As much of the western world moves into the second month of lockdown, its positive impact on the public health front and its negative impact on the economic front are becoming clearer. The discussion about what happens next, i.e. when and how exactly we start lifting social restrictions, is gathering momentum.
In the fight against COVID-19 we have two powerful sets of weapons: on the one hand, healthcare, medicine and science are helping us take care of our sick whilst pharmaceutical and diagnostics companies race to discover better tests, drugs and hopefully a vaccine. On the other hand, effective data collection and analysis enable us to gradually understand the virus, its effects and spread patterns, and can help us contain it. Mass data sharing, location tracking, contact tracing, electronic permissions to leave home, COVID-19 patient registers and COVID-19 "certificates" or "passports" are emerging as key elements of the "new normal". All these solutions are data intensive and have privacy implications. At the moment, there is no consistency of approach across national borders (even within the EU or western Europe) regarding which of these data-centric solutions to deploy, and when and how exactly to approach each of them.
For instance, two main models are emerging for using mobile apps for contact tracing. On the one hand, there is the decentralised approach (using Bluetooth signals to store locally, on an individual's device, the device IDs of other mobile devices that have recently been in proximity), a version of which is promoted by the collaboration of Apple and Google (see https://www.apple.com/uk/newsroom/2020/04/apple-and-google-partner-on-covid-19-contact-tracing-technology/). On the other hand, others seem to favour more powerful centralised solutions that entail collection of additional data sets and central storage and processing of personal data, thereby allowing more precise and richer analytics and insights, and so better intelligence and more informed decision making. The former approach appears to be less intrusive from a privacy point of view; the latter appears to be a more effective data-driven solution in the fight against the virus, but more intrusive from a privacy point of view.
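To make the privacy difference between the two models concrete, the following added example (not code from Apple, Google, NHSX or the original post) simulates four phones and shows what the central server ends up holding in each model. The `Phone` class, the function names and the use of a fresh random ID per encounter are assumptions made for illustration.

```python
import secrets

class Phone:
    """Hypothetical device that broadcasts IDs and logs the IDs it hears."""
    def __init__(self, owner):
        self.owner = owner
        self.sent = []      # IDs this phone has broadcast (kept on the device)
        self.heard = set()  # IDs received over Bluetooth (kept on the device)

    def broadcast(self):
        rid = secrets.token_hex(8)  # assumption: fresh random ID per encounter
        self.sent.append(rid)
        return rid

def meet(a, b):
    """Two phones in proximity exchange their current broadcast IDs."""
    b.heard.add(a.broadcast())
    a.heard.add(b.broadcast())

def decentralised(phones, diagnosed):
    """Server receives only diagnosed users' own IDs; matching is on-device."""
    server = {rid for p in phones if p.owner in diagnosed for rid in p.sent}
    exposed = {p.owner for p in phones
               if p.owner not in diagnosed and p.heard & server}
    return server, exposed

def centralised(phones, diagnosed):
    """Every phone uploads identity plus contact log; matching is server-side."""
    owner_of = {rid: p.owner for p in phones for rid in p.sent}
    graph = {p.owner: {owner_of[rid] for rid in p.heard} for p in phones}
    exposed = {c for d in diagnosed for c in graph[d]} - set(diagnosed)
    return graph, exposed

def demo():
    """Constructed scenario: alice-bob, bob-carol and carol-dave meet."""
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    meet(alice, bob)
    meet(bob, carol)
    meet(carol, dave)
    phones = [alice, bob, carol, dave]
    return decentralised(phones, {"alice"}), centralised(phones, {"alice"})

if __name__ == "__main__":
    (server_ids, dec_exposed), (graph, cen_exposed) = demo()
    print("decentralised server holds:", server_ids, "-> notified:", dec_exposed)
    print("centralised server holds:", graph, "-> notified:", cen_exposed)
```

Both models notify the same person, but the decentralised server holds one opaque ID while the centralised server holds the full contact graph, including users who were never exposed.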
In the UK, NHSX seems to be going for the former approach, working with Google and Apple, although alternatives are being explored. In a press release today, NHSX said that in future releases of the app people will be able to choose to provide the NHS with extra information about themselves to help identify hotspots and trends and, therefore, contribute towards protecting the health of others and getting the country back to normal in a controlled way, as restrictions ease (see https://www.nhsx.nhs.uk/blogs/digital-contact-tracing-protecting-nhs-and-saving-lives/).
A few clear points emerge from the current situation on the data collection, tracking and tracing front. To begin with, we are in desperate need of some degree of international cooperation and consistency in the approaches taken by individual countries. After all, COVID-19 does not stop at national borders, and each country will be better off if it leverages insights from other countries. But it is essential to ensure that international cooperation does not slow down national initiatives. Secondly, privacy and data protection legal requirements are a catalyst in this effort. Approached and applied in the right way, privacy and data protection law can help leverage technology and data to help us beat COVID-19. Approached and applied in the wrong way, they could unduly slow down developments or reduce the value we can derive from data. EU privacy regulators (or most of them) have been at pains to explain that GDPR and EU privacy law are not an obstacle to these data processing activities - on the contrary, they are an enabler. Several regulators have published relevant guidance (see e.g. the UK ICO and EDPB initiatives - https://ico.org.uk/media/about-the-ico/documents/2617653/apple-google-api-opinion-final-april-2020.pdf and https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf).
When assessing proposed COVID-19 data processing activities in these uncertain times, CPOs, DPOs, privacy lawyers, regulators and other privacy pros must approach privacy compliance in a pragmatic way, recognising that the right to privacy must be balanced against the urgent need to combat the public health and economic crises. In doing so, we must exhaust our pragmatism, innovation and creativity, placing the emphasis not on achieving technical compliance with every local legal requirement but rather on satisfying the core data protection principles of transparency, necessity, proportionality, data minimisation, purpose limitation, accountability, security and data subject rights.