Data Privacy and the Pandemic
A Principled Approach
Data privacy and protection has become even more top-of-mind during the COVID-19 pandemic. What were once arcane matters for cybersecurity and governance professionals, legislators, and marketers, has become public discourse.
The argument for tracking COVID-infected individuals, and tracing those who have come into physical contact with them is, as WireWheel’s Founder and CEO Justin Antonipillai put it, “raising a tremendous number of data privacy and protection issues and has brought related regulatory issues to the table.”
During the “Privacy Tech Leaders” session at the recent SPOKES Conference (December 1-2), Justin asked “How are you seeing those [data privacy issues] develop and how are you dealing with them in your organization?”
“Data has been incredibly important, not just in terms of ensuring that we knew who was having the virus and trying to track, trace and get people tested, but when it comes to vaccines…[ensuring they] do well in their phase four trials…,” says Julie Brill, who anticipates we are going to see a lot more personal data being used to fight the pandemic. Brill is Corporate Vice President, Deputy General Counsel and Chief Privacy Officer, Microsoft.
“Many people, while they need to use tech to stay connected, also have serious concerns about what is happening to their data,” says Brill. Addressing these concerns, she posted a blog, Preserving privacy while addressing COVID-19 (Brill and Lee, 2020), that outlines “Microsoft’s principals for using Covid-related technologies:”
As countries and companies focus on technologies such as tracking, tracing and testing to fight the pandemic, it’s critical that we also protect people’s privacy…As in all other aspects of modern life, digital technologies are likely to be used for tracking, tracing and testing. This requires special care, as sensitive data about our location and health status may be involved.
The seven principals, include critical concepts that address many contentious issues, such as meaningful consent, transparency, minimizing collection to only what is necessary for health purposes, restricting use, and importantly: voluntary participation, and deleting the data “as soon as the emergency is resolved.”
While the parameters of each of these concepts may be open to interpretation, they seem clearly intended to introduce, not only an important data protection framework, but a level of control that can be exercised by individuals in line with that of the recently passed California Privacy Rights Act (CPRA) and the EU General Data Protection Regulation (GDPR).
“Privacy and ethical concerns must be considered as we move forward to use data responsibly to defeat the COVID-19 pandemic,” concludes the statement.
Even in the Absence of Laws
“Covid really exposed a number of problems we have, including the lack of having clear guardrails, about how companies can use data in a robust way, but also in a privacy-protective way” offers Julie.
Lindsay Finch who is Executive Vice President, Global Privacy and Product, Legal at Salesforce agrees and proposes that perhaps federal privacy laws are required “So many of the laws that are already in place globally set countries and companies up for success in terms of how to work through these data challenges. [This is because] the underlying principles of the COVID-specific bills, and I think what many of us are advocating for in terms of an overarching federal privacy law, are very much the same…”
The pandemic, continues Lindsay,
has just brought [data privacy] to the forefront and made it dining room conversation around a lot of issues on privacy that we didn’t see before. And I really see this turning into a broader conversation beyond the pandemic around data collection and responsible data use…
Data ethics [is] an exciting emerging area. And there’s certainly more and more laws and regulatory proposals in this area…But even in the absence of laws, it’s really critical for companies to be thinking about the ethical implications of their data practices as part of their comprehensive data governance strategy.”
“We know that no matter how good a technology is, people won’t use it unless they trust it. And so, developing technology, with not only privacy, but…around human rights and civil liberties…is the right thing to do.”
What is it Exactly, and Will it Work?
Gabriela Zanfir-Fortuna, Senior Counsel, The Future of Privacy Forum, also published a piece in April 2020: “Why Data Protection Law is Uniquely Equipped to Let Us Fight a Pandemic.”
In this piece Gabriela reminds that “data privacy” and “data protection” are two very different things, writing:
Perhaps happy to finally see this field of law taking the front stage of public debate through the GDPR, we [data protection lawyers] have not stopped anyone from saying that the GDPR is a privacy law.
The truth is, the GDPR is a “data protection” law (it stands for the General “Data Protection” Regulation). And this makes a world of difference these days, when governments, individuals, companies, public health authorities are looking at the collection of personal data and digital tracking of people as a potential effective way to stop the spread of the COVID-19 pandemic…
She continues writing emphatically “Importantly, the goal of data protection is to ensure that information relating to individuals are collected and used in such a way that all their other fundamental rights are protected…This is why data protection is uniquely equipped to let us fight the pandemic using personal data.”
During discussions Zanfir-Fortuna, notes that “European data protection authorities have been very quick to react and to issue guidance on what companies and authorities can do with the data…” This is facilitated by a “level of legal certainty” despite certain vagueness that comes with interpreting regulations like the GDPR.
She says it has also “facilitated some of the best innovations we’ve seen in pandemic responses” such as the Pan-European Privacy-Preserving Proximity-Tracing (PEPP-PT) protocol for tracing applications which served as a foundation for the Google and Apple contact tracing Apps. (This protocol, it should be noted, is not without controversy.)
Enthusiasms notwithstanding, and appropriately circumspect, Gabriella adds: “it remains to be seen…when you’re looking at this period in time and [analyzing] the data and results, whether it actually was also effective in practice.”