TY - JOUR
AU - Ruiz, Alejandra
AB - Key Points In this article, the authors make a quantitative and qualitative study of all the Executive regulations issued during the State of Emergency in Peru, that may have impacted the fundamental rights of privacy, personal data protection, and freedom of expression. Peru represents an emblematic case study. It adopted one of the earliest, lengthiest and most severe lockdowns in the world, together with numerous regulations that restricted their citizens' civil liberties. Unlike other jurisdictions, the implemented measures in Peru did not focus solely on more controversial and technological activities such as mass surveillance, face recognition, and contact tracing mobile applications. Rather, massive collection and use of personal data, geolocation, and mandatory registration as a pre-requisite for mobilization during lockdown are among the most important hazards identified by this research. The research aims to illustrate some of the perils that similar countries may be facing during and after the fight against COVID-19. Introduction On 15 March 2020, Peru became the first South American country and one of the earliest Latin American nations to enter into a full lockdown due to the health emergency caused by COVID-19. The early response by the Government garnered compliments from several health institutions and the international media, which highlighted the prioritization of the health and protection of life of their citizens.1 Shortly after, the poster country for rapid coronavirus response became the paradoxical story of tragedy. Despite having one of the largest quarantines in the world (107 days), Peru soon became the world’s second highest per capita rate of new infections per day,2 its economy dropped more than 40 per cent year-on-year in April,3 and nearly half of the population of the capital city, Lima, lost their job.4 In spite of the unappealing health and economy numbers, Peru’s president, Martin Vizcarra, still got the support of the majority of the population.5 In all, 65 per cent of approval (up to July 2020)6 is a rare standard for Peruvian’s head of states, especially during their terms’ final year. The popularity of the Peruvian Government contrasted with the severity and length of the restrictions to civil rights endured during the State of Emergency. Under the Peruvian Constitution, the President—with the support of his Cabinet—can declare the State of Emergency for up to 60 days, but a new Executive Decree can extend it. During the State of Emergency, the Government can suspend or restrict the exercise of some civil rights, including, personal freedom and security, the inviolability of the home, and freedom of assembly and movement in the territory7 but other constitutional rights, such as privacy and freedom of expression, remain in full force and effect. However, in practical terms, those rights suffered severe limitations during the country’s lockdown. In this article, we propose a deeper look into those restrictions, most of them covered under the dazzling blanket of economic and health regulations. We study the case of the Peruvian Government’s fight against COVID-19 from a privacy (especially, personal data protection) and freedom of expression perspectives, by reviewing all of the high-level regulations enacted by the Executive Branch during the quarantine period. Privacy concerns are not limited to the fairly problematic schemes of mass surveillance, face recognition technologies and contact tracing mobile applications. For the first time, countries adopted parallel strategies of massive collection and processing of personal data. The same applies to regulations with effects on freedom of expression. Some of the exceptional measures approved by governments have had a direct or indirect impact on the continuity of the provision of telecommunications services and news media, the ability of people to communicate massively or in private, and on internet access. However, many of these regulations go unnoticed.8 The burden on people’s privacy also takes a toll on their ability to freely express themselves and engage in private conversations. We consider that some of these risks might be neglected by civil society and the academy even though their effects could be felt long after the health emergency has passed. This is the main reason we decided to take a holistic approach that included a thorough review of the regulations enacted by the Government during the State of Emergency that included privacy (including personal data) and freedom of expression. Our methodology consisted of reviewing and studying all of the regulations enacted by the Government: legislative decrees, emergency decrees and executive decrees issued between 15 March 2020 and 30 June 2020, when the nation-wide quarantine came to an end. After that, we classified the regulations into two large categories depending on the fundamental right that was more (positively or negatively) affected by them: privacy and freedom of expression. In “Executive regulations by numbers” section, we present a quantitative overview of the regulations by the Executive Branch, focusing on some high-level characteristics of the regulations and the impact on some of the above-mentioned rights. In “Privacy rights and personal data protection” section, we study the regulations related to personal data collection and some others with privacy implications, such as contact tracing and geolocation. “Freedom of expression and freedom of the press” section covers freedom of expression and the rules that may have affected private communications and press freedom. Finally, we present the conclusions. While our case study is focused on Peru because of the singularities of its early, prolonged and strict lockdown, numerous similarities will come to light for the keen reader as several countries, especially in Latin America, faced not only the same challenges posed by the pandemic but also the same institutional shortcomings. The emergency caught a number of Latin American governments unprepared, with very limited health resources, and dispersed and outdated information about their citizens, who already struggled with an informal economy. Massive collection of personal data and indirect constraints on freedom of expression became tolerable circumstances for a baffled population that understandably put their health ahead of other rights, without completely acknowledging the risks for the times to come. Executive regulations by numbers Within the scope of the study, it was found that 34 regulations from the Executive Branch were issued during the State of Emergency with an impact on the right to freedom of expression, the privacy of citizens and government transparency. The regulations included 13 Executive Decrees,9 14 Emergency Decrees,10 and 7 Legislative Decrees11 issued under the delegation of legislative powers. The study classified these regulations into two main thematic areas: Privacy and Freedom of Expression. The first category included regulations with a direct or potential impact on the rights of privacy and protection of personal data. Thus, it covers executive regulations with provisions on the collection, storage, management and actualization of personal data, and the creation, sharing and interoperability of personal databases. Those databases are not limited to health information such as detection and diagnosis for COVID-19, but some of them also comprehend information related to geographical location, work occupation, vulnerable age and economic conditions of individuals. Nevertheless, most of the provisions were enacted with the declared purpose of facilitating the management of the health emergency and implementing mitigation measures in favour of the people affected by the virus and the lockdown and immobilization orders taken by the Government. Emergency Decree No. 034-2020 is an example of the type of regulations covered by this first category. While it is not a direct health measure, this decree authorized the Ministry of Labor and Employment Promotion to access, use and process personal databases administered by other public entities for the construction of the ‘Register of households with economically vulnerable independent workers’ which would be created to distribute governmental monetary subsidies.12 The second group comprised regulations with direct or potential impact on people's freedom of expression, including private communications (and their metadata) and freedom of the press. Therefore, this class includes regulations that deal with the continuity of the provision of telecommunications services and news media, facilitate the installation of telecommunications services infrastructure, or limit the ability of people to communicate massively or in private, and that impact on internet access. To illustrate the type of regulations under this category, we can mention Executive Decree No. 44-2020-PCM, which ordered the nation-wide social immobilization with the exception of workers for essential activities including telecommunications services, call centers and mass media.13 Figure 1 shows the frequency of those two categories addressed by the regulations issued by the Executive Branch (see Figure 1). In all, 20 of them related to privacy,14 11 were connected with freedom of expression issues,15 and 3 dealt with both topics.16 Figure 1. Open in new tabDownload slide Regulations issued by the Executive Branch by thematic area of impact. Source: Developed by authors based on Executive Decrees, Emergency Decrees, and Legislative Decrees