COVID-19 and the privacy problem

Like many facets of business and life, the crisis is showing us what needs to be fixed, and it's no different with privacy

Coronavirus tracing apps, temperature sensing drones, phone apps to monitor social distancing, tech giants sharing smartphone location and mobility data - the COVID-19 pandemic is revealing the many ways technology and data can be used to protect human health. But at what cost to privacy?

Collecting information about people is nothing new - governments have long conducted population data gathering in the form of a census. But now technology has enabled granular personal details on a minute-by-minute basis, both offline and online, to be collected in great swathes. It’s gold for the businesses who compete for our attention and our dollars and hunger for intelligence to guide their activities.

“It shows us something that has always been true, but that we are increasingly aware of - data is power,” Ethics Centre fellow, Dr Matt Beard, told CMO. “We have always collected data and information as a way of obtaining power. And we're continuing to do that. Now it's just there are more forms of data we can collect in a measurable, quantifiable way that we can analyse, store and process.

“There are loads of other kinds of data available to us. And we're trying to collect them at the moment because we want some level of control so that we can secure public health."

That doesn't necessarily mean we shouldn't ask questions about the way in which that is trying to be achieved, however. Dr Beard noted particular questions around the risks that arise from that, who those risks flow to and who is left out of the solution.

Selling the COVIDSafe app

The big questions right now are around the COVIDSafe app. Can the nation’s chief marketer sell the benefits over the perceived risks of a tracing app?

The government has been at pains to reassure citizens their data will be protected and their privacy assured if they use the COVIDSafe app. It has introduced new public health information legislation to protect privacy, which comes on top of protections under the Biosecurity Act, and published a privacy impact assessment. Yet it has not released any of the source code as promised.

Legal and privacy experts, such as UNSW faculty of law senior lecturer, Katharine Kemp, and UNSW professor of law and information systems, Graham Greenleaf, have written the app collects far more data than the government has admitted.

They point out the Privacy Impact Assessment found the app records and shares to the central data store – if a user who tests positive consents – data about other users who were in range of Bluetooth even for a minute within the preceding 21 days. Ministers have said the app would only collect data of other app users within 1.5 metres, for at least 15 minutes. When a user tests positive, the app would allow the user to consent to the upload of only those contacts.

For Dr Beard, privacy concerns about the COVIDSafe app show the enormous trust required for people to adopt the app, like they have accepted severe Covid-related restrictions. The intended goal is for the greater good of limiting the spread of the virus and keeping people safe. But the app is requiring a big public marketing campaign, official reassurances and new laws.

"There are absolutely obligations we have to the group and times when we have to set aside our individual convenience and self-interest in order for the group to benefit," he said. "That’s what it means to be a citizen.

“In principle that makes sense, but when you look at the context and specifics, the framing of this has been problematic. It’s ‘are you willing to do this or not’ without necessarily providing people with enough information to make a reasonable choice."

The lack of information includes selling the app as though it were protection “like sunscreen', giving the impression it has preventative powers from virus infection. It’s presented as a solution to a problem, rather than a tool with a specific purpose. Beard stressed it’s crucial to think about the value that can be conveyed by the tracing app, and to have an appropriate mode of communication to secure reasonable trust.

“The important thing to think about is what kind of conversation needs to take place and what kind of messaging needs to take place from the government so that we could say that the people who either are using the app or are not using the app are doing so with good justification for that decision,” he said.

“In an ideal world, we would be more willing to hand over information to government as a more trusted institution that should be acting in our interest. But what we're seeing here, in terms of reluctance, is just how far government has to go in order to demonstrate that sort of trust so we can say ‘Yes, we believe you have good intentions and systems and processes and accountability and transparency. And that means we can have confidence to hand over information to you and trust it is only going to be used for the ends that have been stipulated’."

Will COVID-19 spur on privacy regulations?

It’s still early days, but one of the wider implications is whether the heightened focus on privacy will usher in new regulations when it comes to personal information, data collection and privacy. Imagine, for example, if these kinds of actions had been taken with the introduction of the MyHealth record system, the metadata laws and the proposed facial recognition database. Again, the virus has an uncomfortable way of revealing what might have been done differently.

Dentsu executive director, data and analytics, John Price, anticipated the COVID-19 outbreak will be a catalyst that accelerates development of ethics and regulations around consumer data use.

“Much of the debate about the implementation of the Australian Government’s COVID-19 tracking application has been driven by consumer fear of the worst possible outcomes,” said Price. “As legislators and consumers become better informed about the mechanics of relevant technologies, we will see increased willingness by the market to adapt ethics and regulations that make sense where there is a clear societal or consumer benefit to evolve."

In Dentsu’s Data Consciousness Project research conducted during late 2019, 49 per cent of Australian consumers agreed sharing personal data is a necessary part of the modern economy. In addition, three quarters believed government needed to play a bigger role in regulation of its usage. 

