Privacy Matters - Also in a Time of Corona
The value of data in fighting the spread of COVID-19 has been emphasised by authorities around the world - from promoting mobile applications tracing the contacts of positive cases, to the exchange of data by researchers. But where does this leave an individual's right to privacy? Wittenborg lecturer Stanley Mbelu (LL.M) co-authored a recent paper on the subject with fellow academic Fortune Nwaiwu from the Tomas Bata University in the Czech Republic. It was published on the Social Science Research Network.
Owner of Data "Vulnerable to Abuse"
Mbelu and Nwaiwu's research shows that there has been a rapid increase in access to sensitive personal data by businesses, third parties and different government agencies, which "in most situations leaves the owner of the data vulnerable to abuse."
"Statistics have shown that Europe has recorded 1.92 million confirmed COVID-19 cases, with an infection rate estimated to be 218 cases per 100,000 population," the paper, entitled Digital Transformation in Healthcare and Surveillance Capitalism: Comparative Assessment of Data and Privacy Protection Compliance across the European Union, reads.
"The need for contact tracing with personal data by businesses and governments to limit, and if possible, contain the spread of the virus is no longer news, as the research will further show. Nevertheless, there is a need to ensure that an individual’s right to privacy must be guaranteed during and after these challenging times of the COVID-19 pandemic.
"Personal health and medical data have acquired considerable bio-value in the digital data economy, because companies have found ways of extracting value from such dataset for commercial purposes - particularly developers sell such data to advertising, medical device and pharmaceutical companies. Another way in which personal data can be exploited and abused is through the use of repositories of data about people’s sexual activities and preferences, body weight or health conditions can be used to target them for social shaming, exclusion or denial of insurance, credit or employment opportunities."
The paper cites a case in Germany where politicians were re-identified by journalists through a browsing history dataset of 3 million German citizens, which was supposed to be anonymous. "They were able to uncover not only their medical information but sexual preference as well, thus defeating the sole aim of data anonymous in the first place."
The paper also touches on the proliferation of self-tracking devices. "There are over 160,000 health and medical apps on the market. These apps help the users collect data on issues such as counting calories, fitness tracking and menstrual cycle tracking and a host of other vital healthcare data.
"The types of personal information about people’s bodies that are collected by self-tracking practices can be highly sensitive and revealing of aspects that people may not wish to disclose to others. Personal data has a ‘capacity for betrayal’, and it can be ‘disloyal’. Health and medical data are primary targets of cyber criminals and hackers who use such data for fraudulent activities; breaches of medical and health database which may affect data repositories of major hospitals and public health agencies and health tracking apps frequently occur."
In the European Community, protection of personal data is a fundamental right, further strengthened by the General Data Protection Regulation (GDPR), which came into force in May 2018. The GDPR clearly states that health-related personal data must be treated and handled as sensitive information.
"In this era of digital economy, adherence to the GDPR by all parties is more important than ever," the paper argues. "As businesses and governments rely heavily on private data to track or monitor the health of the people, including their movement and habits, or to develop and modify existing business models, and to discover new market opportunities, such and all similar approaches should be in-line with the above-mentioned regulations, charter and treaty."
Though the GDPR states that any entity which does not comply with the regulation will be fined up to 4% of their annual global turnover of the preceding financial year or €20 million (whichever is greater), the paper questions whether this clause in the regulation will be enough to ensure compliance within the sector.
by James Wittenborg