published on the Official Daily Newspaper ‘El Peruano’ as described in Supplementary Annex A. Figure 1. Open in new tabDownload slide Regulations issued by the Executive Branch by thematic area of impact. Source: Developed by authors based on Executive Decrees, Emergency Decrees, and Legislative Decrees published on the Official Daily Newspaper ‘El Peruano’ as described in Supplementary Annex A. In Figure 2, we divided the executive regulations depending on whether they advanced or protected those fundamental rights (benefits), posed risks for their exercise, or presented a combination of risks and benefits (see Figure 2). Figure 2. Open in new tabDownload slide Distribution of the regulations of the Executive Branch based on the analysis of risks and benefits for freedom of expression and privacy. Source: Developed by authors based on Executive Decrees, Emergency Decrees, and Legislative Decrees published on the Official Daily Newspaper ‘El Peruano’ as described in Supplementary Annex A. Figure 2. Open in new tabDownload slide Distribution of the regulations of the Executive Branch based on the analysis of risks and benefits for freedom of expression and privacy. Source: Developed by authors based on Executive Decrees, Emergency Decrees, and Legislative Decrees published on the Official Daily Newspaper ‘El Peruano’ as described in Supplementary Annex A. We considered a benefit when: (i) the regulation reinforced the exercise of a fundamental right by establishing a specific mechanism to protect said right (such as an administrative or judicial procedure), or (ii) the regulation precluded the possibility of a state or private intervention that could hinder that right (for instance, establishing legal mandates to government entities or private companies to protect those rights). On the other hand, a regulation created a risk for those rights when: (i) it directly derogated or prohibited the free exercise of the right; or (ii) when it limitted the application of a right without complying with international human right standards, more specifically, with the principles of legality, necessity, proportionality and non-discrimination of the Siracusa Principles on the Limitation and Derogation Provisions in the International Covenant on Civil and Political Rights.17 In order to better illustrate the classification criterion, we propose the following example: Emergency Decree No. 035-2020 establishes that if a transgression to the General Regulation of the Quality of Public Telecommunications Services is not attributable to public telecommunications operators during the State of Emergency in Peru, said transgressions would not give place to the application of sanctions against those companies.18 This aspect was considered as beneficial under our assessment because it established a specific safe harbour to promote telecommunications services and, therefore, private or massive communications. The same Emergency Decree ordered telecommunications operators to guarantee the continuity of their services, by rescheduling and fractionating their customers’ invoices during the State of National Emergency.19 Accordingly, citizens were able to use those essential services to communicate; however, in absence of any form of governmental aid, the telecommunications operators suffered a severe financial loss due to this regulation. Consequently, Emergency Decree No. 035-2020 was classified as ‘both’ beneficial and risky. As a result, of the 34 regulations issued by the Executive Branch, 15 contained risks to the fundamental rights of privacy and freedom of expression20 and 5 were beneficial,21 while 14 showed a mixture of beneficial and menacing aspects.22 A detailed analysis and classification of all 34 regulations is shown in Table 1 in Supplementary Annex B (see Supplementary Annex B). Internet access has become essential for people and, in cases of social isolation, it is probably the primary means of communication. Our study identified that 16 out of the 34 executive regulations affected Internet intermediaries. Internet intermediaries involve Internet access providers or service providers connected to the Internet (such as storage, browsers, social networks, search engines, and communication applications). Nevertheless, only one specific regulation involved special duties for online service providers, related to net neutrality (see Figure 3). Figure 3. Open in new tabDownload slide Impact of the regulations of the Executive Branch on Internet intermediaries. Source: Developed by authors based on Executive Decrees, Emergency Decrees, and Legislative Decrees published on the Official Daily Newspaper ‘El Peruano’ as described in Supplementary Annex A. Figure 3. Open in new tabDownload slide Impact of the regulations of the Executive Branch on Internet intermediaries. Source: Developed by authors based on Executive Decrees, Emergency Decrees, and Legislative Decrees published on the Official Daily Newspaper ‘El Peruano’ as described in Supplementary Annex A. We also highlight two other critical aspects of the regulations under analysis. First, 13 out of the 34 regulations enacted during the State of Emergency are not temporary, in spite of the exceptional circumstances under which they were issued (see Figure 4). This aspect is of special importance because it shows that the effects of some of these regulations—and more troubling, some of those which pose a threat to fundamental rights—might long transcend the health emergency. As Richardson and Devine explained, ‘without a transparent deadline for restoring rights and liberties at the end of an emergency, restrictions might easily remain in place’.23 Supplementary Annex B contains a table identifying the date of expiration of the temporary measures, where applicable (see Supplementary Annex B). Figure 4. Open in new tabDownload slide Temporality of the regulations issued by the Executive Branch. Source: Developed by authors based on Executive Decrees, Emergency Decrees, and Legislative Decrees published on the Official Daily Newspaper ‘El Peruano’ as described in Supplementary Annex A. Figure 4. Open in new tabDownload slide Temporality of the regulations issued by the Executive Branch. Source: Developed by authors based on Executive Decrees, Emergency Decrees, and Legislative Decrees published on the Official Daily Newspaper ‘El Peruano’ as described in Supplementary Annex A. Secondly, 30 out of 34 regulations do not expressly provide for a mechanism of external supervision or accountability (see Figure 5). By external supervision or accountability, we mean the participation of civil society or an independent body that could oversee the activities carried out by the Government, especially when they entail a restriction on a fundamental right, which should be necessary, proportional and non-discriminatory, according to international human rights standards. Supplementary Annex B presents a table identifying the external supervisor, where applicable (see Supplementary Annex B). Figure 5. Open in new tabDownload slide External supervision of the regulations approved by the Executive Branch. Source: Developed by authors based on Executive Decrees, Emergency Decrees, and Legislative Decrees published on the Official Daily Newspaper ‘El Peruano’ as described in Supplementary Annex A. Figure 5. Open in new tabDownload slide External supervision of the regulations approved by the Executive Branch. Source: Developed by authors based on Executive Decrees, Emergency Decrees, and Legislative Decrees published on the Official Daily Newspaper ‘El Peruano’ as described in Supplementary Annex A. Unfortunately, in the vast majority of these regulations, there were no provisions related to the participation of civil society or independent public bodies in the execution and compliance of said regulations. Privacy rights and personal data protection ‘The State must have a considerable flow of information in order to perform its functions more efficiently, which includes using personal information of its citizens.’24 This information is needed for a broad range of services directly provided by the Government and for adopting the best policies to better address the public interest. Given this circumstance, it is necessary that the collection and processing of information by public entities be carried out with regard for the fundamental right to protection of personal data. Under Peruvian Personal Data Protection Law, any person, including a government entity, has to obtain the free, prior and informed consent from the data subject to collect its personal data. Additionally, the data controller must put forward the unambiguously determined purpose for the data collection and must implement the appropriate measures to ensure the security of the information.25 However, consent is not required in some exceptional cases, including when data is collected or transferred by public entities for the performance of their functions and when it is necessary, in circumstances of risk, for the prevention, diagnosis and medical or surgical treatment of the data subject.26 During the first weeks of the quarantine, the Executive Branch issued a series of regulations that allowed the collection and transfer of an enormous quantity of personal data and the access of possibly hundreds of public workers to an undetermined number of personal databases that were under the administration of different ministries and other governmental entities, originally for limited purposes. The decrees issued by the Government included both the voluntary provision of personal data by