The following blog contains some reflections on the current state of data privacy. As governments, societies and economies are struggling to (re)open after the COVID-19 lockdowns, “data privacy” has emerged as the talk-of-the-town. Debates about contact tracing apps and geolocation versus the need to preserve public health (and a functioning economy) have been fuelled around the world. Can we balance data privacy and public health? What are the trade-offs? Although the dilemma “privacy or health” is a pseudo-dilemma, the act of balancing privacy with health (and economy) is a complex one.
What Is Privacy?
One would ask at this point, what is privacy? Can we provide an absolute definition? Well, we can if we go back to 1890. Warren and Brandeis defined privacy in their famous Harvard Law Review article as “the right to be let alone.” The two authors went on to provide certain limitations to their definition. These limitations included that, “The right to privacy does not prohibit any publication of matter which is of public or general interest.”
Limitations to data protection for reasons of public interest are also envisaged in GDPR and CCPA. However, that does not mean that data protection rules are not applicable and binding. Even in an emergency, such as the COVID-19 pandemic, data controllers must ensure the protection of personal data. In fact, the EU has urged that while “data protection can in no way be an obstacle to save human lives, it is equally crucial to reaffirm that the exercise of the rights to privacy and to data protection are still applicable.”
Policy Maker Accountability
At the same time, the OECD asks policymakers to, “ensure that any extraordinary measures are proportionate to the risks and are implemented with full transparency, accountability and a commitment to immediately cease or reverse exceptional uses of data when the crisis is over.”
Proportionality, accountability, and transparency are key elements of data protection principles. They allow for the balancing of interests at stake.
Konstantinos Kakavoulis, privacy lawyer and Homo Digitalis Board Member, wonders, “A question is frequently asked lately: Is there a need to enact new legislation to face the pandemic in privacy-friendly terms?” He goes on to explain:
The answer is conclusively negative. The current legal framework provides for all the necessary solutions. We can confront the pandemic while not making important concessions to our rights. Privacy, like every other human right, is not an absolute right. It can be limited if the situation so demands because another right or public interest prevails. What is important is to view the legislative framework considering the current situation. At the same time to also enhance public awareness of privacy. Our legal civilization is rich. What we need is more and more everyday advocates for it.
Our Lives Are Dominated By Connected Devices
This renewed interest in privacy is not just another trend. It is not destined to disappear in the fog of our hectic daily lives. On the contrary: surveys indicate that over the last few years, consumers and citizens have become more privacy-concerned and aware.
We live in a hyper-connected world. Smartphones are only the tip of the iceberg. Equipped with numerous sensors, biometric and locational, these smart devices can record, process and transmit valuable data about every aspect of our life. Smartphones have become an integral part of our identity. Even modern authentication-enhancing technologies – multifactor authentication and Strong Customer Authentication (SCA) in banking – require the presence of a smartphone to complete the authentication of ourselves.
But it is not only smartphones. Smartwatches and smart bands record and monitor our health habits. They know when we sleep, how we sleep, and when we train. Some even alert us to stand up or to start walking. These devices have become both our private doctor and personal trainer. It’s no wonder that privacy organizations are against the merger of Fitbit with Google. Many believe that this is too much personal data being handled by just a single vendor. (Note: if you are also as concerned about this merger as I am, you can take action here.)
Even when we think we are offline, our home is full of internet-connected devices that keep data about our daily habits. We possess air-conditioning sensors, Wi-Fi-enabled alarms, smart assistants (call me Alexa or Siri), smart refrigerators, not to mention smart cars. Our life is surrounded by sensors. We live in the Internet of Things. Which, by the way, is notoriously insecure.
Have We Lost Trust In Data Protection?
A recent survey by the Internet Society reflects this sentiment – these devices are not to be trusted.
- 63% of people surveyed find connected devices ‘creepy’ in the way they collect data about people and their behaviours.
- 53% of people surveyed distrust their connected devices to protect their privacy and to respectfully handle their personal information.
The sentiment of mistrust is not only due to the lack of privacy and security by design of these devices. It is also due to how companies and governments make use of this data. Everyone agrees that data is the new oil that propels industries and economies. This trend is understood by customers. Almost six-in-ten Americans believe that companies and governments cannot operate if they do not collect data about them!
E-government and digitalised companies bring many benefits, such as less bureaucracy and innovation that solves many of humanity's outstanding issues. However, incidents like the Cambridge Analytica scandal and high-profile data breaches are making the news headlines more and more often. These breaches understandably increase the level of mistrust towards data use strategy. The findings of a recent Pew Research Center survey show just this:
Figure 1: Trust over data-use by companies and governments. Source: Pew Research Center
The Gap In Our Knowledge
Surveys also reveal another worrying statistic. People are unaware of how to adapt and adjust device settings to minimize the risks to their personal data. According to the Internet Society research, 80% of people surveyed are aware of how to set and reset passwords. However, only 50% are aware of how to disable the collection of data about users and their behaviours.
This low know-how is mostly part of the overall skills gap in the cybersecurity sector. It is an issue that must be tackled by all governments. The problem of “digital divide” threatens not only individuals but businesses and countries alike. People, education, and learning lie at the heart of these issues. Solutions must be found if we want to have a democratic use of technology.
There Is Hope
However, not everything is pessimistic. There is a ray of hope, and it rests with the younger generation. They are generally more technology savvy and are an attractive target group for businesses and governments. A survey of 2,601 adults worldwide was conducted by Cisco in 2019. They examined the actions, not just the attitudes, of consumers concerning data privacy. The survey reveals an important new group of people. 32% of respondents said that they care about privacy, are willing to act and have done so by switching companies or providers over data or data-sharing policies.
Called “privacy actives” by the researchers, they see respect for privacy as core to the brands of the companies with whom they do business. 90% of them believe that the way in which their data is treated reflects how they are treated as customers. Not surprisingly, they also say they will not buy from companies if they do not trust how their data is used.
The Role Of Crowdsourcing
It is more than satisfying that, in the last few years, several research approaches have tried to solve privacy issues through the participation of the people. This is the crowdsourcing paradigm. Here, the wisdom of the crowd is used to generate valuable knowledge for all consumers. For example, one application field of crowdsourcing could be to identify the different individual privacy perceptions in the frame of newly introduced legislation like GDPR and COPPA.
Crowdsourcing in this way has much potential, and moves “in the direction of building trust in data protection through raising privacy awareness,” adds Chrysakis.
Privacy Enhancing Technology (PET)
The use of emerging technology presents many new challenges for data privacy. However, technology evolution can also be the answer to these challenges and concerns. Privacy Enhancing Technologies (PETs), such as Homomorphic Encryption, “enable the analysis and the sharing of insights without requiring the sharing of the underlying data itself”. They can help resolve the tension between individual privacy and public health challenges introduced by the COVID-19 pandemic. They do this by enabling data sharing and collaboration while the data itself remains protected.
In the global rush to develop cures and vaccines against COVID-19, PETs could also prove useful in facilitating cross-border healthcare research on sensitive data. Healthcare providers from multiple countries can contribute encrypted data sets to researchers. This would allow them to reliably calculate correlations between certain chronic conditions or genetic variants and COVID-19 mortality rates without exposing individual patient data.
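The pooled analysis described above, as an added example that is not part of the original post: it uses the Paillier cryptosystem (one additively homomorphic scheme, chosen for this illustration) so that an aggregator can sum providers' encrypted counts and the researcher decrypts only the totals. The provider names, the counts and the toy-sized key are constructed assumptions.

```python
import math
import secrets

# Toy key built from two well-known Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p, q):
    """Return (public n, private (lam, mu)) for Paillier with g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    return n, (lam, pow(lam, -1, n))

def encrypt(n, m):
    """Probabilistic encryption: c = (1+n)^m * r^n mod n^2."""
    n2 = n * n
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return pow(n + 1, m, n2) * pow(r, n, n2) % n2

def add_encrypted(n, c1, c2):
    """Multiplying ciphertexts adds the plaintexts underneath."""
    return c1 * c2 % (n * n)

def decrypt(n, priv, c):
    lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

# Constructed sample data: (patients with the condition, deaths among them).
PROVIDER_COUNTS = {"provider_a": (120, 9), "provider_b": (340, 31),
                   "provider_c": (75, 4)}

def pooled_totals(counts=PROVIDER_COUNTS):
    n, priv = keygen(P, Q)  # researcher's key pair; only n is published
    # Each provider encrypts its counts locally and sends only ciphertexts.
    submissions = [(encrypt(n, pts), encrypt(n, dth))
                   for pts, dth in counts.values()]
    # The aggregator combines ciphertexts without holding the private key.
    enc_pts, enc_dth = encrypt(n, 0), encrypt(n, 0)
    for c_pts, c_dth in submissions:
        enc_pts = add_encrypted(n, enc_pts, c_pts)
        enc_dth = add_encrypted(n, enc_dth, c_dth)
    # The researcher decrypts only the pooled totals.
    return decrypt(n, priv, enc_pts), decrypt(n, priv, enc_dth)

if __name__ == "__main__":
    patients, deaths = pooled_totals()
    print(f"pooled mortality: {deaths}/{patients} = {deaths / patients:.3f}")
```

The privacy property depends on the aggregator and the key holder being separate parties, which is an assumption of this example: whoever holds the private key can decrypt any individual submission it receives.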
Someone at Bell Labs had said that “privacy will be to the Information Age as product safety was to the Industrial Age.” While we are faced with numerous challenges, which are only amplified by emergencies such as COVID-19, we need to focus on solutions. It is the right time to accelerate the introduction to the markets of new technologies, like PETs. These innovative technologies can help with the complex balancing act: reconciling public health and economic recovery with individual privacy.
Data privacy regulators also have to do their homework to ensure that legislation helps the adoption of such technology. Emergencies must be viewed as opportunities for solving outstanding problems. That was also the concept behind the recent 5th Data Privacy and Protection conference I attended a few days ago. You will read more about it in my next post. Till then, farewell.