Big Company, Big Government, Big Brother? Privacy after Covid-19

April 17, 2020

The COVID-19 pandemic will be a history-altering event. But where will it take us? In “On the Horizon,” a new CSIS series, our scholars offer their insights into the fundamental changes we might anticipate for our future social and economic world.

Privacy after Covid-19

Some say that democracies only make major changes when confronted with a crisis. It is too early to conclude whether Covid-19 was such a crisis, but the immediate response to it required rebalancing, perhaps temporary, of individual and collective rights. Long-standing political assumptions about privacy and surveillance came into question. The immediate tension is between official desires to maintain some kind of surveillance once the crisis is past and the strong reaction of privacy groups to this. Health surveillance, unless it is temporary, forces consideration of the same issues as privacy writ large: whether consent is required for collection of personal data, who owns that data, and what rules govern its use.

The Post-Privacy World

Justice Brandeis defined privacy as the right to be left alone. But, measured by the amount of data routinely collected and stored by commercial entities, we live in a post-privacy environment. Traditional privacy, where an individual’s personal information was unknown and often unknowable, is an artifact of the Industrial Age, before ubiquitous digital connectivity. Privacy, to the extent it exists, is now created by rules and regulations that govern how data is collected and used. Privacy is created by rules that are followed and enforced.

Let’s review what companies currently collect on individuals through their mobile phone. This includes location (down to the square meter), rate of speed, and, in some cases, altitude. Those with health apps also provide heart rate, diet, and hours of sleep. Sophisticated algorithms extrapolate the knowledge available from this data. For example, knowing location, speed, and altitude identifies mode of transport (e.g., foot, motor vehicle, or plane). Some operating systems allow location data to be correlated with web searches, contacts, or reading lists. A few widely used mobile operating systems scan emails for keywords and correlate them with location data and online searches. Using the enhanced privacy settings on some major operating systems does not stop this collection. This data is not generally available to government agencies.

The post-privacy environment is marked by uncertainty, in part because there is disagreement over the form new privacy rules for commercial collection should take. The United States has taken a sectoral and self-regulatory approach to privacy where constraints largely apply only to government use of personal data. The European Union has taken a comprehensive regulatory approach. There are disadvantages with each and growing divergence as the digital environment redefines itself in response to technological change.

What people say about privacy and what they do are very different. Perhaps people may be unaware of how little privacy they have left, but consumer choices suggest their attitudes toward privacy are changing. The acceptance of intrusive commercial surveillance may be because consumers have little choice (to use a service, you must provide your data), but this raises anti-competitiveness concerns and (at least in Brussels) the question of whether online services should be regulated like public utilities.

Covid-19, if nothing else, highlights key issues for future privacy policies. In a digital environment, you surrender the possibility of being left alone the moment you connect to a digital network, and very few are willing to completely disconnect. Digital technologies create surveillance opportunities that make people uncomfortable but, as in the case of health surveillance, offer real benefit. The process of redefinition will be lengthy and complicated by the increased interest outside the United States in regulation and “data sovereignty.” The immediate issue is whether to continue health surveillance and how it would be governed.

Health Surveillance

Governments are taking advantage of the mobile phone as a collector platform for public health purposes. Surveillance of location and contacts can help manage the spread of disease. Israel uses location data already collected by its intelligence agencies for this. Singapore and Korea created “apps” for mobile phones that tracked compliance with quarantine rules. In the United States, the White House is developing a national virus surveillance system, and the recent stimulus package funds the Centers for Disease Control to develop a “public health data surveillance and analytics infrastructure.” The two tech giants who control the majority of the world’s smartphone operating systems agreed to cooperate with the federal government to develop technologies that allow surveillance from mobile devices.

Surveillance is not a perfect solution. Users have to opt into surveillance by installing an app and then agree to notify authorities if they are diagnosed with Covid-19. Health authorities then notify those who have been in contact with the infected person. The data is anonymized, at least in the initial phases, but allows for the discovery of an individual’s identity if necessary. Contact tracing is a conventional and effective tool used in controlling disease outbreaks, but technology-based tracing may not be effective if it is not made mandatory, and there appears to be some public resistance to doing this.

Privacy Rules

When there is a tangible threat, Americans and Europeans give privacy lower priority. But when Covid-19 pressures decline, there will be a renewed debate on whether citizen concerns over surveillance outweigh public health. Privacy groups have already lined up to oppose permanent change or the retention of health surveillance systems. "We cannot allow the COVID-19 pandemic to serve as an excuse to gut individual's right to privacy," said a statement issued April 2 by 100 human rights groups.

In the face of emergency, existing privacy regulations did not obstruct efforts to manage Covid-19. The European Union’s General Data Protection Regulation (GDPR) has not been an obstacle for government health surveillance programs in Europe. In the United States, the Health Insurance Portability and Accountability Act (HIPAA), which governs the collection and use of health-related data, was interpreted by the Department of Health and Human Services as waiving limits on the sharing of “protected health information” (e.g., patient information) to shield health workers, manage outbreaks of infectious disease, and assist patients.

