Will COVID-19 Kill Our Privacy Rights? - By Dr. Jessica Santos - Kantar
Compulsory contact tracing apps track people’s geolocations every 15 minutes, various countries’ central databases store facial and DNA profiles indefinitely, and many countries share information about cross border private movement, travel history and body temperature as a default. Will these policies become the future new normal in a post-COVID-19 world?

In the last four months, COVID-19 has forced the world through dramatic changes regarding privacy. On one hand, privacy legislations have not been officially relaxed. On the other hand, many may argue that using contact tracing apps or sharing personal data may provide the best way to reopen our economies until we eradicate COVID-19 completely.

Are we willing to trade a fundamental human right of privacy — which we have fought to preserve for decades — for an authoritarian control that may deliver more secure health? Will we want our privacy back after this pandemic? If so, will it even be possible to regain?

Privacy companies must still comply with ever-tightening privacy legislation, yet they continue to watch our government enjoy special exemptions with little consequence. Well, not quite.

© 2020 Kantar
What are different countries doing?

Most of the privacy legislations (including GDPR and PIPA), state ‘vital interests’ of the data subjects and ‘public interests’ as a legal basis for personal data processing, and we also see some countries/regions have passed emergency laws or implementations waiving further obligations. For example:

— South Korea located over 10,000 cell phones near the latest outbreak and sent text messages recommending that people in that area get tested for COVID-19.
— China has put surveillance cameras outside people’s homes. Citizens can only access shops and many modes of public transport by scanning a green profile on their ‘close contact detector’ app; people whose profiles turn red must remain home.
— Hong Kong has focused on monitoring home quarantines.
— New Zealand’s Privacy Commission announced it will not be considered a breach of the Privacy Act for accommodation providers or tourism operators to notify a medical or police officer of noncompliance with self-isolation requirements.
— Singapore is using remote-controlled Spots equipped with cameras to collect data on foot traffic. These Spots broadcast pre-recorded messages that remind citizens to keep their social distance.
— Australia launched a Covidsafe app in April — based on source code from Singapore’s TraceTogether software — to find close contacts by recognising another user with the date, time, distance and duration of the contact and the other user’s reference code.
— Russia and many others have issued QR codes to allow citizens to move around. The authorities can check these QR codes. By registering on a government website or downloading an app on their smartphones, citizens can declare a route and purpose in advance.
— The UK government plans to implement a centralised database of movements and health records, secured by government cyber-monitoring, to potentially identify who has been sickened by COVID-19 and identify others with whom they have come into contact.
— Italy requires that people in certain transmission risk categories notify health authorities.
— France requires employers to maintain a document that records workplace health and safety assessments, including professional risks and actions taken by the business.
— In Germany, tracking employee status would be subject to a co-determination right by the works council.
— The Israeli government has backed measures to track the mobile phones of people suspected or confirmed to have been infected.
— In the U.S., Republican members of the Senate Commerce, Science and Transportation Committee introduced a bill (COVID-19 Consumer Data Protection Act of 2020) on May 7 to temporarily regulate the collection, transfer, and processing of certain personal data in connection with COVID-19 related purposes. On May 14, Democrats responded with their own plan: The Public Health Emergency Privacy Act (“PHEPA”), which aims to regulate tech companies and public health agencies that deploy contact tracing applications and digital monitoring tools. [1]

The Global Privacy Assembly [2] made it clear that while information sharing is critical to successfully manage the global COVID-19 pandemic — and enabling the use of data is in the public’s best interest — responsible data use must still provide the protections the public expects. Data protection authorities stand ready to help facilitate swift and safe data sharing. The announcement’s underlying message is that privacy will take a backseat during the pandemic, but to what end?
Contact Tracing App – Risk vs Benefit

Contact tracing applications use either Bluetooth technology or GPS to log two or more users who are in close proximity for a predetermined amount of time. When a person is diagnosed with COVID-19, the app notifies other users who were close to that person so they can take appropriate steps, such as self-isolation or quarantine.

Because these apps are capable of collecting vast amounts of personal data, privacy advocates have raised significant concerns about government surveillance, repurposing data for uses unrelated to the fight against COVID-19, and storing data centrally for indefinite periods.

It remains to be seen whether the apps themselves are effective or have limits in their intended application. They face both technological limits (like Bluetooth not working in the background on iPhones) and social limits, as a contact tracing app relies on widespread use by the community. Unless the developers foster openness and transparency as they create the apps — and reassure potential users that the apps are not unnecessarily intrusive to privacy — gaining the public’s acceptance could prove to be a difficult challenge. Contact tracing apps must reach at least 60% of a target population to reach an effective level, and most countries have not achieved that uptake rate.

It is, therefore, essential to the success of contact tracing apps that:

— Users are comfortable with the technology’s built-in privacy protections
— Privacy risks can be mitigated via enhanced security or data minimisation, limited storage, etc.
— The apps can effectively achieve their intended goal: to help combat COVID-19

Addressing public concerns about privacy and high trust in governments will be key to the widespread adoption of these technologies.
Have Data Protection Principles Changed?

