The debate regarding privacy during COVID19 rages on. Do we trade the privacy of our data, in order to provide a stopgap for COVID19 restrictions (until a vaccine is available)?

The law will tell us what the GDPR allows, what CCPA allows, what HIPPA allows, what the constitution allows etc. However, privacy (I know I keep saying) is not just about the law. Its also about society, politics, ethics and personal choices and behaviours.

I have been banging on for years about trying to make organisations see the value of privacy as a Corporate Social Responsibility – to demonstrate privacy behaviours beyond just the law (I am so passionate about this – it is the central theme of my PhD research) – essentially to address privacy in their corporate citizenship programs. Corporate citizenship refers to an organisation’s responsibilities toward society. The goal is to produce higher standards of living and quality of life for the communities that surround them. All organisations have basic ethical and legal responsibilities; however, the most sustainable businesses establish a strong foundation of corporate citizenship, showing a commitment to ethical behaviour by creating a balance between the needs of shareholders and the needs of the community and environment in the surrounding area. This was reflected by Giovanni Butarrelli in 2018, when he highlighted how GDPR would only be effective if organisations addressed the ethical component of data protection – by adhering to the spirit of the law and not just the letter of the law.

But what about our own ethical responsibilities towards society with regards to our privacy? Can we ask of organisations what we do not demand of ourselves? Is it now time for us to start demonstrating privacy behaviours that are ethical and socially responsible, and to share information for the greater good even though we recognise it is an invasion of our privacy?

I understand this can be difficult for many to digest, and many will feel fear, and many will peddle fear. So to avoid associating privacy with such anxiety, let’s try to frame the argument in a socially responsible context, rather than a legal one :

Do we have a moral obligation to trade our COVID19 status in order to :

1) avoid a global depression

2) return to some level of normalcy pre-vaccine

3) reduce the probability of infecting others if we get the virus

4) reduce  the probability of getting the virus ourselves and

5) protect healthcare workers and vulnerable individuals in our society by reducing the number of people passing through hospitals with the virus. “

Sounds a bit different eh.

I’m not denying that trading my privacy in a socially responsible context such as that created by COVID19 – makes me feel uncomfortable, however that the world is in lockdown and we need to get back to connecting with people once again. Much of the travelling world was in lockdown before, post 9/11 – and as a result of that lockdown – our privacy was and is increasingly invaded at airports, as

1) it was mandated through revised legislation

2) we took comfort and assurance from it.

3) we knew that international travel would not be possible without it.

4) we knew that the travel lockdown post 9-11 could only be lifted by implementing enhanced super-invasive security checks and measures.

Essentially we knew that if we said ‘no’ to the 9/11 security checks and ‘no’ to the sharing of passenger data in Advanced Passenger Lists to the US Government (which are still mandatory for arrival into the US), as they breached our privacy rights – international travel would most likely have remained locked down and Greta Thurnberg would not be famous.

What are the alternatives?

For those who chose not to trade the privacy of your COVID status in these circumstances, I fully respect these choices, but I ask two things:

• Do you suggest an alternative?
• Are you going to continue to self-isolate whilst those of us who trade the privacy of our COVID status return to the world? (I am reminded of a similar debate facing MMR vaccinations, where those who refuse to take on the risk of the MMR vaccination, benefit from those who take on the risk – as the latter reduce the threat of measles mumps and rubella in the community).

What might the privacy professional’s role be in socially responsible privacy behaviours?

In demonstrating this new socially responsible privacy, our role as privacy professionals may be to guide the shape and limitation of information use so that we can provide assurance to those who agree to trade the privacy of their COVID status e.g.

• by advocating for the use of differential privacy, privacy enhancing technologies and/or the use of blockchain technologies,
• by vigilance to the misuse or extended use of citizens data
• by monitoring those tasked with the provision of such services
• by highlighting good privacy hygiene rules
• by ensuring the trading of our privacy has a timeline and that post vaccination we are provided with the tools to delete our information.

Ethical Dilemmas that lie ahead?

We trade our privacy for different things. Studies show that those under 25 trade their privacy for sociability and to look cool. Those over 40 however will sell their souls for a loyalty card and a 20% discount. Regardless of age, most of us likely recognise the data protection principles (enshrined in GDPR) of necessity and proportionality that are inherent in the processing of COVID19 health status data, the public good that results and the importance of this information in protecting many vulnerable people in the community.

As someone who is not comfortable flying in an airplane at the best of times (its “game over man, we’re all gunna die”) – I would refuse to board a plane with someone who refuses to be searched. Similarly, I envisage that people will not want to go to places where there are people who refuse to share their COVID19 status.

So it seems likely that society will divide into two groups: those who trade their COVID19 status and those who don’t. Those who trade their COVID19 status will be considered a lesser risk in society, and will likely be admitted to large gatherings such as sports events, concerts, cinemas and theatres etc. Those who don’t share their status will likely not be admitted, just like at the airport. If you do not agree to the security checks at the airport – you do not get to fly.

Will such decisions be legally disputed? Can we say we have been discriminated based on our health status? Can others respond by saying they must view someone as COVID positive if they cannot provide comfort of otherwise? Will governments try to use this data beyond the agreed purpose?

I’m sure the courts and privacy professionals will be busy. And this will drive a huge social change towards trading privacy for reasons of public health, in my view.