Do the European data protection rules harm the opportunities that COVID-19 tracking applications give us? Actually here the question is quite bigger.
The applications for tracking the infected with COVID-19 people are a very good case to test in practice our theoretical statements on data protection and privacy, which often turn into ideological ones. The issue is an important one as it involves a number of important questions for the future of Europe – the balance between personal freedom and the public interest, the balance between personal security and public security, line between the private realm and economic interest, and most importantly: where is the border that Europe it must put before the development and penetration of technology into our lives and how quickly we can afford this transition to happen. The regulations that we construct are tightly related to the answers of those questions.
Many people do not come up with specific expressions of their fears when it comes to data privacy. They simply refuse to share their data, even in cases such as the COVID-19 tracking applications. And for me, this is actually the biggest danger – the general lack of trust, which leads to an absolute refusal to share any data about what you do online.
The COVID-19 is a very good showcase. According to the calculations of experts in order for the tracking applications to work and their use to make sense, at least 60% of the population of a country must share data in them. If we look at the numbers of downloaded applications across Europe, we will see that this percentage is almost nowhere to be found. The reasons for this huge mistrust are clear. Citizens’ fears are obvious – the risk of unauthorized access to their data, the fear that personal information may be misused, and that someone may simply collect information that does not correspond to the purpose. That is why the EU has already come up with the so-called Toolbox, which have a clear purpose – to limit the amount of data that use this type of applications only to the necessary, as well as to give users control over the data they share.
This shows that we as policy makers should start everything we do in data protection with a simple question: will it change the attitude towards sharing personal online data?
Because the lack of trust that leads to a general refusal to share data will mean that we as EU will not be able to collect big data legally. As we know, the big data is foundation of the new model of economic development in the world.
From this point of view, I rather believe that Europe’s cautious approach to data is the main hurdle to economic competitiveness and innovation. Our main problem is the lack of confidence among many Europeans that their data is being used correctly. We also have a serious problem that for many people in Europe, personal privacy is now much more important than the public interest. There are also people who believe that once the state collects information, it will a priori abuse it. For me, this understanding and approach to data privacy is a serious problem for Europe.
This was one of the reasons why I organized a series of online discussions in the midst of the COVID-19 epidemic, where we could think about our options for action. Together with Tomás Pueyo, representatives of the major IT companies and people such as the political scientist Ivan Krastev, we discussed possible reactions. Mr Pueyo and I discussed the need to have a precise definition of the data gathered by the COVID-19 tracing applications. The aim was precisely to improve public confidence in these applications, which have proved very valuable in the much-needed tracing of those infected with the disease. Until a few weeks ago, I sincerely hoped that this would remain just an intellectual exercise, because COVID-19 would disappear soon. Unfortunately, these days we see that we will have a long time to fight this infection. In the various discussions, I personally came up with the idea that in order to make people trust us, we need to offer them a solution that responds to their worries and fears. One possibility is to create a European rule, which can be called a license that defines the main characteristics of the data that COVID-19 tracking applications use. As a basis for this license, which we can call All-Share-Against-COVID, I would include several elements:
First, the collection of information requires the personal consent of everyone. Second, it cannot be used for purposes other than the purely medical tracing of infected people. Third, the data collected cannot be copied, sold or used by other stakeholders – government institutions or private companies. Fourth, it should be deleted the moment the WHO ends the declared COVID-19 pandemic. I was hesitant to include the requirement for the collected data to exclude the possibility of GPS location data, and movements to be detected only through the Bluetooth technology. This looks like a small and unimportant question but it is actually a vital one and is indicative of how we should regulate data privacy. The question is, of course, whether adding such a requirement will not make the existence of the applications themselves useless. I leave this option opened for a more technical discussion with experts. This is the right approach when we need a very specific knowledge. In this case the experts should determine if the COVID-19 tracing applications could actually function properly without GPS tracing.
In conclusion, I believe that our data protection regulations should be aimed at building trust in our citizens. Second, when we talk about these rules, we must look at them through concrete cases, not only through our ideological stances. The situation with COVID-19 has proved to us that our citizens expect Europe to offer fast, feasible and effective solutions.
Eva Maydell, MEP EPP Group in the European Parliament