Can governments track us? Is this throwing the GDPR out of the window?
The short answer is: yes they can, and no it's not. BUT, this is only the case provided the requirements for the processing are met.
Is the criteria being met?
Lawfulness, fairness and transparency: The data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
At the moment there seems to be a lot of noise and confusion about what data will be collected, why and for how long. Governments must be transparent in order to build trust. The damage they can do by destroying the trust that companies have worked to get all these years is incalculable if the fear of a Big Brother state is embedded into our cultural consciousness.
Purpose limitation: Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
As above, it is unclear and there seems to be disparity in each country. Some countries (like the UK) are talking about using anonymous data (out of scope of the GDPR). Privacy professionals and regulators have been debating the definition of what is anonymous for over than a decade. If this nut has been cracked, it will have a crucial impact in businesses worldwide.
Data minimisation: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
This is the point that needs to be examined carefully, can governments explain why they need each bit of information. Have they carried out a DPIA and if so, is this available for review.
Accuracy: data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
If they want to identify a person through a device, say a smart phone, can they be sure it's me leaving the house because i'm carrying it? This is particularly relevant in countries where strict quarantine (and hefty fines for breaking it) are in place.
Storage limitation: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Crucially - how long will this information be kept for. Some countries are being very clear about this (30 days being the norm). Others are vague. The interim nature of this processing must be clear from the outset to gain user trust.
Integrity and confidentiality: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
We are seeing more and more incidents and attacks during the Covid 19 crisis - can governments be sure they can keep the data safe.
And a thought for any companies who are asked to disclose data - have a listen to our podcast on disclosure, remember your company will be held accountable for what it decides to disclose, and reputational damages may follow if you get it wrong.
Tech companies, governments, and international agencies have all announced measures to help contain the spread of the COVID-19 virus. Some of these measures impose severe restrictions on people’s freedoms, including to their privacy and other human rights. Unprecedented levels of surveillance, data exploitation, and misinformation are being tested across the world. Many of those measures are based on extraordinary powers, only to be used temporarily in emergencies. Others use exemptions in data protection laws to share data. Some may be effective and based on advice from epidemiologists, others will not be. But all of them must be temporary, necessary, and proportionate. It is essential to keep track of them. When the pandemic is over, such extraordinary measures must be put to an end and held to account.