The discussion kicked off on looking at the balance between privacy protection and public health. According to Miller, privacy and public health are wrongly being pitted against each other in a false tradeoff. However, guidance from regulators, cooperation on solutions between the private and public sector and transparency can help the tech industry face the emergency while making sure that privacy is protected. Wiewiórowski argued that the General Data Protection Regulation (GDPR) legal framework is fit for purpose and can endure the effects of a crisis, provided that the core principles of data protection serve as the basis of all the upcoming different responses to the crisis. Kelber warned against considering data protection a burden when protecting public health. Through innovative proposals and respect for EU values, it is possible to develop privacy-friendly tools to counter the crisis.
“I don’t think it is a binary choice. The global fight against the pandemic reminds us to protect privacy while achieving other important public policy goals.” John Miller, ITI
The discussion shifted to the issue of contact tracing apps, which are being developed in Europe and around the world to monitor the spread of the virus. Kelber said that it is important that people can trust these apps, and the European Data Protection Board is working with the European Commission to develop guidelines for privacy-friendly solutions. Big companies releasing application programming interfaces (API) for apps can speed up the rollout of national and European solutions, although excessive fragmentation may be a burden for interoperability. Similarly, Wiewiórowski called for minimum standards at EU level to ensure interoperability and protect the rights of market actors. Miller highlighted that it is important that public authorities cooperate with stakeholders in defining solutions in order to increase transparency and trust.
“When I asked for a pan-European approach […] it was because it is the only way to go back to the Single Market and the free movement of people. There is no normality without free movement of people.” Wojciech Wiewiórowski, European Data Protection Supervisor
The panel proceeded to elaborate on some more practical issues regarding data collection and processing in the tools developed in response to COVID-19. Both Wiewiórowski and Kelber called for tracing systems to be voluntary for ethical and cultural reasons. On the process of data anonymization, Wiewiórowski noted that while it is true that it is impossible to achieve full anonymization, de facto anonymization is possible, and it is protected by the legal principles of the GDPR. Miller added that flexibility of the legal framework on the use of anonymized, pseudonymized and aggregated data can be helpful to ensure inclusivity and uptake of the contact tracing apps. All panelists agreed that trust and transparency between authorities, businesses and citizens are key to make any solution work.
“We (DPAs) can handle the crisis… we’re in close contact to exchange about national approaches and are working on EU-wide guidance on this topic in the EDPB” Prof. Ulrich Kelber, Federal Commissioner for Data Protection and Freedom of Information, Germany