Contact tracing is a legal minefield for businesses
In the age of Big Data, where the always-on digital assistant and ever more intrusive geo-tracking technology reign, it is perhaps inevitable that our efforts to control Covid-19 seem to depend on developing technology to monitor individuals’ movements.
Every wave of innovation that has birthed these technologies has brought with it fresh regulatory concern. The most recent results are the much-vaunted General Data Protection Regulation (GDPR) and California Consumer Privacy Act. Further GDPR-style laws are in the pipeline across the US and in other countries.
Yet although privacy has rapidly risen up the political agenda, we now find ourselves at a critical juncture: the near unprecedented global rollout of contact tracing technology is set to fundamentally test the extent of data protection regulators’ teeth and, by extension, whether our data is truly safe.
The debate is neatly captured by the responses to the NHS’ app, an early version of which was trialed on the Isle of Wight, with the new version now being developed by Big Tech (Apple and Google). Hailed as “ground-breaking” and “pioneering” by supporters, and “intrusive” and “potentially unlawful” by detractors, it has also been branded “the normalisation of surveillance” by the Human Rights Foundation.
But crucially, it is not just pandemic-stricken governments that are pushing contact tracing. Across the world, as we enter the early stages of the “return to work” odyssey, workplace technology is looking increasingly attractive to many businesses — not least employee tracking sensors, to help demonstrate adoption of social distancing measures.
However, though certainly helpful to reduce some liability, such technology comes with its own risks.
For a start, it could prove a financial liability to businesses, through data law fines, if the process is not managed correctly.
Moreover, the wholesale emergence of such tech, be it within the workplace or without, will heighten concerns that we are sleepwalking into a surveillance society. Indeed, even before the outbreak of Covid-19, Barclays saw its employee monitoring system fall victim to a global employee pushback.
Most policymakers appear to share these concerns, and have long used them as the basis of regulation. It is in such a vein that the European Commission and the European Data Protection Board issued guidance heavily restricting use of contact tracing apps.
But though the guidance has clarified some issues (not least that the use of apps is voluntary and that they must be dismantled at the end of the crisis), important questions still abound.
First, although the government pledged that data collected by the abortive centralised app would “either be deleted or fully anonymised in line with the law”, the Joint Committee on Human Rights had said that further legislation is required to ensure the total deletion of data. This issue is only complicated by Google and Apple’s decentralised model, not least as French authorities have pressed the tech firms to actually relax their privacy protections.
Another area of concern for many employers is treatment of manual data logs or other forms of surveillance. It’s difficult to escape the sense that we are entering into some legally uncharted waters, perhaps typified by the fact that the Isle of Wight trial was launched before the Information Commissioner’s Office received an impact assessment for NHSX.
Regulators are also facing obstacles in the battle to curb corporate overreach in the use of consumers’ data. Equipped with large legal war chests, Big Business has been able to appeal fines and seek to pit regulators against one another. So far, not a penny of the multi-million pound British Airways fine has yet been paid, and some are saying the GDPR has been left looking like a paper tiger.
The rollout of contact tracing apps, or similar tech, could accentuate this challenge. The UK now has over 25,000 contact tracers ready to collect data, but only 22 technical experts at the UK regulator (the Information Commissioner’s Office) to police this.
Before the pandemic, plans were afoot to launch a coordinated fightback, with regulators intending to pool resources to allow them to match the legal spending capacity of big business. Covid-19 might have put the kibosh on such moves, and for now the big question is how to police new, sensitive data from a huge chunk of the population.
What can be said, however, is that a regulator fightback of some degree will occur, whether through enhanced resources or powers. It is vital, therefore, that any business looking to implement workplace tracing tech ensures its data privacy compliance is fully up-to-date.
Given how local and government guidance keeps changing and is often contradictory, it would be dangerous to assume you can rely on an announcement or speech to justify surveillance or re-opening steps taken, if not in compliance with data and other laws. Unless these laws are actually repealed, businesses in breach will still be in the firing line.