“As we improve education and awareness of data security and data privacy in the market, we will see public responses shift focus from prevention and blockage of data use toward identifying how to reap the benefits of personal data sharing while ensuring there are relevant circuit breakers to apply appropriate limitations,” said Price.

“Moving forward, brands and government organisations working with consumer data will need to provide upfront transparency with their consumers and constituents. Doing this via extended terms and conditions is also not the answer."

Price cited a recently an assessment that found the average time it takes to read terms and conditions of major technology platforms ranges from 10 minutes to more than an hour.

“Consumers are generally aware the use of their data is part of improving their customer experience, so being clear with them in simple ways on how you are using their data will help establish and maintain their trust in your brand,” he said.

According to LogRhythm CMO, Cindy Zhou, the COVID-19 pandemic has resulted in many businesses facing data privacy questions as they monitor the impact of the virus on their organisation.

“In response to these concerns, we have seen international authorities take action to encourage, and in some instances require organisations to monitor and respond to these evolving cybersecurity and data privacy issues,” she told CMO.

“Marketers are faced with more regulation and stricter guidelines on our ability to procure contacts, yet the lead generation expectations are high. The idea of a worldwide privacy framework is hard to fathom right now, but I believe is needed to ensure consistency in how we manage privacy and consent. The current landscape of GDPR in Europe, California's CCPA, and Canada's CASL have nuances in the text that creates confusion for global marketers.”

Beyond the current period, Zhou saw the need for a clear and accurate public statement from authorities about what personal data is being collected, why it is being collected, with whom (if anyone) it will be shared, how it will be secured, and how long it will be retained.

However, there are those who believe a world-wide privacy framework is exponentially more complex. Attivo Networks CMO, Carolyn Crandall, said a framework detailing minimum handling and safety measures could help protect our personal information, yet creating a centralised database that attackers would aggressively target in order to modify, steal or destroy data is extremely risky.

“It could also create opportunities for violating an individual’s privacy - having all the data in one place might allow for undesired correlation of information and its potential misuse by adversaries or portions of government overstepping their intended boundaries,” she warned.

Avoiding the ‘honey pot’ risk may entail common requirements over a common storehouse of data. There are precedents for regional compliance structures that enable the free flow of data while imposing uniform data protection requirements such as the APEC Privacy Framework and EU-US and Swiss-US Privacy Shield Framework. These could serve as a model, according to CrowdStrike VP and counsel, privacy and cyber policy, Drew Bagley.

He noted recent legislative developments globally have included common requirements such as incorporating privacy-by-design, implementing cybersecurity, and reporting data breaches if they are likely to pose a risk to individuals. “Accordingly, a global framework focused on these common requirements could provide a practical means to incentivise the adoption of more uniform data protection practices,” he said.

Bagley explained a global policy framework could include a flexible, principles-based approach, rather than prescriptive requirements, an acknowledgement that not all data is created equal. Some data types, for instance, are more sensitive than others. Then there are other considerations such as data processing transparency, incentives to adopt new safeguards as threats evolve, and support for global data flows needed for innovative technologies often dependent on dynamic cross-border data transfers.

Up next: Redefining privacy as a human right

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

More Videos

Nice blog!Blog is really informative , valuable.keep updating us with such amazing blogs.influencer agency in Melbourne

Rajat Kumar

Why flipping Status Quo Bias is the key to B2B marketing success

Read more

good this information are very helpful for millions of peoples customer loyalty Consultant is an important part of every business.

Tom Devid

Report: 4 ways to generate customer loyalty

Read more

Great post, thanks for sharing such a informative content.

CodeWare Limited

APAC software company brings on first VP of growth

Read more

This article highlights Gartner’s latest digital experience platforms report and how they are influencing content operations ecosystems. ...

vikram Roy

Gartner 2022 Digital Experience Platforms reveals leading vendor players

Read more

What about this one I think it's a great platform providing a lot of options, you can collect different data and work w...

Salvador Lopez

Gartner highlights four content marketing platform players as leaders

Read more

Blog Posts

​Why we need to look at the whole brand puzzle, not just play with the pieces

Creating meaningful brands should be a holistic and considered process. However, all too frequently it’s one that is disparate and reactive, where one objective is prioritized at the expense of all others. So, what are the key pieces to the ‘good’ brand puzzle?

Marketing overseas? 4 ways to make your message stick

Companies encounter a variety of challenges when it comes to marketing overseas. Marketing departments often don’t know much about the business and cultural context of the international audiences they are trying to reach. Sometimes they are also unsure about what kind of marketing they should be doing.

Cynthia Dearin

Author, business strategist, advisor

From unconscious to reflective: What level of data user are you?

Using data is a hot topic right now. Leaders are realising data can no longer just be the responsibility of dedicated analysts or staff with ‘data’ in their title or role description.

Dr Selena Fisk

Data expert, author

Sign in