I was in my doctor’s office for a post-coronavirus antibody test. As he was taking my blood, I asked him if the government was collecting this data for research on trends in antibody decline.
“No” he replied. “There are GDPR measures protecting you from that.” My doctor thought he was reassuring me.
“What a pity” I thought. As a “survivor” of SARS-CoV-2, I would hope that any longitudinal statistical data I could provide the research community would be valuable. Because of my battles with heart disease and a persistent organ infection, I get my blood tested every six months. My annual COVID-19 antibody data, combined with millions of others having routine blood tests, could help researchers trying to understand the evolution of this virus.
European healthcare is the envy of the world and we should be leading the way in the fight against COVID-19. But in our dismal failure to effectively manage the pandemic risks, I need to ask whether the European GDPR (General Data Protection Regulation) is one further policy tool standing in the way of risk management.
Is my personal data worth more than my health? Or my life?
The European GDPR legislation was passed in 2016 to ensure privacy and personal data protection at a time when Google and Facebook knew more about me than Mrs Monger. It was meant to update the pre-Internet 1995 European Data Protection Directive but had suffered a series of orchestrated delays (until Angela Merkel’s phone was hacked). It essentially gives Europeans some measure of control over their personal data and how it is processed and used. But the legislation has important ramifications on research and public safety concerns. This law was not written with the idea of managing a pandemic in mind.
Protecting privacy is sacrosanct in certain countries like Germany where there was a brutal history of authorities using personal information to commit atrocities on their populations. GDPR reflects the values of a generation that had grown up during the Cold War and then believing every stranger on the Internet was a predator. This policy though is being imposed on two subsequent generations that consider these predators as members of their tribes, colleagues and trustworthy information sources. Most people under 35 are not terribly concerned how their personal data is used so long as it provides them with benefits.
As most European countries lock down their populations in a second round of colossal COVID-19 risk management failure, protecting the sanctity of this unwanted legislation may be a tough sell if we realise how GDPR has got in the way of protecting Europeans and controlling the virus.
Tracking Saves Lives
“Test, track and trace” was the mantra back in March when people looked to Asia to learn how to contain the coronavirus. The Chinese introduced a system where I would receive a code on my phone and at every point in my public movement (into shops, onto trains or public facilities) I would have my phone scanned and my body temperature taken. My whereabouts were known not just to the authorities but to others around me who would receive an alert on their phones if a person testing as ‘high-risk’ was near me. If I didn’t like that, I would have to stay indoors.
The South Korean tracking system passed its muster when, in May, a super-spreader event occurred in a crowded LGBTQ nightclub district in Seoul potentially infecting thousands. Prejudice and taboo around homosexuality in certain quarters of Korean culture made voluntary tracking well-nigh impossible but the authorities were able to quickly track down and test thousands of individuals, putting them into (monitored) quarantine and successfully containing the spread.
Both China and Korea had controlled the coronavirus spread early on in the outbreak, have suffered far lower infection and mortality rates than in the West and have not strangled their economies. I don’t see much outrage from a public allowed to get back to some degree of normalcy and economic activity.
We have the technology in the West to track people – from CCTV on every street corner to face recognition tools on every smart phone. What we lack is the regulatory permission to use these technologies to protect populations in times of crisis. The British call their COVID-19 strategy: Test and Trace (no tracking) but they rely on voluntary information and self-quarantining. As contracting the coronavirus has become the new social shaming equivalent of venereal disease, should we be surprised (as seen in Adelaide this week) that people lie?
Give me Liberty or Give me COVID!
Does GDPR reflect European culture? Do most Europeans demand privacy and data protection or is this a policy strategy of a small but loud political faction? As they age and millennials assume their roles in governance, will such echoes fade? If authorities were openly collecting data that would help contain COVID-19 and track down those who may have been unknowingly exposed, how many Europeans would object? How many thousands of lives could have been spared if our researchers and governments were not limited by such privacy and data access restrictions.
In the United States the cultural and historical roots of independence and liberty run deeper through the societal narrative. No doubt imposing an Asian style tracking system would have even a harder time in the hyper-litigious US than some untimely regulation coming out of Brussels. Even implementing a basic test and trace system has been proven to be woefully inadequate in the US with only one state barely passing.
But how strong is this cultural value of privacy in the face of widespread death and suffering? Is my personal data worth more than my ability to freely move around or enjoy gainful employment? Is it worth more than my life? In times of war, people readily surrender certain freedoms and privileges. It strikes me as ridiculous that spineless precautionistas readily locked down European populations while preserving the sanctity of GDPR and refusing to allow tracking tools that have been proven successful elsewhere.
Couldn’t certain privacy and data protection measures become more elastic in the face of a crisis? I would suggest imposing a type of reverse data protection: you have a right to not be tracked or informed of a potential virus exposure but you would have to make the effort to have yourself removed from the prevention programme (something like a Google Street View’s option for the Privatollahs).
We basically have the means to track everyone (even before Bill Gates put that chip in our brains) so we could always gather the beneficial data quietly. Researchers could still benefit from virus and antibody data without sharing the information. Would that be such a big deal?
Data is Power
In the 1990s I can recall having rather animated research ethics debates about the American Centers for Disease Control and Prevention’s use of biomonitoring data from their national programme. While the collection was intended to measure environmental exposures to certain toxins across a wide population, they were also quietly testing samples for the presence of HIV (at the time when this viral transmission dominated the narrative in the United States). The goal of this testing was to measure the prevalence of the disease in the population and as the subjects did not request the tests, the HIV positive results were not conveyed to the programme participants (contentiously allowing the virus to further spread undetected in the population).
I would agree with the CDC on this action – such data is essential to understand a disease and determine the resources and strategies needed to fight it. Data today is knowledge, especially in the public health domain, and hence data is power. But European researchers are not allowed to collect such data (without permission) and the cumbersome alternatives have left us with a dearth of vital information on SARS-CoV-2 at a time when informed decisions need to be made.
GDPR is valuable to ensure unscrupulous actors don’t profit from my data for marketing or political ends, but if access to my data will help fight serious diseases and protect individuals, then we should not measure data protection in such absolutist terms. And as the generation born with a Facebook account and a tablet in the crib comes of age, we may have to reconsider how vital such historical concepts are today.