The use of technology in the coronavirus pandemic has thrown up a fundamental human rights issue: how do you balance public health requirements against a right to privacy, and maybe other human rights?
A growing number of countries see the use of data as crucial in keeping us all safe; first in tracking our movements and second in tracing contacts of an infected person.
On tracking our movements, European governments and EU leaders have already told wireless carriers to hand over huge amounts of data. Some have pointed out that, though this imperils privacy, it helps with other fundamental rights like freedom of movement, and freedom to conduct a business.
On contact-tracing, some epidemiologists say that using generalised telecoms location data can only be a first step. It is not exact enough to see if people are staying separated. To be fully effective, countries will have to follow the example of South Korea and China and make infected people download an app that will reveal exactly where they go and whom they meet. Several governments (including, reputedly, the UK) are working on their own versions of such an app. Unsurprisingly, it is more efficient if everyone uses the same one.
We must ensure that the matter of professional secrecy is raised with authorities, so that in the stampede to protect public health, the client’s right to confidentiality is not obliterated
The EU has recently published An EU approach for efficient contact tracing apps to support gradual lifting of confinement measures, which claims to grant sufficient data protection, with the European Data Protection Board being consulted first. Its guidance includes guarantees that the use of the app is voluntary, without negative consequences for those who refuse it, and that the app is automatically deactivated when the pandemic is under control.
It describes the kind of data necessary for contact-tracing – not location data, but proximity data.
Assuming the technology works, these two functions of movement-tracking and contact-tracing have huge public benefit, particularly during an exit strategy when people will come back into more frequent contact. But they will give governments an incredible level of surveillance over us and over the use of our data.
As a result, data protection authorities in many countries have been working overtime to keep up. The UK’s Information Commissioner’s Office (ICO), for instance, has issued various announcements. First, the ICO published a statement saying that data protection laws do not get in the way of innovative use of data in a public health emergency – as long as the principles of the law (transparency, fairness and proportionality) are applied. Most other data regulators agree – with the exception of the Dutch organisation, which said that it is not possible to make mobile location data anonymous.
More recently, the ICO has reported that, by using the UK’s position as chair of both the Global Privacy Assembly of privacy regulators and the OECD Working Party on Data Governance and Privacy, a list of worldwide questions has been drawn up for those using new technologies during the health crisis to ask themselves, to ensure that the privacy implications are properly considered, and that they do not put public trust at risk.
These questions relate to: a built-in privacy design; necessity and proportionality; user control; the need for central processing; ongoing monitoring; and what happens when the emergency is over.
For lawyers, this issue is important for two reasons. First, our clients will need advice on the balance between public health and private rights. There is bound to be litigation on the borderline between the two and lawyers will be at the forefront of helping decide where the frontier lies.
Second, our own rights – or rather those of our clients in dealing with us – might be affected, meaning prof essional secrecy. Professional secrecy is always at the heart of surveillance issues as it affects lawyers.
It might seem far-fetched, but a contact-tracing app which discloses where citizens go and whom they meet, which is of its nature not anonymous, might reveal information which is subject to confidentiality rules, such as whether and when a client met a lawyer. It is true that the EU version rules out location data and includes only proximity data, but if this is not anonymous (and assuming I have understood it properly) it could reveal just such information.
As a result, it seems to me incumbent on the legal profession to do two things in the current debate.
First, of course, we must defend citizens’ right to privacy, which may be in danger of being overlooked. It is for the courts finally to settle where the border lies as against the public good.
Second, and maybe more importantly, since we will be the only ones raising this issue, we must ensure that the matter of professional secrecy is raised with the authorities, so that in the understandable stampede to protect public health, the client’s right to confidentiality is not obliterated.
Jonathan Goldsmith is Law Society Council member for EU matters and a former secretary general of the Council of Bars and Law Societies of Europe. All views expressed are personal and do not necessarily reflect the views of the Law Society Council