Watching the Corona crisis unfold across Europe called to mind the following quote of unknown provenance: “There are decades where nothing happens; and there are weeks where decades happen.”
When the pandemic materialized and the first government lock-downs were announced, the compulsory work-from-home era catalyzed the ongoing digitalization of the continent’s economy and society. In this way, an historical process was fast-forwarded. What was inevitably going to happen is now already happening on an accelerated timetable.
From an Internet governance and data privacy point of view in the EU, there is one worrying trend, however, that warrants closer scrutiny. In the immediate aftermath of the COVID outbreak, a growing chorus of voices in the media and on social media began questioning safeguards on the protections of the fundamental right to privacy in the interest of a more effective public health response. Especially through March, when the case numbers were exploding in Europe while China seemed to have successfully “flattened the curve”, there was much more reticence to defend the sanctity of data privacy in the face of such an acute crisis.
Fortunately, Europe on the whole can pride itself on having a very high bar when it comes to restricting certain rights in times of public health emergencies. There are far-reaching provisions in the EU Treaties, in the GDPR, and in the European Convention on Human Rights that firmly defend the idea that data belongs to individuals – not their governments. Acceptable derogations from these protections must always be strictly required, temporary, and proportionate.
Nevertheless, with the situation moving fast, governments were quick to take a permissive approach to data collection and processing. European collaborations with mobile operators to monitor compliance with social distancing measures on an aggregate basis and other forms of data-sharing among governments became the norm. In some policy circles, there was initially a debate about whether tracking apps should be made mandatory to better break infection cycles once they became apparent.
The individual merits and dangers of these measures could cover reams and would certainly require a much longer analysis than this text allows, but there are several compelling reasons to ensure that the bar for limitations of data privacy remains extremely high.
First, in a world of nascent digitalization, suspending the right to data privacy in the interest of public health often reflects the “law of the instrument”, or, in the vernacular, “To a man with a hammer, everything looks like a nail.” That is to say, to a policymaker with the ability to track the geolocation data of millions of citizens, every problem she or he confronts is likely to look like a problem that could be solved by using this data. The government’s limited use of data that rightfully belongs to its citizens could quickly be expanded to other, unrelated areas.
Second, once precedents have been set to expand governmental powers – even temporarily – they could open the door to more invasive forms of surveillance. This is a lesson the United States learned after the terrorist attacks of September 11, 2001, as civil liberties advocates remind us. For liberal societies, where the right to privacy is deeply engrained culturally, change that threatens data privacy is more likely to be creeping than sweeping.
Third, and to my mind one of the most important reasons to keep the bar extremely high: For governments, having access to the personal data of their citizens may valorize surveillance and coercion at the expense of persuasion. Democratic governments persuade; autocratic governments enforce. Liberal politicians and regulators with access to citizens’ data may be tempted to focus on compliance via coercive means rather than through debate and dialogue.
Clearly, trade-offs are required in exceptional circumstances to ensure collective well-being. But the hurdles for compromising on the sanctity of data privacy are – and should remain – extremely high.
Stephan Bürklin is Chief of Staff to the European Managing Partner, Brunswick Group, Munich, Germany. He participated in our online Young Professional Seminar “Governing the Internet and Opening the Data: What is Europe’s digital future?” on 26th June and 3rd July.