Data Privacy and Protection in the ‘New Normal’

Year: 2021


The global outbreak of Covid-19 has sparked fierce debate on how governments should balance effective disease containment with the need for data privacy in the current environment. While increased data collection and surveillance of citizens may seem justifiable during a public health crisis, countries display huge differences in how they use citizens’ data to fight the pandemic.

On one end of the spectrum, countries like China and South Korea seemingly collect their citizens’ entire digital footprints. Similarly, in Singapore, it is compulsory for residents to download contact-tracing applications to be able to access public places such as workplaces, schools and malls.

On the other end, countries like the United States make use of private-sector based applications that are completely voluntary, requiring the consent of the individual. Likewise in Germany, Switzerland and Estonia, the contact-tracing applications adopted use fully anonymised data, and are therefore less privacy-invasive.

Correspondingly, data privacy and protection laws vary from territory to territory. Since the start of the pandemic, many legislators have been pressured to override existing data regulations to cope with the spiralling infections.

``In the event of a Covid-19 case, relevant personal data can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.``

From Personal Data Protection Commission, Singapore

Now that countries are entering into the endemic stage, policymakers again need to review such laws amidst citizen demands for greater data privacy and protection. In this article, we discuss:

  • What exactly constitutes data privacy and why is it important
  • The debate surrounding data privacy versus public health
  • Erosion of trust caused by data collection and use
  • Key considerations for data privacy as we move towards a ‘new normal’

Data (or Information) Privacy

What is Data Privacy?

In simple terms, data privacy is concerned with the proper handling and protection of critical personal information. This is also known as personally identifiable information (PII) and personal health information (PHI), which includes credit information, medical records and social security numbers, among other things.

Data privacy therefore involves several aspects, as illustrated in the figure below.

Key Components of Data Privacy. Source: Future-Moves Group

Why is it Important?

According to the United Nations, privacy is considered a fundamental human right. Data privacy is important because personal data can be misused if not kept private. Recognising this, almost all countries and territorial regions have established rules governing the collection and handling of personal data.

These laws protect individuals from privacy infringements, identity theft, fraud, uninvited surveillance, and unwanted marketing and advertising. For example, the European Union has initiated the General Data Protection Regulation (GDPR) while ASEAN has introduced the Framework on Personal Data Protection.

Moreover, in today’s digital economy, individuals must trust that their personal data will be handled with care before they are willing to engage online. Likewise, during a pandemic, individuals may be willing to surrender personal data only if it is used for the sole purpose of fighting the novel coronavirus.

Data Privacy vs Public Health – Irreconcilable?

Data is Critical During a Pandemic

It is important to note that one’s right to data privacy is not absolute. There will be circumstances – such as during a pandemic – where public health is given greater priority over individual rights.

In managing a complex emergency like Covid-19, governments rely heavily on real-time, varied and mass volumes of data to formulate effective policies. Therefore, data is extremely crucial in allowing us to have an accurate assessment of the current situation and make evidence-based predictions about the spread of the disease.

Nevertheless, much controversy has surrounded the ways in which personal data is collected and handled by governments for the purposes of contact tracing. While they constitute effective ways to track infections and isolate individuals, these methods are often privacy-invasive.

In South Korea, for example, the Ministry of Health and Welfare (MOHW) and the Korea Center for Disease Control and Prevention Agency (KCDA) can collect and share up to 7 types of data pertaining to infected individuals (or those suspected to be infected) during a serious outbreak.

The information collected is striking by its breadth. Government authorities can access personal data from various sources – immigration services, mobile phone carriers, health care providers, health insurers, credit card and public transit companies.

Covid-19 Contact Tracing in Korea. Source: Park, Choi and Ko (2020)

Korea is not the only country to adopt such a centralised system of data collection. The governments of China, Kenya and Turkey too have taken similar interventionist approaches.

While true that governments can justify the collection of personal data in extraordinary times on the basis of protecting public health, what about the concerns of citizens? How do they weigh the rights of individuals (i.e. data privacy) against the needs of society (i.e. effective disease control)?

East-West Divide on Data Privacy

Some political commentators have alleged that privacy concerns are more paramount in Western democracies, as they are perceived to be “fundamental civil liberties”.

In contrast, as non-Western societies tend to have collectivistic cultures whereby the collective good supposedly triumphs over individual freedoms, data privacy takes a back seat.

“There is likely a fundamental conflict between these requirements and deeply entrenched Western liberal values, such as the expectation of privacy, consent and the sanctity of individual rights.”

From Lee Kuan Yew School of Public Policy

This has led many to believe that data privacy is a more contentious issue in the West than in the East.

However, this is not necessarily true. In Singapore, a petition against wearable devices for contact tracing was signed by around 30,000 people. In addition, many Singaporeans voiced their dissatisfaction and disappointment after the government backtracked on its previous statements regarding the TraceTogether App. In January 2021, the government admitted that – contrary to initial assurances, application data could in fact be obtained by the Singapore Police Force for criminal investigations into serious offences.