citizens and the unauthorized access to (and sometimes transfer of) personal data databases managed by public bodies.27 In both cases, very few and insufficient regulatory provisions were incorporated to ensure the protection of this information from improper access, undue processing, data breaches and similar hazards.28 Creation, use and access to personal databases One type of regulation enacted by the Peruvian Government entailed the access, processing, and transfer of databases with the goal of identifying the vulnerable population, regarding both COVID-19 transmission and compulsory social immobilization.29 Another purpose of these regulations involved the planning, implementation, and follow-up of governmental actions related to health provision, resource allocation, protection, and adaptation to the needs of citizens.30 For instance, the Government implemented lists and registers to determine the beneficiaries of economic subsidies to help the most economically vulnerable population groups (such as the elderly or low-income population).31 The Ministry of Development and Social Inclusion (MIDIS, for its acronym in Spanish) was in charge of those registers. Additionally, MIDIS and other public entities used a wide variety of other databases (controlled by other public bodies) as input to create the registers for beneficiaries of economic subsidies; therefore, they had ample access to those other databases. For some of those registers, citizens were also encouraged to voluntarily hand over their data to use them as input.32 During the State of Emergency, the Government created at least five different databases applicable to five different types of direct subsidies for distinct groups of recipients, including the ‘I stay at home subsidy’,33 ‘Freelancers subsidy’,34 ‘Rural subsidy’,35 ‘Universal family subsidy’,36 and ‘Police, Military and Penitentiary subsidy’.37 Similarly, health-related integrated systems and single databases containing information of the citizens were developed, such as a single database for suspects of infection with SARS-CoV-238 and an integrated database system used for the implementation and monitoring of activities related to the prevention, control, diagnosis, and treatment of COVID-19.39 In most cases, the Ministry of Health is the one responsible for these integrated systems and administering those databases; nevertheless, it was very common that the regulations would authorize other public bodies to get access to them as well.40 It was not surprising that, in the midst of a health emergency, the Government would need to rely on its citizens’ information to efficiently allocate its resources. Hence, the Government also enacted several regulations that allowed for interoperability41 of databases in possession of public entities,42 access to such databases43 or even the transfer of large amounts of personal data.44 However, after a detailed review of these regulations, we found that a recurring problem in the drafting of these rules was the lack of rigour in describing the purpose of access, processing, and sharing/transfer of personal data and databases. The purpose was not usually described in an express or specific manner. Many decrees included a vague wording allowing an administrative body to access to or transfer of personal databases for the purpose of ‘fulfilling its functions and powers in the context of this pandemic’.45 A similar phrasing included generic goals such as ‘the implementation and monitoring of actions linked to prevention, control, diagnosis and treatment of COVID-19’.46 Exceptionally, the decrees that created the subsidies for different segments of the population did include a more explicit goal, for instance, the evaluation and granting of those subsidies.47 Nevertheless, even those regulations did not lay out the specific processing activities to be carried out with the personal data. Naturally, a broad description of the purpose for which access to, processing and sharing of personal data and personal databases makes it difficult to determine the limits of the entities' power to manage those databases, which could open the door for the inadequate or disproportionate use of them. For instance, the Executive Decree No. 068-2020-PCM states that ‘Te Cuido Perú’ (a cross-sectional working group from the Executive Branch) will implement a digital platform with access to the geolocation of people affected by COVID-19 and of people from their immediate environment.48 In addition, that platform will provide access to ‘other instruments or functional structures that allow clinical follow-up, surveillance, monitoring and other measures that contribute to compliance with the objectives of Te Cuido Perú’.49 This regulation additionally states that Te Cuido Peru is led by the Ministry of Defense and ‘aims to provide surveillance and assistance to people affected by Covid-19 and to people who live with them’.50 It is unclear what type of specific activities would be carried out under these imprecise provisions. Could the Government share this information with health care providers for following up with the patients? Would the Military be able to surveil patients’ residences and enforce quarantine measures on them? Another recurring issue is that the databases used as inputs in the creation of the registers and other unified databases are not properly identified. Thus, it is not specifically determined which personal data and which personal databases would be used under these regulations. For example, some regulations established that a public entity would have access to databases managed by other public entities if they contain relevant data ‘to the health of the population’.51 Likewise, the lack of determination of the period of authorization for the access and processing of personal data is also problematic. Most of the regulations do not expressly state what will happen to the newly created databases once the purpose for which they were developed or shared is fulfilled.52 There are no specific obligations regarding the subsequent handling of data bases. None of the decrees reviewed for the purpose of this study contained concrete measures for the safe removal of transferred information nor is there a guarantee that the exceptional access would be effectively restricted after being used. The table in Supplementary Annex B shows the number of regulations that created new personal data bases or provided access or interoperability to existing personal data bases, and points out the aforementioned shortcomings (see Supplementary Annex B). As provided by Peru’s Personal Data Protection Law and its Regulation, personal data must be preserved assuring its security and only for the necessary time to accomplish the purpose for which it was collected.53 Therefore, the person or entity in charge of processing and managing the personal data has the legal obligation to remove it once (i) the purpose has been fulfilled, (ii) the term for its processing has expired, or (iii) the authorization that enabled its processing has ceased or has been revoked.54 However, in practice, there is no certainty that data handlers will comply with this obligation or that the information has been properly deleted, since the National Authority for the Protection of Personal Data has not actively supervised the fulfillment of this type of obligation, especially with respect to government entities. Some news reports have shown cases of noncompliance by private companies.55 Access to and processing of personal data are necessary to ensure proper planning and implementation of social policies in the context of the health emergency. However, even in the presence of a valid legal authority, there are several measures neglected by the Government—as explained before—that would have otherwise mitigated the risks on people’s privacy. In addition, external oversight measures to prevent the misuse of personal data should have been considered. Unfortunately, none of the aforementioned regulations included such mechanisms. Geolocation The world has been debating for the last couple of months about the effectiveness and privacy concerns posed by contact tracing apps deployed by several countries. Peru has not been absent in this controversy since it started implementing an app of its own in April. ‘Perú en tus manos’ was the name of the mobile application and it was supposed to be a digital tool available for every citizen who voluntarily downloaded the app on their smartphones. As of now (July 2020), the contact tracing features of the app were not fully implemented. A debate between civil society, academy and some public servants ensued on whether the contact tracing strategy would use a centralized or decentralized model.56 However, no final decision has been made, and no contact tracing measures (digital or otherwise) have been deployed so far. Nevertheless, the Peruvian Government did adopt a location tracking measure to some of the citizens that reached out to the health emergency call centers, as explained below. The Peruvian Government issued an Executive Decree57 mandating the telecommunications companies to collect the information reported by citizens through the two health emergency call centers. Those who were experiencing symptoms of COVID-19 could make a phone call to the numbers 107 and 113 to request a medical test or the advice of a healthcare professional. If a person reached any of those phone numbers, according to the executive decree, the telecommunications companies had the duty to collect their information including the historical record