Opinion: the last few months have seen indications that we may value the accessibility of luxury goods and services more than our privacy

By Brian Dillon and Ciara Heavin UCC 

The General Data Protection Regulation (GDPR) was implemented in May 2018 with much ado both in Europe and around the world. Large international organisations went into overdrive planning how to comply with or even workaround this new data protection regulation.

While there are several parts to GDPR, it is largely concerned with the protection of an individual's personal data, meaning any information such as name, contact details, or medical records relating to an identified or identifiable individual. While GDPR enshrines "the right to be forgotten" in law (otherwise known as erasure), it restricts the right of a person to demand this when there is a public health interest at stake. 

We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences

From RTÉ Radio 1's Liveline, a discussion on GDPR and a school nativity play

The European Data Protection Board has stated that data protection will not impede the fight against Covid-19 and that data protection legislation "remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms". According to the Board, "there is no reason to lift GDPR provisions, but to observe them", pointing to the flexibility of GDPR to facilitate temporary solutions in light of the epidemic.

While the processing of health data is generally prohibited (categorised as 'Special Category Data’), this limitation is temporarily waived if the appropriate safeguards are in place, as part of one of the exceptions in Article 9(2) of GDPR. Such safeguards include time limits for erasure, meeting suitable data security standards, and the adequate training of staff.

Disease surveillance at a local level looks very different when compared with national efforts

Considering the difficulty to meet these standards, it is reasonable to believe that our right to privacy may take a back seat in place of measures to fight the pandemic. While the same rules to process data technically apply, allowances have been made to meet logistical difficulties i.e. requests to delete or disclose recorded personal data will have an extension of two months. This may be further extended if the organisation can justify not having the available resources to produce such records within that time.

Against a backdrop of the global effort to "detect, trace, isolate" during the pandemic, contact tracing through the use of app technology has been implemented in many jurisdictions. National digital surveillance is exemplified in the Health Service Executive's (HSE) Covid app. Launched in July 2020, the app requests users to voluntarily provide information such as age, sex, and location. Users may optionally provide a phone number so the HSE can contact them. The HSE recognised potential data concerns in a tweet: "we'll protect your privacy, and you’ll help us protect everyone. Stay safe. Protect each other". 

However, disease surveillance at a local level looks very different when compared with national efforts.  Supporting the "track and trace" strategy, local businesses and services are mandated to capture individuals’ personal data. This has become problematic, as these new data controllers do not have access to the GDPR compliant technologies that support contact tracing efforts. While collection of digital data can be regulated and audited, with many Covid-related apps being open source and open to public scrutiny, the majority of local businesses and services rely on pen and paper, to capture the personal details of customers.

One recent regulation that has resulted in outrage requires restaurant owners and publicans to record the order details of each customer. These records must be made available to a member of An Garda Síochána for up to 28 days after visit. The Deputy Data Protection Commissioner Graham Doyle has stated that "the interference with fundamental rights, in this case, is not significant and the data collected and the purpose for its collection mean it is unlikely to result in any significant risks to the rights of an individual." 

We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences

From RTÉ Radio 1's Morning Ireland, Adrian Cummins fro the Restaurants Association of Ireland on the new legislation requiring meal records to be kept on file for 28 days

While necessary stopgap data collection measures have been implemented to battle the virus, it is difficult to see how and when these will be reversed. Out of necessity, many organisations have had to adapt to the pandemic very quickly, leading to procedures not being strictly followed. While transparency regarding data retention is crucial for data protection compliance, both the DPC and the EDPB acknowledge the difficulty to fully comply under the circumstances.

GDPR does not specify retention periods, instead stating that personal data may be kept for no longer than is necessary for the purposes for which it was processed. In the current climate, it is unclear how long a business will hold our data. The responsibility has been left to these businesses, who reasonably may consider the processing of data to be low priority while trying to keep their business afloat, especially if negative repercussions are slim. 

We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences

From RTÉ 2fm's Louise McSharry Show, Ciara O'Brien from The Irish Times on how the HSE's Covid-19 app ranks in privacy terms against social media apps that are possibly more relaxed with our info

With the increase in the global tracking and tracing effort, it is important to consider the implications of this growing personal data footprint. These new circumstances require that we are now more identifiable and accessible than ever before. Our locations, buying patterns, and even religious beliefs have never been more exposed to analysis and dissemination.

Surveillance Capitalism, a term coined by Shoshana Zuboff in 2014, describes the commodification of personal data and a claim to "private human experience as a source of free raw material, subordinated to the market dynamic and reborn as behavioral data". While we are generally complacent when we observe improvements to overall service and convenience, this same process may insidiously undermine our personal autonomy, and perhaps lead to the dystopian future envisioned by the likes of George Orwell’s 1984 or Aldous Huxley’s Brave New World. Zuboff nods to these works herself, sometimes referencing this new "distributed and largely uncontested new expression of power" as ‘Big Other’. 

We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences

From RTÉ Radio 1's News At One, Dr Sarah Doyle from the Health Protection Surveillance Centre on the HSE's Covid-19 app

Supported by both apps and informal traditional data collection tools, new strategies and practices seem essential in containing Covid-19. However, we see a growing tension between individual data privacy and public health protection. An important tenet of data protection legislation is to meet sufficient data protection measures when collecting data of personal nature. While we have seen this achieved with some apps, this is not nearly as enforceable when recording data through non-digital means. Measures such as pseudo-anonymization and encryption are totally impractical for local restaurants, beauticians and churches. 

The last few months have been an indication that we may actually value the accessibility of luxury goods and services more than our privacy. In an era of a public health emergency, it seems societal health and wellbeing supersedes specific elements of the GDPR. In this new normal, has the right to be forgotten become a thing of the past? We are quickly approaching a point of no return and, having no point to reference in the past, it is very likely we won’t really appreciate our privacy until it is in someone else's hands.

Brian Dillon is a Software Developer in Business Information Systems at the Cork University Business School at UCC. Dr Ciara Heavin is a Senior Lecturer in Business Information Systems at the Cork University Business School at UCC. She is a former Irish Research Council awardee.


The views expressed here are those of the author and do not represent or reflect the views of RTÉ