Transcript of “Privacy in the time of COVID-19”

Speakers: Karolina Mojzesowicz (Deputy Head of Unit Data Protection, European Commission), James Leaton Gray (Director of The Privacy Practice), and Anna Pouliou (Partner at Deloitte)

In this week’s webinar, we were delighted to be joined by Karolina Mojzesowicz (Deputy Head of Unit, Data Protection, European Commission), James Leaton Gray (Director of The Privacy Practice), and Anna Pouliou (Partner at Deloitte). They gave us an insight into the various questions around privacy and data protection and the challenges created by COVID-19.

Anna, you are joining us from Paris. How’s life under lockdown?

“We are still in lockdown but we are supposed to get out on Monday 11. My colleagues in Belgium are already kind of released but as you know the situation hasn’t stabilised and we will see some uncertainty for a while. This is why today this is such an interesting topic, considering what will happen now employers are being asked to start operating again. COVID-19 has certainly changed things and that’s what we’ll talk about today.” 

“Yes COVID-19 has undoubtedly changed our situation. Before we talk about the applications, I think there are some fundamental relationship changes to discuss between society and government, and us as individuals. I’ve always said that there is no such thing as privacy, and what I mean by that is the fact that it’s fluid. Privacy will change over time and depends on context, environment and culture. All of those things have suddenly changed and so the nature of privacy is also in the process of changing. It’s in flux and in the 16-17 years I’ve worked in privacy, it’s been changing and moving towards a greater understanding for the need of privacy. Is this another turning point? Will it start to change again? Interaction is changing so we need to work out which bits of privacy consideration we push through faster and which we object to and why. It’s a very important and scary period of time.”

“I want to touch on one thing here. Data protection is of course a topic which worries a lot of people. Europe is very focused on privacy and there are strict regulations, namely GDPR. When we speak with American and Asian colleagues, they ask why we’re so strict. I think this is historical. I want to take us back to the Black Death era. It lasted six to seven years in Europe and wiped out maybe a third to half of the population. During that time, it was common to mark the doors of sick people with a red or black cross and even write prayers. It helped people understand who was infected with the plague. When we think about these privacy issues, people are sensitive and they’re more sensitive than ever today. They’re conscious that via smartphones and laptops there could be surveillance. Once the pandemic became public, governments tried to implement apps to track when individuals came into contact with an infected person. James, do you feel that there is sensitivity around surveillance in your area? I read in an article that scientists are concerned that governments will carry on tracing people after the pandemic has passed.”

“We have an interesting situation where you have this tension and it’s the standard GDPR tension between the need for privacy and the need for other things (commerce, governments, business etc.). I think the interesting thing is where we get the answers and information from and how the public can judge the level of risk that they are taking. I don’t think any of the app developers have spent enough time considering risk whilst it’s actually fundamental to data protection. All they’re getting is a certain level of disagreement between various experts on the level of data safety. These systems are centralised, therefore they heavily involve campaigns, big data etc. all of which leads to nervousness.

Personally I think other territories are better at having certain conversations. I was reading an article from the Australian Cyber Institute about the concept of operations. It said it’s not just about the physical security. It’s about understanding the purpose. The environment, the demographics, the human element are all involved. If you launch an app and only a certain demographic uses it, how much use is the app?

In this instance, you’re trying to protect a demographic (over 70s) who are the least likely to understand how to download the app. Here is where so many conversations about technology go wrong, where a lot of it is about society. The approach we’re taking is too technology based, and not enough about sociology, environment, and politics.”

When we talk about tension relating to GDPR, is that managed by the principles of security?

“This is where the authorities come into play. One of the principles established was that there are some key privacy values that need to be maintained; security and purpose limitation for sure. There’s also data minimisation (how much do you keep?), retention (how long for?), transparency, and need for consent... For those of you that deal with privacy, you understand that this is a pandemic so here reasons of public health are coming into play and consent may not be needed. That doesn’t mean that’s how we should do it. Security must also be considered of course as data can’t be stored with unreliable providers.

I’m going to throw in another idea to highlight the importance of data. You may have heard that some governments have made lists of data to qualify people for ventilators. If there aren’t enough ventilators, doctors need to make a choice on who gets one. There is actually a list or criteria based on age, medical condition etc. This highlights how important accuracy of data is, as well as the rights of access to and rectification of data. If my data is wrong, I may not get access to a ventilator.”

Many employers historically haven’t been able to access employee health data. This may change now with the use of immunity passports. What advice do you have for employers handling medical data which needs to be shared?

“This is going to worry most of us as we go back to the office. How do we actually return? We have employees abroad so how do they get back? How can you trace people? Can you ask difficult questions about their health and contacts? It is down to the governments to deal with these issues. I can’t impose a temperature test at the door and decide who’s in and who’s out; this needs to be directed by the government. People have been following guidance so far related to the confinement measures. However, many employers are now tempted to make the decisions but it’s vital they respect the privacy values and follow the guidance from governments, the European Data Protection Board, and the national data protection and health authorities (as the rules can vary across countries). Deloitte Legal has created a booklet with the applicable rules per country.”

“I think one of the things that will be exposed, is the degree to which some organisations understand and have embraced GDPR regulations, and the degree to which some haven’t. There’s going to be a knowledge gap in some instances. I do think we’re in an era where people will expect a certain degree of pragmatism and we have to be wary of becoming the ‘you can’t do that’ generation as there are opportunities within cyber to manage health data perfectly well. However, there won’t be a one size fits all answer. We know we have to do something appropriately, but you have to look at individual circumstances and how realistic the response will be in those circumstances. I saw a firm where a factory had reopened with a one way system in place. Considering the size of the factories some people work in, this could be a huge undertaking to manage but will be essential to starting production again.