of the geolocation of the device from which the call was made, up to 3 days prior to the call, in the event of suspected or confirmed cases of COVID-19.58 According to the regulation, the information provided by the caller would be ‘duly anonymized’59 and shared—through a national interoperable platform—to several governmental authorities, including the Peruvian armed forces and police. However, it does not provide further information about the process of anonymization. The general legal framework for personal data protection in Peru does not set a standard or even recognize best practices for an adequate process of anonymization; it only provides a general definition of the anonymization procedure (‘a type of personal data processing that prevents the identification of the data subject. The process is irreversible’).60 This can be problematic because of the lack of expertise and concern of public entities in protecting personal data, which could lead to sensitive information being exposed to re-identification and other transgressions. Furthermore, there is no active supervision of deletion or anonymization of personal data by the Peruvian National Authority for Data Protection. Nevertheless, when the information provided by the caller refers to suspicious and positive cases for COVID-19, the transfer of information to health authorities would include personal data, the geolocation of the device, and the recording of the communication made to the emergency telephone line. The above-mentioned rule establishes restrictions on the purpose of data processing. For instance, public entities and officials that have access to this data may only use it for the implementation of COVID-19 prevention and control actions, and for the identification and monitoring of suspected or confirmed cases of COVID-19 infection. Nevertheless, the executive decree61 does not indicate the specific uses of such information, as the stated purpose is too broad. It is also unclear whether all other authorized entities will have access to all of the anonymized data. Furthermore, while the regulation states that the data collected will be immediately deleted upon termination of the State of Emergency, it does not set out specific mechanisms for the deletion of information or for ensuring that such deletion will actually take place.62 Freedom of expression and freedom of the press Freedom of expression is a human right that ‘guarantees people (individually or collectively considered) to freely transmit and share their ideas, thoughts, judgments or opinions […]’.63 The exercise of this right is the ‘materialization of freedom of thought through the most varied forms of communication, whether it is oral, written, through symbols, by radio, television or any other modality’.64 This right is an implementation of the principle of human dignity and an institutional guarantee in a democratic society, as it is a way for the community to express opinions and make informed decisions.65 Freedom of the press, in the same vein, is ‘a derivative of the fundamental right constituted by freedom of information. […] In order to be free, the press has to be independent and pluralistic’.66 One of the risks that the pandemic outbreak of COVID-19 could entail was precisely the potential limitation to the freedom of expression and freedom of the press. A general order of immobilization restricts people’s right to protest or perform public demonstrations, and limits the chance to sustain face-to-face conversations outside the home environment, which might be necessary to assure private communications in multiple scenarios, such as dialogues between a journalist and a confidential source. In addition, the mobilization of workers responsible for the telecommunications infrastructure and telecommunications services is indispensable for the provision of media services and interpersonal communication, as the press staff mobilization is needed for the news coverage and broadcasting. Thus, a national lockdown and the general restrictions to the free movement of people could hinder the regular provision of basic telecommunications and media services that are indispensable in a democratic society. Fortunately, the government regulations issued during the State of Emergency expressly declared the continuity of several activities related to freedom of expression, freedom of the press and private communications, such as media activities, telecommunications services and call centers. In addition to this, the Government established specific measures to contribute to the progression of these activities. Continuity of press-related activities Since the beginning of the State of Emergency, an immobilization order was established.67 Every person in the country was forbidden to leave their residences, with the exception of performing some specific activities, such as buying groceries, attending to a health facility, or going to the bank. Nevertheless, workers from essential activities were excluded from this general prohibition. Health care providers, workers in the food supply chain, security, public cleaning and essential utilities, among others, were able to mobilize from home to their respective workplaces and vice versa. The exception also included workers in the telecommunications sectors, and in the press. Notably, this exemption68 expressly comprehended television, radio and print press workers, but not journalists working for online media outlets. This regulation showed a disregard for the non-traditional mass media. Notwithstanding this omission, we learned from interviews with journalists that, in practice, the exemption was available to all types of media. The personnel had to carry a special mobilization pass (certified by the Government and available to be obtained online), their job credentials, and their national identification card to demonstrate their permission to the police authorities who regularly stopped them on the way to their workplace or returning from them. This represented, sometimes, an obstacle to performing their activities since the mobilization pass needed to be renewed every two days, and the webpage to make the renewals frequently went down during the State of Emergency. Another less evident concern with this registration process for the media was the collection of personal data from journalists. Aiming to limit the mobilization of people, workers authorized to get the mobilization pass had to fill an online form containing several personal data, such as full name, identification number, mobile phone number, email, district of residence, occupation, identification of their employer, the district of their workplace.69 Hence, media staff had to reveal their personal information to obtain the pass, as mentioned above. This was the first time that the Government (including the Police and the Military) gained access to a complete database of all journalists and media staff working in the country. Revealing and storing this information might be particularly prejudicial for investigative journalism but can be equally dangerous for media staff in general when it is accessible for the Government, especially for the Police and the Military. Such personal database being mapped by authorities, officers, and agents could expose journalists and media workers to harassment or personal retaliation measures,70 notwithstanding the negative impact that sharing this information with the Government may have on reporters’ activities such as meeting with confidential sources or visiting some locations.71 To this day, it is unknown how the database of the mobilization pass registry was handled, whether some kind of selection or profiling has been conducted and whether it has been deleted since the mobilization pass became ineffective at the end of the national lockdown on 30 June 2020. Continuity and suspension of telecommunications services The suspension of telecommunications services became a concern for the Peruvian Government, since the national lockdown economically hit millions of households, making it harder to fulfill their financial obligations, including the payment of utility bills. In this context, in the first day of the State Emergency, the telecommunications regulator (OSIPTEL for its acronym in Spanish) issued a regulation that temporarily prohibited telecommunications operators from suspending or terminating the public telecommunications services to their clients for non-payment.72 A few days later, the Government issued an Emergency Decree providing that telecommunications companies would have to grant exemptions to facilitate the payment of bills by residential users during the quarantine, such as splitting the monthly bills in larger installments without interest or any further charges.73 Telecommunications services are a vital instrument to freedom of expression as they allow people to freely communicate with each other, as well as to massively disseminate and get access to information.74 Although the above-mentioned measures helped secure the provision of these essential services, they were not supplemented by government measures to ease the financial burdens for private telecommunications operators which experienced a great loss in their incomes and a higher rate of defaults of payment by their customers. Nearing the end of the State of Emergency, the Government amended the above-mentioned decree, resuming the possibility to suspend the phone, Internet and PayTv services in the event of non-payment.75 However, this change was approved when not all economic sectors had been reactivated, which could