Will Covid-19 spell the end of Europe’s long-cherished privacy ideals and give way to widespread technology-fueled state surveillance?
Countries across the region have been ramping up data-tracking technology to follow the trail of coronavirus infection and monitor quarantines.
This has involved mobile phone operators handing over location data, while the UK’s National Health Service enlisted the help of US technology company Palantir, better known for its relationship with government spy agencies.
But the fightback is beginning, with a coalition of technology experts and scientists from around Europe banding together to try and prevent the fight against coronavirus coming at the expense of privacy.
This week, the group unveiled an initiative with the (not very catchy) name PEPP-PT, short for Pan-European Privacy-Preserving Proximity Tracing. Its slogan: “Proximity tracing YES, giving up privacy NO!”
The initiative is meant to be “a fully privacy-preserving approach” to tracking coronavirus infection chains across borders in Europe, and is led by Germany’s Fraunhofer Heinrich Hertz Institute (HHI) for telecoms. It is backed by 130 members across eight countries, from research labs like France’s Inria to companies like the UK’s Vodafone.
The PEPP-PT’s aim is to develop a basic set of “standards, technology and services” that countries and developers can then plug into. It’s a kind of framework for the multitude of apps that are likely to emerge as local answers to a global pandemic.
The Europe-wide initiative came just days after the UK health service’s digital transformation unit NHSX announced it was organising a global hackathon to find privacy-friendly technology solutions to fight Covid-19.
Mobile location tracking
The announcements are a reaction to the way European governments have been handling coronavirus, with increasing use of data-tracking technology to measure the spread of the pandemic.
The decision of the UK's National Health Service to enlist a group of US technology providers, including data-analytics company Palantir, to figure out how to stop the spread of Covid-19 drew some raised eyebrows last week.
Elsewhere in Europe, telecoms carriers — including the UK’s Vodafone, Germany’s Deutsche Telekom and France’s Orange — said they’d start sharing mobile phone location data with the European Commission to track the spread of the coronavirus.
While the Commission said it would anonymise data and aggregate it to protect privacy, the European Data Protection Supervisor — the EU’s privacy watchdog — warned that safeguards should be well in place, and that caution should be exercised so these exceptional measures don’t become permanent.
Others have questioned to what extent anonymised data is fully anonymous, and whether it can be traced back, albeit with some expert work.
War trauma
Around the world, countries including Israel, South Korea, Singapore and Taiwan were quick to implement technology using data from smartphones for the likes of contact tracing and quarantine control. While seemingly effective, the measures raised concerns from privacy advocates.
The spectre of state surveillance has hit a nerve in Europe, perhaps more than anywhere else. For decades, the region associated surveillance and putting people on file with WWII trauma. That led to a tradition of highly active privacy watchdogs, a cautious take on exploiting Europeans’ data and a tough stance from regulators on abuses by technology giants.
It culminated with the adoption of the General Data Protection Regulation (GDPR), which came into force in May 2018 after years of negotiation between member states.
GDPR spirit
But now, all that is at risk of being thrown out the window.
“This complicated construct is now facing its make or break challenge,” says Andre Loesekrug-Pietri, the chairman of JEDI, the Joint European Disruption Initiative — Europe’s version of the US Defence department’s moonshot innovation unit DARPA. “It is not certain that the spirit of the GDPR survives the coronavirus crisis.”
Loesekrug-Pietri is one of the people warning that anonymised data is not foolproof. He says Europe should focus on fostering new homegrown technology to avoid the privacy trap while better exploiting people’s data for things like coronavirus tracking.
The PEPP-PT initiative vowed that the framework and technology it is developing would be entirely GDPR compliant. JEDI meanwhile has been supporting the research and development of technology like homomorphic cryptology, which would also be respectful of GDPR and Europe’s privacy-first DNA, Loesekrug-Pietri says.
He added: “Europe’s ability to position itself on these technologies today defines our ability to protect our data tomorrow.”