This article is a part of the The Law, Economics, and Policy of the COVID-19 Pandemic symposium.
Privacy absolutism is the misguided belief that protecting citizens’ privacy supersedes all other policy goals, especially economic ones. This is a mistake. Privacy is one value among many, not an end in itself. Unfortunately, the absolutist worldview has filtered into policymaking and is beginning to have very real consequences. Readers need look no further than contact tracing applications and the fight against Covid-19.
Covid-19 has presented the world with a privacy conundrum worthy of the big screen. In fact, it’s a plotline we’ve seen before. Moviegoers will recall that, in the wildly popular film “The Dark Knight”, Batman has to decide between preserving the privacy of Gotham’s citizens or resorting to mass surveillance in order to defeat the Joker. Ultimately, the caped crusader begrudgingly chooses the latter. Before the Covid-19 outbreak, this might have seemed like an unrealistic plot twist. Fast forward a couple of months, and it neatly illustrates the difficult decision that most western societies urgently need to make as they consider the use of contract tracing apps to fight Covid-19.
Contact tracing is often cited as one of the most promising tools to safely reopen Covid-19-hit economies. Unfortunately, its adoption has been severely undermined by a barrage of overblown privacy fears.
Take the contact tracing API and App co-developed by Apple and Google. While these firms’ efforts to rapidly introduce contact tracing tools are laudable, it is hard to shake the feeling that they have been holding back slightly.
In an overt attempt to protect users’ privacy, Apple and Google’s joint offering does not collect any location data (a move that has irked some states). Similarly, both firms have repeatedly stressed that users will have to opt-in to their contact tracing solution (as opposed to the API functioning by default). And, of course, all the data will be anonymous – even for healthcare authorities.
This is a missed opportunity. Google and Apple’s networks include billions of devices. That puts them in a unique position to rapidly achieve the scale required to successfully enable the tracing of Covid-19 infections. Contact tracing applications need to reach a critical mass of users to be effective. For instance, some experts have argued that an adoption rate of at least 60% is necessary. Unfortunately, existing apps – notably in Singapore, Australia, Norway and Iceland – have struggled to get anywhere near this number. Forcing users to opt-out of Google and Apple’s services could go a long way towards inverting this trend. Businesses could also boost these numbers by making them mandatory for their employees and consumers.
However, it is hard to blame Google or Apple for not pushing the envelope a little bit further. For the best part of a decade, they and other firms have repeatedly faced specious accusations of “surveillance capitalism”. This has notably resulted in heavy-handed regulation (including the GDPR, in the EU, and the CCPA, in California), as well as significant fines and settlements.
Those chickens have now come home to roost. The firms that are probably best-placed to implement an effective contact tracing solution simply cannot afford the privacy-related risks. This includes the risk associated with violating existing privacy law, but also potential reputational consequences.
Matters have also been exacerbated by the overly cautious stance of many western governments, as well as their citizens:
- The European Data Protection Board cautioned governments and private sector actors to anonymize location data collected via contact tracing apps. The European Parliament made similar pronouncements.
- A group of Democratic Senators pushed back against Apple and Google’s contact tracing solution, notably due to privacy considerations.
- And public support for contact tracing is also critically low. Surveys in the US show that contact tracing is significantly less popular than more restrictive policies, such as business and school closures. Similarly, polls in the UK suggest that between 52% and 62% of Britons would consider using contact tracing applications.
- Belgium’s initial plans for a contact tracing application were struck down by its data protection authority on account that they did not comply with the GDPR.
- Finally, across the globe, there has been pushback against so-called “centralized” tracing apps, notably due to privacy fears.
In short, the West’s insistence on maximizing privacy protection is holding back its efforts to combat the joint threats posed by Covid-19 and the unfolding economic recession.
But contrary to the mass surveillance portrayed in the Dark Knight, the privacy risks entailed by contact tracing are for the most part negligible. State surveillance is hardly a prospect in western democracies. And the risk of data breaches is no greater here than with many other apps and services that we all use daily. To wit, password, email, and identity theft are still, by far, the most common targets for cyber attackers. Put differently, cyber criminals appear to be more interested in stealing assets that can be readily monetized, rather than location data that is almost worthless. This suggests that contact tracing applications, whether centralized or not, are unlikely to be an important target for cyberattackers.
The meagre risks entailed by contact tracing – regardless of how it is ultimately implemented – are thus a tiny price to pay if they enable some return to normalcy. At the time of writing, at least 5,8 million human beings have been infected with Covid-19, causing an estimated 358,000 deaths worldwide. Both Covid-19 and the measures destined to combat it have resulted in a collapse of the global economy – what the IMF has called “the worst economic downturn since the great depression”. Freedoms that the west had taken for granted have suddenly evaporated: the freedom to work, to travel, to see loved ones, etc. Can anyone honestly claim that is not worth temporarily sacrificing some privacy to partially regain these liberties?
More generally, it is not just contact tracing applications and the fight against Covid-19 that have suffered because of excessive privacy fears. The European GDPR offers another salient example. Whatever one thinks about the merits of privacy regulation, it is becoming increasingly clear that the EU overstepped the mark. For instance, an early empirical study found that the entry into force of the GDPR markedly decreased venture capital investments in Europe. Michal Gal aptly summarizes the implications of this emerging body of literature:
The price of data protection through the GDPR is much higher than previously recognized. The GDPR creates two main harmful effects on competition and innovation: it limits competition in data markets, creating more concentrated market structures and entrenching the market power of those who are already strong; and it limits data sharing between different data collectors, thereby preventing the realization of some data synergies which may lead to better data-based knowledge. […] The effects on competition and innovation identified may justify a reevaluation of the balance reached to ensure that overall welfare is increased.
In short, just like the Dark Knight, policymakers, firms and citizens around the world need to think carefully about the tradeoff that exists between protecting privacy and other objectives, such as saving lives, promoting competition, and increasing innovation. As things stand, however, it seems that many have veered too far on the privacy end of the scale.