have created more pressure on people whose economic activities were still suspended due to compulsory social immobilization. To be sure, maintaining the ban on the suspension of services represented a high financial cost for telecommunications operators, which could put at risk their sustainability and, in the long run, negatively affect other users. On a related matter, due to the general social immobilization aimed at stopping the spread of SARS-CoV-2, OSIPTEL ordered the restriction of some telecommunications-related services, such as portability requests, equipment repairs, new sales of services, and equipment.76 These measures represented a heavy economic toll on the telecommunications operators and a large barrier to communication for thousands of people secluded in their homes and working remotely without necessarily having the appropriate broadband and phone services needed for the new and special circumstances. Approximately two months after adopting this measure, the provision of these services was gradually authorized.77 Even though it was permitted to use the telephone and virtual channels to suspend or cancel telecommunications services, and to change between telecommunications services plans or perform remote network repairs, purchasing new phone and internet services was still prohibited.78 The restriction was adopted because the acquisition of these new services required some physical contact between the user and the provider; either to biometrically verify the identity of the acquirer (validating the fingerprint) or to install the infrastructure supporting the new service, which could expose the parties to a potential contagion.79 However, this provision was not only contradictory to the purpose of ensuring the continuity of telecommunications services but also dismissed the growing demand for these services generated by the circumstances of the country’s compulsory social isolation. This situation highlights the anachronism of the requirements for contracting new telecommunications services, like maintaining biometric validation of fingerprints when there are alternatives to identity verification that do not expose customers to personal contact or other risky circumstances.80 Prank calls In response to repeated prank calls to the above-mentioned emergency phone lines during the State of Emergency,81 the Ministry of Transport and Communications decided to temporarily suspend the outgoing voice and data traffic services in the mobile and fix phone lines from which the nuisance calls were made. According to public media reports, malicious calls represented 7 out of 10 received phone calls.82 Although it was justifiable to control and deter these irresponsible83 calls to limit the saturation of the emergency lines, there were some questionable aspects in the implementation of this measure. First, the suspension of outgoing voice and data traffic of the lines used to make these nuisance calls was ordered by the political authority (the Ministry of Transport and Communications) and the telecommunications operators had to comply with the orders, without allowing the subscribers to previously exercise the right to defend themselves after a due process.84 Secondly, the only sanction provided for in the original decree was the suspension of phone and internet traffic for 30 days; therefore, there was no graduality of sanctions. It was not until two months after the measure was implemented that the suspension procedure was finally specified and it established graduality in the sanctions, ranging from written warnings and financial penalties to the total cancellation of the service.85 Finally, it was questionable whether the strictest sanctions (suspension of the services) met the criteria of necessity and proportionality. Depriving users of essential services such as Internet access is even more burdensome in a scenario of compulsory social immobilization and widespread remote working and studying. Conclusions and recommendations It goes without saying that the world health emergency caused by COVID-19 caught national governments off guard, especially, in Latin American countries, where economic informality, poverty, lack of health infrastructure and services, and reduced information posed a greater challenge for their governments’ response. Peru was one of the countries with the most severe civil rights restrictions levied on their citizens with disappointing results in both the health and economics front lines. This quantitative and qualitative case study aimed to contribute by elucidating the numerous regulations that one country enacted during a national lockdown in order to react to the health and economic necessities of their citizens. In spite of the good intentions of the authorities—that gained the support of the majority of the population—, fundamental rights such as privacy and personal data protection and freedom of expression were gravely restricted, with little awareness of civil society, academia, and the media. With regard to privacy, our research shows that the Peruvian Government is not concerned with the protection of their citizens’ personal data and its value. There were broad and imprecise authorizations for the collection, transfer and sharing of massive amounts of personal data, and for the creation, management, access to and interoperability of an undetermined number of personal databases in possession of state entities. Those regulations failed to provide the needed bulwarks to protect this information from improper access, undue processing, data breaches and other types of malicious manipulation of personal data and databases. Additionally, it was necessary that the governmental decrees established concrete orders for the deletion of the information once the purpose of the access authorization had expired. Neither those orders nor an oversight mechanism was put in place in the majority of the regulations. Therefore, we concluded that a large number of the regulations enacted by the Executive Branch in connection with privacy and personal data protection had a negative or risky impact on those rights (14 out of 20 regulations enacted during the State of Emergency), and some regulations (5) had a mix of beneficial and menacing features. On the other hand, regulations with an impact on freedom of expression were generally less worrisome. In all, 7 out of the 11 regulations adopted in connection with freedom of expression, had a mixture of beneficial and menacing aspects, and none were assessed as purely risky. The fact that the Government exempted press and telecommunications workers from the general immobilization order was a positive sign. However, the decisions of the Government were erratic in some aspects of implementation. For instance, it was contradictory that the Government declared the continuity of telecommunications services, but at the same time, it prohibited companies from selling new internet and phone services because it required personal interaction, under some outdated regulations. The restriction on providing more and better telecommunications services during the time of greatest need was indeed staggering. Also problematic was the Government regulation that authorized the Ministry of Transport and Communications to suspend the outgoing voice and data traffic services from phone users that made prank calls to the emergency call centers, without granting them the opportunity of presenting a proper defense or going through a hearing process. Several of the regulations described in this study are still in place after the nation-wide lockdown ended, and quite possibly some of them will remain even after the conclusion of the health emergency. In all, 30 of the regulations included in our study did not put forward an external mechanism of supervision or accountability to make sure that limitations to privacy and freedom of expression were actually necessary and proportionate. In sum, we can conclude that the potentially harmful effects on the rights of privacy and personal data protection were more significant, extensive and repetitive than on freedom of expression. This difference can be explained by the fact that Personal Data Protection Law and its executive regulation are relatively young in Peru as they were enacted in 2011 and 2013, respectively. Public entities are not accustomed to comply with these regulations, and decision-makers show little awareness of the risks of an overbroad and careless processing of personal data. On the contrary, freedom of expression not only has a long history and significance in the country but Peruvian Governments are usually respectful of this right and freedom of the press. In order to correct some of the flaws outlined in our study, we propose that the Government should amend those regulations to: (i) establish specific end dates for the temporary measures that were issued when they included some type of limitation on people’s privacy rights and freedom of expression; (ii) incorporate an external oversight mechanism that includes civil society in order to guarantee the necessity and proportionality of the limitations to fundamental rights approved by the Government; (iii) include specific purposes for the utilization of personal data and databases, according to the principles of necessity and proportionality; (iv) guarantee the sale of telecommunications services via contact-less means of purchase; and (v) respect the due process of law in any procedure that may result on the restriction of any services instrumental to freedom of expression. We hope that this mapping