“We cannot put every measure in the same bag. Some countries are actively engaging with their data protection authorities, trying to provide safeguards by relying on anonymized data as much as possible … applying sunset clauses, and more,” she said.
What governments’ responses to the coronavirus pandemic have done, Massé said, is shine a light on the tension between privacy and surveillance that already exists in Europe. “While the EU is a leader in data protection, many of its member states continue to have sweeping surveillance laws. This crisis is bringing to light some of this surveillance capability to the public and showing the concrete implications that daily monitoring of movements have on your life and rights.”
Google and Apple face questions from Congress
In the U.S., many of the initial privacy questions have focused on a new screening website launched by the Google affiliate company Verily, which is aimed at directing potential patients in the Bay Area to testing locations and informing them about the virus. (The site requires patients to have a Google account, privacy advocates have noted.) Senators including former presidential candidates Cory Booker (D-N.J.) and Kamala Harris (D-Calif.) have pressed the company to disclose whether the information it gathers would be shared with Google or other third parties, or used for commercial purposes beyond the scope of pandemic relief.
A spokesperson for Verily has said it “will only retain the data as long as necessary to fulfill the purposes of the Baseline COVID-19 testing program, or unless the individual separately authorizes further retention and use of information.”
Google announced a separate initiative Friday that uses data from smartphones to trace whether people in 131 counties are obeying pleas to stay home or are venturing out to places like stores or parks. But it’s making that data publicly available only in broad summaries that don’t reveal any individual person’s movements, identity, location or contacts.
The full extent of government or corporate data-tracking in the pandemic fight in the U.S. is far from clear. White House officials have denied any interest in collecting detailed information on people’s travels, despite some news reports to the contrary. The Wall Street Journal also reported that some state governments are seeking assistance from Clearview AI, a facial-recognition company that has drawn widespread criticism for allowing police agencies to tap its vast database of people’s photos scraped from the internet.
One major U.S. wireless carrier, AT&T, has told POLITICO it has received no requests from government agencies to hand over that kind of data, and Facebook CEO Mark Zuckerberg said last month that his company would “probably” turn down any request to provide its users’ information. However, he noted that Facebook partners with public health organizations to monitor global diseases based on data from users who have opted to share their location histories.
Plenty of other potential sources of detailed data exist on the travels and contacts of vast numbers of people, though, much of it derived from mobile apps or other devices and used by companies such as marketers.
Europe, meanwhile, has followed a more explicit path in its virus response: One by one, governments across the bloc have taken the unprecedented step of asking telecommunications companies to hand over mobile phone data so they can track population movements.
Brussels has also joined the fray, with Thierry Breton, the EU’s internal markets commissioner, spearheading efforts to centralize this approach at the European level. During a conference call with executives from telecoms giants, the Frenchman asked them to hand over so-called metadata, or peripheral information stripped of individual identifiers, on millions of people’s mobile phones.
So far, regulators have given these schemes their blessing — pointing out that they use data that is anonymized and aggregated and are therefore not subject to Europe’s tough privacy regime, the General Data Protection Regulation. (One exception was the Dutch privacy watchdog, which said it’s not possible to anonymize mobile location data.) But these blessings may wear thin as the region’s governments eye more intrusive techniques to contain the pandemic.
Next step: Intrusive phone apps?
Ulrich Kelber, Germany’s federal data protection commissioner, threw his weight behind a plan for the country’s disease prevention agency to use Deutsche Telekom metadata. But last weekend, he said talk of tracking individual smartphones to monitor quarantine would be a “totally inappropriate and encroaching measure.”
Epidemiologists have argued that using telecom location data is only a first step: To be fully effective, some say, the EU will have to follow the example of South Korea and China and make infected people download an app that would reveal exactly where they go and whom they meet.
Norway is one country considering this path. Researchers there say now that people are staying at home, aggregated mobile data just isn’t precise enough to see if people are staying separated. In response, the government is working on its own smartphone app to give greater insight into individuals’ activities.
Norway is not alone. Spain, Romania and Slovakia have already created their own version of these apps, while others, like the U.K. and Germany plan to follow suit.
While those behind these apps are keen to emphasize they bake in more data security and protection than their non-EU counterparts, civil rights hawks in the region are mindful of creeping surveillance measures that will be hard to roll back once the crisis is over.
“It would be much more efficient [to stop the spread of the coronavirus] if everyone had the same app,” said Sune Lehmann Jørgensen, a professor at the Technical University of Denmark who is advising the government on how best to track the coronavirus. “But we shouldn’t just institute global surveillance. [The] 9/11 [attacks] showed us that in times of crisis, we can erode people’s rights.”