About data privacy, technology and the coronavirus

Data, technology, and (almost) instantaneous communication give us, more than ever before, the means and capacity to combat the COVID-19 perils more effectively. People traceability, real-time tracking and supply monitoring are a few examples of what governments and security forces can currently do to mitigate the spread of the disease. But, do we really know how they are doing it and until when?

Under the current circumstances, very few people would refuse to give certain public institutions permission to access their data with a view to combating the pandemic. But the question above has to be read with nuance, because what it wants to address is the aftermath of this willingly given access, namely, whether authorities could use for other purposes the power citizens grant them for security reasons.

Technology, they say, is a means to an end. By accessing our personal data, whichever technology is used, we want our institutions to generate and share with all of us wise and publicly accountable information, and to generate knowledge that will help combat this and other diseases that are likely to come in the future. Using technology and data science (and purposeful data sets) can surely help governments make informed decisions and augment strategies to battle the COVID-19 crisis.

People rarely question their assumptions about privacy. Don’t judge this statement too quickly because it seems severe. Take a few minutes to reflect on it instead. We mostly question our privacy when there is a flagrant (and mostly physical) invasion of it. But the digital side of it is largely neglected because it’s invisible, more complex to understand and, ultimately, it is difficult to hold someone accountable for what happens with it.

Doing the right thing with data and doing the right thing by data aren’t the same thing. A small prepositional change makes the difference because, in the former, data is a means and, in the latter, data is an enabler. 

We want to think that the COVID-19 crisis will trigger a different approach to data privacy, not only the one the regulation asks for, but the one data ethics can trigger. That’s the topic of this article.   

A look at what the EU is doing to tackle COVID-19 with technology

For systems to work, frameworks and regulations are necessary. The European Union has engaged itself in creating a comprehensive framework for all its citizens to exercise data privacy rights. The enforcement of the General Data Protection Regulation (GDPR) and the ePrivacy Directive are vivid references of it. The urgency (and emergencies) brought by COVID-19 has led European governments, whose take on surveillance, access to personal data and the handling of it is habitually cautious, to start enabling smartphone-based tracking.

According to the Council of Europe, data protection principles always allow for balancing the interests at stake. It is precisely now that trust in our institutions is a key factor for citizens to give access to certain personal information, with the guarantee that the use of it, and the technology that processes it, will be thoughtful and vigilant. Each of us is writing the story of COVID-19. How we face, mitigate and fight global threats in the decades to come will be influenced by models and paradigms we establish today.

There is a need for a balancing act between the tight coordination governments are requiring during periods of lockdown and progressive deconfinement, and broader intervention that gives them access to information. And, because nobody has the fortune teller’s ball in this crisis, there is no right or wrong answer to a “how much of” question on this spectrum. It will vary by reality, each country’s circumstances and the key, sometimes forgotten, variable: values.

The EU Parliament has stressed that any digital measures against the pandemic must be in full compliance with data protection and privacy legislation. It has emphasised the need to use anonymised data and, so as to limit any risk of abuse, that the generated data should not be stored in centralised databases.

But, even when tracing people is moved by the best intentions, to some, it is a flagrant case of individual freedom opposing a public good.

The thin red line between relevance and surveillance  

We might be stating the obvious but, when used consciously, tracing apps are meant to track the spread of the so-called coronavirus, not individuals. To do so, naturally, systems must track our social behaviours. Because of their ubiquity, smartphone apps are a convenient ally to warn individuals if they have been in contact with an infected person.

Researchers from the University of Oxford think that the virus spreads too fast for it to be “followed” manually. Hence, to them, a “contact-tracing app which builds a memory of proximity contacts and immediately notifies contacts of positive cases can achieve epidemic control if used by enough people.”

However, the red line between what should be tracked because it is relevant to the situation and what should remain in the (sacred) domain of each person’s life is very thin. Tracing apps are raising privacy and data protection issues because they could unmask sensitive user data. By trespassing over that red line, we enter an uncharted territory that many call surveillance.

European Parliament members have spoken out regarding this matter. To them, the use of apps should not be obligatory. If, according to experts, at least 60% of the population should be using tracking apps for this approach to work… how to get this right if, on the one hand, installations shouldn’t be forced but, on the other, extensive usage is required?

There are several ways for such apps to be massively downloaded. One is by applying coercive measures, i.e. forcing an app onto our phones; another is appealing to fear to convince people to do it. There is even a third option: offering individuals a benefit so they willingly join the tracking exercise.

