In practice, the COVID-19 crisis has put regulatory powers on hold but as things stand, two forces seem to be at play.
It has been clear from the start that the role of the privacy regulators – and their attitude towards enforcement – would be key to the acceptance and embedding of the new data privacy practices embodied in the GDPR.
Right now, in practical terms, the privacy regulators cannot act beyond providing advice and support. Enforcing punitive action in the context of the COVID-19 economic meltdown would be at best insensitive – at worst, it would damage their credibility irremediably.
Further, their approach to enforcement since May 2018 – as summarised in the latest report from DLA Piper released in February – shows that they have been targeting mostly small to mid-size firms with small to mid-size fines (for small to mid-size infringements); this is probably not sustainable as this segment of the economic fabric is most at risk from the Coronavirus crisis.
And the two large fines – proposed by the UK ICO for the British Airways and Marriott data breaches – are still undergoing some form of legal challenge (for what is in the public domain on the matter).
Again, it would be highly controversial for the regulators or the courts to uphold those fines: What is the point of fining British Airways £183M, in a context where they are going to require billions in state aid to survive?
So more than ever, the privacy regulators have a delicate game to play. And behind all that, and the approach they will decide to take, lurks the shadow of their real independence from politicians. And a key question around the duration during which the exceptional COVID-19 situation could justify a relaxation of the regulatory grip.
Public interest for data privacy matters is heightened by remote working and lockdown conditions
In parallel, as the lockdown makes society entirely dependent on digital services, segments of the public and of the media are waking up to a few realities around data and privacy.
The outcry coming from some corners around the videoconference platform Zoom is laughable in most respects.
“If you’re not paying for the product, you are the product” has been the mantra behind countless of those internet platforms for the best part of the last two decades. In other words, your personal data is often the real currency on the internet instead of your hard-earned cash.
Their terms were obscure and one-sided, and they were sending data to Facebook … big deal … show me one app which doesn’t …
Oh… and if you don’t password-protect your conference and place a link on a public website, some uninvited people may join you…
And if you use an old version of (any) software, it may contain vulnerabilities that hackers can exploit…
Frankly, none of this is new, except the amount of interest and the public reaction.
More interesting is the debate around the use of mobile phones geolocation data in the fight against the Coronavirus.
The use of (properly) anonymised data in the exceptional context of the COVID-19 crisis to measure the general effectiveness of the lockdown (i.e. whether people are following it well or not – collectively) does not seem to infringe on the provisions of the GDPR (as long as the data is properly kept, no longer than is necessary to serve the purpose etc…); there is almost some form of “legitimate interest” behind that many GDPR practitioners will be familiar with.
The use of geolocation data in the context of a large scale testing programme is more problematic: There may be a legitimate interest in using an app – with consent – to monitor the movements of symptomatic or asymptomatic virus carriers, and retrospectively for contact tracing. Whether it is legitimate to extend that to healthy or immune people is another matter. Together with the way the data will be used to enforce any form of lockdown and not just monitor it, and the precedent it may create.
Overall, it seems clear at this stage that those options might have a role to play in any exit or post-COVID-19 strategy, but they will have to be handled with care by politicians and regulators at a time of heightened public emotions around those matters.
Like everything else, our perception around data and privacy will be very different when we re-emerge at the end of the COVID-19 crisis.
The privacy regulators will have to adjust their game and the GDPR may have to evolve. But the public debate shows that the interest on those matters is high, and that’s likely to stay.
JC Gaillard
Managing Director
Corix Partners
Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.