Covid-19 and data privacy pits European governments against US tech once again
by Alex Rennie on 03 Jun 2020
Covid-19 and the concerted push by European governments to develop contact-tracing apps has revealed the difficult trade-offs between privacy and public health. Like in previous debates, policymakers and Big Tech find themselves on opposite sides of the argument, although their roles have reversed, with US giants now positioning themselves as the guardians of their users’ privacy by refusing to facilitate centralised apps.
The Covid-19 crisis has tested the capacities of governments worldwide to effectively protect the public’s health whilst causing as little economic and social damage as possible. Many governments are betting that a sophisticated test, track and isolate strategy will help them to balance these competing demands, with a phone app being pursued as an important pillar of the strategy. Yet such a strategy involves a level of unprecedented government surveillance. An individual’s right to privacy therefore has to be weighed against the need to protect wider public health and the economy.
This trade-off is particularly acute for the EU. Many of the member states worst affected by the virus are precisely those who can least afford repeated economic shutdowns and the increased debt they would entail. Yet in geopolitical terms, the EU is most influential in its role as a standards-setter. The bloc has used standards-setting to project power by leveraging access to its large, rich internal market to force the pace on global rules in a range of sectors. Privacy has been the centrepiece of this push, with the General Data Protection Regulations (GDPR) and the ePrivacy Directive at its core.
Do existing data regulations impede the use of contact-tracing apps?
Contact-tracing apps will collect data on people’s health, via the self-reporting of symptoms or the confirmation of a positive test result, and their interactions with other people, via the transmission of Bluetooth signals. These can either be centralised, with people’s data being stored on a central server, or decentralised, where data is only stored on the user’s phone.
The centralised approach has the advantage of allowing the authorities to judge the riskiness of different types of personal interactions and to identify local infection outbreaks, thereby allowing more targeted public health interventions. However, by storing a person’s data on a server outside of their control, centralised apps also offer a greater chance of being misused by governments or malign actors.
Whilst centralised apps could be vulnerable to a legal challenge if the authorities designing them cannot demonstrate that such a solution is necessary and proportionate, the EU has said that it is up to individual member states to decide on the most suitable app design, suggesting both types of app are GDPR-compliant. The GDPR contains specific provisions that grant exemptions for public health crises, granted that any use of data is proportionate and expires once the crisis has passed. Both France’s privacy regulator and its National Digital Council have also said that France’s plans for a centralised app do comply with existing data privacy laws, provided that sufficient oversight is in place.
Big Tech: the new privacy defenders
Whilst existing privacy regulations therefore appear to offer sufficient leeway for governments to monitor their citizens to a previously unthinkable degree, European governments were clearly unprepared for their plans to be scuppered by the US tech giants.
Britain, France and Germany all planned to pursue a centralised app because they believed the insights provided would help them to more effectively manage the spread of the virus. A recent report by Oxford University found that this approach would likely save more lives than the decentralised alternative.
Yet Apple and Google have announced a new Bluetooth protocol that will make the apps that use it more operationally effective. By enabling these apps to listen for other apps even when in the background, they will consume less battery power. They will also make it more likely that all of a person’s interactions are caught, providing clear epidemiological benefits. The companies, however, have refused to make their update available to those governments working on centralised apps, citing the potential for official snooping.
Without the protocol, centralised apps will require workarounds that will drain a phone’s battery quicker and will, in all likelihood, lead to many interactions being missed if they still fail to operate in the background. Whilst the tech giants insisted that it is for governments to decide what approach to take, governments' reliance on the technological knowhow of these companies has led to most, including Germany, switching to the decentralised model. France and the UK are the only holdouts in Europe at the time of writing, with reports that the UK is considering switching due to the technological difficulties of going it alone.
This striking example of US tech companies forcing governments to abandon their stated policy preferences in an arena as important as public health is likely to further damage relations between the two sides. The governments of France, Germany, Italy, Spain and Portugal have highlighted the “challenges” in the relationship between Europe and “digital global players” following the disagreement. In their joint letter, they argued that “the use of digital technologies must be designed in a way that we, as democratically elected governments, evaluate and judge it both acceptable for our citizens and compliant with our European values.”
Yet the pandemic has also demonstrated the centrality of the US tech giants to the global economy and has only increased their power. All of this means that US technology companies are bound to face renewed public and political scrutiny. On the issue of privacy, this will only increase their motivation to demonstrate their commitment to high privacy standards. This will deny their opponents additional reasons to attack them, but it also has the added benefit of making sound business sense. A recent poll found that less than 20% of the British public would trust the tech companies to protect sensitive data. As they strive to push into more aspects of our lives, including payments, such low trust is a significant challenge that such companies must address.
Whilst the battle over contact tracing apps is unlikely to lead to any meaningful changes to existing privacy regulations, it is likely to bring renewed scrutiny of the socioeconomic power of US companies. The issue has perfectly illustrated the need for greater European technological sovereignty and is likely to have strengthened the idea’s proponents. The implications for the already rocky relationship between European governments and US tech companies will be significant.
Written by Alex Rennie
Alex provides political analysis and monitoring for clients in the emerging technology sector, with a particular focus on drones.