23 / 03 / 2021
One year on: prevention is better than cure when it comes to protecting privacy
André Thompson, Privacy Counsel and DPO, Trūata
In little over a year, the dynamics of the workplace and everyday social interactions have been completely transformed. The Covid-19 pandemic has had far-reaching implications across society, and privacy concerns have been thrust into the spotlight. Data and analytics programmes, which were introduced to help combat and curb the spread of Covid-19, have the potential to present future privacy risks if adequate safeguards are not put in place to avoid the potentially excessive collection and unlawful repurposing of personal data.
What do such dramatic societal shifts mean for personal privacy?
The right to privacy can be traced through international conventions and agreements such as the 1948 Universal Declaration of Human Rights, the 1950 European Convention on Human Rights, the 1981 Council of Europe Convention 108 and, most recently, the 2000 Charter of Fundamental Rights of the EU. None of these, however, could have foreseen a time when everyday activities—our work, education and social lives—would, almost overnight, become largely dependent upon digital platforms. The pandemic has accelerated digital adoption and online tools now play a pivotal role in our day-to-day collaboration and communication.
Individuals and organizations have had to adapt rapidly to working in virtual environments, which has created a reliance on software vendors to facilitate remote working; however, many of these companies have yet to look at how the adoption of certain technologies is impacting, or will impact, employee privacy. Recent research by Gartner found that less than 50% of employees trust their organization with their data, and 44% are not receiving any information regarding the data that is being collected about them. Not only should organizations be considering the inadvertent harm that may be caused through surveillance and monitoring tech, but they also need to understand that the law will soon catch up to address such issues; what may have become the ‘tolerated exception’ excused by a pandemic will not become the ‘accepted norm’ in a privacy-conscious society.
Have we opened the back door to privacy invasion?
When writing their hugely influential article for the Harvard Law Review in 1890, Supreme Court Justice Louis Brandeis and his friend, Samuel Warren, advocated for “the right to be let alone” when new technology threatened personal privacy. Brandeis and Warren were, at that time, referring to the handheld camera that gave rise to the evolution of photography, and they articulated that such technology was “opening the back door” to privacy invasions when the front door had been closed by the law. While such innovation at that time was markedly different to videoconferencing software and the use of AI for productivity measurement and pandemic modelling, this statement resonates powerfully with the ‘new normal’ we find ourselves living in today. Despite the introduction of robust privacy and data protection laws, such as the GDPR, individuals are allowing themselves to submit to monitoring and data sharing about their habits and behaviors like never before. This gives rise to the fear that, despite the strong data subject rights and organizational compliance requirements set out in new global privacy laws, the use of these new technologies, whilst in accordance with the law, will not be in the spirit of the law or may veer into unethical territory.
Data protection strategies should be proactive rather than reactive
The GDPR can address some of the concerns that have come to the forefront of COVID-led conversations around data, for example requiring that organizations embed ‘Data Protection by Design’—referred to internationally as ‘Privacy by Design’—into their products and services. Organizations, therefore, need to ensure that all data is protected to the highest standards, whether employee or customer data, and seek to limit the secondary use of personal data to purely legitimate purposes which are compatible with the original purpose of collection.
No matter what the use case, understanding the data and the level of risk that lies within it will be crucial to organizations that intend to proactively tackle privacy concerns and leverage the true value of the data they have at their disposal. The definitions of “personal data” in modern privacy laws are expansive and encompass not only direct identifiers but also indirect identifiers, also known as quasi-identifiers, which, when taken together, can form a granular view of a specific individual’s behavior. These quasi-identifiers are frequently hidden in vast datasets and require re-identification risk assessments in order to fully and adequately understand the risk associated with compliance with the GDPR and other laws that now make up the ‘global privacy framework’. In order to catch up with the pace of their digital transformation and ensure lawful data use, organizations must simultaneously look towards ready-built privacy tech solutions that can balance data utility with privacy.
Move forward with ethical awareness
With such dramatic shifts in the way that we work and conduct business, it is imperative that organizations understand that the ‘value of data’ will, moving forward, be defined by the value they place on privacy. The growing levels of regulatory action being taken against those who fail to comply with data protection and privacy laws will only increase in the wake of a pandemic that has seen individuals having to provide more and more personal data just to conduct everyday activities that wouldn’t normally require technological intervention, let alone surveillance or monitoring. To adopt a complacent approach to data strategy, even for those who are not too far along the data maturity curve when it comes to business strategy, will see many organizations struggling to manage reputational damage from the fallout of unlawful or unethical data use.
To some extent, the pandemic has enabled organizations to hide behind a new-norm naivety, but the post-pandemic world is set to be far less forgiving as individuals increasingly push for clarity around the vast amounts of data gathered and stored over the past year. Organizations must think carefully about what they are doing with the personal data of both consumers and employees to ensure that reasons for such data use are both legitimate and ethical. Just as they have adopted new technologies to pivot and grow in a time of crisis, they must also adopt privacy-enhancing data-processing strategies if they wish to take a risk-averse approach to business that keeps them, along with their customers and employees, out of harm’s way.
As Supreme Court Justice Louis Brandeis stated, “the greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding”. With that said, only when organizations understand and objectively measure the potential risks that hide within their data lakes can they mitigate such risks and assure all stakeholders that protecting privacy outweighs commercial growth, while also understanding that it is through protecting privacy that commercial growth will flourish in a data-led economy.