German police has started using coronavirus tracing lists from restaurants for criminal investigations. A look at the limits of the GDPR and other data protection regulations in the face of what everyone alleges is an overriding health crisis.

I realise I had announced at the beginning of the month that I would wind down the coverage of coronavirus-related privacy topics for now. But what can I do? Just when I thought I was out, they keep pulling me back in.

I’ve had issues with the data collection in restaurants and similar establishments from the start and I’ve never really understood how that is possible under the GDPR. But now the police has started using this data – in Hamburg where I live, no less – and I can’t really sit still and not shine a light on this topic. So, for good or ill, here’s another episode of The Private Citizen on COVID-19 and its impact on privacy and personal liberties.

Hoppy Joe This fish looks like me when I’m in a ranty mood so this seems to be the right beer to start a ranty podcast episode with.

The European Commission states on its website about data protection in the EU:

The EU Charter of Fundamental Rights stipulates that EU citizens have the right to protection of their personal data.

Notice the word “right”. Privacy is a right in the EU, not a privilege.

So if this is the case and with broad protections for personal information in place under the GDPR – legislation which the German government pushed and influenced greatly – how come it’s suddenly okay to force restaurants to do mass data collection on their customers? And how come the executive is suddenly furnished with this data, even so we were explicitly told that would never happen? And why is there no huge public outcry about this?

I did read in several places that the GDPR doesn’t apply to records that are kept with pen and paper. But that is clearly nonsense. The GDPR is technology agnostic.

Article 4 of the GDPR says:

“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Which clearly means that the GDPR also applies to paper records that are never processed by a computer system.

Max Schrem’s privacy organisation NOYB now argues:

The GDPR explicitly provides for data processing in the fight against epidemics. Data protection laws must therefore not be “waived”, but simply observed. Articles 6(1)(d) and 9(2)(i) of the GDPR allow, according to the recitals of the GDPR, the processing of data for instance for the fight against “cross-border threats to health” or to combat “epidemics”.

The relevant commentary in the GDPR says:

The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

What I find worrying here is that Schrems, and many other privacy experts and techies, just blankly accept that this data collection is necessary to prevent life-threatening situations. There isn’t even a discussion about that happening. Everyone is in agreement. But isn’t it the job of privacy advocates to push back against this opinion?

Schrems and NOYB say:

The laws provide for the use of data in the fight against corona, but only in reasonable ways. The law limits the use of data to what is absolutely necessary. Together with concepts such as “Privacy by Design” it is possible to develop legally sound apps and systems that help fight this epidemic. So the question is not if it’s possible to use personal data, but how to do this properly.

So collecting everyone’s name and full contact details every time they visit a restaurant is OK? Is it absolutely necessary?

These systems are not meant to guess what advertisements we may be interested in, but to ensure the health of the population. We therefore need specific, accurate and correct information. For a statistic, rough and anonymous data is often sufficient. For attempts to record chains of infection, however, you need highly accurate data – that may be stored locally and encrypted at the users' premises.

The problem is that most of the time the data is not encrypted at all. It’s either stored on paper or, increasingly, digitally. More and more online reservation systems are adding features where guests can scan a QR code and enter their details on a website. And these systems often are very, very unsecure.

Case in point: The startup LunchGate in Switzerland . Their table reservation system forAtable allows anyone to access any private COVID-19-related registration data stored in the system. The IDs in the URL are simply incrementing. Even worse, data isn’t deleted after 14 days as advertised. It seems to not have been deleted at all. According to LunchGate, the vulnerability was fixed immediately after it was reported by the security researchers who found it. Data was kept longer than advertised due to backups, the company claims. The tool is used by 900 restaurants and similar establishments in Switzerland and the data of 200,000 guests was affected.

Hamburg Police Uses COVID-19 Registration Data for Investigative Purposes

But even if a restaurant uses pen and paper to collect this data, it can still be misused. As happened in Hamburg, where I live. When the state governments started requiring people to register for restaurant visits, we were promised the data would only be used to do contact tracing and that only the local health authority was allowed to access it. That is clearly bullshit.

Last week, Hamburg police accessed the guest registrations of the vegan restaurant Loving Hut in Hamburg’s Neustadt . An unknown man supposedly threatened bystanders with a boxcutter. Since the police was looking for witnesses they were ordered by the DA to call everyone on the list and ask if they’d seen anything. One of the guests was an attorney who made the whole thing public via Twitter .

According to Hamburg’s data protection officer, conducting investigations like this is legal. Police is allowed to ask for such data from third parties as a way of finding witnesses. German data protection laws stipulate that data can be accessed “for the prosecution of criminal offences and misdemeanours” but only if those interests “trump the interests of the affected person to keep the data undisclosed”. When asked whether this was the case here, the data protection officer’s office said it didn’t have enough information to decide that.

Not to mention the fact that tests in Hamburg show that at least a third of all restaurants and other establishments that have to keep lists like that aren’t securing them properly and “basically allow anyone access” because the lists are just laying around.

Looking at all of this, one does wonder why we’ve spent all this time and effort to come up with rules and regulations to prevent companies to misuse our data and as soon as the government does it, all these rules are null and void. What good is the GDPR if governments are not held accountable under it? What good are highfalutin statements like “EU citizens have the right to protection of their personal data” if that right is worth nothing as soon as somebody in the government decrees that we are now in an emergency and the data has to be handed over?


Paul Quirk from Canada disagrees with previous reports from another Canadian listener.

I’m from southern Ontario, listening to ep. 21 and found you’ve been fed misinformation. Nobody has been arrested for going outside where I live; my wife and I went for our walk everyday during lockdown. Also, the assault rifle ban wasn’t a power grab, it was debated in Parliament for years and the timing is a coincidence. I still have my hunting rifles, I’m just not allowed to buy an assault gun designed to indiscriminately kill dozens of people in a matter of seconds.