Most data protection legislation includes a caveat that where protecting public health is concerned, individual consent to the use of private information can be waived. While the least-intrusive solutions should always take precedence, exceptional circumstances — like COVID-19 — can supersede privacy protections (EDPB). [3]

Global DPAs (Data Protection Authorities) have actively participated in issuing guidelines on how to attack this global pandemic [4]. Different European DPAs have focused on diverse areas depending on their unique situations, issuing guidance on employees working at home, school openings, using video services for communications, and risk balancing to updating requirements for medical institutions and offering warnings about phishing campaigns. DPA positions leverage three classifications: ‘restrictive, neutral or permissible,’ recognising that “the right approach must lie in finding a balanced middle ground which does not ignore the application of essential privacy principles.” [5]

For example, the UK ICO [6] published a blog on 5 May 2020 setting new priorities during COVID-19 and beyond, following the announcement on 15 April 2020 with promise of an “empathetic” approach to its enforcement of data protection laws during the coronavirus outbreak. The UK ICO prioritised areas likely to cause the greatest public harm and directed its services to provide guidance for organisations on how to comply with the law during the crisis. The UK ICO also made allowances for the crisis’s impact on organisations’ abilities to comply with data protection rules, such as timescales for compliance, noting that such “impact” must be a genuine cause for any delay. The UK ICO (often regarded as a reasonable and pragmatic regulator) clarified that data protection and electronic communication laws do not preclude government legislation, but that the current health emergency requires the current actions necessary to protect the public interest.

The DPAs’ official guidelines stated that the information associated with COVID-19 includes sensitive health data, genetic data and biometric data. Companies collecting, storing, and processing this data should adhere to strong principles, such as purpose limitation, data minimization, data accuracy, security and storage limitation.

For the time it takes to resolve this current crisis, DPAs have adopted a “Same policy, different focus, adjusted priorities” position as they continue to grapple with how best to protect their citizens from COVID-19.
Tango with Big Tech

It is not surprising that most global governments have neither the time nor the resources to develop technologies such as overarching surveillance and mass contact tracking apps. They must partner with Big Tech, which has been unable to steer away from large privacy violations even as it advertises more ‘private and secure’ offerings [7]. Will this be a U-turn?

One concern from privacy advocates — and what should worry us all — is that whilst companies may initially collect data for legitimate purposes, they later leverage that data for their own business models. This data (mis)use becomes particularly worrying when those big companies (e.g. Facebook, Google or Apple), team up with national authorities in a time of crisis.

Google, for example, uses location data to highlight areas in and out of compliance with stay-at-home orders. While possibly motivated by an altruistic desire to become a public health resource, Google nevertheless is also undeniably interested in the financial gains from the health-related data it gathers. When users visit Google’s COVID-19 site to log into or create a Google account, that account connects an identity to data, and that identity is the key to data monetization. The question remains: “When it’s a choice between benefiting a person’s health and satisfying a company’s desire to pursue its business interests, which one wins?” [8]

Apple’s latest iOS 13.5 now attempts to allow users to use Face ID while wearing face masks. Is this software update paving the way for local public health agencies to develop contact tracing apps?

The U.S. government has opened discussions with Facebook, Google and other tech companies about the possibility of using location and movement data from Americans’ smartphones to combat COVID-19. Officials [9] believe that the data they can glean from smartphones could help them pinpoint future outbreaks and better plan the allocation of additional health resources. Certainly, these discussions have opened the door to sharing all personal information with the government and big tech companies.

The radical reversal of the relationship between government and Big Tech is clear. After the government levied substantial penalties to Big Tech in 2019, these same companies can now present themselves as the defenders of our privacy. Big Tech insists that contact tracing apps should use a decentralised approach to information sharing, whereas many national governments initially believed that a centralised approach would facilitate data aggregation and analysis.

Had the governments agreed to centralised data collection, their agreement would have fuelled the ‘Big Tech is Big Brother’ media narrative. But all this mass data sharing shouldn’t blind us to the underlying, stark reality that even now, we live in a world that includes technology companies that stand as equal — if not senior — partners in discussions with our governments. A technology company that unilaterally decides to protect our privacy today can infringe upon that privacy tomorrow. Government, not Big Tech, should be the guarantor of our rights. The painful reality is that both our governments and big tech companies have full access and control of our private lives.
What Should Private Companies Do?

Where does this leave most readers, who represent neither the government nor Big Tech? We offer these practical solutions:

Proportionality: Companies should collect, process and store only personal data which is adequate and relevant for the purposes clearly indicated in their privacy policies. It is typical for an organisation’s many divisions to use data for diverse purposes — or to collect and save that data for future purposes yet to be determined. But it is that nebulous use that privacy legislation aims to prevent.

Transparency: Data subjects (whom the companies collect and process data from) should receive transparent information on how personal information is used, stored, and processed in easily accessible, clear language.

Data minimization: Companies should set clear protocols to collect only the data they need, keep that information accurate, and delete irrelevant data to decrease potential risk.

