Privacy. Data. Ethics.

And why it’s not one or the other

In the last 10 years, and particularly since working for multinationals, I’ve broken what I suspect some would view as a taboo. A cardinal sin for a ‘data protection professional’. I’ve started talking about Privacy. Now, please don’t do a John Edwards and ‘yawn’ – there are important distinctions, and UK and EU law is styled as data protection legislation.

What I’ve regularly found, though, is that it is almost impossible to deal with one without segueing into the other, and in particular my job title had varied from organisation to organisation, from Head of Privacy, Global Privacy Officer, Data Protection Officer, Information Governance Manager, and, still a favourite purely because of its hopefully attempt to still fit on a business card at font size 10, Data Protection and Records Management Officer (which basically dragged me into archiving, too).

Those titles are a good place to start, in fact. They show the breadth of things that can be included in a role that is aimed at safeguarding personal data. I’ve perpetually fought a rear-guard action against owning data retention policies, yet it’s often seen as part of the role despite them being far more wide-ranging that just records containing personal data. Likewise, in many businesses there is also a conflation between data protection and information security.

It was this conflation that got me into talking about privacy as topic which is almost interchangeable with data protection, in particular for cousins from the other side of the Atlantic. For two reasons. Firstly, to highlight that there is a difference between information security and safeguarding of personal data because of the privacy rights inherent in European data protection laws and the idea that use of private data should be restricted by a company whose obligations extend beyond just making sure it’s not stolen.

And secondly because the concept of privacy is a ‘thing’ in the USA with a solid basis in caselaw (Warren and Brandeis’ “right to be let alone”) and even the US constitution (Fourth Amendment right against unreasonable search and seizure), whereas ‘data protection’ was frankly confusing. In effect, it was an easy shorthand to get their heads around the what and why of GDPR, and to explain that it wasn’t just about deploying encryption tools…

Again, some will argue that there is a distinct difference and that laws clearly relate to ‘data protection’ not ‘privacy’ as a concept. However, leaving aside the roots of European regulation on use of personal data being the protection of individual privacy against the state, the right to be le(f)t alone – to have one’s private space respected – is clearly represented in the European Data Protection Boards thinking in areas such as cookies and consent, where there is a regular application of GDPR concepts to ePrivacy, and, of course, the fact of the same supervisory authorities regulating both.

The most common interactions between the public and data protection principles is of course the ‘privacy notice’, which describes how a controller will collect, use and protect the individual’s personal data. While I’m sure some purists would prefer ‘data protection notice’, or even ‘fair processing notice’ – and no-one should be calling them privacy policies (a semantic bug-bear of mine, and I know I’m not alone) – the reality is that people, to the probably very limited extent that they read them at all, may just about understand what a ‘privacy notice’ is. I rather doubt the same could be said of the other options.

And that’s really what it comes down to. We have an obligation as privacy and data protection professionals to be understood. To find a hook in, whether to the companies and orgs we advise, or the wider public, so that they get what we’re talking about and why it’s important. My kids are smart, but they don’t get what I’m talking about when I say I’m a DPO – but they do when I talk about protecting their privacy rights to stop companies abusing their personal data, because they understand that ‘privacy’ or ‘private’ is something that is hugely important.

So, while I’m not generally a fan of our current UK Information Commissioner and wish the ICO was a lot more consistent and sensible in its approach, any more than I am fan of some of the mission creep going on at the EDPB, from a communication perspective I don’t have a problem with him talking about ‘privacy’. And while there is a semantic difference, I’ll continue to talk about Privacy AND Data Protection.

How responses indicate views of individual privacy

As the World Health Organisation finally confirms that the Covid-19 virus outbreak has crossed the threshold into global pandemic status, we can expect to see governments around the world reacting to take steps to protect their populations. Already, on March 11, the US suspended travel from much of Europe; more directly affected states have put in place internal movement restrictions, predicated on the age-old approach to disease control – stop people moving, stop the spread; quarantine and, more or less, let nature take its course.

What is fast getting interesting from a privacy ethics perspective is how states have and will use technology and the data they hold or can develop to manage the behaviour of their citizens – and also how technology can assist in overcoming some of the problems caused by movement restrictions.

Ground Zero

Perhaps unsurprisingly, given that it was home patient zero and still has, by an order of magnitude, far more cases and deaths than any other country, China has enacted very strict rules on disease control – backed by a significant increase in deployment of surveillance technology.

Scanning into office and apartment buildings to allow detailed movement tracking; CCTV monitoring to detect (non)use of face-masks or elevated temperatures; increased monitoring of social media posts to detect ‘misinformation’; encouraging of informing on neighbours who may be ill, but not declaring it.

It’s easy to say that these are predictable uses of technology in a state which paces a very different emphasis on personal privacy than in Liberal Democracies – something which should (and probably will) be the longer of a much longer piece of work at some stage. And it will certainly be interesting to see whether, now deployed, China rolls these enhance controls back, post-pandemic.