A Question of Trust

It is important to note that the key issue in the Singapore case is not just that of privacy infringement, but the erosion of trust as the public perceived the government to have failed to commit to its initial promise.

In fact, some independent privacy organisations had reported that TraceTogether is one of the “least intrusive” contact tracing applications in Southeast Asia. However, the inconsistencies in policy communication had inadvertently undermined the government’s credibility.
This case reflects the challenges of enacting foolproof solutions during crisis times, as well as the importance of ensuring transparency in data privacy and collection policies.

Such privacy concerns are echoed in other countries too. In Israel, the High Court had ruled in 2020 that its large-scale coronavirus surveillance and tracking “severely violates the constitutional right to privacy”. Elsewhere, Hong Kong residents flocked to purchase cheap burner phones in a bid to circumvent new contact-tracing requirements announced by the city government.

Evidently, even within non-Western states, data privacy matters.

It is entirely plausible that some states could take advantage of emergency situations such as Covid-19 to engage in disproportionate data collection. Fears that such technologies will lead to greater systems of social control post-pandemic are not unwarranted.

To further illustrate, China not only collects citizens’ location data and self-reported medical history to track and isolate cases, but goes a step further. It uses such information to assign a risk score or health code (with different colours indicating the level of risk) for individuals. This code then determines their access to public facilities and public transport.

China’s Health Code. Source: Center for Strategic and International Studies

The health code clearly takes its cue from China’s social credit system (SCS), which uses big data and largely opaque algorithms to rate citizens based on their level of ‘trustworthiness’. Much has already been said about how the SCS will negatively impact data sharing and privacy.

Ultimately, concerns over privacy violations are universal. While some governments have sacrificed a degree of data privacy for the sake of greater disease control, this does not mean that citizens by virtue feel the same way.

Can We Achieve the Best of Both Worlds?

So, how can societies strike the right balance between private and public health interests? A number of possible solutions aimed at reconciling data privacy with the collective public good are discussed below.

First, in countries where collection of personally identifiable information faces high resistance from society, decentralised applications such as Google-Apple’s Exposure Notification (GAEN) may be a good alternative for governments to consider.

Compared to centralised applications like Singapore’s TraceTogether – where information is shared with the Ministry of Health when an individual is confirmed to be infected – the GAEN ensures that personal data (e.g. where and by whom an individual has been exposed to) is always kept in the phone.

As such, the latter solution offers a higher degree of privacy and anonymity, and assures citizens who may be wary of state surveillance. Countries who support the GAEN as part of their country’s disease containment strategy include Switzerland, Canada, Ireland and Finland.

Second, in countries where citizens must surrender data to the state, governments should have safeguards in place to protect them from unwarranted state surveillance. For example, the data collected by the KCDA can only be assessed by a select number of epidemiological investigators – access is denied to any other government agency – and the data is thereafter deleted after 14 days.

Finally, should there be any exceptions made to data collection, privacy and protection laws during times of crisis, these should be clearly communicated. This ensures transparency and accountability on the part of the government, building trust in institutions that are spearheading national data collection efforts for the social good.

Note: Decentralised applications are not without shortfalls. Their dependence on voluntary consent (i.e. possibility that individuals may choose not to isolate oneself or be tested when notified of exposure, or not download the application at all) may prove to be a limitation in containing the spread of Covid-19.

“Privacy International has stated that measures required during the Covid-19 pandemic should be temporary, necessary, and proportionate, and must be ended when the pandemic is over.”

From Nageshwaran, Harris, Guerche-Sebain (2021)

Conclusion: What Comes Next?

As Covid-19 heedlessly swept across the globe in early 2020, various contact-tracing strategies were hastily introduced to cope with the fast-evolving crisis. As such, accompanying regulations on data collection were passed quickly in an attempt to combat the spread of cases. There was not enough time to fully deliberate on how these measures would implicate data privacy.

Now that countries have learnt to “live with the new normal”, it presents a good time for policymakers and privacy professionals to relook and review existing data protection and privacy laws. The introduction of vaccinated-travel lanes and vaccine passports will add to the challenge. It will not be easy for different jurisdictions to come to a consensus on how to manage the personal data of travellers.

Looking beyond Covid-19, in an era of “Big Tech”, the issue of data privacy will become more salient than ever before: Edward Snowden’s revelations, the Facebook-Cambridge Analytical data scandal, the New York Times’ Privacy Project – all of this illustrates the urgent need to protect our personal data, and recognise that privacy is a fundamental human right in the digital age.

Lim Yun Hui is an Associate Consultant at Future-Moves Group. A graduate of the National University of Singapore with a degree in Political Science, Yun Hui contributes towards FMG’s thought leadership content on current and public affairs, and is interested in environmental and sociopolitical issues.

Headquartered in Singapore, Future-Moves Group is a premier strategy and management consulting firm, with a focus in public policy. Please contact us to find out how we can help you or your organisation with our suite of consulting, advisory and training services.

Disclaimer: The views expressed in this article are those of the writer and do not necessarily represent those of Future-Moves Group.