and review of Peruvian regulations during the State of Emergency will contribute to similar analysis in other jurisdictions, and help governments to improve their regulatory practices, and make civil society and academia more aware of some veiled restrictions on fundamental rights. Supplementary Data Supplementary data is available at International Data Privacy Law The elaboration of the article has not received funding, and the authors have no conflict of interest to disclose. The authors would like to thank the Center for Studies on Freedom of Expression and Access to Information (CELE) of the Law School at the University of Palermo for their feedback and for financing the tracking of regulations issued by the Peruvian Government during the State of Emergency. However, the authors bear full responsibility for the analysis and assessment expressed in this article. Footnotes 1 Carlos Escaffi, ‘Perú: cuando los costos no importan y el fin supremo es su gente’ La tercera (Santiago de Chile, 26 March 2020) <https://www.latercera.com/opinion/noticia/peru-cuando-los-costos-no-importan-y-el-fin-supremo-es-su-gente/WJ2KZUPUIRHZ5I7TKGCJFDBK7U/> last accessed 13 October 2020. El Peruano, ‘Cepal destaca medidas de Perú ante pandemia. Multilateral recomienda un nuevo modelo de desarrollo en la región’ El Peruano (Lima, 05 April 2020) <https://elperuano.pe/noticia/93960-cepal-destaca-medidas-de-peru-ante-pandemia> accessed 13 October 2020. TvPerú Noticias, ‘COVID-19: embajador chino destaca medidas adoptadas en Perú’, TvPerú Noticias (Lima, 02 April 2020) <https://tvperu.gob.pe/noticias/politica/covid-19-embajador-chino-destaca-medidas-adoptadas-en-peru> accessed 13 October 2020. 2 Ciara Nugent, ‘Peru Locked Down Hard and Early. Why Is Its Coronavirus Outbreak So Bad?’ (Time, 29 May 2020) <https://time.com/5844768/peru-coronavirus/> accessed 25 July 2020. 3 BBC News, ‘Coronavirus: Peru Economy Sinks 40% in April Amid Lockdown’ (BBC, 16 June 2020) <https://www.bbc.com/news/world-latin-america-53051157> accessed 25 July 2020. 4 Paola Villar and Lucero Chávez, ‘Casi la mitad de empleos en Lima se perdieron y algunos puestos jamás regresarán tras la pandemia’ El Comercio (Lima, 16 June 2020) <https://elcomercio.pe/economia/peru/trabajo-coronavirus-peru-casi-la-mitad-de-empleos-en-lima-se-perdieron-y-algunos-puestos-jamas-regresaran-tras-la-pandemia-inei-covid-19-trabajadores-formal-noticia/> accessed 25 July 2020. 5 Marco Aquino, ‘Peru's Vizcarra shuffles cabinet as pandemic takes toll’ (Reuters, 15 July 2020) <https://www.reuters.com/article/us-peru-politics/perus-vizcarra-shuffles-cabinet-as-pandemic-takes-toll-idUSKCN24G30G> accessed 25 July 2020. 6 Ipsos, Informe de opinión. Gestión Pública (August 2020), p.3 <https://www.ipsos.com/sites/default/files/ct/news/documents/2020-08/encuesta_nacional_urbana_agosto_2020_-_gestion_publica.pdf> accessed 13 October 2020. 7 Political Constitution of Peru, art 137. 8 For instance, the ‘COVID-19 Civic Freedom Tracker’ from the International Center for Not-For-Profit Law only identified three measures adopted by the Peruvian Government to respond to the pandemic that might affect civic freedoms and human rights, as can be seen on the following website: International Center for Not-For-Profit Law, ‘COVID-19 Civic Freedom Tracker’, Peru (2020) <https://www.icnl.org/covid19tracker/?location=98&issue=&date=&type=> accessed 20 October 2020. In contrast, our study identifies at least 34 regulations that affect two fundamental rights. 9 Executive Decrees Nos 044-2020-PCM, 046-2020-PCM, 005-2020-MIDIS, 051-2020-PCM, 004-2020-IN, 053-2020-PCM, 068-2020-PCM, 070-2020-PCM, 075-2020-PCM, 080-2020-PCM, 083-2020-PCM, 094-2020-PCM, and 116-2020-PCM. See complete references in Supplementary Annex A. 10 Emergency Decrees Nos 026-2020, 031-2020, 033-2020, 034-2020, 035-2020, 037-2020, 039-2020, 041-2020, 042-2020, 044-2020, 052-2020, 053-2020, 065-2020, and 074-2020. See complete references in Supplementary Annex A. 11 Legislative Decrees Nos 1468, 1474, 1477, 1478, 1479, 1489, and 1490. See complete references in Supplementary Annex A. 12 Emergency Decree No 034-2020, Final Complementary Provision. See complete reference in Supplementary Annex A. 13 Emergency Decree No 044-2020, arts 2 and 4. See complete reference in Supplementary Annex A. 14 Emergency Decrees No 031-2020, Emergency Decree No 033-2020, Emergency Decree No 034-2020, Emergency Decree No 037-2020, Emergency Decree No 039-2020, Emergency Decree No 041-2020, Emergency Decree No 042-2020, Emergency Decree No 044-2020, Emergency Decree No 052-2020, Emergency Decree No 053-2020, Emergency Decree No 065-2020, Emergency Decree No 074-2020, Legislative Decree No 1468, Legislative Decree No 1474, Legislative Decree No 1489, Legislative Decree No 1490, Executive Decree No 005-2020-MIDIS, Executive Decree No 004-2020-IN, Executive Decree No 068-2020-PCM, and 070-2020-PCM. See complete references in Supplementary Annex A. 15 Emergency Decree No 035-2020, Legislative Decree No 1477, Legislative Decree No 1478, Legislative Decree No 1479, Executive Decree No 044-2020-PCM, Executive Decree No 046-2020-PCM, Executive Decree No 051-2020-PCM, Executive Decree No 053-2020-PCM, Executive Decree No 075-2020-PCM, Executive Decree No 075-2020-PCM, and Executive Decree No 094-2020-PCM. See complete references in Supplementary Annex A. 16 Emergency Decree No 026-2020, Executive Decree No 080-2020-PCM and Executive Decree No 116-2020-PCM. See complete references in Supplementary Annex A. 17 International Covenant on Civil and Political Rights (adopted 16 December 1966, entered into force 23 March 1976) 999 UNTS 171 (ICCPR). Siracusa Principles on the Limitation and Derogation Provisions in the International Covenant on Civil and Political Rights (adopted 30 April-4 May 1984) E/CN.4/1985/4. Under the ICCPR, public health needs can justify limitations on some rights such as freedom of movement, freedom of religion, freedom of expression, right of peaceful assembly, right of freedom of association and right of privacy. Those limitations, nevertheless, shall be construed according to the principles of necessity, proportionality and nondiscrimination. cf Richardson and Devine, Eric Richardson and Colleen Devine, ‘Emergencies End Eventually: How to Better Analyze Human Rights Restrictions Sparked by the COVID-19 Pandemic Under the International Covenant on Civil and Political Rights’ (2021) 42 Mich J Int’l l 6–9. According to Ayala, international standards require those limitations to also be gradual and temporary. cf Carlos Ayala. Retos de la Pandemia del Covid-19 para el Estado de Derecho, la Democracia y los Derechos Humanos. MPIL Research Paper Series No 2020-17, p 3. 18 Emergency Decree No 035-2020, art 10. See complete reference in Supplementary Annex A. 19 Emergency Decree No 035-2020, art 2. See complete reference in Supplementary Annex A. 20 Emergency Decree No 026-2020, Emergency Decree No 031-2020, Emergency Decree No 034-2020, Emergency Decree No 037-2020, Emergency Decree No 041-2020, Emergency Decree No 042-2020, Emergency Decree No 044-2020, Emergency Decree No 052-2020, Emergency Decree No 053-2020, Emergency Decree No 074-2020, Legislative Decree No 1468, Legislative Decree No 1474, Executive Decree No 005-2020-MIDIS, Executive Decree No 004-2020-IN, and Executive Decree No 068-2020-PCM. See complete references in Supplementary Annex A. 21 Legislative Decree No 1477, Legislative Decree No 1478, Legislative Decree No 1490, Executive Decree No 046-2020-PCM, and Executive Decree No 053-2020-PCM. See complete references in Supplementary Annex A. 22 Emergency Decree No 033-2020, Emergency Decree No 035-2020, Emergency Decree No 039-2020, Emergency Decree No 065-2020, Legislative Decree No 1479, Legislative Decree No 1489, Executive Decree No 044-2020-PCM, Executive Decree No 051-2020-PCM, Executive Decree No 070-2020-PCM, Executive Decree No 075-2020-PCM, Executive Decree No 080-2020-PCM, Executive Decree No 083-2020-PCM, Executive Decree No 094-2020-PCM, and Executive Decree No 116-2020-PCM. See complete references in Supplementary Annex A. 23 Eric Richardson and Colleen Devine, ‘Emergencies End Eventually: How to Better Analyze Human Rights Restrictions Sparked by the COVID-19 Pandemic Under the International Covenant on Civil and Political Rights’ (2020) 42 Mich J Int’l l 18. <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3643253> accessed 09 October 2020. 24 Karin Cruzatt, ‘El derecho fundamental a la protección de datos personales: aportes para su desarrollo en el Perú’ (2008) 37 Ius Et Veritas 260. 25 Law No 29733, Ley de protección de datos personales [Personal Data Protection Law], Title I. <http://www.pcm.gob.pe/transparencia/Resol_ministeriales/2011/ley-29733.pdf> accessed 25 July 2020. 26 Ibid art 14. 27 The aforementioned regulations are as follows: Emergency Decree No 026-2020 (art 2), Emergency Decree No 031-2020 (art 4.2), Emergency Decree No 034-2020 (Final Complementary Provision), Emergency Decree No 037-2020 (Second Amending Complementary Provision), Emergency Decree No 039-2020 (art 12), Emergency Decree No 041-2020 (Second Final Complementary Provision), Emergency Decree No 042-2020 (arts 2 and 9), Emergency Decree No 044-2020 (art 9), Emergency Decree No 052-2020 (art 3), Emergency Decree No 053-2020 (art 7), Emergency Decree No 065-2020 (art 7), Emergency Decree No 074-2020 (art 5), Legislative Decree No 1468 (art 6 and the First Final Complementary Provision), Legislative Decree No 1474 (arts 5 and 7), Legislative Decree No 1489 (Amending Complementary Provision), Executive Decree No 005-2020-MIDIS (art 8), Executive Decree No 004-2020-IN (arts 1 and 2), Executive Decree No 068-2020-PCM (art 1), Executive Decree No 070-2020-PCM (arts 3, 4 and 5), and Executive Decree No 080-2020-PCM (art 3). The following sub-chapters are intended to discuss the content of some of these regulations. See complete references in Supplementary Annex A. 28 Those provisions are noted next to each corresponding regulation in footnote 28. 