Kia ora koutou,
It's been some time since my musings in "Notes from the Asia-Pacific" have focused on the privacy implications of COVID-19. However, the landscape is changing, and the APAC region is now moving closer to a post-pandemic phase. We're seeing real progress in national vaccination programs and, with this comes the opportunity to resume international travel. Here in NZ, a travel bubble with Australia is set to commence 19 April, and the government is investigating other travel bubbles with some pacific nations, including the Cook Islands. This has also revived conversations about digital vaccine (or immunity) passports and the impact these promising developments might have on individual privacy.
Setting aside potential compatibility, technical and human rights (could vaccine passports result in discrimination against those who cannot get a vaccine, such as children or pregnant women?) issues, the NZ Office of the Privacy Commissioner has raised a few privacy concerns. Transparency is one, with the OPC noting many vaccine passport apps have been developed with boilerplate privacy notices that are insufficient in view of the sensitive information processed by them. Then there's scope creep. This is a concept well known to most privacy professionals, and it strikes at the heart of both trust and the legitimacy of data processing.
Global experts agree, according to a recent article by IAPP Staff Writer Jennifer Bryant. Italy's data protection authority believes that vaccination data is "particularly delicate" and could if treated incorrectly, have "serious consequences for the life and fundamental rights of people." Eduardo Ustaran of Hogan Lovells believes vaccine passports raise familiar questions around necessity, fairness and reliability. The authenticity of the passports or validation of the status of the holder will be critical to their success. This raises questions about what other health information these passports may need to access to protect the system's integrity.
All these issues could significantly impact the effectiveness of vaccine passports as a whole. If people do not feel confident about the ways their personal information will be used or shared or that the data processed is accurate and authentic, they'll be unlikely to participate. The economic gains anticipated from increased international travel will be prejudiced.
Experts also agree the solution is pretty simple — to privacy professionals, at least. The OPC suggests falling back on the privacy-by-design principles, designing the passports from the outset with privacy and the individual in mind. Others suggest ensuring that data protection principles are followed — including minimizing the data collected, ensuring the data is used only for the intended purpose and ensuring accountability mechanisms are in place. Everyone agrees as the OPC puts it, that "privacy [must not be] sacrificed at the altar of expediency."
Travel bubbles and vaccine passports do also bring optimism to the privacy community, with many major privacy events on the horizon:
- Privacy Week will be held in Australia 3 through 9 May and in NZ 10 through 14 May. As Stephen Bolinger commented in his introduction last week, this is our opportunity to reconnect with our privacy peers at events hosted by the IAPP, our respective privacy authorities and others during these weeks. Stephen already noted the NZ Privacy Commissioner's Privacy Forum 14 May in Wellington. We will also have local KnowledgeNet events in both regions, including a Wellington and Auckland KnowledgeNet 13 May featuring an update on Privacy Act 2020 from Commissioner John Edwards.
- Calls for proposals are still open for the IAPP Asia Privacy Forum (closing 18 April) and the IAPP ANZ Summit (closing 13 June). With the confirmation of the trans-Tasman travel bubble, hopes for an in-person event in Sydney are higher than ever.
- Finally, I'd like to reiterate Jason Lau's previous mention of the upcoming Data Privacy Forum. This will be a live broadcast event, organized in association with the IAPP as Knowledge Partner, featuring great speakers and thought leaders from the APAC region, including Hong Kong's Office of the Privacy Commissioner for Personal Data.
Enjoy the digest, and stay safe and well.
Ngā mihi nui,
If you want to comment on this post, you need to login.