The COVID-19 crisis couldn’t have underlined the value of data better. Ever since the outbreak, governments, multilateral organizations and businesses have scrambled to bring all available data on the table to fight the virus and its alarming spread. From monitoring people’s movements to systematic contract tracing via apps and phone records, surveillance via CCTV cameras and face recognition tools to tracking digital payments, extreme measures have become the new normal all over the world.
However, much of this data is people’s personal data, and hence sensitive in nature, leading to overwhelming concerns that we are compromising on data privacy while ensuring safety. In this complicated scenario, what should be the approach going forward?
Right to privacy is not absolute
At the onset of this debate, we must understand that the right to privacy is not an absolute right. It is but common sense that data privacy and protection regulations cannot, and should not, get in the way of saving lives, especially when it’s a question involving millions. But at the same time, while it is agreed that extraordinary times call for extraordinary measures, the circumstances must be treated as just that – extraordinary – and not lead to a blanket permission to waive off individual privacy rights.
History is testimony to the fact that while States are quick to grab power, but when it comes to giving it up, they are reluctant, and even employ surreptitious means to continue to hold on to it. And we are not just talking about typical Surveillance States. As we saw with 9/11, the large-scale mass surveillance put in place by the US authorities in the aftermath of the attacks, continued for years by Executive Orders, till the Snowden revelations in 2013.
Data collection and sharing, and various analytical models currently coming out of this ocean of data to fight the pandemic is a challenging test for authorities around the world when it comes to framing privacy regulations.
The US approach
In the United States, regulatory measures and the overall guidance issued for COVID-19 have eased some of the data privacy concerns and obligation, in an attempt to facilitate a rapid and effective response to the pandemic.
However, organizations are advised to take reasonable steps to comply with data privacy requirements. The current leniency doesn’t suggest anywhere that organizations are temporarily relieved of all data privacy regulatory requirements and obligations. In fact, in an interesting development in mid-March, the office of California Attorney General made clear that the COVID-19 pandemic will not delay its plans to enforce the California Consumer Privacy Act enforcement on July 1.
This hasn’t, however, assuaged the concerns of abuse of data privacy norms. Earlier, a group of 15 organizations in the US had written to the Congress urging it to take steps to protect privacy of citizens and secure their personal data, including location and health data, in the forthcoming emergency relief packages.
The European approach
Back in April, when governments went on an overdrive tracking people, the European Commission was quick to recommend a common EU approach towards contact-tracing apps, designed to warn people if they have been in contact with an infected person.
In a resolution adopted on 17 April, which it reiterated during a plenary debate on 14 May, the European Parliament stressed that any digital measure against the pandemic must be in full compliance with the existing data protection and privacy legislation. It also underlined that the use of apps should not be made mandatory by governments and that they should include sunset clauses so that they are no longer used after the pandemic is over. MEPs stressed the need for anonymized data, highlighting that generated data should not be stored in centralized databases to limit the potential risk of abuse.
Things may be different in China, where the government controlled the infection with an iron-handed approach by using advanced technologies and surveillance systems. But in Singapore or India, and other parts of the world, where data privacy sentiments don’t run strong, things aren’t much different.
Consider the much-touted Singapore app, which is said to be used by only one-fifth of its population. In India, the government faced resistance while mandating its monitoring app, Aarogya Setu, before finally relenting to make it optional.
Additionally, the COVID-19 guidelines and norms may require private companies to collect their employees’ data for monitoring purpose to safeguard workforce health and society at large.
For instance, the Centre for Disease Control (CDC) in the US has legally permitted, and even encouraged, companies to take employee temperatures amidst the current pandemic. However, they are advised to act in a responsible manner with regards to employees’ privacy rights. This includes keeping any kind of inquiry narrowly tailored to reduce the threat of COVID-19 infection, ensuring that medical information thus received is stored securely.
In Canada, the Office of the Privacy Commissioner has alllowed organizations to collect, use and disclose personal information to fight COVID-19 spread. It has also published detailed guidelines to help businesses navigate the impact on privacy. Similarly, in Australia too, the Office of the Information Commissioner (OAIC) has also issued guidelines for companies on employee privacy during the pandemic.
Commercial use of data
What is most worrisome is the commercial use of this data by private companies. What this sorry state of affairs is highlighted by the fact that even as the world is battling a pandemic, Google was accused of tracking users in incognito mode and was slapped with a $5 billion lawsuit.
This is worrying especially given the fact that Apple and Google have worked together to develop an API which has been picked up by 23 countries to create their own contact tracing apps for COVID-19 mitigation.
Finding the middle ground
As Privacy International, (PI) a London-based non-profit that works at the intersection of modern technologies and rights, highlights, “If governments and industry had been more attentive to legality, security, and privacy in the run up to this crisis, everyone could have more confidence in the deployment of new measures. Unfortunately, this is not the case. It is thus difficult to separate ambition from necessary response; desirable graphing from social graphing; health surveillance from policing surveillance; health and safety from workplace surveillance.”
Often, there are no black and white answers to questions. The right answer here is finding a middle ground.