“Preparing for Better Times: Restoring Data Rights in the Post-Pandemic World” was the provocative title that pulled me out of bed before 5 a.m. on Thursday, April 23. Open Institute and DataReady brought together folks from across at least 11 time zones for a virtual forum.
Why would I set my alarm for 4:30 a.m. for this? Because using data to fight COVID-19 involves the most fundamental of issues — life or death decisions and individual liberties. And as someone who best builds ideas in the company of others, the chance to engage with the impressive panelists was a welcome change from isolation-induced stagnation. A huge thanks to Al Kags of Open Institute and Tom Orrell of DataReady for hosting the forum and for helping us build ideas together.
Data about people is at the center of the coronavirus response in every country. Together with testing and treatment, knowing where sick people are, and how they are moving to potentially spread the disease, is our only hope of getting out of social distancing alive. Yet once the floodgates of sensitive personal information are open, it can be hard to control how it is used. This has plenty of people worried and focused on what we can do now to ensure data and privacy rights are intact after the crisis response is over.
“We don’t need to create a data crisis to solve a health crisis,” argued ‘Gbénga Ṣẹ̀san from Paradigm Initiative in Nigeria. But many governments, afraid, without precedent, and some with autocratic tendencies, are hurtling into a COVID-19 response.
In some countries, laws, such as the European General Data Protection Regulation (GDPR), set guidelines for this reconciliation. However, in many places these guidelines don’t exist or are weak. While 32 African countries have data protection laws on the books, and five more have them underway, many fewer have the authorities and structures in place to implement and enforce these laws. This fragile policy environment is what makes Alice Munyua, policy advisor at Mozilla, worry that “we could find ourselves inside a huge surveillance experiment that has no limits and no returns in terms of public health and safety.”
Teki Akuetteh Falconer, executive director of the Africa Digital Rights Hub, argues that “policy makers should not be choosing emergency laws over human rights or privacy rights. We need systems in place so these work together.” This requires not only having the right laws in place, but also having the right people around the table, she argued. “This is a time for governments to lead, but also a time for governments to surround themselves with the experts who can help drive this in a way that is fair and balanced,” including data protection officers and regulators, cybersecurity experts, and data scientists.
So, how should governments — and the experts and advocates surrounding them — use data during the coronavirus response in the most privacy-preserving ways possible? And how should they be preparing now to later walk back any intrusive uses that might be justified during the crisis?
Takeaways from leaders at the #RestoreDataRights virtual forum
These questions and many more were at the center of Thursday’s virtual forum. I took away six big messages from the brilliant minds gathered together via Zoom, YouTube and Slido last week:
1. Set your boundaries and your boundaries will set you free*
Mike Pisa, policy fellow at the Center for Global Development, argued that an important early lesson from this pandemic is that robust data protection frameworks like the GDPR have demonstrated enough flexibility to allow for useful innovation in a very short timeframe. Many countries have been able to generate the insights they need by collecting and processing data in ways consistent with GDPR requirements. Others have used their emergency powers that allow processing of sensitive personal data without consent for reasons of public interest including health and security, as long as measures are proportionate and reversible. “The framework, as designed, is bending but not breaking,” Pisa argued. “GDPR is not only allowing for innovation during the crisis, but it is also making innovation easier to carry out because it draws a clear line on the use and reuse of data.” In countries that don’t yet have relevant laws, people will be left guessing where the line is. In some cases, governments are “engaging behind closed doors, and that is just not the way to build trust.” As a first step, governments must open these doors of decision making and should, at the very least, apply the principles of “necessary,” “proportionate,” and “temporary” to any coronavirus-related data use.
Frederic Pivetta, managing partner with Dalberg Data Insights, agreed. “For the health crisis, there is no reason for violating privacy or individual data.” Contact tracing is a good example, he argued. “Many people go completely crazy on contact tracking. It is not a silver bullet,” and is only relevant at certain phases of the response and if paired with robust testing protocols. During the containment phase of the response, he argued, tracking macro-mobility patterns is possible by using aggregated, anonymous telecommunications data; using personally identifiable data is not necessary or proportionate at this stage. And even when tracing is called for, there are ways to do it that maintain personal privacy, such as Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) or anonymous citizen-driven contact tracing.
2. Each national response must be tailored to its context
How and when to implement contact tracing is a fast-moving and quickly evolving debate in many countries. Just over the weekend, Australia started rolling out a centralized, Bluetooth-based contact tracing program, and Germany abruptly changed course away from a PEPP-PT model to a “strong decentralized” approach, deviating from its European neighbors. The message is clear – each country has to do what is right for its context.
This rapid evolution of contact tracing approaches, and the need to tailor them for each country, underscores the importance of governments surrounding themselves with experts that are embedded in and deeply familiar with the national context — what legal and regulatory frameworks guide (or don’t) the coronavirus response, what technology is available (definitely not smartphones and Bluetooth in many places!), how social norms and economic conditions dictate behavior, whether and how testing will be possible, which human rights issues are particularly acute, and so on.
National advocates and media also need to be alert. If the contact tracing debate absorbs all the attention, it will be easy to take eyes off other country-specific concerns related to data misuse in the context of COVID-19. If, for example, a ministry of health or telecommunications company collects and shares personal data in the name of the response, but this data is later used by a police force for disproportionate crackdown on marginalized populations, like minority groups or refugees, this story must also be told.