Regarding security and purpose limitation, I think where I’m nervous is back to that point of what the purpose is. Using the app as an example, the original purpose may be narrowly defined as ‘to trace’. However, there are other linked purposes. Pandemic researchers may want to keep the data for the next pandemic. Is this a breach of purpose limitation? If it isn’t, then what is the limit? Do we keep data forever for interest?”

“There are very significant considerations around scientific research. The European Data Protection Board has created two sub committees, one focusing on technology and tracing applications and another focused on the use of data in scientific research. We need to apply considerations around privacy to both. We are privileged in that we have regulators to protect us as employees and citizens from surveillance. At the same time, we have the European Commission who can intervene when necessary for consistency and coordination among member states. It’s so hard to have coordinated action but in this instance for the use of apps, it did happen.”

In some places, people who have had COVID-19 will be less restricted. It’s almost the opposite of the plague door markings. Do you think we will see a two-tier society when those who aren’t restricted have more freedom meaning people choose to share their data?

“This is one of the more worrying aspects around privacy to come in the next decade. It relates to acceptance and habituation. Ignoring scientific queries around COVID-19 immunity, at first it seems nice that if you have an immunity passport, you can go to the gym. This is useful, so why don’t you now carry another piece of health data that allows you to do other things? It’s like the argument of thumb prints being used in schools to access lunch or library books. It habituated people to the idea that they can use biometric pass mechanisms to access key aspects of their lives and this premise will expand to become more normal. I do think there is something similar happening here. If it brings me advantages I’m happy to give my rights up for that.

The longer term conversation is around where the data should be held, and how can we secure the immunity passport data. We then need to start looking at technology. We’ve approached this the wrong way around by approaching technology before we worked out what was going on.”

We are joined by Karolina at this point.

Karolina, can you give us a sense on what’s going on with tracking apps and what instigated the need for a collective response?

“For once this wasn’t too hard. Our Directorate Generals responsible for health issues are in constant contact with the Health Ministries across the European Union. In light of the events, it was very clear that a harmonised solution needed to be provided. There were discussions concerning what data can and should be used bearing in mind the various considerations. Of course the considerations focused on effective monitoring of the disease, and the possibility to inform people that they were in contact with an infected person. We asked which data would allow reliable information about such contact. We discussed how to balance this consideration with the protection of data and privacy. We looked at the developments taking place in the Asian countries who were developing apps earlier than we were in order to find the most suitable solutions for Europe.”

There seems to be a query around centralised and de-centralised models. Can you give us a sense of the key differences between centralised and decentralised application models, and in your opinion which one is better for privacy and accurate updates?

“The difference is where and how much of the personal data on epidemiological proximity is stored. The Commission and the European Data Protection Board (EDPB) were very conscious not to exclude one of the models. Both of the models have their advantages and disadvantages. This was one of the European Commission’s most debated topics; whether the Commission should decide which of the models is the most advantageous from a data protection perspective. The decision was made to allow both systems to be used bearing in mind that the decentralised systems with less storage offered better data security while the centralised models provide greater opportunity to store data for health research purposes.”

What are your opinions on organisations who are thinking of developing their own applications to track their employees?

“This is something that needs to be very much reflected upon. Any kind of tracing can only be done in line with legislation and the installation of the app from our point of view must be voluntary, so, in light of the Privacy Directive should probably be based on consent. Consent within employment relationships is very difficult. Furthermore, employers as private operators can’t justify their actions by saying they are pursuing a public interest objective.

Ultimately private entities aren’t intended to pursue a public health interest. It’s not their job. Your employer must respect legislation and their obligations around safety such as masks and screens. This wouldn’t go as far as tracing staff.”

“Most of the studies I’ve read say you need to have an uptake of above 50% to make these apps work. I can’t see how an employer could create an app which interacts with the government app to reach this number. If it can’t, then it doesn’t improve employee safety as it’s only covering their own employees and won’t have enough data points to make it epidemiologically valid.”

Instead of apps, some places are talking about using CCTV to monitor contact and movement. Is it acceptable to use building access control to identify human contact and protect people?

“This needs to be included in a very clear piece of legislation. I have never thought about using CCTV to observe whether people are in contact with others from a health perspective. How is this supposed to work? How can it be helpful as a tool to help the spread of the disease? I wouldn’t say that it’s a suitable measure to meet the aim.”

Bluetooth works through walls. It’s possible that you can be detected as being close to someone without the actual risk being present. There’s also a risk of spoofing and people claiming others have been infected, to limit their movement. What steps are being taken to ensure abuse isn’t happening?

“Technology can’t fix everything. Even if I monitor everyone at the office, how do we check who touched the surfaces, used the bathrooms etc. Let’s be realistic and let the government give us some general guidelines we can follow. There’s also a question of transparency. We are using technology to the rescue in this situation but let’s not forget that privacy has to also be respected.”

“We’re back to the understandable desire to use technology to answer difficult sociological questions. I read that Heathrow is trialling CCTV that can map the temperature of the human body. On what basis is this sort of CCTV balancing the need to save lives vs respecting privacy? It’s the question of law vs ethics. The rush to use technology to answer these questions is understandable. If experts can provide a kit that gives you an easy solution then I can’t blame the government for wanting to trial it. What we ought to do is try and slow society down until science is ready to catch up. This is what lockdown and isolation is all about.”

“We are very much aware of the drawbacks of falling back on Bluetooth, and it was discussed to what extent Bluetooth data should be crosschecked with location data. It is all a question of balancing the different considerations. Think back to centralised and decentralised data. The main difference is where the matching takes place. Is it on the device, or the centralised server?”
