Discussion on the protection of personal data: Information and privacy in the prevention and ‎control of Covid-19‎

Event report

The session covered Chinese, Canadian, and European perspectives on personal data protection in times of COVID-19, as well as conceptual ideas for privacy and information security introduced by Chinese academia representatives.

Mr Liang Hao (deputy director general, Bureau of International Cooperation, Cyberspace Administration of China) spoke about the legislative basis of data protection in China. He mentioned the cybersecurity law of 2017 which specifies that network operators should set up and optimise the protection mechanism of user information. The Civil Code adopted in May 2020 stipulates how to protect privacy and personal information. The draft of the Personal Information Protection Law was submitted to the Standing Committee of the National People’s Congress for preliminary review. On the international level, China put forward the Global Initiative on Data Security in September 2020, with the following suggestions:

• States need to improve domestic legislature and cross-border coordination. Governments should conduct in-depth research of personal information protection in our era of big data.  
• Governments, businesses, technical communities, non-governmental institutions, as well as individuals, need to facilitate co-operation between public and private sectors, advocate for company self-discipline, and continuously raise public awareness. 
• States should deepen international co-operation in cyberspace and continue to give significant roles to global dialogues and platforms in setting up rules on data protection:  give full play to the UN’s main channel role, and leverage the Internet Governance Forum (IGF), the Asia-Pacific Economic Cooperation (APEC), G20, the World Internet Conference, and other forums. 

Convention 108, which has to date been signed by 55 states, is the only international legally-binding instrument on data protection with regard to the automatic processing of personal data, said Mr Jan Kleijssen (director, Information Society and Action against Crime, Council of Europe). He also introduced ‘A toolkit for member states: Respecting democracy, rule of law and human rights in the framework of the COVID-19 sanitary crisis’ which is fully in line with Convention 108. Finally, he pointed to the October 2020 report that showcased best practices developed by some member states on the issues of privacy and impact assessments prior to taking measures to fight COVID-19, as well as problems such as the mandatory use of contact-tracing apps and measures during states of emergency.

Mr Peng Feng (deputy secretary general, China Internet Development Foundation) noted the efforts of the China Internet Development Foundation invested in international dialogue on security and personal information protection. He also stressed that as there is a risk of abuse and leakage of personal information, data security has become a hot topic. The Chinese government has taken measures to find the balance between the use of information and the protection of information in fighting the pandemic, as well as restoring normal life.

Ms Stephanie Perrin (president, Digital Discretion, Canada) brought her personal perspective from her work on COVID-19 response solutions. First, sometimes there is no need for IT to trace contacts (e.g. Canadian churches tracking visitors on paper). Second, technology oversight and impact assessment are necessary (e.g. multistakeholder review of the contact-tracing apps to fit privacy requirements). Third, data use must be transparent, accountable, and proportionate: citizens are not going to share data without trust, and this impacts the spread of the disease (e.g. Palantir Technologies). The effectiveness of data governance control largely depends on the presence of some kind of independent oversight, usually in the form of a data commissioner or an independent oversight body, Perrin concluded.

Mr Luigi Gambardella (president, ChinaEU) compared the crisis responses in China and Europe, noting that Europe set high stakes that the data of European citizens belong to them, not to the government. Therefore, when European governments sought co-operation with mobile operators to monitor the compliance with the lockdown and social distancing measures on a greater basis, there was a public opinion backlash. How could we find a better balance between data privacy and handling a crisis situation? The problem is not to design an ideal app to sacrifice some privacy for the public good. The problem is trust. Apps developed together with the civil society, industry, and data protection authorities will more easily be trusted than government-driven applications.

No matter the size of a country, you will find a lot of challenges when you try to enforce privacy. Today it is COVID-19, tomorrow it will be something else, pointed Mr Ricky Rakesh (faculty member and researcher on data privacy and protection, India). He spoke about capacity building: how much time and money is the government ready to invest to make sure that you have a mechanism for privacy protection, and are there enough skilled people that can manage it?  Additionally, the General Data Protection Regulation (GDPR), Convention 108, and other frameworks do not meet the demands of states that function in a different cultural and legal paradigm.

Mr Fang Yu (director, Cyberlaw Research Center, China Academy of Information and Communications Technology) provided a general overview of the protection of personal data when facing a public health crisis. He spoke from the legal perspective on the priority of public interest over personal interest during a pandemic. After the review of the GDPR and the Health Insurance Portability and Accountability Act (HIPAA) cases, he concluded that we should follow the principle of reasonableness and compliance regarding personal data, and closely focus on the purpose of epidemic prevention and control, and hinder the relationship between public interests and the individual interests to achieve a balance.

Ms Francesca Musiani (researcher, French National Centre for Scientific Research (CNRS), France) shared the French experience with public response to government COVID-19 measures. There have been several attempts by the French government to deploy digital technologies in order to monitor the population’s activities, movement, contacts, habits, and this has met a fair amount of resistance from citizens and several warnings from agencies tasked with protecting citizen rights. Another point of controversy was the use of drones by the French police to monitor public activity during the pandemic. Following a complaint by the French Human Rights League (LDH), the French high-level court ruled that drones would be banned until there is an appropriately yielded basis for their deployment, or until they are adapted so that individuals filmed by the cameras could not be directly identified. She also voiced concern on when and how the country will be able to revert back to the rights that citizens enjoyed before the pandemic.

Mr Wang Lei (senior Counsel, Sina Group) delivered a practical presentation about the private sector’s response to privacy concerns for personal data processing during COVID-19. He finished with a demand to clarify the rules of data utilisation in special scenarios such as public emergency situations.

Nigeria faced the rise of online criminal activity, said Mr George-Maria Tyendzewa (head, Cybercrime Prosecution Unit, Nigeria). ‘While we have actively sought to engage and respect the privacy of our citizens and residents generally, because this is a constitutional requirement, we have found that it is quite challenging for law enforcement to deal with reports and complaints because we saw a certain rise in phishing scams related to the pandemic.’ He pointed that anonymity hampers law enforcement.

Ms Wang Li (researcher, Xi’An Jiaotong University Suzhou Academy of Information Security, China) echoed the points made by previous speakers regarding the interplay between privacy and benefits to public health, the adoption of common values and fundamental principles, and the increased risk awareness and understanding of the complexity of data governance.