Planet Earth is currently in the grip of a pandemic, the disease COVID-19, more commonly known as CoronaVirus. The ongoing emergency is creating – and will continue to create – events which are without precedent in modern times.
An inevitable consequence of this ongoing crisis is that certain uncomfortable discussions which have so far been kicked down the road can no longer be ignored. Civil liberties versus the imposition of emergency government powers is now high up the agenda. A Pandora’s box of mass connectivity, state surveillance and human rights is exploding as panic seizes the world.
The consequent debate functions as a reality only in states which count as full democracies (see The Economist Intelligence Unit’s Democracy Index here). Below that level, the discussion is little more than lip service. In hybrid and authoritarian regimes, it does not exist and, if attempted, may be brutally suppressed.
It is therefore incumbent upon the full democracies of the world to continue the debate with urgency and vigour, even in the face of ongoing catastrophic turmoil and terror. The highest standards of protection of both individual and collective rights, whilst subject to review in times of emergency, must be maintained, even if few choose to follow them.
In such a world, protection of personal data sounds like an anomaly – mundane, even. Nevertheless, on 19 March 2020, the European Data Protection Board (EDPB) issued its “Statement on the processing of personal data in the context of the COVID-19 outbreak” [pdf]. The European Union has the highest standards of data protection in the world, closely followed by New Zealand and Canada. In the United States, it is haphazard, varying dramatically between individual states (but see Inforrm media law blog’s post which states: “…Congress is considering passing a Data Protection Bill in a bid to harmonise data protection regimes nationwide…“).
Our lives are now mapped and interpretable via digital data, in addition to subsisting analogue data. Everyone who possesses a device which is connected to the internet is continuously generating unimaginable quantities of data about themselves and the intimacies of their lives 24/7. The few who are not connected in this way are either doing so by choice, by default (eg. age/incapacity) or because they are living in a state of deprivation; technically, in this brave new world, they barely exist.
A large proportion of personal data is highly sensitive and therefore wide open to abuse by anyone with access, including governments and commercial enterprises. Health data is such an example; add your location, contacts, eating/fitness/shopping/sexual habits and each of us becomes an open access dataset for a huge number of interested parties.
Data = Information = Power
In the time of CoronaVirus, data, even flawed or patchy data, is the greatest weapon of governments in stopping the spread of the virus and developing appropriate medical treatment. The more information which is harvested, the greater the chance of success in containing the disease.
However, this involves the provision of highly sensitive information about individuals’ health status and a wealth of other activity such as movement of people, alone or collectively. We have only to look at the vicious government clamp-down of the young protesters in Hong Kong during 2019 to see how such information can be abused by those who extract it.
In many cases, that information can be handed over willingly and in exchange for increased convenience in everyday life such as smart purchases, access to essential services and ease of travel. Personal data is routinely collected and used by governments, commercial enterprises, civil society institutions and a host of others. This may happen with or without consent and/or, of greater concern, by stealth.
So this is Social Contract 3.0 – with wildly unequal contracting parties on all sides. Never before has the “legitimacy of the authority of the state over the individual” been so open to abuse. In addition, the big tech companies such as Google, Facebook, Alibaba, Amazon, ByteDance (TikTok) etc. now also operate as virtual states. Their contribution to the pool of government data is frequently murky and unaccountable.
As a result, the social contract between state and citizens has morphed into a commercialised behemoth that knows no borders and observes few regulations. Surveillance capitalism has come of age and is becoming the preferred system of the global community.
That said, it is beyond doubt that East Asian countries such as Taiwan and South Korea have used mass connectivity to control the spread of CoronaVirus and save lives, with encouraging results so far. In the last few days, Wired magazine has produced two articles examining the situation in each country. The Taiwan piece (“Taiwan is Beating the Coronavirus. Can the US do the Same?“) refers to the “the adroit use of technology”. The South Korea article (“What the world can learn from South Korea’s coronavirus strategy“) says the following:
South Korea is one of the most wired countries in the world, where everybody uses cell phones for just about everything, and [the government] was able to use our cell phones to not only track but send warnings, like ‘watch out, there’s a Covid-19 patient in your vicinity……..One significant trade off South Korea has had to make, and that the UK [and EU] may soon grapple with, is the trade-off between public health and civil liberties. Not just the restriction of movement – cancelling schools; home working; ending mass gatherings – but also the erosion of privacy.
The debate is therefore framed as a) the responsible use of data can save lives but b) it can also act as a vehicle for egregious state intrusion into the lives of its citizens. Inevitably, this extends into the wider discussion about the exercise of the rule of law in times of national/international emergencies, such as we have now.
Without doubt, urgent action is vital and difficult decisions must be taken at speed. Nevertheless, democracy requires that the state protects the privacy and integrity of its citizens as far as is humanly possible. Derogation from that central tenet should only occur in extreme circumstances and with strict checks, balances and time limits.
The European statement
Against this backdrop, the EDPB issued its statement a few days ago. It provides a timely and necessary reminder of the points set out above. The first paragraph reads as follows:
Data protection rules (such as the GDPR) do not hinder measures taken in the fight against the
coronavirus pandemic. The fight against communicable diseases is a valuable goal shared by all nations
and therefore, should be supported in the best possible way. It is in the interest of humanity to curb
the spread of diseases and to use modern techniques in the fight against scourges affecting great parts
of the world. Even so, the EDPB would like to underline that, even in these exceptional times, the data
controller and processor must ensure the protection of the personal data of the data subjects.
Therefore, a number of considerations should be taken into account to guarantee the lawful
processing of personal data and in all cases it should be recalled that any measure taken in this context
must respect the general principles of law and must not be irreversible. Emergency is a legal condition
which may legitimise restrictions of freedoms provided these restrictions are proportionate and
limited to the emergency period.
The full text of the Statement can be found here [pdf].
Both the Wired articles allude to the cultural differences between East Asian countries and the more liberal western democracies. In recent years, I have lived in East Asia as well as the UK.
The potentially sensitive topic of cultural differences will be considered in more detail in part 2 of this post: “Life in the Time of CoronaVirus #2: the Rule of Law and Cultural Differences“.
I will finalise this next post as soon as I am able.
Valerie Eliot Smith is a non-practising barrister and Visiting Scholar at the Centre for Commercial Law Studies, Queen Mary University of London. She has lived with the illness myalgic encephalomyelitis (ME) since 1981. When health permits, she writes a blog on legal and health-related issues at valerieeliotsmith.com
This post originally appeared on the Law and Health blog and is reproduced with permission and thanks.