This is the first global pandemic of the digital age. In China, where Covid-19 originated, some local governments launched their own health code apps and accessed users’ GPS location data to track the development of the virus. Telecommunications companies collaborated with local governments and provided users’ location data. This had human rights ramifications. For example, it was reported that Hangzhou citizens could be barred from workplaces and highways based on the colour of their health code. This raises questions about potential discrimination and the associated mental stress, as the health code algorithms are opaque.
As the coronavirus continues to spread in the UK, Continental Europe and the US, researchers and scientists in the West are now evaluating some of the methods adopted in Asia. These include contact tracing apps and health data sharing, which are common in China, Singapore and South Korea. This has far-reaching implications for civil liberties. Under new state of emergency powers, to what extent has there been independent scrutiny of the ethical and social aspects of these methods?
Data privacy intrusions
In recent years, technology companies have been castigated for their failure to respect data privacy. For example, Facebook paid a record-breaking US$5bn fine to settle Federal Trade Commission charges in relation to its violation of users’ privacy in the 2018 Cambridge Analytica scandal. Aside from the financial impact, companies have to work hard to regain customers’ trust and their social licence to operate.
China has witnessed a similar trend. In early 2018, users of Alibaba's affiliate Ant Financial criticised the company for signing them up to Zhima (Sesame) Credit, its social credit scoring system, by default. In the same year, Chinese state media widely reported an online backlash against Robin Li, Baidu's founder/CEO, for his comments that Chinese people were willing to give up data privacy for convenience. In March 2019, mainland Chinese media reported a customer’s complaints about suspected eavesdropping by Meituan, a food delivery app. And according to iiMedia Research, 97% of Chinese apps have now obtained permission to access the user’s camera by default, some 95% get access to the GPS location, 85% access voice recording, and 35% the user’s contacts.
The regulatory response
In response, regulators have sought to crack down on abuses. In Europe, the General Data Protection Regulation (GDPR) came into effect in May 2018 to enhance public awareness of data privacy as a human right. And in late December 2019, the Cyberspace Administration of China (CAC) finalised its data privacy law for mobile apps’ personal data collection. Since November it has punished at least 100 apps across e-commerce, banking and other sectors for incorrect collection of personal data, lack of privacy agreements or ambiguous rules.
However, some governments are now piggy-backing on technology companies’ offerings to manage their response to the pandemic. In the US, it is reported that a White House taskforce has reached out to health technology companies to create a national coronavirus surveillance system in order to track cases. Google and Apple are reportedly collaborating on contact tracing to help in the fight against the pandemic. Are we now seeing policymakers formally endorsing the “trade-off” between privacy and convenience/utility, in the name of national security? Health privacy laws usually grant broad exceptions for this purpose, but should users accept this?
Some epidemiologists argue that contact tracing apps can only be effective when the adoption rate exceeds 60%, but the desired uptake has not yet been achieved even in countries like Singapore, where a compliance culture is strong.
Meanwhile, Chinese regulators continue to monitor companies’ intrusion into users’ data privacy, especially health apps, amid the Covid-19 outbreak. In March, the CAC published an article on its official WeChat account to highlight its evaluation of health platform apps. Many fell short of the regulator’s expectations in terms of purpose limitation, user consent and data minimisation.
We will continue to engage with technology and healthcare companies globally to ensure they are aware of this complex topic and demonstrate their commitment to upholding basic human rights principles. However, as individuals, we will need to consider the tension between our personal rights to data privacy and the greater public good.