Funny how this happens in a province where someone gave you misinformation about my province. Shouldn’t people have a right to wear a mask? Something to chew on for your podcast.

Martin writes to continue our discussion of conspiracy theories from a previous episode.

I agree that “conspiracy theorist” is an unhelpful term that is often used to downplay actual conspiracies. The term “fantasist” would be more accurate.

I had to laugh when you brought religion into the conversation! Personally I agree that is fantasy too, but there is an obvious difference: you can prove to most sane people’s satisfaction that the Earth is round, man went to the moon, and a birth certificate isn’t a monetary bond. With religion you are off into the realm of philosophy!

As for Cambridge Analytica, yes their actual influence may have been small and limited to extremists but I mentioned them only in passing because it’s only part of the picture. All these things are connected, whether it be Qanon, sovereign citizens, the alt-right, etc. You often find the same people falling victim to a lot of the same stuff – up to and including Trump! It is disturbing how widely it spreads through social media. Also, I have to say one of the sovereign citizen “fantasists” I’ve been speaking of is a highly qualified engineer. Many intelligent people have fallen victim to cults. All human beings suffer from critical thinking failures, so I’m not sure I agree that education is really that much protection!

I’m not going to get into the FBI entrapment plot thing you mentioned as it would be a whole other email! Suffice to say I’m well aware of the dirty tactics that get employed and when you consider up to half of the IRA high command were actually undercover British agents, it might put what happened to Alex Salmond into some context!

Fadi Mansour gives us another boots-on-the-ground report from the Czech Republic:

The government has relaxed the restrictions, and borders to neighbouring countries have been opened. Masks are not mandatory anymore in closed spaces, but are still encouraged. The metro is an exception, and it’s still mandatory to have the mask there.

I see people in general are more relaxed, and last week we had a good time at a nearby lake, and the same number of people as last year were there. At work, there are still measures, so I have to have a mask when at the premises, but most people are still working from home (still an option), and there are still required “kurzarbeit”.

But in the news you find stories about the number of infections getting higher: at one point it was less than 100 infections per day, then it went back to around 250.

And I had to laugh when I read there on the government’s page about COVID-19: “Current information on Covid-19 caused by the Chinese coronavirus on the website of the Ministry of Health” (emphasis mine). I like that here they don’t mind being politically incorrect.

He also sent me another message with some very thoughtful comments on my discussion with Mike on the most recent episode of the podcast.

Thank you again for the interesting discussion. Actually I had to re-listen to the episode again in order to remind myself of the feedback points. It was an interesting conversation with Mike, so for sure it would be nice to listen to another one.

The question was raised during the conversation about what media to consume and how. I have to say here that Mike’s expectation of a magical pure source that someone can listen to and find the “Truth”, will never be. My point of view could be similar to what you where trying to describe: that the “Truth” have to be sought “between” the lines from different sources.

I believe that it’s a fact of life, that we have to recognize and live with: that nobody have the “Truth”, but only some partial information, that maybe if collected into a Whole would be the “Truth”. But this would be almost impossible to do. You mentioned the trouble with eye-witnesses, and there are other factors and personal biases that makes any source of information somehow questionable.

My strategy is that, first, we need to acknowledge this, and second, to collect as much as possible different views (you mentioned this in the conversation), to somehow build an understanding.

At some point, you used the term “plausible”. This is something that I tend to use also. My strategy is that, I listen to different sources, and based on information that I already have, to assign the information some plausibility score, and try to keep this in mind. Factors such as consistency and “trust” in the source all play a factor in this score, and the important thing is that I try to avoid to think in absolutes.

Mike commented that many people are not “this reflective” (when thinking about information sources). This might be correct, but this is exactly why it’s important to try to remind people to start to think for themselves, and be wary when they ‘Off-load" their thinking to external entities that might not have their best interest in mind!

Another point raised by Mike is what he called “your anchor”: Personal Freedom. Here again, I cannot but agree with this: at the moment, I am no longer able to think about morality in other terms: When is it moral to encroach on personal freedoms? So I would love to understand what could be another “anchor”. For example, I understand that traits such as compassion are needed: But can it be “forced”.

To jump to another topic: During the discussion you mentioned the case when in some cases people have only one “governmental” source of information, and you used the term “trust” here. That absence other sources, people somehow have to “trust” this source. I would disagree with this. People might be forced to “use” this source, as it’s the only one available, but I would avoid to say that they “trust” it. (Some would though.)

I hope I didn’t ramble too much, in any case, let me finally just confirm your suspicion. Out of personal experience: having a child of your own will definitively change your brain chemistry.

Continue to misbehave!

If you also have thoughts on the topics discussed in this or previous episodes, please feel free to contact me.

Toss a Coin to Your Podcaster

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

You can also support the show by sending money to via PayPal, if you prefer.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.

Aside from the people who have provided feedback and research and are credited as such above, I’m thankful to Raúl Cabezalí, who composed and recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

But above all, I’d like to thank the following people, who have supported this episode through Patreon or PayPal and thus keep this show on the air: Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Georges Walther, Dave, Rasheed Alhimianee, Butterbeans, Kai Siers, Mark Holland, Steve Hoos, Shelby Cruver, Vlad, Fadi Mansour, Jackie Plage, 1i11g, Matt Jelliman, Joe Poser, Philip Klostermann, ikn, Dirk Dede, Dave Umrysh, David Potter, Mika, Vytautas Sadauskas, RikyM, drivezero, Martin, Jonathan Edwards, Barry Williams, Silviu Vulcan and S.J.