Starting yesterday, 28 September 2020, anyone visiting a bar, restaurant, or café in Vienna must register their name, telephone number, email address, table number, and time and date of visit. At least 5000 gastronomy businesses in Vienna will be required to collect this data or risk paying a fine. What are the consequences?
It is difficult to guesstimate how much data will be collected as a result of this recent decree. According to the Austrian Chamber of Commerce, there are at least 5000 bars, restaurants and cafés in Vienna that will be affected (take-out businesses are exempt). One can (very) conservatively say that on average 50 people will visit an affected establishment (there is no accurate data available on this). This would mean that daily at least 250.000 names and personal details will be collected through the mandatory contact registration requirement. This is an enormous amount of data. The local authorities have not prescribed a way to collect this data. The collection can either happen by providing each guest with a paper form to fill out, or by using a digital app. The data must then be stored for at least 4 weeks by the gastronomer.
There was little advance notice of the new measurement that seems too hastily introduced and not very well thought through. Two questions that beg to be answered are whether the data protection risks we must enter into are proportionate to the supposed protection of our collective health, and is the local government risking inefficiency, breach, and too much burden on the local gastronomer by not specifying the method of data collection.
Does mandatory contact registration protect our collective health?
Yes, especially in a world where every move of every person is minutely detailed, contact tracing is an effective disease control strategy. As soon as an individual has been confirmed to have contracted COVID-19, the personal details of every person they have been in contact with will be made available and that person can then be prevented from infecting further individuals. This however brings to mind frightening Orwellian scenarios that instinctively remind citizens of controlling regimes and scary invasions of privacy. Of course, the current contact registration requirement is not as encompassing, as it “only” requires visitors of restaurants, bars and cafés to give their personal details. Any such data collection, however, raises concerns about the manner of collecting and sharing of data, transparency, storage periods of data, encryption and the risk of breaches. Therefore, it is rather unhelpful when some officials implore visitors to give their details because they already give their personal details to social media and for store loyalty cards. The inhibition to actively give personal data has to do with the fact the contact registration is yet another release of personal data that could potentially be breached, the barrage of conflicting information and lack of consensus relating to the corona virus and how to contain it, interference with the rights to private life, combined with a COVID-19 tiredness after so many months of restrictions.
The question of proportionality is vital and with this question comes the requirement by the authority for the presentation of scientific research to support the invasive practice of contact registration. Without a scientific justification, contact registration becomes just another political move that ostensibly shows an effort is being made in preventing the spread of COVID-19. Unfortunately, extensive browsing of the official website of Vienna and other local official sources resulted in no reference to overwhelmingly clear scientific research that supports contact registration as introduced in Vienna’s gastronomy as a clear necessity in containing the spread of COVID-19. Further online global exploration reveals some research published in the revered medical journal The Lancet, but this more concerns differentiating between conventional and app contact tracing. This just raises further questions. Why for instance can the Viennese gastronomy guest not be trusted to remember where and with whom they have been having a drink or dinner in the past few weeks? There seems to be an obvious lack in proper and clear justification for the mandatory contact registration. First responses* already show that at least 40% of guests are not willing to comply with the new requirements. The consequences for the Viennese gastronomy are still to be seen.
Is the local authority risking inefficiency, breach, and too much burden on the local gastronomer?
Since the introduction of General Data Protection Regulation in May 2018, gastronomy businesses, like every other business, have been required to comply with a range of measurements implemented to ensure the protection of personal data. These measurements include processing personal data securely by means of appropriate technical and organizational measures and storing personal data securely. Of course, the new measurements will require a renewed schooling of the personnel that will be in charge of the collection of the personal data (in case of usage of paper forms) and possibly an increase in secured storage capabilities. As an extra security, especially when data collection happens through paper forms, gastronomers should consider having their personnel sign confidentiality agreements. Furthermore, websites and other places where the gastronomer’s data protection policy is displayed possibly need to be updated in order to specific how the guests’ personal data is processed and stored. Then there is the question of whether the gastronomer will now need to appoint a data protection officer, because of the potentially enormous amount of personal data that it will have to handle. If data is collected digitally, the gastronomer must invest in digital devices that must constantly be disinfected. Or present their guest with the requirement to download an app that they then must use to register their details on, or they use to scan a QR code with. An obvious question that arises from this is: who is responsible for checking whether the guest actually registers their details or scans that code? Reports from abroad already confirm that two thirds of all registrations are useless, because they are either illegible or contain false names.**
What about QR codes?
It is questionable why not a clearer and more streamlined directive has been put in place in how to collect personal contact data. Besides making a form available along with a list of apps that can be used, the gastronomer is left to decide how to perform the burdensome task of collecting the personal data of its guests. All that the local government is interested in, is that the data is being collected somehow. However, should there not be more direction from the authorities when it comes to such sensitive measurements? There have already been a number of enormous breaches discovered in simple, but unsecured IT solutions to collect guest data, such as that of 4 million entries made in the system of Gastronovi in Germany***. Isn’t it the responsibility of any public authority to ensure its measurements can be implemented in the safest way possible for the public? Of course, Vienna has recently been put on numerous infamous red lists and risks an ever-increasing crippling effect of COVID-19 on the local economy. There is a lot of pressure to get off these lists. Instead of rushing through new measurement, maybe the local authority should have for instance made an app available that works with QR codes. QR codes are nothing new. They have been widely used in marketing, banking, and at events for over a decade. Nearly everyone knows how to use QR codes. Now, there is a multitude of apps that gastronomers use in order to gather personal guest data. The guest is left with the burden of having to download multiple apps and review many pages of data protection and terms of use policies. There is definitely room for improvement.
RFID as solution for the Vienna Christmas markets.
The requirement to collect guest data will remain in place until at least the end of the year. If the Christmas markets will be organized as in the past years, contact registration will potentially also become an issue. Radio-frequency identification (RFID) technology has been used successfully at many large-scale events in previous years. Visitors of such events are given a wristband containing RFID tags that contain unique identification information with which payments can be made and entry can be monitored. The unique identification information is connected with the personal information that the visitor has provided upon registration. RFID requires prior registration and a physical chip that can be incorporated in for instance a wristband. It however has the advantage over QR that can be preloaded with money and used for payment.
Both QR codes and RFID are technologies that are readily available and easily implementable. Considering the fact that the Viennese intends to require contact registration in gastronomy at least until the end of the year, the local authorities should step up and provide one solution for all businesses. This would be the most reasonable way to ensure an efficient, safe, viable, and least burdensome way to collect the data of its citizens.
Written by Aisha N. van der Staal and Gregor Wepper