For years now commentators have declared privacy and data protection rules under assault. But the potential of personal data to help respond to the ongoing COVID-19 pandemic demonstrates a shift in people’s relationship to their data. Wojciech Wiewiórowski – a trained lawyer with decades of experience in national and international data protection regulation – is now at the forefront of these developments.
“Privacy has never been more alive“, Wojciech Wiewiórowski replies when I suggest that in the fight against COVID-19, privacy is losing. His optimism stems from neither idealism nor ignorance. As the European Data Protection Supervisor, he works to protect privacy on a daily basis. His office deals with conventional issues such as data transfers between the EU and third parties as well as hot new issues like big data, Artificial Intelligence and the Internet of Things. But as the pandemic has progressed, data protection has developed an even newer bleeding edge. Privacy incidents like the hijacking of the Ring cameras, cybersecurity risks related to the Zoom videoconferencing system and the ongoing debate about the use of digital tools to control the spread of the disease add new complexity to an old question: what is the place of privacy and data protection in an increasingly data-driven society?
New Game, New Rules?
In his recent blogpost, Wiewiórowski called COVID-19 a “game changer“. In a wide-ranging conversation, he told me why he thinks the pandemic will have such a significant impact on privacy – and why he’s still optimistic. “The feeling that we need to readjust our thinking is something that concerns us not just as individuals, but also in our professional capacity“, he elaborated. He’s quick to caution that this readjustment must be a collective one: “It is a global reflection process, and therefore the answers should not be discussed in silos”. This feeling is shared across the European Union. Recognising that digital technologies and data have a valuable role to play in combating the COVID-19 crisis, several European governments have already deployed new tools that can be used to track individuals by geolocation, to rate individuals’ health risk level and to centralise sensitive data.
Wiewiórowski is an academic professor and experienced data protection lawyer who has worked on both sides of the data protection and privacy debate over his career, including for the Polish government. He does not shy away from difficult questions. In his writing about the pandemic, he raises a critical question: are we ready to sacrifice fundamental rights in order to feel better and to be more secure?
Recalling how the post-9/11 shift in narratives about balancing security and privacy influenced the subsequent policies of the European Union, I ask Wiewiórowski if these solutions are a cause for concern. “Indeed, the measures governments have adopted, and we all as society may adopt in the near future, seemed difficult to imagine few months ago”, he says. Rights still matter, he continues: “I deeply believe, however, that this must not lead to us to a conclusion that we should waive our fundamental rights or ‘suspend’ them in any way. Quite the contrary, fundamental rights, such as the right to privacy or to data protection, should always be seen as an integral part of human dignity. Protecting human dignity is the core value of the society I want to live in”. That does not mean fundamental rights are limitless, he is quick to add, noting, “Society has always acknowledged the possibility of limiting certain rights, and we have developed principles that are guiding us through the process – necessity and proportionality, respect for the essence of the fundamental right, etc.”.
I dig deeper to better understand Wiewiórowski’s views on flexible interpretation of fundamental rights. He explains that while privacy is a fundamental value, there is also a responsibility to use available tools when faced with a great crisis, such as the global pandemic. He points out, factually, that even the crowning glory of the European data protection debate, the EU General Data Protection Regulation, clearly states that the processing of personal data should be designed “to serve mankind”. Indeed, the GDPR contains a little-known passage noting that “the right to the protection of personal data is not an absolute right” and that it “must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality”.
However, the GDPR also includes a clear condition that such measures need to be temporary and transparent: the state of emergency should not become the new normal. Wiewiórowski has clear views on that. “There is of course a risk that what is once considered temporary and exceptional might, before we notice, became a normality. That is why it is essential that we do notice. Here, I cannot stress enough the role of data protection authorities. I believe that with effective judicial redress mechanisms in place, their role can be executed efficiently. After all, it is not only a data protection issue, it touches the core of the rule of law”. This is a good point. Indeed, in 2016 the European data protection authorities formulated a list of requirements for surveillance mechanisms that interfere with the right to privacy and data protection. These “European Essential Guarantees” were later confirmed by the Court of Justice of the European Union. However, as recent challenges to the rule of law in some EU member states have made clear, even the most well-crafted “guarantees” can be eroded under the right circumstances.
A European Model
I am trying to better understand Wiewiórowski’s reasons for cautious optimism. While surveillance technologies China has deployed to fight the virus have received the most attention, other countries have already taken similar steps. South Korea tracks the movements of individuals through credit card transactions, CCTV footage and other data, and Taiwan has integrated health and other databases to allow Taiwanese hospitals, clinics and pharmacies to check patients’ travel information. Will these measures be the foundations of new digital authoritarian surveillance states, like the one already built by China? Should we be worried in Europe?
