‘Privacy has taken a back seat’ as governments pursue digital contact tracing

As countries around the world grapple with the COVID-19 pandemic, one of the tools governments everywhere have cited as a way to ease lockdown measures is via digital contact tracing.

Coupled with a test and track approach, digital contact tracing (in theory) allows governments to use data collected via mobile technologies to alert citizens when they have come into contact with someone that may have the novel Coronavirus.

There are a number of approaches to this. Some are more privacy-centric and adopt a decentralised approach, by just alerting users via Bluetooth technology to when they have come into contact with someone experiencing COVID-19 symptoms - with data remaining on each citizen's individual phones.

Whilst other methods rely on using Bluetooth or individual geolocation data that is collected centrally by public authorities to alert citizens. It is thought that this approach has much higher privacy risks - with swathes of public health data in the hands of government bodies - but there are also benefits, such as potentially better mapping of outbreaks.

We are still in the early days of the pandemic and the proof points for each of the methods have not really had enough time to play out to get an understanding of which is ‘superior'.

However, as highlighted by a new report out today, the privacy debate around protection of personal data has largely taken a back seat in the pursuit of minimising the spread of COVID-19.

As global public policy firm Access Partnership highlights, this could have consequences down the line for greater surveillance of citizens by public authorities - even once COVID-19 is ‘over'. The Access Partnership report notes:

Does extensive collection and analysis of personal health data by the state become the new normal, in the same manner that extensive state surveillance became largely normalised after traumatic terrorist attacks in the West in the early 2000s?

The experience of South Korea indicates that perhaps it can. The country struggled to contain a previous disease outbreak several years ago, leading to the adoption of a law which enabled sweeping government access to personal data despite having one of the strictest privacy regimes in the world.

These statutory authorities have now been exercised to the fullest, underpinning Seoul's contact tracing programme, which has shown real results and enjoy public support.

Countries that are interested in doing likewise face not just the technical challenge of building effective digital contact tracing systems, but of constructing a thoughtful legal framework that balances public health needs with data protection concerns, as well as the compliance environment to ensure clear accountability and obligations for public and private sector actors involved.

This needs to be thought through

The Access Partnership report visualises the different approaches being taken by nations across the world in the below map:

Access Partnership states that digital contact tracing constitutes a massive expansion of the ways in which our everyday lives are monitored and quantified.

However, the push for digital contact tracing has also shifted the privacy debate. The report notes:

For several years, the global privacy debate has been driven by private sector scandals and an EU-led approach to protecting consumer privacy through the private sector-focused General Data Protection Regulation. However, the COVID-19 crisis has shifted the conversation. Today, uses and potential abuses of data by governments are the centre of conversations, as public officials around the globe contemplate more expansive uses of data. Companies, by contrast, are positioning themselves as staunch champions of individual privacy, often forging stronger ties with former civil society critics.

...the crisis may result in wider and more fundamentally detrimental consequences for privacy. After the apparent success of efforts to combat the virus through the extensive use of personal data in countries like China and Korea, other governments may follow suit - resulting in a partial reversal of the decade long debate surrounding global personal data protection which has leaned towards restricting uses of personal data. As a result, the principle of data minimisation may lose some of its pre-eminence, as increased access to data is recognised as invaluable to protecting public health.

In other words, governments are setting new precedents for personal data privacy across the globe - where the health of communities takes priority over any privacy concerns. It's too soon to know how this will play out over the long term, but it is something to be aware of.

Access Partnership also highlights how different approaches could have implications for international data flows. For example, overly aggressive digital contact tracing that uses personal data in ways that is at odds with the spirit of EU GDPR could lead to problems for countries seeking data adequacy agreements with the European Union - including South Korea, or even the UK.

The report notes that "these countries could face questions regarding the privacy protections baked into their contact tracing choices".

Report conclusions

The primary conclusion from the Access Partnership report - which is worth reading in full - is that as governments race to get COVID-19 under control, privacy has largely taken a back seat.

It adds that while policy makers may be willing to make trade offs, there could be a growing public backlash in some countries. The report reads:

How this dynamic will play out in the long term is difficult to predict, though it is likely that governments' push for expanded use of personal data will to some extent become the new normal.

Further, we do not yet know how effective different kinds of contact tracing solutions will be. Whether more limited tools, which provide stronger privacy protections, will lead to successful outcomes in the near term, remains to be seen. Their efficacy will depend not only on the technical performance of the technology used, but on mass adoption of these opt-in, consent-based systems. The success - or failure - of more privacy-protective approaches, like Bluetooth Low Energy (BLE) proximity tracing, will significantly impact how countries decide to resolve the privacy versus security dilemma.

If Bluetooth-based approaches fail to deliver workable tools for governments, more expansive - and less voluntary - approaches to digital contact tracing will likely be adopted. The public health surveillance state may be with us for some time to come as a marker of good governance.