Data dilemma - is surrendering privacy a necessary price to defeat Coronavirus?
- Summary:
- In times of international crisis, the normal rulebooks get torn up. What price privacy to defeat Coronavirus?
The Coronavirus pandemic has changed us into nations of homeworkers who have taken to group chat and networking apps to stay in touch. However people used to interact in the real world before, they have now found the virtual equivalents – from videoconferencing all the way through to digital bars and house parties.
But are there legal and regulatory dimensions to this unplanned explosion of data sharing, Zoom meetings, and digital interactivity? And what about the legal dimensions of fighting the Coronavirus itself via mobile apps and other technologies?
Philip James is a Partner specialising in Technology and Digital Media at law firm Sheridans. In his view, there have been several developments that are worthy of note. First, are the recent statements from the European Data Protection Board (EDPB) about data privacy during the outbreak – an issue that some may find challenging in the new global context of citizens collaborating to track the spread of the virus.
Until Coronavirus hit Europe and headed West to the US, it had – despite World Health Organization (WHO) warnings – been regarded as a problem for China and other Asian economies. Many of those adopted what some regard as draconian measures to minimise the spread, but which others now see as strategies that were well-planned and strictly enforced when compared with the US and UK responses.
Europe, far more so than the US, has long been highly concerned with data privacy and data protection, twin issues that risk being pushed aside by attempts to co-ordinate a response to the crisis. Once it is over, these will need to be re-examined to ensure we have not given away too much of our liberty in the longer term, suggests James.
Prefacing twin EDPB statements on 19 March, Andrea Jelinek, the organization’s Chair, said:
Data protection rules (such as GDPR) do not hinder measures taken in the fight against the Coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”
The following observations are compiled from the published statement and its separate commentary:
- GDPR provides for the legal grounds to enable employers and competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject.
- In an employment context, the processing of personal data may be necessary for compliance with a legal obligation to which an employer is subject, such as obligations relating to health and safety at the workplace, or to the public interest, such as the control of diseases and other threats to health.
- For the processing of electronic communications data, such as mobile location data, additional rules apply. National laws implementing the ePrivacy Directive provide for the principle that location data can only be used by the operator when it is made anonymous, or with the consent of individuals.
- Public authorities should first aim for the processing of location data in an anonymous way (i.e. processing data aggregated in a way that it cannot be reversed to personal data). This could enable them to generate reports on the concentration of mobile devices at a certain location.
- GDPR also foresees derogations to the prohibition of processing of certain special categories of personal data, such as health data, where it is necessary for public health.
Essentially, therefore, privacy can be overridden in a pandemic, in the interest of saving lives. Sheridan's James explains:
This makes reference to the actual lawful basis in which you can process data. If you actually look at the articles of GDPR that this refers to, there's actually a bit more. And it doesn't just talk about the vital interests of the data subject. If the data subject is physically incapable of agreeing to something themselves, another person could make the decision on their behalf.
There are also issues concerning whether data can ever be truly anonymous, he says. In the current crisis, organizations that are allowed access to anonymised data to combat the virus might covertly adopt measures to uncover people’s identities from it.
Handing over data to...?
Another interesting development in fighting the pandemic has been the voluntary adoption in the US, UK and elsewhere, of applications that allow citizens to monitor their own health and symptoms from day to day, and share that data with researchers and health services, in order to track the spread of the virus.
James observes that, in the West, many people have been happy to share this data voluntarily in the interests of saving lives. But where similar measures have been adopted in other countries, such as China, they have been seen by Western commentators as another draconian imposition.
This cultural mismatch is intriguing, if the arguement is supported that China has simply been better at saving lives, at a time when Western media have sought to blame it for the virus’ existence. James says:
This is clearly a cultural distinction between Chinese society and the UK and Europe. I think the Chinese tool was much more a surveillance tool, whereas here it was voluntary.
The US, of course, has been reeling from grave concern concerns around privacy and civil liberties with things like Edward Snowden. The last thing they want now is to be drawn into another surveillance-related protest.
And so I think they are a bit more hesitant about forcing people to be tracked as a result, so they've tried to get people to consent to sharing their location data in order to get a handle on how extensive the spread of the virus has been.
But will consent deliver the numbers that will provide workable data? It’s an important question, says James:
It's got to be better to get that consent, but it’s also relevant how you get it. And it depends how you draft it – with opt-in or opt-out wording, for example. But are you going to get sufficient numbers of people sharing their information that way in order to be effective? You need a decent percentage of the population to consent, in order to have a significant impact.
He points to the UK as an exemplar:
I think what the UK government is doing is allowing people to process anonymous data, which they wouldn't otherwise have done. But if you want to process mobile application data that can be linked to someone, you're basically tracking people.
If you think about someone tracking your location, that is a much greater intrusion on your privacy than someone knowing you've got COVID-19, because lots of people have got it.
My take
The Coronavirus crisis provides an unwelcome demonstration that attitudes to privacy can change when society experiences an unexpected shock. As with so much at present, more questions than answers, but the questions remain important. How long can/should privacy rules can be relaxed? How far are we prepared to go down this route? And how do we prevent organizations taking the opportunity to grab large amounts of data?