Op/Ed: Privacy after the pandemic

April 22, 2020
Crisis situations can set a dangerous precedent when left to government overreach

History does not repeat, but it rhymes. There are many aspects of the COVID-19 pandemic that feel shockingly unprecedented, but in at least one important aspect of the crisis, there are strong echoes of the last great trauma on American soil.

The Patriot Act was passed in the wake of September 11th. It was a time when a “never again” sentiment was dominant in public discourse, and our understanding of what privacy meant in a new digital era was still developing. While it’s arguable that the Patriot Act prevented more terrorist attacks on American citizens, to some it represented a smash-and-grab raid on citizens’ privacy rights. The extent to which the U.S. government strong-armed its way into the lives of regular people post-9-11 would only become clear years later. But in the current moment, in our justified impulse to build stronger civic defenses against devastating disease, I dearly hope the lessons of the Post 9-11 era are remembered. Rights given up are not easily re-captured.

No reasonable person would say that privacy fine print trumps the pressing need to protect thousands, possibly hundreds of thousands of lives worldwide. But as Yuval Noah Harari noted in the Financial Times recently: “When choosing between alternatives, we should ask ourselves not only how to overcome the immediate threat, but also what kind of world we will inhabit once the storm passes.”

The experts have bold ideas. Those working at the intersection of technology and epidemiology have proposed all manner of biometric surveillance and activity-tracking solutions to help limit the rapid spread of disease in the future, and let societies absorb the brunt of an outbreak without coming to a complete standstill. Indeed, China has moved past the “proposal” phase and straight into implementation. Their containment effort involved facial-recognition technology, body temperature monitoring, and activity tracking via smartphone.

The West is not China. But the impulse to rapidly implement these very same approaches is already visible, and it’s not hard to envision something like a Patriot Act Part 2 that normalizes what Harari calls “under-the-skin” surveillance as an essential government activity. I should not need to explain why this is a dangerous idea, but I would emphasize that the most plausible approach for a Western government to implement this would be in partnership with various private companies. What kind of world will we inhabit once the storm passes?

There’s one major differentiator between the present moment and the post 9-11 moment, and I believe it’s the thing that can permit a better compromise between present necessity and future consequences: the small but robust body of digital privacy law that’s in various stages of rollout around the world. First and foremost is GDPR. The principles enshrined in the General Data Protection Regulation and the rights granted to citizens are in many ways future-proof. Keeping those rights top-of-mind can produce COVID-19 solutions that do what is needed without giving the privacy game away. In this pressure-filled moment, respecting the intent of laws like GDPR and California’s CCPA is the best way to prevent a Patriot Act redux.

For example, no matter the type of data being collected, a person should be able to easily access their record and request that it be deleted once it is no longer essential. That is a starting point. If a governmental body undertakes a new biometric collection or processing activity, a well-considered audit of the privacy risk to citizens is vital.

European data bodies are actively searching for COVID-19 solutions that do what is needed while respecting GDPR principles. A single European-wide tracking app with robust data protection built in has been proposed as a way to standardize protections across the territory. In the US, where the trajectory of the virus is a few weeks behind, these discussions have not begun in earnest yet. But they will, and in the absence of a strong federal privacy law like GDPR, U.S. citizens must hope that their leaders look to the lessons of recent history in crafting a response.

I truly hope the United States leverages the power of big data to protect its citizens from the worst of the pandemic. But I also hope the U.S. remembers what happened 20 years ago, the rights its citizens gave up in one fell swoop, and the words of European Data Protection Supervisor Wojciech Wiewiorowski this week: “Big Data means Big Responsibility.”

About the Author:

Privacy expert and engineer Cillian Kieran is the CEO and founder of the privacy company Ethyca. Cillian has extensive technical experience working with legacy enterprise organizations such as Heineken, Sony, Dell and Pepsi building data platforms, visualization tools and leading strategic advisory in change management and data governance policy definitions liaising with CIO, CDO and legal counsel.