The threat of Covid-19 pushes data protection to the limit
The line between privacy and control strategies is becoming increasingly unclear.
At this time of global pandemic and technological boom, data, which were already considered a key asset for many companies around the world, acquire a unique traceability capacity, and the line that separates privacy and control strategies is increasingly unclear.
Once the pandemic spread, the countries that have better managed the health crisis have taken into account in their strategies the use of systems for locating and monitoring infected people. South Korea, China and Poland have launched GPS tracking models that are able to notify the authorities when a potential propagator moves outside their quarantine area. Many other countries, such as the United States and Spain, are moving forward with initiatives to deescalate distancing measures, covered by their legislation.
The World Health Organization (WHO) itself has advised that, in order to lift restrictions, one of the criteria must be that health systems are in a position to “detect, test, isolate and treat each case, as well as to track their risk contacts” to adapt appropriate measures. One way to comply with this recommendation is to put technology at the service of the security and monitoring of containment measures.
In the case of Spain, the Spanish Data Protection Agency (AEPD) has stressed that proportionality must be applied to all measures that may involve data processing, especially if these are health measures. And despite the fact that data protection should not be used to hinder or limit the effectiveness of measures taken by the authorities, especially healthcare bodies, in the fight against the pandemic, it reiterates that this exceptional situation does not entail a suspension of the right to data protection. It must therefore be ensured that personal data processing, even in these emergency health situations, continues to be carried out in accordance with personal data protection regulations.
“This need to ensure compliance with the rules, even in situations like the one we are experiencing, represents a challenge for organizations. We cannot allow data protection regulations to impact on the effectiveness of measures in the fight against the pandemic,” said Elena Mora, MAPFRE’s Head of Privacy and Data Protection.
“In addition, this situation is showing that, despite the availability of a General Data Protection Regulation which was approved, among other reasons, in order to harmonize data protection regulations for the whole of Europe, it is not possible to establish a single solution and criterion when implementing certain measures at the European level, since even with regard to data privacy and data protection, local laws and provisions need to be kept in mind at all times. These provisions can not only condition the way in which measures are implemented, but even challenge the viability of the measures.”
In a context marked by the proliferation of applications, some known and suspicious, and phishing campaigns through instant messaging, email, and other media, privacy and data protection regulations are more important than ever.
Technological ethics
In this scenario there is increasing concern for the sovereignty of data, which is already estranged from individuals in the interests of collectivity, so many experts and collectives are demanding an ethical use of technology. The Council of Europe itself has issued a joint declaration on the limits and principles applicable in a situation such as the current one, and the European Commission has just published a guide establishing the requirements for such applications, recommending voluntary and anonymous use for users.However, there is such concern that, apart from this, as Elena Mora explains, “the European Data Protection Committee has already anticipated that it will soon issue additional guidance on this matter in response to the Commission’s document. Also, in Spain the Spanish Data Protection Agency (the AEPD), given the proliferation of these applications, had to issue a statement reminding people of the exact criteria that must be applied for data processing to be lawful, and alerting the public that when using applications or websites that are not owned by the public authorities, but offered by private companies or persons, they should be especially careful to find out by whom, how and with what guarantees their personal data will be handled.”
One of these applications is the one that Apple and Google are developing jointly. Aware of the concern that exists for privacy, one of the aspects on which they have placed the most emphasis is making sure that users’ privacy and security will be central to the design. The companies are appealing directly to users’ trust, and they will be able to decide voluntarily whether to participate in their new joint system to alert people whether they have come into contact with others who have tested positive for Covid-19. Both companies have insisted that they will not collect information with which a person can be identified or location data, and that they will dismantle the protocol when the pandemic is over.
Another application is Private Kit: Safe Paths, the application that MIT, Harvard, and Mayo Clinic researchers have put together with Facebook and Uber developers, which also specifically addresses privacy aspects in its design.
In any case, debate has opened up about the justification, from an ethical point of view, of the use of apps to monitor and control citizens without undermining respect for fundamental rights. There is an urgent need to continue to promote the ethical and transparent management of data.