Are we Europe or are we Asia? With regard to personal data protection, this is a very pertinent question in these days of the coronavirus.
In general, in Israel we like to think of ourselves as “Europe”, we play in the Euro league and participate in Eurovision. In addition, Israel is recognized by the European Commission as having adequacy status, which means that that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. This status implies that Israeli law offers essentially equivalent protections for personal data and that the rights of privacy are subject to similar legislation to those provided under European law.
But this was before the coronavirus raised its thorny crown.
On March 17, 2020, the Israeli government approved new regulations granting the Israeli Security Agency (Shin Bet) the right to collect information on coronavirus patients using technological means, without requiring court oversight. The information collected is on the level of specific identified individuals and as such is passed on to the Health Ministry (on an individual by individual basis) to be used for epidemiological studies to contain the coronavirus epidemic. In addition, detailed geolocation information of people diagnosed with the coronavirus has been provided to the general public. This information was pseudonymized, but it would not be difficult for people with minimal skills to correlate this information with publicly available information in order to identify these people specifically.
In Europe, on the other hand, information is only used on an aggregated basis. Even in Lombardy, Italy (the center of the worst outbreak in Europe, currently) the authorities are analyzing location data transmitted by citizens’ mobile phones on an aggregated basis, to determine how many people are obeying a government lockdown order and the typical distances they move every day. In the UK discussion is being held with several telco’s regarding providing aggregated data, delayed by 12 to 24 hours and stripped of individual identifiers, to help the government assess whether people are following advice to avoid pubs, bars and restaurants.
Even in this state of crisis, the interest of privacy is being upheld in Europe and any invasion of privacy will only be on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject… as set forth in Article 9 of the GDPR.
In Asia, things are different entirely. In Malaysia, for example, a Malaysian firm has created an artificial intelligence based coronavirus risk profiling solution capable of historical geolocation and anomaly tracking. It is powered by analytics of numerous available data points, including visitors’ previous known locations, heart rate and blood pressure readings. The data is crossed-referenced with public transport ridership and any exposure to locations with infections incidences. The technology is expected to be deployed in Malaysia and also the Philippines.
In South Korea, government agencies are using smartphone location data, but also using surveillance-camera footage, and credit card purchase records to help trace the recent movements of coronavirus patients and establish virus transmission chains. South Korea and Singapore, similar to Israel, post detailed location histories on each person who tested positive for the coronavirus, including such information as when people left for work, whether they wore masks in the subway, the name of the stations where they changed trains, the bars they frequented and their relations with other coronavirus patients.
And then of course there is China. In hundreds of cities in China, the government is requiring citizens to use software on their phones that automatically classifies them with a color code — red, yellow or green — indicating contagion risk. The software determines which people should be quarantined or permitted to enter public places like subways. You are not allowed to enter into any public place without presenting your cellphone and being classified as green. If you are red you are not allowed out your house.
So I ask again – are we Europe or are we Asia?
And I also ask, who do we want to be in this particular situation? Europe or Asia?
I think that the answer to the first question above is self-evident… but what about the answer to the second? There does not appear to be any middle ground in this situation when privacy must be weighed against other considerations, like saving lives. and finally, who do you want to be? Europe or Asia?