29 See, for example, Emergency Decree No 034-2020 (it authorizes the Ministry of Labor and Employment Promotion to access, use and process personal databases managed by other public entities, such as the ‘General Household Register’, the ‘National User Register’ and other databases with relevant data for the construction of the ‘Register of households with self-employed workers in economic vulnerability’ and the distribution of the corresponding governmental monetary subsidies); Emergency Decree No 026-2020 (it authorizes the Ministry of Development and Social Inclusion to access and process personal databases managed by other public entities, such as the Ministry of Health, the Ministry of Labor and Employment Promotion and others that contain relevant information on the health of the population for the implementation of the ‘Nominated Register of High-Risk Senior Citizens and Persons with Severe Disabilities’ and the aid to be given to said population); and Legislative Decree No 1474 (it provides that every public and private entity must provide information on the elderly to the authorities in charge of the actions for their protection and comprehensive care, as well as the execution and follow-up of said actions during the health emergency). See complete references in Supplementary Annex A. 30 See, for example, Emergency Decree No 042-2020 (it authorizes the Ministry of Development and Social Inclusion to access, use and process of personal databases of private and public payrolls administered by the Ministry of Labor and Employment Promotion and the Ministry of Economy and Finance for the construction of the registry of households benefiting from the monetary subsidy in rural areas) and Emergency Decree No 037-2020 (it designates the Ministry of Economy and Finance and the Ministry of Health responsible for the centralization of the required databases to the prioritization, allocation and implementation of actions that will allow the timely and adequate allocation of governmental resources, in the framework of the Health Emergency). See complete references in Supplementary Annex A. 31 For example, Emergency Decree No 042-2020 created the ‘Register of households benefiting from the monetary subsidy in rural areas in the framework of the COVID-19 emergency’ and Emergency Decree No 052-2020 created the ‘National Registry for COVID-19 measures’. See complete references in Supplementary Annex A. 32 For instance, the National Home Register (‘Registro Nacional de Hogares’). <https://www.gob.pe/institucion/midis/noticias/158790-comunicado-n-019-2020> accessed 13 October 2020, which was created under the Emergency Decree No 052-2020. Particularly, articles 3.2.e and 4.2 of this Decree encourage citizens to enter their information in the National Home Register platform. See complete reference in Supplementary Annex A. 33 Emergency Decree No 027-2020 (arts 2 and 3) and Emergency Decree No 044-2020 (arts 1 and 2). See complete references in Supplementary Annex A. 34 Emergency Decree No 033-2020 (art 3), see complete reference in Supplementary Annex A, and Emergency Decree No 036-2020 (arts 1 and 2). The latter is available at <https://busquedas.elperuano.pe/normaslegales/decreto-de-urgencia-que-establece-medidas-complementarias-pa-decreto-de-urgencia-no-036-2020-1865482-2/> accessed 13 October 2020. 35 Emergency Decree No 042-2020 (arts 1 and 2). See complete reference in Supplementary Annex A. 36 Emergency Decree No 052-2020 (art 2). See complete reference in Supplementary Annex A. 37 Emergency Decree No 053-2020 (art 2). See complete reference in Supplementary Annex A. 38 Emergency Decree No 039-2020. See complete reference in Supplementary Annex A. 39 Emergency Decree No 031-2020. See complete reference in Supplementary Annex A. 40 For example, Executive Decree No 070-2020-PCM (this regulation provides that various public administrative entities must have access through the ‘National Platform for State Interoperability’ to personal and sensitive information of people who call two emergency call centers (107 and 113). The Ministry of Health and its affiliated public bodies would access and manage such registered data which consist—mainly—of an initial national digital triage for COVID-19, aiming to implement preventive actions and to adopt policies in response to the pandemic outbreak, within its powers). See complete reference in Supplementary Annex A. 41 The general legal framework for personal data protection in Peru does not establish specific standards for interoperability. Article 14 of the Personal Data Protection Law establishes that when personal data is collected or transferred for the performance of public entities functions within the scope of their legal powers, it is not required to obtain the consent of the data subject. According to Article 11 of the Regulation implementing the Personal Data Protection Law, this provision includes the processing of personal data that is essential to ‘carry out interoperability between public entities’. Furthermore, the First Final Complementary Provision of the Regulation implementing the Personal Data Protection Law establishes that the definition, scope and content of interoperability, as well as the guidelines for its application and operation in accordance with the personal data protection standards, are the responsibility of the National Office of Electronic Government and Information Technology of the Presidency of the Council of Ministers (ONGEI, for its acronym in Spanish, now Secretary of Digital Government or SEGDI). Ministerial Resolution No 381-2008-PCM approved the ‘Standards and Specifications of Interoperability of the Peruvian Government’, which included a definition of interoperability according to the following: ‘it is the capacity of two or more systems or components to exchange information and to use the information that has been exchanged’ (p 6). Although it was repealed by Resolution No. 266-2019-PCM, we considered that definition for the purposes of elaborating the table in Supplementary Annex. On the other hand, the regulatory framework for State interoperability platforms does not have significant provisions related to data protection but Article 2 of Legislative Decree No 1246 states that in cases where the information or data is protected under the Personal Data Protection Law, Public Administration entities must obtain the express authorization of the users to access said information or data. In other respects, Resolution No. 002-2019-PCM/SEGDI provides that all public entities that make a service available through the State Interoperability Platform (PIDE, for its acronym in Spanish) ‘must safeguard the secure management of the data through the use of secure storage and communication protocols, standard coding algorithms and other pertinent aspects, in accordance with current regulations and good practices that exist in the field of software development, information security and protection of personal data’. 42 See, for example, Executive Decree No 070-2020-PCM (arts 3, 4 and 5) and Emergency Decree No 037-2020 (Second Amending Complementary Provision). See complete references in Supplementary Annex A. 43 See, for example, Emergency Decree No 041-2020 (Second Final Complementary Provision). See complete reference in Supplementary Annex A. 44 See, for example, Emergency Decree No 052-2020 (art 3). See complete reference in Supplementary Annex A. 45 Executive Decree No 070-2020-PCM (art 3), Executive Decree No 068-2020-PC (art 1), Executive Decree No 004-2020-IN (art 2), and Executive Decree No 005-2020-MIDIS (art 8). See complete references in Supplementary Annex A. 46 Emergency Decree No 031-2020, art 4. See complete reference in Supplementary Annex A. 47 See, for example, Emergency Decree No 026-2020, Emergency Decree No 034-2020, Emergency Decree No 042-2020 and Emergency Decree No 044-2020. See complete references in Supplementary Annex A. 48 Executive Decree No 068-2020-PCM, art 1. See complete reference in Supplementary Annex A. 49 Ibid. 50 Ibid. 51 See, for example, Emergency Decree No 034-2020 and Emergency Decree No 026-2020. The first one grants access to the data contained in the personal databases managed by the MIDIS, such as the ‘General Household Register’, the ‘Registry National Users’ and the ‘Register of Households Beneficiaries of the monetary subsidy’, as well as databases administered by the ‘Superintendency of Banking, Insurance and Pension Funds Administrators’, and other databases from public entities that contain relevant data to build the ‘Register of households with economically vulnerable independent workers’. The latter one authorizes the MIDIS to access and process personal databases administered by the Ministry of Health, the Ministry of Labor and Employment Promotion, the Ministry of Transport and Communications, and other databases from public entities that contain relevant information on the health of the population to be registered. See complete references in Supplementary Annex A. 52 See, for example, Emergency Decree No 26-2020 (art 2), Emergency Decree No 31-2020 (art 4) and Emergency Decree No 34-2020 (Final Complementary Provision). See complete references in Supplementary Annex A. 53 Law No 29733, Personal Data Protection Law, art 6. 