It will be even more interesting, given the furore over Heathrow airport’s ‘failure’ to deploy temperature scanning on an incoming flight from Milan, how far more democratic governments feel they want to go in deploying similar methods to police their populations as the pandemic worsens.

Two borders away, we have seen a different, but perhaps in a sense no less invasive, use of technology. As well as mass-testing, smartphone notifications have been widely distributed to show the movements of known infected people – which has led to some significant issues, one individual identified as having potentially been visiting a red-light area, whereas they were actually in a nearby restaurant.

While the alerts have purportedly been anonymised, it’s not atypical – or unexpected really – that a proportion of individuals have been able to be identified, especially where there is a more prurient interest.

In each of these countries, governments have deployed existing technologies to exert social control in an effort reduce the levels of transmission – apparently with some effect in both cases, but certainly with impacts on rights and freedoms of their citizens. In both cases, the flavour of response echoes existing views of privacy, technology and interaction of both with the state and social control.

Similar patterns are evident in Hong Kong (surveillance, publishing of details of cases online and Singapore (surveillance to track individuals, accompanied by hefty fines). In these cases too, populations have historically tended to be more accepting of state control for the ‘greater good’, than for example the more libertarian populations of Europe and North America.

A growing risk

It’s fair to say though, that the Western Liberal Democracies have only just begun to be tested in their response – infection and mortality rates (numbers, if not necessarily percentages of those infected) have only really just begun to nudge most governments to start reacting in a more active way.

Staying in the APAC region, Taiwan instigated movement controls very early, and also put in place fines for spreading misinformation, while utilising combined health, immigration and customs data sets – having learnt from the SARs outbreak – and massively increased production of effective facemasks. This combination of data and physical controls has, at this point, kept a tight rein on the outbreak in comparison to mainland China – without resorting to hugely privacy invasive measures.

However, while the lessons from Taiwan can and should be learnt, it’s also worth noting that they have certain advantages – having learnt from SARs, they are also an island and have been able to exert effective border controls. Europe in particular is already well-past that point – leading us back to the question of how far Western governments will feel they should and can go.

Trading off individual rights and freedoms in the face of national crises isn’t a new concept – in fact, it’s part of the social contract between government and people that, at times of war for example, the government will defend its citizens, and that there may be an impact on individual rights ‘for the duration’.

But it’s also fair to say that the state of the art in terms of social engineering and population control via use of data has somewhat moved on in the last decade or so – the ability to surveil citizens has never been greater, and, since 9/11, the deployment of surveillance against civil populations has also grown hugely as evidenced by programmes such as PRISM, or deployment of technology such as full body-scanners at airports.

In pre-GDPR days, information security teams used to talk about ‘reducing the expectation of privacy’ in employees using the network. So we are, perhaps, no less inured to the idea of sacrificing privacy rights for security than in other jurisdictions – if less openly and obviously than elsewhere.

Big data and machine learning

Of course, despite the risks, there are cast-iron cases for using personal data for combating Covid-19. As seen in Taiwan and China, capturing detailed case histories and modelling the spread of the virus can assist in developing preventative measures, and also in deploying scarce health resources to where they will be most effective.

There are a number of ethical choices wrapped up even in that. Firstly, do we deploy resource to help the most sick, when the mortality rate is significantly higher and resource may be less effective, or to prevent spread of the disease? Not an privacy ethics choice, admittedly, except where it is founded on data – data which, perhaps, is not complete, given the likely level of under-detection at this stage.

Would that lead perhaps to mis-deployment? The UK government has already been criticised for under-reacting and not understanding ‘classic public health’- after taking a position based on modelling. (We do not, of course, understand the full logic of the decision).

Unintended benefits/consequences

As well as the macro-level, micro-decision-making, business by business will also have data protection ramifications. We are already seeing a growth in capture of health-related information by employers, and requests for confirmation of non- work-related travel details.

Likewise, with operators like Microsoft and Google offering to provide the collaboration software for free to low-level licence users, we are likely to see a vast increase in deployments of cloud tools to enable home-working – all of which entail privacy and information security challenges; but which could, if rolled out successfully, affect a long-term shift which would, for example, reduce travel overall and therefore also help to tackle the climate crisis.

At local democracy level, decision-making is not vested in executive powers – only by committee; so will the lower tiers grind to a halt due to the antiquated strictures around meetings, or will there be challenges that create a new – and perhaps more modern, family-friendly, alternative.

We still have a way to go on this journey – we are, in the UK at least, only just entering ‘phase two’ – the so-called Delay phase. The manner of country’s, and business’ responses will be led by their own cultures and capabilities. We must be cautious though, that the crisis is not used to permanently erode civil liberties and individual privacy – while also looking for the silver linings where we can.

Sources: