Contact Tracing COVID-19 Throws a Curveball to GDPR, Data Rights
Monday marked Memorial Day in the United States, while in Europe, it marked the second anniversary of GDPR going into effect, a monumental occasion to be sure. But what does the future of the data privacy law look like in light of current events, including governments’ use of contact tracing applications to fight COVID-19? Are we ready to sacrifice a little data privacy if it means saving one life from coronavirus? We asked data experts to weigh in on the matter.
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) officially became the law of the land. Overnight, citizens of the EU suddenly gained much more control over their digital lives and the data that’s generated from it, while companies that collect and process personal data suddenly had to show a lot more responsibility in how they handle it, and in the most severe cases, comply with people’s requests to disappear from the database entirely.
Two years in, we haven’t seen the sort of big enforcement actions that experts predicted European regulators would take to flex their regulatory muscles. American tech firms were expected to be the biggest targets of GDPR enforcement actions, and they have been. But Google’s $56 million fine, levied in January 2019, remains the biggest enforcement action. All told, European data police have handed out 228 fines costing violators nearly $163 million as of March 2020.
If you’re not satisfied with how GDPR is going so far, then take solace in the fact that these are still early days for GDPR, according to Heather Federman, an attorney who joined BigID as its vice president of privacy and policy this March.
“We’re at the very beginning of seeing how GDPR is going to play out,” Federman says. “We have seen some enforcement actions across various member states that have applied the regulation. And while there are going to be bad apples, a lot [of organizations] are trying to do the best they can to be compliant.”
The one wild card to factor into GDPR’s two-year assessment is, of course, the novel coronavirus that’s wreaking havoc on the world. Europe has been particularly hard hit by COVID-19, with millions of infections and hundreds of thousands of deaths. It’s not particularly relevant from a data privacy standpoint, except for one aspect: the contact tracing applications that European governments are backing to help control the spread of the disease.
An Exception in the Law
European governments have backed the use of contact tracing applications, which typically use Bluetooth radio signals to detect when other people come close to an individual (2 meters in Europe; 6 feet in the states). A record is kept of all of these close physical contacts, and in the event that somebody tests positive for COVID-19, that list becomes quite useful for tracing the flow of the virus.
Many countries around the world have adopted some type of contact tracing app. In fact, some countries, like South Korea, Singapore, and China, have mandated their use, which have been credited with helping to staunch the spread of the coronavirus in those countries. Western democracies, however, have not embraced these apps nearly as strongly as their Asian brethren, and a big reason why is their stances on data privacy.
While GDPR clearly stands in the way of governmental agencies running data dragnets through the digital lives of people, the fledgling law isn’t necessarily incompatible with contact tracing apps, according to Federman.
“In terms of these contact tracing initiatives, generally speaking there is a lot of concern about the privacy issue at play here,” Federman tells Datanami. “For one, they’re collecting this data. So there’s this issue of consent versus no consent. That’s always a sticking point, but in this case there could be an exception.”
GDPR has buried within its (many) pages language that allows for exceptions to be made in the event of public emergencies, such a viral pandemic, she says. However, for an exception to be legal, the application and the data would have to be collected just for contact tracing and no other uses.
“It would have to be specifically tailored for that purpose of processing and not for some additional use,” Federman says. “I don’t think it necessarily saying that we’re going to suspend all privacy protections. But I think we have to be flexible and nimble enough to say we are in a moment of crises, and if this limited subset of data can be used in a way that can clearly help us move forward, then we have to be willing to be OK with that.”
Consenting to Corona Tracking
Grant Geyer, the chief product officer at industrial cybersecurity company Claroty, also sees GDPR being compatible with contact tracing apps, provided the proper consent is taken.
“I don’t see this as an either-or situation between the ability to use contact tracing apps and maintaining users’ data privacy,” Geyer tells Datanami via email. “As long as users are given informed consent of what personal information is being collected, how it will be processed and used, and provide for their ability to withdraw consent, GDPR’s principles are being upheld. Even when dealing with an existential threat like COVID-19, this test of GDPR demonstrates its resilience in achieving public safety and still maintaining data privacy standards.”
The ability of an individual to consent to their data being collected and processed is also core to the California Consumer Privacy Act (CCPA), which went into effect in January but won’t start being enforced until July 1. CCPA resembles GDPR in many ways, including the possibility of big fines for organizations caught abusing people’s person data.
Adhering to the CCPA would be a requirement for Google and Apple, which have followed the lead of tech companies in Europe and Asia and developed contact tracing apps for Android and iOS mobile devices. However, unlike the contact tracing applications in Asia, the personal location data in the Google and Apple apps is not accessible to the government. Instead, in the event that somebody becomes sick, the people who have been near that person will receive an alert, and it’s up to those people to act upon the alerts, not any central authority.
Buno Pati, the CEO Infoworks, doesn’t see contact tracing apps running afoul of new privacy laws, assuming they clearly spell out what they’re doing and gain the consent of the users.
“Provided that app-based contact tracing preserves and respects these rights, I do not view them as damaging or requiring changes to the core precepts of GDPR or CCPA,” Pati says. “However, if app-based contact tracing is mandated by law, and individual have no rights to transparency and control, it will be a step backwards in the progress society has made to protect individual privacy.”
But Do They Actually Work?
The bigger problem with the contact tracing apps is whether or not they are actually effective, according to BigID’s Federman. Usage of the apps is voluntary, and people just aren’t volunteering to use them, at least in the United Kingdom. That presents a bit of a Catch-22 situation.
“What I’ve been personally struggling with here is that, on the one hand, I don’t know if consent really works and if we’re going to use technology for contact tracing, you almost need everybody to partake in the system,” she says. “The problem is not everybody is going to have the right technology for contact tracing initiatives. So how do we make sure that we’re all on the same level playing field? We aren’t assured of that. And then we have no assurance that this data is going to be used [appropriately]. I have more concern about the usage of this data than I do the consent aspect of this data.”
It’s possible to build a contact tracing application that’s functional and fully respects people’s privacy, according Joe DosSantos, Qlik’s chief data officer. The key prerequisite for that would be for people to have a digital identification number and a trusted entity to process data as that person generates it.
“You need somebody you can trust that you can hold these things, but you also trust not to have access to them. You need a superlative security mechanism, like Blockchain,” DosSantos says. “The idea of transacting with anonymity is at the core of this. You can calculate R0 without knowing anything about the people. If want to know how where it’s spread, you say, I want to interrogate what state each of these different people lives in and you can interrogate the blockchain that way.”
Trust (or the lack thereof) is the key barrier preventing the United States from partaking of the type of public health success that people in Asian countries are benefiting from, according to DosSantos. People in the United States tend to not trust the government to hold onto their sensitive data and do the right thing with it. “Why people trust Google more than they trust the US Government? I don’t know,” he says.
Big Brother, Where Art Thou?
While American big tech firms have a reputation for being cavalier with privacy rights, the work that Google and Apple are currently doing with the contact tracing app in the United States is going far in preserving peoples’ rights, says Todd Mostak, the CEO of OmniSci, a Silicon Valley-based developer of a GPU-accelerated database.
That’s the result of a fundamental difference in philosophy that American firms have compared to their Asian brethren, he says.
“They’re pretty aggressive [in Asia] in using straight up cell phone data sets in many case or mandatory use of apps,” Mostak says. “I don’t think the country is prepared to go there.”
Mostak has high hopes that massive amounts of aggregated and anonymized data visualized through a compelling user interface (such as the OmniSci dashboard he walked Datanami through last week) can provide policymakers the fine-grained view of people’s current behaviors that they need to make good policy decisions, without violating individuals’ privacy rights.
“I don’t think anybody is cavalier, like ‘Let’s spy on Americans,’ at all. If anything, people are overly cautious about anything that might appear to be invading anybody’s privacy, even if it’s completely anonymous,” he says. “I don’t think this is in danger of turning into Big Brother. But people are right to be concerned and aware. It’s one of those things as society, you have to weigh the benefits against potential consequences.”
If there was a guarantee that a sacrifice in data privacy translated directly into saved lives through a contact tracing app, would you take that deal? It’s doubtful that many in the US would, he says.
“I’m not sure people will be down for people knocking on their door, saying ‘You’ve been exposed and need to go into quarantine now,’” Mostak says. “I completely get Americans’ concern for government overreach.”