How can Europe reconcile privacy with COVID-19 track and tracing systems?

Do European data protection laws limit the opportunities that COVID-19 tracking applications provide us with? The ongoing debate about this goes much deeper than you might think.

The applications for tracking those infected with COVID-19 are a great means to practice what we preach on data protection and privacy – statements that have all too often been based on ideology rather than action.

The issue at hand is an important one as it touches upon a number of crucial questions regarding the future of Europe such as the balance between personal freedom and the public interest, between personal and public security, as well as the line between the private realm and economic interest.

Perhaps most importantly, this touches upon the question of where Europe should draw the line between progress and the intrusion of technology into our lives. The regulations that we construct will be closely tied to these debates.

Citizen concerns about data privacy can have an impact on public safety. For example, during COVID-19, some have refused to share their data in tracking applications. Arguably, this is actually the biggest danger – it is a symptom of a wider lack of trust.

The current pandemic has brought this issue to the forefront. Analysts have found that, in order for tracking applications to work and for their use to make sense, at least 60% of the population of a country must share their data. If we look at the numbers of downloaded applications across Europe, we find that very few countries actually reach this percentage.

The reason for this apparent mistrust is clear: citizens do not want to run the risk of unauthorised access to their data. They are concerned that once the state collects information, it will a priori abuse it, using the collected data for ulterior purposes.

To address this, the EU has designed a so-called ‘Toolbox’ that is driven by a clear purpose – to limit the data collected by the application to only what is truly necessary, and to give users control over the data they share.

Looking beyond COVID-19, this lack of trust may have further repercussions down the line. It risks impeding the EU’s ability to collect sufficient amounts of big data legally. This could prove to be a major drawback for Europe’s continued growth, as big data will be at the heart of the next economic model. Europe’s cautious approach to data is arguably its main hurdle to economic competitiveness and innovation. Thus, there is a need to look more deeply into public concerns about data privacy.

This was one of the reasons why I organised a series of online discussions with experts in the midst of the epidemic to better inform policymakers’ decision-making processes. Together with analyst Tomás Pueyo, representatives of major IT companies and experts such as the political scientist Ivan Krastev, we discussed possible actions going forward.

One of the main takeaways from these discussions was the need for a precise definition of the data gathered by COVID-19 tracing applications. This could help improve public confidence in these applications, which have proved very valuable in the much-needed tracing of those infected with the disease.

Until a few weeks ago, it was possible to hold onto the hope that COVID-19 would disappear and this would remain just an intellectual exercise. Unfortunately, the present circumstances make it clear that we will have to learn to live alongside the virus for longer than initially anticipated.

In order to earn people’s trust, we need to offer them a solution that addresses their worries. One option is to create a pan-European rule – a sort of license that defines the main characteristics of the data used by COVID-19 tracking applications. Several elements would form the basis of this license, which we could call ‘All-Share-Against-COVID’.

First, the collection of information must require the personal consent of everyone. Second, these applications cannot be used for purposes other than the tracing of infected people. Third, the data collected cannot be copied, sold or used by other stakeholders – including government institutions or private companies. Fourth, the data collected should be limited to what is necessary to trace back 14 days’ worth of contacts of people who test positive; any data outside of this realm should be deleted.

I was hesitant to include the requirement for the collected data to exclude the possibility of GPS location data, and for movements to be detected only through Bluetooth technology. This looks like an insignificant detail, but it is actually a vital one. The question is, of course, whether adding such a requirement would not render the existence of the applications themselves pointless. This is perhaps best left for a more technical discussion with experts – after all, this has been the best approach when our decisions required very specific knowledge.

In conclusion, our data protection regulations should be aimed at building citizens’ trust. When considering these rules, we must look at them through concrete cases, not only through our ideological shutters. COVID-19 has revealed that our citizens expect Europe to offer fast, feasible and effective solutions. That should be any policymaker’s ultimate goal.