54 Law No 29733, Personal Data Protection Law, arts 20 and 28. Executive Decree No 003-2013-JUS, Regulation of Law No 29733, art 132. 55 Such is the case of Telefónica, which refused to comply with two court orders that forced it to hand over the traffic calls of the former political candidate Keiko Fujimori, by arguing that the requested information was not available. However, it was later revealed that this information did exist in Telefónica's systems even though it was thought to have been deleted. See: Miguel Morachimo, ‘Qué hacen las empresas de telecomunicaciones con nuestros datos?’ (Hiperderecho, 25 January 2019) <https://hiperderecho.org/2019/01/que-hacen-las-empresas-de-telecomunicaciones-con-nuestros-datos/> accessed 09 October 2020. 56 See, for instance: Miguel Morachimo, ‘Rastreo de contactos digital: presente y futuro en Perú’ Hiperderecho (26 June 2020) <https://hiperderecho.org/2020/06/rastreo-de-contactos-digital-presente-y-futuro-en-peru/> accessed 25 July 2020. 57 Executive Decree No 070-2020-PCM, art 3. See complete reference in Supplementary Annex A. 58 Ibid. 59 Own translation of ‘debidamente anonimizada’. Executive Decree No 070-2020-PCM, art 3. See complete reference in Supplementary Annex A. 60 Own translation of ‘Tratamiento de datos personales que impide la identificación o que no hace identificable al titular de estos. El procedimiento es irreversible’. Law No 29733, Personal Data Protection Law art 2.14. 61 Executive Decree No 070-2020-PCM. See complete reference in Supplementary Annex A. 62 As mentioned before, the Peruvian Personal Data Protection Law establishes that personal data must be preserved, assuring its security and only for the necessary time to accomplish the purpose of the processing. It also states that the personal databases manager must adopt the technical, organizational and legal measures to ensure the security of personal data, which should be appropriate to the specifically authorized treatment and the kind of personal data managed. Furthermore, sensitive data, such as health-related information, is subject to stricter protection. On the other hand, the aforementioned Decree provides that entities will adopt the corresponding technical, organizational and legal measures to safeguard the confidentiality, integrity and availability of the data until its elimination at the end of the State of Emergency. In this sense, the Executive Decree No 070-2020-PCM repeats the textual provisions of the Peruvian Personal Data Protection Law. However, it does not establish specific mechanisms for the security of sensitive information to be managed nor for its elimination. 63 Judgment of the Peruvian Constitutional Court of August 14, 2002, on the extraordinary appeal filed by the Rural Savings and Credit Fund of San Martín against the judgment of the Mixed Chamber of the Superior Court of Justice of San Martín, for File 0905-2001-AA/TC, para 9. 64 Germán Bidart, ‘Manual de Derecho Constitucional Argentino’ (p. 228, 1st edn, Ediar, 1985) quoted in Defensoría del Perú (2018) in: ‘Situación de la libertad de expresión en el Perú: setiembre 1996 - setiembre 2000’, p 8. <https://www.defensoria.gob.pe/wp-content/uploads/2018/05/informe_48.pdf> accessed 25 July 2020. 65 Judgment of the Peruvian Constitutional Court, dated September 11, 2010, on an application for unconstitutionality filed by 6717 citizens, represented by Daniel Linares Bazán, against the second paragraph of Article 22 of Law No 28278, Radio and Television Law, for File 00015-2010-PI/TC, paras 16–20. <https://www.tc.gob.pe/jurisprudencia/2012/00015-2010-AI.html> accessed 25 July 2020. 66 United Nations Educational Scientific and Cultural Organization, Press freedom and development (1st edn, UNESCO 2008). <https://unesdoc.unesco.org/in/documentViewer.xhtml?v=2.1.196&id=p::usmarcdef_0000161825_eng&file=/in/rest/annotationSVC/DownloadWatermarkedAttachment/attach_import_65a0b200-5e87-4ba4-80ed-39733a4eeb38%3F_%3D161825eng.pdf&locale=es&multi=true&ark=/ark:/48223/pf0000161825_eng/PDF/161825eng.pdf#%5B%7B%22num%22%3A190%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2Cnull%2C0%5D> accessed 25 July 2020. 67 See Emergency Decree No 026-2020, Emergency Decree No 031-2020 and Executive Decree No 044-2020-PCM. See complete references in Supplementary Annex A. 68 Executive Decree No 046-2020-PCM. See complete reference in Supplementary Annex A. 69 ‘Solicitar pase especial laboral’ (Plataforma Digital Única del Estado Peruano, 20 August 2020). <https://www.gob.pe/8783-solicitar-pase-especial-laboral> accessed 10 October 2020. 70 In order to illustrate these risks, we can mention the detention of Ralph Zapata, a regional editor of the research online news media OjoPúblico. He was intervened by ten officers of the National Police of Peru, under the alleged accusation of breaching the general immobilization order, even though the intervention started at his home and there are records that he was working on his home computer minutes before. The publisher was released an hour later. OjoPúblico, ‘Piura: Policía saca de su casa a editor regional de OjoPúblico y lo traslada por la fuerza a la comisaría’ (28 March 2020). <https://ojo-publico.com/1716/policia-detiene-y-agrede-editor-regional-de-ojopublico> accessed 10 October 2020. 71 cf Julie Posseti and others, The Perugia Principles for Journalists Working with Whistleblowers in the Digital Age (2019), p 5 <https://whistleblowingnetwork.org/WIN/media/pdfs/Journalism-Sources-INT-Blueprint-2018-Perugia-Principles-for-Journalists.pdf> accessed 10 October 2020. 72 Presidential Resolution No 00035-2020-PD/OSIPTEL of 16 March 2020. 73 Emergency Decree No 035-2020. See complete reference in Supplementary Annex A. 74 cf International Media Support and others, The Maldivian Digital Communications Environment: Freedom of Expression and the Media, Telecommunications and IT Sectors (2010), p 8 <http://www.law-democracy.org/wp-content/uploads/2010/07/10.06.Maldives.DCEs-Report.pdf> accessed 15 October 2020. 75 Resolution of the Board of Directors No 00067-2020-CD/OSIPTEL of 3 June 2020. 76 Resolution of the Board of Directors No 00045-2020-CD/OSIPTEL of 31 March 2020. 77 Resolution of the Board of Directors No 00045-2020-CD/OSIPTEL of 31 March 2020; Resolution of the Board of Directors No 050-2020-CD/OSIPTEL of 30 April 2020; Presidential Resolution No 00040-2020-pd/OSIPTEL of 11 April 2020; and Presidential Resolution No 00042-2020-PD/OSIPTEL of 18 May 2020. 78 Public and private entities providing public and essential services expressly authorised by national legislation were exempt from this restriction (Article 3, Resolution of the Board of Directors 00045-2020-CD/OSIPTEL). 79 Thirteenth paragraph of the preamble to the Resolution of the Board of Directors 00045-2020-CD/OSIPTEL. 80 Andrés Calderón, ‘Liberados en la Red’ (El Comercio, 6 April 2020). <https://elcomercio.pe/opinion/columnistas/liberados-en-la-red-por-andres-calderon-noticia/?ref=ecr> accessed 25 July 2020. 81 The emergency lines were enabled by the public health political authority to attend medical consultations, provide information about the pandemic caused by SARS-CoV-2, and channel healthcare services through technological means. See: <https://elperuano.pe/noticia/93384-nueva-plataforma-de-la-linea-113-permitira-atender-80000-llamadas-diarias> accessed 25 July 2020. 82 Defensoría del Pueblo, '‘Línea de emergencia 113: sanción a infractores debe ser proporcional a la gravedad de la conducta cometida’ (Defensoría del Pueblo, 09 April 2020) <https://www.defensoria.gob.pe/linea-de-emergencia-113-sancion-a-infractores-debe-ser-proporcional-a-la-gravedad-de-la-conducta-cometida/> accessed 25 July 2020. 83 As it was cataloged by government representatives. Sociedad LR, ‘719 líneas telefónicas fueron suspendidas por llamadas malintencionadas’ La República (Lima, 12 April 2020) <https://larepublica.pe/sociedad/2020/04/12/coronavirus-en-peru-719-lineas-telefonicas-fueron-suspendidas-por-llamadas-malintencionadas-entel-bitel-movistar-claro/> accessed 25 July 2020. 84 According to Article 13 of the Emergency Decree No 026-2020, the emergency call centres had to send the Ministry of Transport and Communications a daily report of the telephone numbers from which they received nuisance communications. As a result, the Ministry required the telecommunications operators to suspend the outgoing voice and data traffic of the lines contained in said report within a maximum period of twenty-four hours. See complete reference in Supplementary Annex A. 85 The suspension sanction was established on 16 March 2020 with the Emergency Decree No 026-2020 and the rule that specified the procedural issues and graduality of the sanction on 9 May 2020 with the Legislative Decree No 1479. See complete references in Supplementary Annex A. © The Author(s) 2021. Published by Oxford University Press. All rights reserved. For permissions, please email: journals.permissions@oup.com This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/open_access/funder_policies/chorus/standard_publication_model)
TI - Privacy, personal data protection, and freedom of expression under quarantine? The Peruvian experience
JF - International Data Privacy Law
DO - 10.1093/idpl/ipab003
DA - 2021-02-04
UR - https://www.deepdyve.com/lp/oxford-university-press/privacy-personal-data-protection-and-freedom-of-expression-under-M0EFkvx07r
SP - 1
EP - 1
VL - Advance Article
IS - 
DP - DeepDyve
ER -