Strong security measures: Implementing risk management helps to protect personal data from unintentional disclosure to unauthorised parties. Ransomware attacks are at an all-time high during the current COVID-19 crisis, and experts predict that those attacks will only continue to accelerate. Businesses must continue to implement work-from-home rules and security measures that lock down company data to prevent an increase in breaches resulting from simple mistakes or oversight.
Final Thoughts

The seismic nature of this moment is evident. Some experts fear mission creep, while others see this unprecedented situation as an opportunity to align our laws with the digital age. COVID-19 could mark the moment where we compromised our privacy in favour of granting power and wealth to Big Tech and our governments, ushering in the inevitable emergence of a new hyperpower that combines government and big tech.

Are we comfortable with the possibility that when this pandemic ends, surveillance capitalists may have amassed immense empires of unaccountable power that enables companies and governments to track every movement and every experience, use that data to predict our behaviour, and sell those predictions to the highest bidder? How will we reclaim our freedom — if any is left to reclaim?

We have fought for decades (even centuries) to limit government and corporations’ powers over free individuals, rebelling against totalitarian threats and arbitrary state powers. The COVID-19 pandemic required us to rescind this demand, and — when necessary — willingly relinquish that freedom in exchange for possibility of safety. Billions of citizens worldwide have sacrificed some privacy for the convenience of Amazon, the distraction of Instagram, or knowledge superpowers granted by Google. Now, we have added another privacy trade-off in exchange for information we can use to protect ourselves from encountering individuals infected with the COVID-19 virus.

These developments tap into a deep underlying truth: that life constantly confronts us with a series of trade-offs between important but mutually incompatible human values. Liberals liked to believe they’d solved this riddle permanently via a philosophy that says freedom is the value that outweighs all others. But the last ten years have shown that this belief of absolute freedom — like any other — is contingent on the scale of the trade-off and not absolute. A connected world poses huge privacy challenges to the liberal democratic west, and the pandemic has exposed that challenge in powerful new ways. It’s not hard to imagine that future citizens living in liberal democracies will willingly trade away much more privacy in return for services that help protect them from another viral pandemic. Who will drive that shift: Big Tech or government? And how will that shift affect our traditional desires for a limited state and individual liberty?

The argument about contact tracing is rightly focused on the present. But these two questions – about Big Tech vs government, and the individual and the state – won’t fade away even after COVID-19 is but a distant memory. Once we have a vaccine, we’re going to have to address them. The psychological imprint of this crisis, and the ways in which that imprint shapes the answers we find, may become the pandemic’s most lasting legacy.

The pandemic could also present an opportunity to re-assert — or finally assert — regulation over the new digital age.

“Nothing is inevitable, we have a responsibility to society as well as to the privacy of individuals. And we can do both. The answer to that question is entirely up to us” (Shoshana Zuboff, 2019). COVID-19 won’t disappear soon. Some will continue to panic and struggle to cope, desperately wishing for a return to normality, and perhaps a less nuanced discussion about how the crisis offers a unique opportunity to fix the wrongs of the past. Yet without that discussion, our new norms may include a world in which more little bits of our inner selves float in the ether, easy pickings for misuse.

This viral pandemic won’t last forever, but it has thrown some critical issues into sharp relief. These issues involve human values, power, and the relationship between technology, society and the individual. And the issues won’t resolve once the pandemic ends. Rather, the approach we take to answering these questions will help shape our lives for decades to come.
References

1. https://www.mintz.com/insights-center/viewpoints/2826/2020-05-28-covid-19-privacy-proposals-both-sides-aisle-comparison?_cldee=amVzc2ljYS5zYW50b3NAa2FudGFyaGVhbHRoLmNvbQ%3d%3d&recipientid=contact-6ab8e9d48686e6119403a0d3c1f8c3d1-4ee0361bc16149fdb9d5a3a4d7285f11&esid=b2812366-0ca1-ea11-943b-a0d3c1f8c3d1
2. https://globalprivacyassembly.org/
3. https://edpb.europa.eu/edpb_en
4. https://iapp.org/resources/article/dpa-guidance-on-covid-19/
5. https://www.hldataprotection.com/2020/03/articles/international-eu-privacy/coronavirus-and-data-protection-europes-data-protection-authorities-views/
6. https://ico.org.uk/
7. https://www.kantar.com/inspiration/health/the-future-is-private-a-dramatic-change-in-perception
8. Michelle De Mooy, director of the Privacy & Data Project at the Center for Democracy & Technology (https://twitter.com/michelledemooy?lang=en)
9. Daniel Castro, vice president at the Information Technology and Innovation Foundation, https://www.forbes.com/sites/rebeccasadwick/2020/03/23/smartphone-data-predict-coronavirus/
About Kantar

Kantar is the world’s leading evidence-based insights and consulting company. We have a complete, unique and rounded understanding of how people think, feel and act; globally and locally in over 90 markets. By combining the deep expertise of our people, our data resources and benchmarks, our innovative analytics and technology, we help our clients understand people and inspire growth.

For more information, please contact info@kantarhealth.com, or visit us at www.kantar.com/health