‘Don’t let privacy stand in the way of controlling COVID-19 pandemic’

What’s all the fuss with contact-tracing apps, asks lawyer and University of Malta lecturer Mireille M. Caruana, who is standing up to privacy campaigners on opposition to the use of mobile phone apps to trace people who might have contracted COVID-19.

“If we let privacy stand in the way of effectively controlling a pandemic, we would be doing nothing more than giving privacy a bad name. Yes, crises like the 9/11 terror attacks or the London bombings have sparked surveillance legislation in the past. But the fundamental rights to privacy and data protection are not absolute. We give up some of our privacy to feel safe and secure all the time,” Caruana said, in a reaction to an interview that United Nations Special Rapporteur on the Right to Privacy Prof. Joe Cannataci gave to MaltaToday.

“You agree to constant monitoring on the London Underground if it means you are safe. This poses challenging questions about trade-offs. Governments are tasked with ensuring fundamental rights while promoting other countervailing public interests like public health and, ultimately, the right to life.”

What Apple and Google have proposed

Contact-tracing apps could be used as a public health initiative to combat the spread of COVID-19, by registering other users who came in close contact with a person who contracts COVID-19, by sending them a notification and asking them to self-isolate.

But privacy advocates like Prof. Joe Cannataci have described smartphone and other contact-tracing apps as potentially being “amongst the most privacy-intrusive developments in technology in the last twenty years”.

“Unless they are deployed very carefully and within the tightest of constraints, they could be abused in order to introduce a level of surveillance which would make Orwell’s Big Brother look like a forgetful kindergarten assistant,” Prof. Cannataci said.

Now working on a study to be presented to the UN General Assembly in October, Prof. Cannataci also raised questions on whether governments would even think of mothballing contact-tracing technologies after COVID-19. “It’s the control-freak’s dream scenario and potentially a human rights nightmare,” Cannataci stressed, warning that “it can make a totalitarian ruler’s dream of absolute control come true”.

At the core of the debate is whether the interference with human rights are justified and whether that interference is proportional to the aims of states faced with an unprecedented public health crisis.

“The extent of privacy invasiveness of a contact-tracing app is very much dependent on its in-built features, the system underlying the technology and how it is actually deployed. But in order to comply with the GDPR, certain legal tests must be satisfied,” Caruana said, outlining an exhaustive list of criteria which she says would limit the invasiveness of the app.

“Contact-tracing apps could be a vital tool in keeping the right people at home as governments look to start their economies back up again. Therefore, deployment of these tools must be undertaken quickly and without all the necessary evidence to justify their invasion of our privacy,” she insists.

She also said privacy advocates would be unreasonable in insisting that an app should not be deployed unless there is conclusive evidence of its efficacy in stopping the spread of COVID-19.

“But what if it did significantly arrest the impact of COVID-19? Most people would conclude that the interference with our right to privacy would have been justified. While the ringing of a precautionary bell may well be expected, it would be wrong to assume that all contact-tracing apps are a disproportionate or an unjustified interference with our fundamental right to privacy,” she said.

Caruana said that what is of utmost importance with such contact-tracing apps is transparency and accountability: a detailed description and information about in-built privacy and security safeguards must be made publicly available and analysed. Even the source code should be made available, and that the government heeds the advice of any such data protection impact assessment.

“The Information and Data Protection Commissioner’s Office should have an enhanced role watching the implementation closely, auditing the system, and investigating any complaints from the public.

“The deployment of contact-tracing apps will require an unprecedented act of trust by users. Protocols should be followed to ensure fundamental rights are protected and law should be enacted to put the app’s use on a lawful basis. But if the app does what is promised, trusting technology will have played a fundamental part in controlling a pandemic. What we should avoid doing is enacting new surveillance laws in a time of crisis that actually outlive the crisis itself.”