3. Get concrete about trust and accountability
The lines that governments draw, and the principles they apply, must be visible to citizens to foster trust. In the context of COVID-19, citizen trust in government can be a matter of life and death, Pisa argued, because “the warier people are about how their health information is used, the less likely they are to interact with the healthcare system.” In addition, he pointed out that many of the digital tools being debated as part of the COVID-19 response (such as contact tracing apps) require people to opt into their use, so lack of trust will directly influence how useful the tools are. Munyua believes the risks created by distrust go well beyond the crisis. “If governments abuse data and botch surveillance efforts, it will undermine citizen trust in data-based initiatives” that are an important part of a growing digital economy.
Pivetta recommends that governments establish ethics committees to guide their use of data during the COVID-19 response. These committees could complement (or help fill gaps in) any existing legal or regulatory structures and could include non-governmental members with expertise in epidemiology, philosophy, public health, ethics, and so on. He argued that the private sector also has a role to play in fostering trust, as well as clear incentives to do so. Telecommunications firms, for example, have reputations to uphold, and are playing the long game in countries with respect to attracting customers, so they don’t want to lose their trust. (Indeed, in the case of Germany mentioned above, Apple apparently played a role in the country’s policy shift.)
4. Employ the policy tools you already have
“Ensuring digital privacy is not just a matter of technology,” argued Munyua. “It is a matter of rules, policy, oversight, and stewardship.” Even when data protection regulations and authorities are not fully in place, there are plenty of traditional policy tools that can serve governments in managing data use at this time.
Pisa cited a recent paper by the Ada Lovelace Institute called “Exit Through the App Store,” a rapid evidence review of the technical considerations and societal implications of using technology to transition from the COVID-19 crisis. It recommends embedding accountability into legislation that guides governments’ crisis responses, including by explicitly limiting how data is used, delineating who has access to it, when it will be deleted, and how the impacts of its use will be assessed after the crisis. And like almost every speaker at the forum, the paper recommends opening all digital tools to scrutiny including through multi-stakeholder advisory groups, and making source code open.
Jessica Espey from the SDSN Thematic Research Network on Data and Statistics (TReNDS) argued that governments and private sector firms can use contractual agreements for data sharing to apply the principles of “necessary,” “proportionate,” and “temporary.” Sunset clauses enshrined in contracts can be used as one tool to restore data rights after a given period.
Both Espey and Shaida Badiee of Open Data Watch encourage countries to turn to the UN or regional bodies that help harmonize policy and standards in other areas. For example, the EU is helping European countries negotiate together with telecommunications firms to establish common terms for access to data used in the COVID-19 response. They argued that the UN Economic Commission for Africa or the African Union could help both negotiate terms at a continental or regional level, and help ensure that these agreements, and any wind-down clauses, are upheld.
5. Start with the end in mind
“Accountability is more than just winding down,” argued Munyua. “It requires a cadence of regular public reporting, and possibly an independent third-party entity that can hold both public and private sector accountable” throughout and after the crisis response. Tom Moultrie from the University of Cape Town agrees. “After the fact it is hard to get the genie back in the bottle, so accountability for data use has to be continuous and subject to ongoing reevaluation,” and planned from the outset. This includes planning for regularly inspecting data sharing agreements, up-front creation of sunset clauses and data deletion agreements, ongoing disclosure of how data are used, and early establishment of plans for post-crisis audits of how data were used. In this spirit, Moultrie called for “post-COVID data compacts” to document government commitments to a retrospective look at how data was used during the crisis, to walking back any intrusive uses justified by the crisis response, and to full restoration of data rights.
6. Come together to be stronger
Despite the concerns that occasioned this forum, many panelists also see opportunities.
Houghton has been moved by the sense of generosity and conviction he has seen among Kenyan citizens during the crisis, and sees opportunities for increased civic engagement. He described town halls that used to attract just handfuls of people when live are attracting hundreds when virtual. Real-time reporting of human rights violations has gone up dramatically. He sees a “huge moment to catalyze more citizens to take more interest in governance issues.”
He and Pivetta both see a potential to accelerate data literacy and collaboration. Houghton sees an “opportunity to bring data techies together with ordinary citizens to give them the tools to both monitor and speak back to duty bearers.” Pivetta sees “tremendous opportunity to create data and technology ecosystems in countries that bring institutions to the next level, both from regulatory and legal perspective and the digital perspective.”
As this swirl of issues came forth over Zoom, I kept coming back to Falconer’s early comment – this is a time for governments to surround themselves with experts.
The coronavirus crisis is accelerating government decision making, all under uncertainty and extreme complexity. This is true not just for decisions around safe and responsible data use, but also on public health, fiscal policy, education planning, food security, regional trade and migration, and social safety nets. As an advocate for evidence-informed policymaking on efficiency and moral grounds, and a champion for investing flexibly in local policy research institutions, I can’t help but see this as a time of increased urgency for the scholars, advocates, and policy research institutions in each of the affected countries. This is your greatest moment of service.
* I attribute this phrase to Paul Brest, former president of the William and Flora Hewlett Foundation, passed along to me by former colleague Dana Schmidt.