These measures are temporary relaxations on government use of health data and do not touch directly on privacy’s most pressing problem—commercial use of personal data—suggesting their effect on privacy in general may be limited. Survey data suggests individuals will accept intrusive surveillance during a pandemic but are reluctant to see it become permanent. The issue is whether, once Covid-19 is under control, to continue health surveillance to warn of and control any future pandemic.

A key issue for policymakers will be whether to keep health surveillance in place after the virus is perceived as less of a threat. Any continual health surveillance will require new rules and an oversight structure. Developing rules and oversight for health surveillance raises a different question: whether these should be applied more broadly. Public objections to continued health surveillance post-Covid-19 suggest that the distrust that greets government surveillance may spread to commercial surveillance.

Legislating Privacy

The general sentiment seems to be that the measures of enhanced digital surveillance created in response to the virus are expedient and temporary, justified by health and not security. While these measures have been presented as provisional, and to be discontinued once the crisis is over, this global pandemic opens the possibility of permanent measures for monitoring disease and health using the data generated by digital devices. If this is the case, both U.S. and European privacy rules will need to be amended to permit it.

Before Covid-19, privacy leadership had devolved from Washington to state legislatures and to the European Union, which has set itself the goal of becoming the global privacy regulator. But neither states nor the European Union are adequate substitutes for federal policy. Industrial Age privacy has been eroded to the point of vanishing by the data created by and harvested from digital networks, but Europe is not a good guide on how to construct a new American privacy policy. The European Union’s privacy rules helped stifle the European information technology industry and explain why there are no European internet giants. An overly expansive definition of privacy hurts innovation; but a minimalist definition (like that in the United States) and the relentless commercialization of personal information leaves citizens vulnerable to manipulation, as with Cambridge Analytica.

While it is unlikely that Congress will pass a national privacy bill in the next year, the need to amend existing laws to accommodate health surveillance, the antitrust implications of a few giant companies dominating the information space, and the growing discontent over privacy will eventually force it to enact legislation. Covid-19 will expand public awareness of how technology has commercialized personal data, but it will take time for this awareness to play out in public attitudes and policy. If anything, there is something of a rush to put in place privacy rules before public concern grows stronger. Informed by the experience of Covid-19, Congress may wish to consider the following points:

"Personally Identifiable Information" (PII) is a commodity. The business model of the internet is based on trading this commodity for services. No alternative to this business model has yet emerged, but trade in PII is unstructured and lacks markets or pricing mechanisms. This creates inefficiencies in the exchange and use of personal data and makes individual control over data more difficult.

Absent judicial and regulatory pressure, privacy will continue to shrink as new technologies create new sources of data and make greater use of it. Access to and use of data is essential for economic growth (and now, perhaps, for public health).

The response to Covid-19 will accelerate concerns over cybersecurity, but there has been no new thinking in a decade on public policy to address the cybersecurity problem. Cybersecurity and privacy are related—both deal with data protection—but have a fundamental difference. Privacy is based on an expectation that rules will be followed. Cybersecurity is a response to rules violations. Covid-19, with its eruption of cyber fraud and cyber espionage, will increase demand for better data protection.

Antitrust affects the privacy debate, as the data practices of regulated and unregulated service providers differ significantly. Tensions over antitrust will be exacerbated as changes in telecommunications technology pit large tech companies offering largely unregulated services against regulated service providers. As tech companies move into the telecommunications space, they will gain an inadvertent advantage. Unbalanced regulatory treatment of similar services guarantees a battle, but it will not be a repetition of the Uber experience, where a well-financed tech company offered an unregulated service in competition with the highly regulated taxi companies. Unlike the hapless cab drivers, the regulated competitors this time are also financial giants and experienced in the ways of Washington.

The imbalance between highly regulated government use of personal data and lightly regulated commercial use dates to the 1980s and no longer makes sense. The response to Covid-19 is an opportunity to reconsider the use of personal data by government agencies for health purposes. Privacy advocates care about government surveillance but have often given commercial surveillance a pass. Covid-19 has not fundamentally changed their views, and we can expect a backlash from these groups against the measures created for health surveillance. At the same time, the benefits of health surveillance and data analytics for controlling the risk of pandemic will create a demand for some continuation of these measures that will probably be unstoppable but also shaped by growing public interest in constraints on commercial use.

Covid-19 comes at a time of heightened attention to the ways technology reshapes societies. Although there are many contradictions in public attitudes on data collection and use, there are emerging outlines of a new concept of privacy that balances greater access with increased transparency and rules on use. A new rules-based approach to privacy and data protection lies somewhere between the United States’ commercial minimalism and European regulatory overreach. The health surveillance created for Covid-19 can help reframe the issue for Congress to better balance rules, oversight, government use, and commercial practices.

James Andrew Lewis is a senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
