Industry Thought Leadership

The Landscape of Data Sharing Regulations Amidst the COVID-19 Crisis

May, 2020
Rohit Sethi

Arthur D. Little

The COVID-19 crisis is considerably changing the way our societies balance public health against all other concerns. While lockdowns are the most characteristic symbol of this trade-off that societies have to make, contact and localization tracing are also redefining the way we understand data privacy. All around the world, telecom operators (Telcos) are sharing data with governments and other stakeholders, even in more protective jurisdictions such as the European Union (EU), to stop the spread of the virus. On the other hand, there are definitely compliance and reputational risks associated with such data sharing that can materialize in the time to come. While there is a clear shift of paradigm when it comes to data sharing, updating existing regulations will be a complex task as well. What can Telcos do to emerge clean post the crisis or even stronger with respect to their privacy protection actions and perception, and how can they prepare for the post-COVID-19 regulatory landscape, is a top of mind for most.

East-Asia has transformed data sharing into the new big conversation
The extent of data sharing already happening or planned varies for each country and jurisdiction. Contact tracing already started as early as late February this year in South Korea. South Korea’s Centers for Disease Control and Prevention (KCDC) ran the contact tracing system that used data from 28 organizations covering police, credit card and smartphone companies, to trace the movement of individuals with COVID-19. Other East-Asian countries were also early movers in building their COVID-19 response based on shared data for example, Taiwan’s “Digital Fence” that used Telcos’ GPS data to monitor people in self-quarantine, and Singapore, where “TraceTogether” contact tracing app was built upon Bluetooth connection data between devices. For hard-hit Western countries, technological responses have been much slower, primarily owing to stricter data protection laws and higher cultural aversion towards privacy infringements. However, in light of the success achieved by certain East Asian countries in containing the virus’s spread, the overall view seems to be changing.

Several gaps exist with respect to an ideal state of data sharing
The existing and new types of information that organisations may collect to combat COVID-19 cover aspects such as effectiveness of self-isolation, body temperature, visitors to the premises, and device location data, all of which are personal data.

In line with the generally established principles around data protection as clearly delineated in the European General Data Protection Regulation (GDPR), in an ideal situation, any app/ mechanism built to combat COVID-19 should adhere to the principles of: Consent i.e. ensure that appropriate permission has been received from the data subject, Transparency i.e. inform data subjects as to how their data will be used, Purpose limitation i.e. ensure that the gathered data is used only for the purposes indicated, and Security standards i.e. ensure appropriate security measures will be undertaken to protect this personal data from getting leaked or shared outside of the original intent.
In addition to commitment on the above principles by the entities gathering and managing the personal data, there should be a wider protection for individuals in terms of state-level or national-level data protection act(s). In most of the apps/ mechanisms launched so far, all measures required for an ideal state have not been observed.

For example, in South Korea and Taiwan, the data shared by Telcos with the government can serve to identify specific cases and is applicable to all the population, whether they provide consent or not. While these measures provide a pragmatic means for effective containing of the spread, they do raise serious privacy concerns. However, data sharing Telcos stand on robust legal grounds for example, in South Korea, a law drafted in the wake of 2015 MERS outbreak gives the Korea Centers for Disease Control & Prevention (KCDC) unwarranted powers to require data when there is a public health emergency.

In more protective Western countries, similar laws are mostly non-existing however, the GDPR does allow for such data processing if certain principles are met. In normal times, the GDPR prohibits any sharing of personal data without consent. However, exceptional provisions exist in case of epidemics to deal with personal health data and to allow EU member states to introduce specific legislations for other types of data such as mobile location. In the absence of such national legislation, any Telco sharing personal location data, even with governments, is therefore in non-compliance of the law. Questions were already being raised about data shared, or rumored to be shared by Telcos such as Vodafone in Italy, Telekom Austria A.G. in Austria, and BT and O2 in the UK.

Whereas Telcos have a central role in direct mobile data sharing, they are only facilitators in app-based approaches, where the two key types of players are governments and the large technology giants such as Apple and Google. Singapore spearheaded the government approach using systematic consent through an opt-in basis for their contact tracing app, TraceTogether. Rather than working with Telcos’ data, this app used Bluetooth to make devices communicate with each other and, ultimately with public health authorities. Several European countries are trying to emulate similar apps for example, France’s StopCovid app, which publicly claims to be “anonymous and voluntary”. However, the consent component is already being blurred in some countries as governments, such as in India, made the app usage mandatory for specific parts of the population such as for people who work in public and private offices, for all train travelers and for the ones living in high-risk areas with respect to spread of the virus. Additionally, given that India does not have a national data privacy law, there are concerns over the app being used in a way that violates civil liberties, including as a state surveillance system that could be exploited after the app outlives its coronavirus-tracking purpose.

Preparing for the future – players to take stances, governments to close gaps
The above mentioned apps/ mechanisms can be critical for privacy as they gather more data than Telcos ever did, and hence appropriate regulations are required for governments, smartphone manufacturers, app-store managers or whichever entity is developing and administering these apps/ mechanism, especially in countries where national data protection laws do not exist yet. Even when not directly involved with app development, Telcos have been solicited in several cases to give them privileged access (e.g. to Bluetooth communications) or to push them into smartphones on an opt-out basis. Arbitraging between cooperation, compliance and customer trust has been a conundrum in many cases, as illustrated by Apple’s decisions. Apple has decided to develop its own contact-tracing platform with Google, enabling interoperable Bluetooth communication between devices for official apps without funneling to central governmental server for privacy reasons. In fact, it has embarked on a confrontational course with countries such as the UK and France, which have decided to develop their own top-down apps and have asked Apple to remove restrictions on Bluetooth usage. Apple has refused, provoking the ire of several legislators, that claim the firm is slowing down efforts to stop spread of the virus. Despite immediate reputational risk, Apple could benefit from its decision, as it did in 2016 when refusing to provide access to an iPhone as sought by Federal Bureau of Investigation (FBI), ended up reinforcing customer trust in the company. Learning from the above, taking a stance for privacy, when supported by firm regulatory and ethical grounds, can be a sound decision for Telcos as well.

Countries are already drafting new regulations to address the gaps. In Armenia, the parliament on 31st March passed amendments giving the authorities broad surveillance powers that require Telcos to share phone records for customers, including phone numbers, location, time, and date of their calls and text messages. Such new individual laws, such as South Korea’s provisions passed after the 2015 MERS outbreak, will undoubtedly redefine the regulatory landscape, however it is key that global alignment is maintained as the data sharing paradigm evolves, given that data protection regulations and measures are intertwined globally. For instance, EU authorities will have to adapt their cross-border data sharing rules as some countries update their former data protection mechanisms, prompting alterations to the multinational data transfer landscape. Such changes can bring new opportunities and risks for Telcos which will only become clear with time, however as a broad guidance to navigate this complex regulatory landscape, Telcos need to have their priorities right in order to ensure legal compliance, while also maintaining amenable relations with governments as well as trust of their customers.