos and voice recordings, in order to collect a general picture of the simulated disaster event;
  • art. 6 (1) (b) (performance of a contract), with regard to the collection of name, surname and contact details in order to allow participation in the Pilot.

The privacy structure adopted by ASSISTANCE was deemed to be compliant with the GDPR and the EDPB guidelines. In particular, ASSISTANCE required a first agreement to participation in the Project and also an authorisation to take and use images, videos and sound recordings. Indeed, in both cases, the legal basis has to be considered proper and in line with the specific purposes of the processing.

In particular, in light of Articles 6 and 7 of the GDPR and art. 9 (2) (a), consent is deemed to be the legal basis required in case of processing of images and biometric data. On the other hand, in order to participate in the event, it could be sufficient to inform the participant about the voluntary nature of participation. The request for a specific authorisation to participate constitutes, in terms of accountability, an additional measure to ensure that the participant is fully informed and aware of the Pilot and of his or her participation.

3.2 Legal basis in case of disasters (natural or man-made)

In emergency contexts, full compliance with data protection legislation needs to be coordinated with the need to act in time and effectively. In these circumstances, the legislator is first and foremost asked to strike a balance between opposing rights and interests, i.e., the right to data protection and privacy on the one hand, and the right to life and physical integrity on the other. These considerations led the European and national legislators to devise a specific legal basis in the context of the processing of personal data necessary to safeguard the vital interests of natural persons.

Pursuant to Article 6(1)(d) of the GDPR, the processing of personal data shall indeed be lawful where it proves “necessary in order to protect the vital interests of the data subject or another natural person”. Additionally, concerning the special categories of data, Article 9(2)(c) of the GDPR provides that the processing of such data is lawful if it is “necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”, thereby limiting the application of such a requirement to cases where it is impossible to obtain the consent of the data subject.

On this issue, the Article 29 Working Party (the “WP29”) had already expressed its views before the GDPR came into force, analysing the corresponding provisions of the then applicable Directive 95/46/EC. In fact, in its Opinion 06/2014, the WP29 noted that the Directive (as indeed Art. 6(1)(d) of the GDPR) did not specify precisely whether the threat to a natural person’s life had to be immediate or not[13]. This raised some questions as to how and when personal data may be collected and processed on the legal basis outlined above. In this respect, the WP29 had already clarified a general principle, namely that the consent of the data subject should be sought whenever practicable. Consequently, a restrictive interpretation of the relevant provision was (and is) to be given, limiting the applicability of the legal basis in question to cases of life and death, when the data subject is unable to give consent to the processing, or when the process of obtaining consent is likely to delay a data processing that, if timely, could save his or her life.

This approach appears to be confirmed by the text of Recital 46 of the GDPR, which states: “the processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters”.

As a result of the assessment of the technology used in the Project, as well as the feedback from the Pilots conducted, it was found that the practical circumstances in which interventions are needed are precisely those covered by the provisions under review (e.g. natural disasters, such as earthquakes, landslides or floods, and man-made disasters, such as terrorist attacks)[14]. It follows that, with the exception of remote cases in which it is possible to obtain the consent of the data subject, in the vast majority of cases the processing of data underlying the operations referred to in the Project may lawfully be founded on the legal basis of safeguarding vital interests.

4. Privacy by design and privacy by default in the designing of platforms and tools

In the evaluation of the ASSISTANCE solution from a data protection perspective, the principles of privacy by design and privacy by default must be analysed.

Article 25 of the GDPR sets out the conditions that the data controller, in fulfilling the obligations of accountability, shall necessarily take into account.

Moreover, Article 25 of the GDPR also defines the timing of this fulfilment, which leads back both to a preliminary phase of the processing, in which the controller is in charge of organisational and decision-making choices such as the design of the means to use (so-called “privacy by design”), and to an operational moment, i.e. that of the concrete performance of the operations in which the processing itself is carried out (so-called “privacy by default”).

According to Recital 78, this approach also affects the stages of developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task. For this reason, developers of products, services, and applications (such as platforms and tools) should also be encouraged to take the right to data protection into account when developing and designing such products, services, and applications and, with due regard to the state of the art, to ensure that data controllers and processors can fulfil their data protection obligations: privacy by design is thus intended to ensure that data protection safeguards are not underestimated either in the initial design of processing systems or in their subsequent operation and development.

Paragraph 2 of Article 25 explains the principle of privacy by default, which requires the data controller to take specific measures to ensure fair data processing, tailored to the quantity and quality of personal data collected, as well as the period of storage and accessibility. In fulfilment of the obligations posed by this Article, the data controller will then have to ensure that, by default, only the personal data necessary in relation to each specific purpose of processing are processed and that the amount of data collected and the duration of their storage do not exceed the minimum necessary for the purposes pursued.

With regard to the principles under comment, the EDPB published Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, which provide guidance on how to effectively implement the data protection principles by taking into account a series of elements when selecting and implementing the necessary technical and organisational measures[15].

In this regard, the EDPB points to a variety of elements that must characterise the development of new technologies, including the compatibility of any purposes subsequent to the original purpose in order to guide relevant changes in design, predetermination (i.e., the need for purposes to be identified prior to the design of the processing), and periodic review (necessary to assess whether, during the course of the processing, the data that are the subject of the processing remain indispensable for the achievement of the intended purpose).

The Guidelines recommend using aggregated data whenever possible, as well as pseudonymisation of data, which is explicitly mentioned in the letter of Article 25.

In the development of new technological platforms and tools, then, the EDPB mentions the importance of verifying the source of the data used, as well as the measurability of accuracy, as a means of avoiding false positives and negatives (e.g., in the context of automated decision-making and artificial intelligence).

Within the scope of Project development, personal data were processed following an approach based on the principles of privacy by design and by default described above. In particular, since the early proposal phase, ASSISTANCE has assessed all data protection issues related to the implementation of the Project, including by circulating specific questionnaires on the processing activities that the Partners, as autonomous data controllers, would carry out.

Moreover, this approach was also used in the development phase of the Pilot, in which constant discussion among Partners was decisive in ensuring proper processing of the data, in compliance with applicable European and national regulations, also with reference to the issue of data retention, managed as further detailed in paragraph 5 of this Paper.

 

5. Retention of the data collected within the project

The most critical privacy aspect is the retention period of the data collected not only within the Pilot, but also, and in particular, in the use of the ASSISTANCE solution in a rescue operation.

Article 5 (1)(e) of the GDPR provides the so-called principle of “storage limitation”, requiring that data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Once this retention period expires, the GDPR allows for the further retention of data only for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the appropriate safeguards for the rights and freedoms of data subjects prescribed by Article 89(1) of the GDPR and implementing appropriate technical and organisational measures to protect those rights and freedoms.

With reference to data retention, Recital 39 of the GDPR is also relevant, establishing a significant connection between the principle of minimisation and the principle of storage limitation.

In particular, in the Recital’s perspective, the principle of storage limitation is a corollary of the principle of minimisation, and in this regard the data controller is required to define a deadline for erasure or for periodic review of storage.

On this point, the GDPR does not prescribe fixed retention periods. Data controllers instead set their own deadlines based on the purposes for which the data are processed, on the one hand, and any regulatory or legal requirements for retaining them, on the other. Once a purpose expires, the data processed for it must be deleted.

Anonymising data so that it is no longer «in a form which permits identification of data subjects» is an alternative to erasure.

In the light of the above, it is clear that the rules on the protection of personal data cannot be applied to information which does not allow the identification or identifiability of the person to whom it relates, since this element is the very core of the concept of “processing of personal data”. In this regard, as already highlighted above, Recital 26 of the GDPR states that “(…) the principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”.

The Regulation does not provide a definition of “anonymisation”, but merely gives a definition of “pseudonymisation” which is «the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person» [Article 4 (5) GDPR].

According to this definition, “anonymisation”, by contrast, means an operation that irreversibly prevents data from being linked to the data subject.
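To make the distinction drawn above concrete, the following Python sketch (an added illustration, not code from the paper or from the ASSISTANCE project) keeps the “additional information” of Article 4(5) in a vault separate from the record store, attaches a retention deadline to each record at collection time, and runs the periodic review: expired records are erased, or, where Article 89(1) statistical use is foreseen, anonymised by destroying the link to the subject. The two classes, the record fields and the sample identifiers are assumptions of this example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Record:
    pseudonym: str         # the only subject reference the record store ever holds
    payload: dict          # substantive data; must itself be non-identifying if archived
    expires_at: int        # retention deadline (Unix seconds), fixed at collection time
    statistical_use: bool  # may survive expiry in anonymised form (Art. 89(1))

class PseudonymVault:
    """The 'additional information' of Art. 4(5): the sole link between pseudonyms and
    real identifiers. Assumed to run as a separate, access-controlled service."""
    def __init__(self):
        self._by_id, self._by_pseudonym = {}, {}
    def pseudonymise(self, identifier: str) -> str:
        if identifier not in self._by_id:  # one stable pseudonym per data subject
            p = secrets.token_hex(16)      # random, so unlinkable without this table
            self._by_id[identifier], self._by_pseudonym[p] = p, identifier
        return self._by_id[identifier]
    def reidentify(self, pseudonym: str):
        return self._by_pseudonym.get(pseudonym)  # None once the link is destroyed
    def forget(self, pseudonym: str) -> None:
        self._by_id.pop(self._by_pseudonym.pop(pseudonym, None), None)

class RecordStore:
    """Holds pseudonymised records and enforces the storage-limitation deadline."""
    def __init__(self, vault: PseudonymVault):
        self._vault, self.records = vault, []
    def collect(self, identifier, payload, collected_at, retention_seconds, statistical_use=False):
        rec = Record(self._vault.pseudonymise(identifier), payload,
                     collected_at + retention_seconds, statistical_use)
        self.records.append(rec)
        return rec.pseudonym
    def enforce_retention(self, now: int) -> dict:
        """Periodic review: erase expired records, or anonymise those earmarked for
        statistical use by cutting the link to the subject."""
        live = [r for r in self.records if r.pseudonym is not None and r.expires_at > now]
        still_linked = {r.pseudonym for r in live}  # subjects with data still in retention
        kept, erased, anonymised = list(live), 0, 0
        for rec in self.records:
            if rec.pseudonym is None:               # already anonymous: outside the GDPR
                kept.append(rec)
            elif rec.expires_at <= now:
                if rec.pseudonym not in still_linked:
                    self._vault.forget(rec.pseudonym)  # no live record left for this subject
                if rec.statistical_use:
                    rec.pseudonym, anonymised = None, anonymised + 1
                    kept.append(rec)
                else:
                    erased += 1
        self.records = kept
        return {"erased": erased, "anonymised": anonymised, "remaining": len(kept)}
```

The link for a subject is destroyed only when none of that subject’s records is still within its retention period, so an early-expiring record does not anonymise a later one by accident.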

In the context of ASSISTANCE, during the Pilots, the data concerning individuals, as well as the images, videos and sound recordings, have been anonymised from the moment of collection, wherever possible, in order to ensure appropriate security of personal data. In other cases, the platforms used in the Project do not store data, but only collect them in order to view the preliminary consequences of the disaster event. The other data collected were deleted once the Pilot activities were completed. In this context, the only data currently retained are those necessary to achieve project-related purposes, including, inter alia, dissemination of the Pilot’s findings (e.g., images depicting groups of people).

In light of the above, when ASSISTANCE technologies are used in future rescue operations, it must be clear that the retention period for personal data has to comply with the requirements of the GDPR, and that data may be kept only for as long as necessary for the purposes communicated to the data subject. The retention period must also comply with European security regulation, such as the Law Enforcement Directive.

Lastly, an issue related to retention is the possible transfer of data by means of the ASSISTANCE technology. The ASSISTANCE technology enables communication between all operators whose intervention is required to support the rescue operation. If, during a rescue operation, personal data are collected and transferred between the operators, appropriate security measures must be applied in order to prevent any unlawful dissemination of data and the consequent risks to the rights and freedoms of the individuals involved. The transfer of data must be carried out exclusively for the purpose of protecting the vital interests threatened or affected during the rescue operation. Once transferred, the data must be stored only for as long as necessary for that vital interest.

 

6. Policies and recommendations of the unit in charge of the data protection issues

In light of the above outcomes, the conclusion is that the ASSISTANCE solution should be assessed as compliant with data protection regulation, in particular with the General Data Protection Regulation no. 2016/679, the European Data Protection Board decisions, the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) and the Law Enforcement Directive (LED).

Indeed, the ASSISTANCE solution has been developed from the outset taking into account all the privacy issues and questions that could arise in the implementation of the technologies, and has addressed them.

For that reason, following the study and analysis carried out, as well as the design of the Project’s privacy structure, some policies and recommendations can be identified that could be taken into consideration by every unit in charge of data protection issues, in its capacity as data controller:

  • preliminarily, a first recommendation is to conduct an audit to determine what information is processed and whether that information qualifies as personal data, pursuant to Article 4 of the GDPR;
  • once it is established that the information processed consists of personal data, a second recommendation is to identify the legal basis for processing, pursuant to Article 6 of the GDPR, bearing in mind that if consent is chosen as the legal basis, the conditions and limits of Article 7 of the GDPR also apply, and that if the processing involves data falling under Article 9, one of the conditions of Article 9(2) must be met;
  • a third suggestion is to prepare and submit to data subjects a privacy policy, pursuant to Articles 13 and 14 of the GDPR, clearly providing the following information: i. the identity and the contact details of the controller and, where applicable, of the controller’s representative; ii. the contact details of the data protection officer, where applicable; iii. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; iv. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party; v. the recipients or categories of recipients of the personal data, if any; vi. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available; vii. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; viii. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability; ix. where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; x. the right to lodge a complaint with a supervisory authority; xi. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; xii. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  • in order to ensure a high level of data protection, the following recommendations have to be followed: i) to consider data protection regulation at all times, from the beginning of the development of the project, in accordance with the principles of privacy by default and privacy by design, pursuant to Article 25 of the GDPR, and consequently to identify adequate organisational and technical security measures, pursuant to Article 32 of the GDPR; ii) to adopt encryption, pseudonymisation or anonymisation, where possible; iii) to create an internal security policy to be followed by all members of the unit who deal with the processing of data; iv) to evaluate the necessity of a data protection impact assessment, pursuant to Article 35 of the GDPR; v) to implement a policy to be followed in the event of a data breach, pursuant to Article 33 of the GDPR;
  • from an accountability perspective, it is recommended to appoint a Data Protection Officer (“DPO”) pursuant to Articles 37 and 38 of the GDPR; to sign data processing agreements between the organisation and third parties that process data on its behalf as data processors, pursuant to Article 39 of the GDPR; and to assess whether data are transferred outside the European Economic Area (EEA), pursuant to Article 44 of the GDPR;
  • a last recommendation concerns informing all data subjects clearly about the processing of their data and about the exercise of their rights, pursuant to Articles 15 to 21 of the GDPR. The exercise of these rights must be guaranteed through simple and easy means, and the response to the exercise of a right must be given as soon as possible.

Following the aforementioned recommendations, in any case, all the processing of data must be based on the principles of the GDPR, pursuant to Article 5, as listed below:

  • lawfulness, fairness and transparency: the data must be processed lawfully, fairly and in a transparent manner;
  • purpose limitation: the data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is not compatible with the ones communicated to the data subject;
  • data minimisation: the data must be necessary for the purposes of processing;
  • accuracy: the data must be accurate and kept up to date. If some personal data are not accurate, they have to be erased or modified;
  • storage limitation: the data must be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes of processing. Only for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), may the data be stored for a longer period of time;
  • integrity and confidentiality: the data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and/or organisational measures.


[1] https://assistance-project.eu/.

[2] https://european-union.europa.eu/principles-countries-history/principles-and-values/founding-agreements_en.

[3] https://www.europarl.europa.eu/charter/pdf/text_en.pdf.

[4] https://eur-lex.europa.eu/eli/reg/2016/679/oj.

[5] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52017PC0010.

[6] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016L0680.

[7] Pursuant to Article 4(7) of the GDPR, and the privacy structure of ASSISTANCE, the data controller (the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law) is the Partner leading the Pilot, which is interested in collecting and processing the volunteers’ personal data.

[8] See for further details European Data Protection Board, Guidelines 3/2019 on processing of personal data through video devices (2020).

[9] See for instance Kröger – Brase – Pape, Personal information inference from voice recordings: User awareness and privacy concerns, Proceedings on Privacy Enhancing Technologies, 2022(1):6-27.

[10] On this aspect, for further details, see van der Hof – Lievens, The Importance of Privacy by Design and Data Protection Impact Assessments in Strengthening Protection of Children’s Personal Data Under the GDPR, Communications Law 2018, Vol. 23, No. 1, available at SSRN: https://ssrn.com/abstract=3107660.

[11] Recitals 42 and 43 specify the conditions for freedom of consent: “where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC (1) a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”; and “In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance”.

[12] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_it.

[13] https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf.

[14] On this aspect see also Alnemari – Arodi – Rodriguez Sosa – Pandey – Romanowski et al., Protecting Infrastructure Data via Enhanced Access Control, Blockchain and Differential Privacy, 12th International Conference on Critical Infrastructure Protection (ICCIP), Mar 2018, Arlington, VA, United States, pp. 113-125, 10.1007/978-3-030-04537-1_7, hal-02076303.

[15] https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42019-article-25-data-protection-design-and_en.
