As the deadly COVID-19 pandemic rages on, public and private entities alike rush to find a cure, a vaccine, or at the very least methods for limiting the uncontrolled spread of the virus. But exploring every possibility must be balanced against the protection of data privacy, and that balance is difficult to strike.
Take for example a recent study on ‘contact tracing’ at Oxford University. In this approach, the infected person’s movements and contacts are tracked, and anyone who has come into contact with the patient is informed and advised to quarantine. The study adds to a growing body of expert opinion advocating contact tracing. One can quickly imagine the privacy concerns inherent in this method, but it is actually one of the less draconian methods in play across the globe.
Several countries, like China and South Korea, have reportedly relied on surveillance of mobile phones to track infected individuals’ activities, and other countries are building apps which allow potential coronavirus patients to enter their test results and make them available to health officials and for tracking purposes. Singapore has employed the TraceTogether app, which uses Bluetooth to create a log of people who have been within an infected person’s Bluetooth range for at least half an hour.
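To make the Bluetooth approach concrete, here is an added, simplified model of proximity logging with rotating pseudonymous IDs. It is illustrative code written for this article, not TraceTogether’s own BlueTrace protocol, and the rotation period (15 minutes), scan interval (60 seconds), and the use of a per-day HMAC key are assumptions chosen for the example. The point it shows is the privacy property: each phone keeps only a local log of short-lived IDs it saw, an infected user releases only their own daily secrets, and the matching (including the half-hour threshold) happens on the receiving phone, so no central party learns who met whom.

```python
"""Illustrative Bluetooth proximity-tracing model (added example, not BlueTrace)."""
import hmac
import hashlib
import os
from collections import defaultdict

ID_ROTATION_SECONDS = 15 * 60          # broadcast ID changes every 15 minutes (assumed)
SCAN_INTERVAL_SECONDS = 60             # one logged sighting = one minute of proximity (assumed)
EXPOSURE_THRESHOLD_SECONDS = 30 * 60   # flag contacts of at least half an hour
SECONDS_PER_DAY = 24 * 60 * 60


def temp_id(day_key: bytes, t: int) -> bytes:
    """Pseudonymous broadcast ID for timestamp t, derived from that day's secret.

    Observers cannot link two IDs from the same phone without the day key.
    """
    slot = (t % SECONDS_PER_DAY) // ID_ROTATION_SECONDS
    return hmac.new(day_key, slot.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.day_keys = {}   # day index -> 32-byte secret; never leaves the phone unless released
        self.log = []        # (day, timestamp, observed_id); stays on the phone

    def key_for(self, day: int) -> bytes:
        if day not in self.day_keys:
            self.day_keys[day] = os.urandom(32)
        return self.day_keys[day]

    def broadcast(self, t: int) -> bytes:
        return temp_id(self.key_for(t // SECONDS_PER_DAY), t)

    def observe(self, t: int, observed: bytes) -> None:
        self.log.append((t // SECONDS_PER_DAY, t, observed))

    def exposure_seconds(self, released_keys) -> dict:
        """Total proximity time per day against (day, key) pairs released by an infected user."""
        totals = defaultdict(int)
        for day, key in released_keys:
            # Recompute every ID that key would have produced on that day, then match locally.
            expected = {
                temp_id(key, day * SECONDS_PER_DAY + slot * ID_ROTATION_SECONDS)
                for slot in range(SECONDS_PER_DAY // ID_ROTATION_SECONDS)
            }
            for d, _, observed in self.log:
                if d == day and observed in expected:
                    totals[day] += SCAN_INTERVAL_SECONDS
        return dict(totals)


def flagged(exposure: dict) -> bool:
    """True if any single day's contact time reaches the half-hour threshold."""
    return any(s >= EXPOSURE_THRESHOLD_SECONDS for s in exposure.values())


def simulate() -> dict:
    """Constructed scenario: on day 0 Alice sits next to Bob for 45 min and Carol for 10 min."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for i in range(45):
        t = i * SCAN_INTERVAL_SECONDS
        bob.observe(t, alice.broadcast(t))
        alice.observe(t, bob.broadcast(t))
    for i in range(10):
        t = 3600 + i * SCAN_INTERVAL_SECONDS
        carol.observe(t, alice.broadcast(t))
        alice.observe(t, carol.broadcast(t))
    # Alice tests positive and releases only her own day-0 secret, nothing from her log.
    released = [(0, alice.key_for(0))]
    return {
        "bob": bob.exposure_seconds(released),
        "carol": carol.exposure_seconds(released),
        # Bob's raw log shows rotating IDs, not a stable identifier for Alice.
        "distinct_ids_seen_by_bob": len({obs for _, _, obs in bob.log}),
    }


if __name__ == "__main__":
    result = simulate()
    print("bob exposed:", flagged(result["bob"]), result["bob"])
    print("carol exposed:", flagged(result["carol"]), result["carol"])
    print("distinct IDs in bob's log:", result["distinct_ids_seen_by_bob"])
```

In this model Bob’s log contains three different IDs for his 45 minutes next to Alice, and nothing in it identifies her until she chooses to release her day key. The design choice worth noting is that exposure is computed on the device, with a duration threshold, rather than by uploading everyone’s logs to a server.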
In countries with stringent privacy laws, the data collected through telecom operators is anonymised and aggregated, so what is tracked is a map of how the disease spreads rather than individual patients. The caveat is that anonymised location traces are notoriously easy to re-identify once a few points are known about a person, so aggregation matters more than simply stripping names. Europe and the United States, in collaboration with tech giants like Facebook and Google, have nevertheless looked at more exact ways of using location data to track the spread of infection.
What does the law say?
As more and more nations struggle to keep up the fight against COVID-19, many are moving towards tracking consumers’ mobile phone data, raising privacy alarms across the world. In such situations, a country’s data privacy laws can be a guiding light for businesses, government agencies, and consumers who know their rights and will stand against any breach of privacy.
For instance, in Europe the GDPR has been in place for a couple of years now. The regulation applies directly in every member state in the interest of consumer data protection. However, many member states have sought room to adjust their own privacy rules during the pandemic as well.
Similarly, in the United States, the California Consumer Privacy Act (CCPA) gives consumers the right to know what personal data an enterprise collects, to have it deleted, and to opt out of its sale to third parties; opt-in consent is required only for selling the data of minors under 16. Following California, other states, like New York, are also in the process of passing stringent data privacy regulations.
Developing countries like Brazil also have their own version of the GDPR, the Lei Geral de Proteção de Dados Pessoais (LGPD). Passed in 2018, it sets out a series of obligations with which organizations must comply, thereby ensuring the protection of individuals’ personal information.
In India, the Personal Data Protection Bill (PDPB) was introduced in Parliament in 2019; it would prohibit the collection or processing of sensitive personal data without a specific, explicit, and lawful purpose. The PDPB stresses consent and protection of data, and restricts sharing information with third parties without consent.
With more and more countries around the world adopting their own privacy regulations, enterprises large and small should treat privacy, enforced through sound systems and software, as more important than ever.
Obligations and Challenges for Businesses
Many privacy advocates are warning enterprises against demanding excess information from employees, and to adhere to the privacy laws of their respective countries. For instance, in Europe, under the General Data Protection Regulation (GDPR), employee data can only be collected for a specific purpose and on a lawful basis. Consent is rarely that basis: regulators treat employee consent as suspect because of the imbalance of power, and health data is special-category data subject to stricter conditions under Article 9. This is in response to a wave of enterprises that have sought travel bans and ordered health tests for their employees to stop the spread of the pandemic.
Many countries, including the Netherlands, France, Italy, and Denmark, have issued statements forbidding enterprises from collecting excessive employee data. Although the pandemic is dangerous, “it does not give a free reason to gather private data,” argue privacy advocates.
And while drastic times call for drastic measures, privacy laws have not been suspended. This means that companies that collect consumer data must also find ways to achieve compliance with limited access to their databases and typical workflows. Obligations like responding to Data Subject Access Requests (DSARs) can be especially challenging during these times, but the best course of action is to comply whenever possible and to communicate openly with consumers about your company’s limitations.
Apart from balancing employee privacy and health concerns, enterprises are also tasked with the challenges of employees working remotely, a Pandora’s box of data security concerns. Within the enterprise network, the organization controls the infrastructure and the security measures on it. Working remotely routes traffic over home and public networks the organization does not control, exposing its IT infrastructure to greater risk.
In such situations, businesses must take the necessary security-enhancing steps: requiring access over a Virtual Private Network (VPN), avoiding the use of USB sticks, and using secure cloud services.
The COVID-19 crisis has significantly changed the approach and working style of many businesses, and the economic fallout from social distancing has shut many businesses down completely. To top it all off, data privacy laws create extra pressure and cost. Should there be relaxations or changes in privacy regulations like the CCPA or GDPR to help reinvigorate floundering businesses across the globe? Perhaps, but in the meantime, organizations should be prepared to answer these questions:
- What data is being collected?
- How and where is data stored?
- With whom is data shared?
- Where will data processing take place?
Privacy laws aren’t going anywhere, and enterprises should do their best to follow those laws when dealing with employees and consumers. Having a robust data privacy framework is the way to deal efficiently with significant data privacy concerns during these testing times. But for those that don’t have such a framework, now is a good time to hire outside help and to take note of points of concern. It’s never too early to start preparing for the next disaster.