In response to my concerns, Wiewiórowski argues, “Our legal traditions and European human-centric approach is something that cannot be that easily set aside”. He elaborates, “I understand that some member states are looking for inspiration, ideas on how to effectively combat the virus, and a temptation to look at the experiences of some Asian countries is not surprising. I am positive, however, that on a European level we can come up with technologically advanced solutions which are, at the very same time, respectful of fundamental rights and freedoms. This is why the EDPS is advocating the pan-European approach, where as a result of joint effort by EU member states we can produce effective solutions in compliance with EU law and privacy and data protection principles”. Indeed, the European Union has moved quickly to develop recommendations for the use of technology and data to address the pandemic. In particular, the EU is working on pan-European approaches to using mobile apps to facilitate social distancing and contact tracing, as well as a unified approach to the use of anonymised and aggregated mobile location data to model and predict the evolution of the virus.
Can the EU approach become a model for the rest of the world? In a recent article for Foreign Affairs, Nicholas Wright argues that Western democracies must rise to meet the need for “democratic surveillance” to protect their own populations. But is democratic surveillance an oxymoron? Are surveillance and democracy compatible? Wiewiórowski points out an important distinction: “It is important to be precise about the word surveillance, as it has particularly negative connotations in the data protection language, and maybe not so much when used in the context of monitoring public health”. Didier Reynders, Commissioner for Justice, argues that the European approach achieves a healthy balance between strength and privacy: “Europe’s data protection rules are the strongest in the world and they are fit also for this crisis, providing for exceptions and flexibility“.
Perhaps the COVID-19 crisis could be the opportunity the EU needs to establish itself as a worthy rival to China on the digital frontier and develop its own response to China’s “Digital Silk Road”. However, Wiewiórowski is not in favour of speaking about Europe as a competitor on the surveillance front. “We need to remember that technology and use of data is only a contribution to the whole effort to fight COVID-19 and its negative impacts”, he told me. “I would like to think of Europe as an example of coordination between different sectors, stakeholders and experts where knowledge and resources build a synergy effect. If technology can be helpful, and I believe it can be, it should be considered as a tool, not as an aim per se”.
Commenting on the need for a common approach at the EU level, he continues, “The EDPS often calls for pan-European approach to the most difficult matters. That is simply because we deeply believe that things work better if we work together. And it’s not only about member states working together, but all of us – experts, academia, civil society. Europe is built on a culture of cooperation and discussion we should not be afraid of using. I will support any attempts aimed at improving coordination, be it on the level of EU institutions or other, less formal, fora”.
The spirit of cooperation is also present in Wiewiórowski’s writing on EU Digital Solidarity, which, according to him, should make data work for all people in Europe, especially the most vulnerable. “The borderless world of the European Union, not only in the literal sense but also in respect to how much we can exchange with each other, is an opportunity to face the challenge that COVID-19 poses together. We know the problems and criticism Europe has faced with respect to coordinating the response to the crisis between e.g. health authorities of member states. In the digital area, we have less legal constraints than in the health sector and therefore we should seize the opportunity to use our resources in the best way possible to address the crisis. First and foremost, however, we have a unified framework of data protection which creates a level playing field and encourages joining our efforts in our technological response to the crisis”.
Looking To The Future
Many agree that the crisis will not be over in matter of weeks and that, rather, the fight will take many more months – and the recovery years more. Many new challenges are yet to come. If these predictions are correct, is emergency the new normal and, if so, what does that mean for our right to privacy and data protection?
“The issue of the nature of the emergency state is something I personally reflect a lot about”, Wiewiórowski says. His perspective is shaped by his personal experience as an 11-year-old boy growing up in communist Poland. His first-hand experience with a totalitarian regime taught him what extreme surveillance and censorship mean for society. “The constitution said dozens of words on democracy and the political leaders were elaborating on social good, peace and socialist democracy. At the same time, they introduced martial law – more than a state of emergency – in the whole country because they could not speak with political opposition”, he says. He adds, emphatically, “I can assure you I am the last person in the world who believes that the notion of a ‘pragmatic approach’ should be used in dealing with fundamental rights”.
Wiewiórowski acknowledges that somehow life will have to go on with certain measures still in place. But that cannot mean that we dismiss privacy and data protection as long as COVID-19 exists. He rejects my suggestion that a more pragmatic approach to data protection implies less hawkish positions from the data protection authorities. “Quite the contrary!” He explains: “Since the limitation of any fundamental right should be based on the analysis of proportionality and necessity, it is a responsibility of the state to constantly assess whether measures in place are indeed justified, given how, after some progress with the fight with the virus, the overall situation might change. In this context, national data protection authorities have a crucial role to play, both as a ‘watchdog’ and as a source of expertise”.
At the end of our discussion, I am curious about the lessons he draws from the current situation and the implications it will have for our relationship to fundamental rights as a society. “The challenges we are facing are of concern for our citizens – for each and every individual. That brings a debate on the fundamental rights to privacy and data protection to very practical aspects interfering with individuals’ daily life. I believe we are ready for a mature conversation about the relation between fundamental rights (not only those two but many others, including personal liberty) and the measures we, as societies, decide to impose”.
Our conversation comes to an end, but the topic is far from exhausted. The current health crisis is just an indication of what lies ahead of us. I have many more questions about the future of fundamental rights in general, but I end with the lessons Wiewiórowski draws today: “As data protection authorities, we should facilitate this discussion by providing expertise and setting the limits of what can be and what cannot be done with full respect to our fundamental rights”.