Resource Hub

Data privacy during the COVID-19 outbreak

Andrey Arestov discusses implications of COVID-19 on data privacy and marketing amid the influx of online data tracking practices.

We still remember events that happened almost 19 years ago on 9 September 2001. 9/11 was an international disaster with severe impact on the global economy, politics, and pretty much all aspects of our lives. We sometimes don’t even realise that things that we take for granted these days never existed before 9/11. One of those things you probably notice is that the pilots on commercial planes are sitting behind bulletproof doors that are shut during the flight, and before you can board your plane you need to get through a thorough security check. Other impacts were privacy trade-offs in favour of public security. That one event changed the world and changed our lives in ways that we are still experiencing.

We are now in a world that’s been impacted by an invisible enemy, without a face, without insignia that silently infiltrates nations and causes economic, political and social havoc. Every country takes its own steps to deal with the impact. This impact like 9/11 will make our lives different again, there will be a ‘new normal’.

The outbreak of COVID-19 has raised many concerns about the way we will get through this pandemic, and what the future may look like.

One of the things that have been floating around the internet is a limitation of individual rights introduced by many governments: restrictions on data privacy, surveillance, and so on.

China was the first country where the initial wave of the virus made the government lockdown epicentres of the outbreak, start tracking individuals’ movements using data from smartphones and facial recognition cameras in order to identify infection and put protective measures in place.

Limiting rights in situations like we face today is not something new. Since the 1960s, the International Covenant on Civil and Political Rights of the UN has stated in an article [1] that in times of public emergency, the threat of life of a nation or to protect public health and safety, some measures may be introduced including and not limited to the liberty of movement, freedom of expression, and so on. Some countries, including members of the UN, have enabled this option in response to the virus threat.

What about data protection? Well, the now well-known General Data Protection Regulation (GDPR) has covenants that are compliant to the international legislations and clearly articulate directions in a state of emergency. As such, in March, the European Data Protection Board, referring to Article 15 ‘Derogation in time of emergency’ of the European Convention on Human Rights (ECHR), made it clear that the emergency is a legal condition that may legitimise individual freedom restrictions including personal data and ability of employers and health authorities to access personal data without consent. Some European countries have proactively applied this article, including Latvia, Romania, and Estonia. Other European countries, Germany, Austria, the UK and Italy went even further and introduced measures similar to ones in China, Israel and South Korea, where tracking data from mobile phones was implemented to monitor public movement, mapping infected individuals, identifying virus transition chains, controlling quarantine, social distancing and lockdown measures.[2]

Mobile operators have been working closely with local governments providing them with data and analytics, whilst in the States, local authorities approached Google and Facebook to provide aggregated data from smartphones to track the virus transmission, control lockdown enforcement, etc.

Google and Facebook have already started leveraging data capabilities and partnering with governments and organisations globally on providing aggregated reports to track the virus spread.

Facebook, for instance, has set up Disease Prevention Maps.[3] These maps show public movement using aggregated data sets combined with epidemiological data from health systems. Facebook claims that all collected data is aggregated with privacy-protective measures applied.

Google has also started the publication of aggregate anonymised data on public movement. Their mobility report covers public movements by regions, locations, including parks, retail stores, pharmacies and residential. Google stated that the data was collected through consent (users had to enable tracking features in their accounts) and anonymously.[4]

Google’s report has now been made available for New Zealand. According to the figures, Kiwis are largely adhering to the level 4 lockdown and following guidelines.

Google and Apple have also partnered to develop a contact tracing platform for tracking the spread of the virus.[5]

As well as other countries, New Zealand is leveraging data traction for Kiwis who returned to the country using data from their mobile phones. In contrast to other nations, NZ Police still have to ask for consent to gather geo data from phones, and the data will only be tracked from those who grant their consent.[6] Additionally, Worksafe and the Ministry of Health are obliging businesses to track visitors, collect their details and keep records for up to two months for future references. There are already digital tools that facilitate tracking exercise.

The list of tracking tools, solutions and collaborations between tech companies will be growing exponentially allowing for more complicated data collection and analytics. Such an influx of data tracking and sharing has already raised concerns among data protection and human rights organisations. The main message here is that the governments need to take extra steps to protect personal data that includes health and location information and prevent data from being used for wrongful purposes.

“Allowing access to personal data, particularly health data, without guardrails could threaten fundamental rights and liberties and open the door to data exploitation that could violate civil rights and harm vulnerable populations. It is not enough to expect that corporations will keep the promises they make in their unregulated terms of service. There must also be federal protections for new data collection, processing and sharing, and real consequences for violations,” the letter signed by the 15 organisations, including the Center for Digital Democracy, Access Now Campaign for a Commercial-Free Childhood, the Center for Human Rights and Privacy, Amnesty International-USA.[7]

Data privacy measures introduced by different governments due to the outbreak of the virus are intended to protect public health and mitigate the impact of the outbreak. Data protection rules are all in force and consent is still required when we deal with commercial or marketing activities, data gathering and processing. Breaching of the rules in this instance still bears significant financial implications and reputational damage (e.g. GDPR). Marketing professionals still need to follow the law and customers’ concerns as if business as usual. So, for marketers, there won’t be any ease around customers data protection.

As with 9/11, the key questions will be for how long the new rules for data tracking will remain and what trade-offs we’ll have to face to combat the virus going forward?

[1] International Covenant on Civil and Political Rights, https://www.ohchr.org/en/professionalinterest/pag...

[2] New EDPB Statement on Data Protection During the COVID-19 Outbreak, March 23, 2020, https://www.ohchr.org/en/professionalinterest/pag...

[3] Disease Prevention Maps, https://www.ohchr.org/en/professionalinterest/pag...

[4] COVID-19 Community Mobility Reports, https://www.ohchr.org/en/professionalinterest/pag...

[5] Apple and Google partner on COVID-19 contact tracing technology, https://www.ohchr.org/en/professionalinterest/pag...

[6]Coronavirus: New Zealanders arriving home asked to consent to police tracking their location, 2 April 2020, https://www.ohchr.org/en/professionalinterest/pag...

[7] 15 Groups Call on Lawmakers to Protect Privacy and Personal Data in Covid-19 Relief Packages, 20 March 2020, https://www.ohchr.org/en/professionalinterest/pag...