Times of emergency have a clarifying effect, and the current COVID-19 pandemic is no exception. Emergencies often reveal what’s important versus what we once might have thought was important. Until this point, the steady drumbeat of privacy was for more restrictions and individual rights. This seemed natural. Many countries view privacy as a fundamental right afforded to their citizens. Yet what this crisis has revealed is that as a society, en masse, we are often willing to trade some of our privacy rights in exchange for what we perceive as a communal benefit.
In future privacy legislation, perhaps drafters should consider whether there are beneficial communal uses of information that might otherwise be considered “private.” Such uses may need to be permitted or carved out from existing or future data privacy laws and regulations so that we do not have to make exceptions to the rules the next time an emergency strikes, as has happened in response to COVID-19.
Existing privacy regimes
There’s no shortage of data privacy regulators in this world. These regulators are generally charged with ensuring that companies (primarily) handle personal data in a responsible fashion. To do so, regulators have tended to adopt sometimes-rigid rules and requirements. We now see that such a stringent approach might not operate well at a time when more information sharing is beneficial. While regulators around the world have had to adjust to the pandemic, this article focuses on regulators in the U.S. and the EU (still including the U.K. for now).
The European Convention on Human Rights contains a right to the respect for private and family life, home and correspondence (Article 8). That human right has been interpreted to encompass privacy and the right to the protection of one’s personal data. From these foundations, a series of laws and regulations, including the EU General Data Protection Regulation, has sprung. As a result, there is a long history of treating privacy and data protection as fundamental rights that must be safeguarded at a supranational level in Europe.
The U.S. is further behind the privacy curve than Europe. The U.S. still maintains a patchwork of data privacy laws, overseen by an alphabet soup of federal and state regulators. While the nascent concept of privacy is engrained in the Fourth Amendment of the U.S. Constitution, the U.S. Supreme Court has held that the constitutional right to privacy is not without limit. In the absence of an absolute constitutional right to privacy, federal and state legislation has filled the gap. And unfortunately for most companies, that legislation tends to be neither clear nor discrete, resulting in numerous regulators exerting authority over the same category of information. The result can be a dizzying mix of restrictions and regulators, creating uncertainty, especially in a time of crisis.
Can these regimes help us recover?
Contact-tracing applications seem to offer the most immediate hope for the sustained relaxation of lockdowns prior to the widespread availability of a vaccine, but if contact-tracing apps rely on the processing of location data, they may not be permitted under European law. Location data can only be processed with user consent, the obtaining of which may be difficult. If a government wants to use an app that is based on location data, it may need to pass emergency legislation requiring such processing.
There are fewer legal obstacles that would act as impediments to a government-sponsored rollout of a contact-tracing app in the U.S. At the federal level, legislation has been proposed that would regulate the information collected via contact tracing and screening. At the state level, the primary legal obstacle in contact tracing appears to be a disclosure issue, and in limited instances, the ability to opt out of data sharing. However, compelling companies offering contact-tracing apps to allow users to opt out of sharing their data would effectively undermine the entire purpose of contact-tracing apps.
While the EU and the U.S. struggle with how to balance individual rights with the collection of more data about them, Australia’s experience has shown that a good number of individuals want to share their data in circumstances where it is for the common good. Within hours of launching a contact-tracing app using proximity information in the country, 2.44 million people had downloaded it despite concerns about the privacy of the personal data provided.
What does it all mean?
What does it say about the privacy regimes in the U.S. and EU that in a time of real crisis, regulators feel obligated to — or by necessity must — roll back and/or change enforcement and regulations? While there are plenty of advocates warning that privacy should not be overlooked during the pandemic, it seems there is a not-insignificant willingness to cede certain privacy rights for the benefit of the larger community.
One of the things that should be examined coming out of the current health emergency is whether we should reevaluate our views on the scope of individual privacy so that exceptions to existing legal regimes do not need to be made in a time of crisis. It seems that the lesson to be learned from the rollback of regulations and the lack of enforcement by regulators during the COVID-19 emergency is that we have perhaps not always struck the right balance on individual rights when it comes to certain types of data that can be used to support society in changed circumstances.
This lesson is not surprising, as we have seen it play out before. For example, we have accepted that governments take the fingerprints, DNA and other biometrics of criminals and suspected criminals. As domestic and national security becomes of greater concern, cities are more surveilled today than at any other point in the history of mankind. What history teaches us is that often the zealous pursuit of absolute control over one’s personal information is a myth; it’s not what people actually want. Rather, people are willing to share (or have shared) their information for the benefit of their larger communities. How then to translate that into our new normal?
One way to take the lesson that the pandemic is teaching us is to view future privacy legislation in a different light than we have in the past. Rather than looking at it as a zero-sum game as between “overzealous” consumer advocates and “evil” corporations, legislators and advocates should approach privacy regulation as a balancing of factors. More privacy is not always better privacy. Future privacy legislation should consider whether there are communal benefits to be obtained from the use of data that is being regulated. If so, then the obvious question becomes: Does it need to be regulated in the first instance? The answer to that question will inevitably sometimes be “yes,” but perhaps it shouldn’t always be.
While everyone should have the ability to exercise some control over their personal information, what the COVID-19 pandemic has revealed is that individuals are perhaps less zealous about control of their data than those who lobby legislators for strict data privacy regimes. Future privacy legislation should, therefore, reflect a balancing between individual rights and potential communal benefits obtained when sharing of information is not only allowed but facilitated.