Whatever the means to get the app installed on as many devices as possible, one thing is clear: this approach should include sunset clauses so that it is automatically terminated once the pandemic is considered as low or no-risk or is potentially declared “over”.

On this, the European Parliament has also stated that, when using apps, governments must clarify “how the apps are expected to help minimise infection, how they work and what commercial interests the developers have”.

In April 2020, the European Data Protection Board (EDPB) adopted the guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak. Their goal is to define the conditions and principles for an adequate use of location data and contact tracing tools (apps). These tools are justified when:

        1. The use of location data supports the response to the pandemic by modelling the spread of the virus which, in turn, will help assess the effectiveness of confinement measures;

        2. The use of contact tracing is useful to notify individuals who may have been in close proximity to someone who is eventually confirmed as a carrier of the virus. This will help to break the contamination chains more quickly.

Since the beginning of the crisis, Luxembourg’s Commission nationale pour la protection des données (CNPD) has been actively involved in the development of guidelines. Already in March, it issued “Recommendations on the processing of personal data in the context of a health crisis”.

Are tracing and tracking apps the same? 

Regardless of the technology used, the EU wants national health authorities to approve apps and be responsible for complying with personal data protection rules.

Approaches to using tracing or tracking apps aren’t the same. GPS technology, widely spread and, by default, included in most smartphone app sets, seems to be the fastest to implement. It has two issues, however. It’s based on geolocation, and all data needs to be assembled and analysed in a central location and, therefore, handled by one organisation. Precisely because of that, this technology doesn’t have the EU Commission’s blessing. Whereas, on the one hand, GPS-based tracking can go back in time to see where any person who is COVID-19 positive was physically before, on the other, it is more intrusive. In the case of China, for instance, people have been required to provide both personal data and location data that is shared with the police.

From both a public health and a data privacy perspective, the EU prefers contact tracing apps that use Bluetooth, a short-wavelength technology. It’s also the solution proposed by Google and Apple, which own the two widely spread mobile operating systems, Android and iOS.

Most smartphone devices have the Bluetooth technology already integrated. These apps could alert people who have been in proximity to an infected person for a certain time, including those one may not notice or remember, without tracking the user’s location.

In this story, there isn’t a one-size-fits-all solution. What should really matter is keeping an eye on proportionality, namely, to implement systems that only collect and process personal data that is adequate and relevant for the purposes of combating the pandemic. 

Users want to remain in full control of their personal data and app installation should be voluntary to the extent possible. 

An opportunity for data ethics

The more we trust, the more information we are willing to give. That, to us, should be the real incentive to allow the tracking of our lives, at least temporarily: we long for the best possible outcome so as to leave this crisis behind.

Few things, if any, will seem quite the same once the current health and economic crisis around COVID-19 has passed, and data privacy isn’t the exception to the rule. In several places, in different manners, it will be wounded. This might translate into the loosening (or strengthening) of the application of data privacy regulation in certain regions or a delay in enforcing new ones. But the most dangerous aftermath could be people with a biased understanding of their rights and of the extent to which governments can use and manipulate personal data, based on the way they behaved during the crisis.

There is opportunity too, nevertheless. After all, even bitter pills have blessed effects. For businesses and organisations, the need to rethink everything they do, from strategy to execution, from workforce management to client engagement, is also giving them the opportunity to revisit data management. The time to put on the lens of data ethics may be coming and is likely to produce profound and positive changes.

We like to think of the GDPR effect as a wave that switches mindsets, from doing the right thing with data to doing the right thing by data. 

Thinking of and calling for data ethics isn’t about asking for a looser approach to compliance. On the contrary, it helps change the approach to data privacy from the core. Regulation is commonly seen as a necessary evil and “being compliant”, more often than you think, is about avoiding fines. 

By having both, doing the right thing by data, namely using anonymised data (anonymisation being the process of either encrypting or removing personally identifiable information from data sets) as much as possible, or responsible data profiling, will become the norm.

What we think
Frédéric Vonner, Partner, GDPR and Privacy Leader at PwC Luxembourg

How much data is enough to help authorities to mitigate the spread of coronavirus during deconfinement? That’s a key question to me. Ideally, any tracking exercise should be based (and run) on citizens’ goodwill. That will is strongly influenced by the trust we have in our institutions; voilà the importance of values and of acting ethically when it comes to data privacy. Because this unique crisis is setting the precedents of the way we are to act in the future when we face something similar, we have to be very careful with the decisions we make as individuals, as citizens and as members of public and private organisations.
