Are contact tracing mandates compatible with data protection laws?

Hoping to mine all that valuable contact-tracing data your business collects? Think again—the privacy watchdogs stand firm on data protection.

May 2020 was the month that marked two years since the European Union’s General Data Protection Regulation (GDPR) came into effect with much fanfare.

Arguably the most far-reaching privacy regulation to date, the GDPR provides individuals with a never-seen-before degree of control over the information they share with businesses.

By forcing businesses to recognize that they do not have ownership over customer information and that they are duty bound to protect any data collected, the GDPR became a catalyst for change. In fact, it can be argued that the regulation was instrumental in creating deeper global conversations around consumer privacy and transforming the way business is done.

The GDPR prompted businesses worldwide to not only re-examine their privacy policies and compliance processes, but also to acknowledge the value of privacy in building consumer trust in business.

To ensure consumer privacy, the GDPR and other privacy legislation modeled after it, impose strict limits on the purposes for which data can be collected, stored, and processed. Under the provisions of the GDPR, consumers have the express right to demand a copy of their records from any organization and request for that data to be deleted.

However, the GDPR was created before COVID-19 rocked our shores. The pandemic called for collection of personal information, to help protect citizens and facilitate public health work such as contact tracing. How do GDPR and similar privacy legislations remain relevant in a pandemic or any future public crisis?

More data being collected for longer periods

Under the principle of data minimization in the GDPR, businesses need to ensure that they collect only the bare minimum of data required to manage their ongoing transactions and services with customers. Today, due to COVID-19 contact tracing measures, all organizations—from grocery stores and condominium complexes to government authorities—are handling sensitive personal data such names, identity card numbers and phone details that were not necessary in the pre-pandemic era.

With the threat to public health and safety being at the forefront, due consideration might not be given to the security and privacy risks. However, the risks are greater than ever due to the nature of the information collected, as well as the length of time that the information may be retained.

This begs the question: what will happen to the data that has already been collected after it has served its purpose? In the post-COVID-19 landscape, how will we ensure that this data does not fall into the wrong hands? On the other hand, should privacy requirements be relaxed due to the unprecedented nature of this global pandemic?

Enforcement likely to continue

At present, exceptional circumstances such as the COVID-19 outbreak, do not serve as an excuse for non-compliance with privacy regulation. While some countries such as Thailand have given organizations affected by COVID-19 a little leeway by offering a one-year extension to ensure compliance, businesses in most other countries are expected to comply as usual.

In its March 2020 statement on COVID-19, the European Data Protection Board (EDPB) emphasized that the public health concerns caused by the COVID-19 outbreak and the corresponding measures are not incompatible with the personal data protection.

In SE Asia, Singapore’s authorities expect organizations collecting personal information for contact tracing purposes to enforce reasonable security arrangements to protect the personal data in their possession from unauthorized access or disclosure, and ensure that the data is not used for other purposes without consent or authorization under the law. Organizations must also ensure the security of hardware and devices used to collect such data.

Staying prepared and in tune

In addition to enforcement largely remaining in place, legislation in the privacy arena continues to evolve, impacted by latest global technology trends and challenges such as COVID-19. It is, hence, imperative that businesses do not take their eye off the privacy ball and continue to take proactive measures to ensure ongoing compliance.

They should continue to work towards establishing one holistic view of their customers using customer identity and access management. Transparent, accountable, and privacy-first solutions must be embedding into the organization’s workflow by design to enable the business to balance the benefits and risks associated with personal data collection. This will enable businesses to meet requirements such as guaranteeing that the data is retained for only as long as necessary for the original purpose (e.g., contact tracing).

It is also time for businesses to go deeper and think strategically about customer privacy. The early stages of the privacy conversation, marked by the first two years of GDPR implementation and emphasis on big tech—have acted as an impetus for governments around the world to strengthen their own privacy laws. By this token, businesses around the world can expect to face privacy compliance challenges sooner than they expect.

The interplay between privacy legislation and the fallout from COVID-19 remains to be seen. However, it is certain that stricter privacy laws are here to stay regardless of how the COVID-19 pandemic plays out in the next 12 to 24 months.

While regulators assess and determine the best way forward, the time is ripe for businesses to assess their own exposure, take steps to maintain compliance and engage with regulators to shape the future of privacy.