World Cup privacy concerns
In spite of the criticisms, the 2022 FIFA World Cup officially started in Qatar on the 20th of November, and as expected, news about the tournament has dominated the media and the web over the last month. Newspapers have not only questioned and criticised the lack of transparency and fairness of the entire tournament organisation, but many have also claimed unsafety of work conditions, reporting that thousands of migrant workers that built the stadium lost their life[1].
But what most captured my attention, or rather, my concerns, was the recent warning from a few European Supervisory Authorities (SAs) to their citizens visiting Qatar for the World Cup to bring a blank phone with them in order to download the two tournament mobile applications. Apparently, foreign football fans must download two applications to attend the games; the World Cup app – Hayya, and the Covid-tracking app Ehteraz, which allow fans entry into the football stadiums and access to transportation services.
However, in an interview, data security expert Tom Hansen declared that Ehteraz is able to install an encrypted file which claims to hold a unique ID, QR code, infection status, configuration parameters and proximity data of other devices using the App. Essentially, it is clear that the App is taking data from the end user for more reasons than are expressed by the given consent button[2]“. On the other hand, Hayya permissions include full network access and unrestricted access to personal data. Both apps track users’ locations[3].
In fact, according to experts and the EU SAs, these apps “go much further” in treating users’ data than what is stated in the privacy policy[4]. The Open Right Group exposes that Qatari authorities can use this unchecked access to visitors’ phones to track their every movement, phone, social media contacts, and call history, even after people leave the country[5]. This is probably part of why the France Supervisory Authority, the CNIL, suggested to French football fans travelling to Qatar not only to bring a burner phone to download the App but also to uninstall the App immediately after leaving Qatar.
In a country where homosexuality is illegal, and women must obtain permission from their male guardians—who may be fathers, brothers, uncles, grandfathers, and, when married, their husbands—to exercise many of their basic rights, like marrying someone, travelling or obtaining a government scholarship[6], this sounds even more worrying than in “ordinary” circumstances.
COP27 Privacy Concerns
Another app with similar privacy concerns is the Cop27 official App, which was used in the UN Climate Conference concluded on the 20th of November in Sharm el-Sheikh. Egypt hosted over 25,000 heads of state, diplomats, negotiators, journalists and activists from around the world gathered for this climate summit, and the App was promoted as a tool to help attendees navigate the event. Once installed, the App requests the user’s name, email address, mobile phone number, nationality and phone number. Considering the role of those attending the conferences, the number of participants, and the declared App’s purpose; this is a huge amount of data on some very high profile individuals’ personal information.
According to Politico’s investigation, at the beginning of the conference – 8th of November, the App was already downloaded 5.000 times, and it required sweeping permissions from users before installing it, among others the ability of Egypt’s Ministry of Communications and Information Technology to view emails, locate users and accessing photos; the investigation revealed that “even messages shared via encrypted services like WhatsApp are vulnerable, according to POLITICO’s technical review of the application, and two of the outside experts” [7].
Data Protection in Egypt and Qatar
It is worth mentioning that Egypt introduced the Law on the Protection of Personal Data (‘the Data Protection Law’) on July 2020, reflecting the EU Data Protection Regulation. However, the Executive Regulations for implementing the law have not been issued yet[8].
Similarly, Qatar has a data protection regulation in place, implemented in 2016; however, the EU Commission doesn’t consider it to provide the same level of protection as the EU or UK GDPR. In fact, by reviewing this Regulation, controversial elements can easily be found. For instance, the Ministry of Transport and Communication (MOTC) is responsible for enforcing the provisions of the Data Protection Law, and individuals have the right to complain to the “Department” (which is part of the MOTC). Therefore, the MOTC, through the Department, acts as an administrative /quasi-jurisdictional organisation with the competence to decide on matters regarding the application of the Data Protection Law (or the implementing decisions) and individual rights[9]. Considering that the MOTC is a governance body, it is unclear to what extent this Authority can be deemed truly independent.
With the above in mind, the scenarios in Egypt and Qatar both present a massive, alarming surveillance threats. Governmental access to personal data affects the right to protection of personal data and the broader right to private life, as provided by the EU Charter of Fundamental Rights in its art. 7 and 8, respectively. Furthermore, a deeper analysis of the topic would also show how the breach of these fundamental human rights leads to severe threats, if not breaches, to freedom of information, expression and self-determination, at least. In fact, when people feel that their lives are subject to surveillance, they act differently; they might not fully express themselves, feeling unsafe and unable to make truly independent choices.
Does the GDPR/ UK GDPR apply?
It is unlikely that these surveillance activities would be permitted within the UK/EU. If they were taking place, they would be considered unlawful by the respective regulator. Indeed, following Art.3(2)(b) of the UK GDPR/GDPR, concerning the monitoring of UK and EU citizens, certainly, once back in the UK/EU, the foreign controller/processor will be subjected to the domestic law, should those data subjects still use those apps. As a result, once the app is tracking citizens within the European Union or in the UK, UK/EU residents are protected by the GDPR/ UK GDPR and can exercise their rights.
There are also questions about whether the use of the application, given their mandatory requirement for attendance at games in the World Cup in Qatar would fall under the Art. 3(2)(a) of the GDPR/UK GDPR. Given that World Cup tickets would fall under the offering of a good or service to data subjects in the Union (whilst they were in the UK/ Union when the tickets were offered), if there is considered to be an intrinsic link between the offering of World Cup tickets to the use of the app, then the use of this app may fall under the territorial scope of the GDPR/ UK GDPR. However, such a use and link may need to be tested by a court of law to consider whether the territorial scope would stretch to such uses.
Final Considerations
Considering all of the above, and the level of protection granted by Qatar or Egypt, how can UK or EU citizens travelling to these countries, and using these two mandatory apps, be assured of not suffering massive intrusion? How can British residents be assured that their data will receive the same level of protection while in Qatar?
Under the described scenarios, for UK citizens, it would have been very helpful to receive guidance from the ICO, as it happened in other EU Countries. However, for UK citizens, even if the ICO reported it is aware of the important threats and declared that the potential impacts are being considered, it has yet to release any official guidance.
As reported by the Open Right Group, UK football fans heading to Qatar, particularly those of vulnerable groups, would do well to heed the advice of other data authorities and experts[11].
[1] BBC ignores World Cup opening ceremony in favour of Qatar criticism – The Guardian https://www.theguardian.com/football/2022/nov/20/bbc-ignores-world-cup-opening-ceremony-in-favour-of-qatar-criticism
[2] https://www.theregister.com/2022/11/11/world_cup_security/
[3] https://mashable.com/article/world-cup-ehteraz-hayya-app-privacy
[4] Don’t download Qatar World Cup apps, EU data authorities warn – Politico https://www.politico.eu/article/qatar-world-cup-app-data
[5] ORG Open Right Group: https://www.openrightsgroup.org/blog/ico-fails-to-protect-world-cup-fans/
[6] Human Right Watch, “Everything I Have to Do is Tied to a Man”: Women and Qatar’s Male Guardianship Rules | HRW
[7] https://www.politico.eu/article/cop-27-climate-change-app-cybersecurity-weapon-risks/
[8] https://www.dataguidance.com/notes/egypt-data-protection-overview
[9] https://www.dataguidance.com/notes/qatar-state-data-protection-overview#:~:text=The%20Data%20Protection%20Law%20provides%20for%20the%20right%20of%20the,comply%20with%20the%20precautions%20set
[11] https://www.openrightsgroup.org/blog/ico-fails-to-protect-world-cup-fans/
