The Cambodian government’s “Stop Covid-19” QR Code system raises serious privacy and other human rights concerns, Human Rights Watch said today. The authorities should use less-rights-intrusive measures to contain and prevent the spread of the Covid-19 virus.
On February 20, 2021, Cambodia’s Ministry of Post and Telecommunications and Ministry of Health initiated a QR Code system that aims to assist with contact tracing of new Covid-19 cases, which have recently increased. The ministries should publicly explain how the data collected through the QR Code system is used, who has access to the data and for what purpose, the measures taken to secure the data, and the period for which the data is stored.
“Cambodia’s QR Code system is ripe for rights abuses because it lacks privacy protections for personal data,” said Phil Robertson, deputy Asia director. “These concerns are heightened by the government’s stepped-up online surveillance of Cambodians since the outset of the pandemic, putting government critics and activists at greater risk.”
The Post and Telecommunications Ministry did not respond to a March 19 letter from Human Rights Watch asking about access to personal data and its storage and protection measures under the “Stop Covid-19” QR Code system. Other ministries copied on the letter also did not respond.
The Post and Telecommunications Ministry’s Facebook page contains posts that state that the use of the QR Code system is “voluntary,” but “participation is strongly encouraged.” It asks users to scan the QR Code when entering establishments or institutions that have previously registered their participation in the QR Code system and downloaded and printed a QR Code from the government’s website.
When a user indicates they have entered a certain establishment, their phone receives a six-digit code in a text message, which they need to enter into their phone. On March 25, a post on the ministry’s Facebook page announced that 154,869 public and private institutions around the country had registered to use the QR Code system, with more than 11 million locations scanned by users. Several provincial authorities are using the system at provincial border crossing-points as part of mandatory screening for Covid-19 symptoms.
Health Minister Mam Bunheng has stated that the aim of the QR Code system is to record the movements of customers, visitors, and staff at registered locations without violating users’ privacy. However, on March 8, the Post and Telecommunications Ministry announced that the QR Code scan would provide the government with information about the user’s location, allowing the authorities not only to quickly identify the user, but also to reveal data on whether they were violating the two-week quarantine requirement.
Creating a log of people’s locations reveals sensitive insights about their identity, location, behavior, associations, and activities that infringe on the right to privacy, adding to the government’s existing intrusive surveillance practices, Human Rights Watch said.
Some business owners told Human Rights Watch that they have strictly enforced the QR Code system out of fear of being deemed non-compliant with government-imposed measures. This could make them subject to sanctions, such as those under the recently passed Law on Measures to Prevent the Spread of Covid-19 and other Serious, Dangerous and Contagious Diseases, which introduced disproportionate criminal penalties of up to 20 years in prison and fines. The QR Code system does not have any basis in legislation, and its ostensibly voluntary nature should not include sanctions.
Cambodia should enact a data protection law that would regulate and protect the usage, collection, and retention of data in accordance with international standards for privacy and other rights, Human Rights Watch said.
International law obligates governments acting to contain and prevent the spread of Covid-19 to ensure that such measures are based in law, necessary, proportionate, and the least intrusive for the purpose intended. Any contact tracing measures, such as Cambodia’s QR Code system, should be limited in scope and purpose, protect the right to privacy, and be used only for responding to the pandemic.
The measures should also ensure sufficient security of any personal data collected; be transparent about any data-sharing agreements with other public or private sector entities; incorporate protections and safeguards against abusive surveillance; and give people access to effective remedies. They should also be time-bound and only continue for as long as necessary to address the pandemic, mitigate any risk of discrimination or other rights abuses against marginalized populations, and provide for free, active, and meaningful participation of relevant stakeholders in data collection efforts.
“The Cambodian government should urgently develop a law on data protection and specific guidelines on protecting the right to privacy and security of data collected to apply to the QR Code system,” Robertson said. “The United Nations agencies in Cambodia should jointly call out the government’s failure to abide by international human rights law in its Covid-19 response.”