The Covid-19 pandemic demands extraordinary responses, and quite rightly governments are taking unprecedented steps. National administrations tend to acquire new powers during crises as they alone can coerce and mobilise vast resources rapidly.
Across Europe there is a push to use mobile-phone location data and deploy smartphone apps to fight Covid-19. Such technology has been used to great effect in South Korea and China. The argument is that automated surveillance can accelerate the all-important activity of contact-tracing. Arguments for such extensive surveillance normally include some variation of the idea that uniquely dire circumstances demand we give up our right to privacy for the greater good. However, past experience strongly suggests that once intrusive surveillance has been normalised for use against this virus, it is inevitable that other uses will be put forward.
Time and time again organisations have gathered information for one purpose and used it for something else entirely – rarely in the interests of the people affected.
We have become almost numb to the extensive scale of surveillance by private organisations in this internet age. Online businesses are growing richer through tracking, recording and analysing our every website visit, mouse click and online purchase. They use sophisticated and secretive algorithms to segment us before herding us into decisions we are scarcely aware we are taking.
History is littered with examples of the dark consequences of uncontrolled data gathering. Prior to World War II, the efficient Dutch state implemented a registration system which included a census on religion. Used correctly, it was an ideal tool for deciding where to build religious schools. In the wrong hands, it became a tool for genocide.
Ill-informed commentators claim that General Data Protection Regulation (GDPR) means we cannot use technology to protect ourselves. That is lazy and untrue. We can and should use every advanced technology to defend ourselves, but as the Irish Data Protection Commission has said, any such measures involving personal or health data “should be necessary and proportionate”.
In practice this means the state must take the lead in processing personal data to fight Covid-19. Location data from apps on devices or the networks themselves can be used to trace contacts rapidly and accurately and to identify patterns of infection. Private enterprise can and should be harnessed to provide the tools and resources where necessary, but control of our personal data must be in the hands of the state.
The purpose of this exercise should be strictly limited to fighting Covid-19. Data security must be prioritised with stringent penalties for any entity that thinks it can flout the law. When this emergency is over, the data must be destroyed.
It is not enough to trust the state to act correctly. The agencies involved must be transparent and accountable. The criteria, design documents and source code should be shared with the public, and a mechanism to incorporate the public’s feedback must be developed.
It has been reported that the HSE is planning to release a smartphone app that may both facilitate anonymous contact-tracing and permit people to get in touch with a heath professional. These two objectives appear to be in conflict. Anonymisation of personal data is always difficult. To combine one anonymous service with a communication service seems ripe for error. A transparent design process would help ensure a robust solution.
We have already witnessed the slow-motion car crash that was the introduction of the public services card (PSC). In that case, an initial narrow scope with a lawful basis was widened beyond any justification. It seems that up to 50 different state agencies now have access to personal data via a card that was described obtusely as “mandatory but not compulsory”. The PSC has cost over €70 million, and two state agencies are currently in court fighting over its legality. Let’s learn a lesson from the PSC debacle and not repeat these errors.
As citizens we need the state and its agencies to act decisively and to use every lever to fight Covid-19. But once that battle is won, we must not leave a legacy of damage that can never be undone. We have fought hard for rights that many, either for ideological reasons or amoral enterprises, would like to extinguish.
Together we must find a way to protect both our lives and our way of life. In that way we will emerge strengthened, not weakened, from this emergency.
Michael Spratt is one of the founders of the European Association of Data Protection Professionals in Ireland and currently chairs the organisation. He is also a consulting partner with DigiTorc, a consultancy working with British and Irish organisations to minimise data protection risk.