Alex Heshmaty asks Joanne Frears, partner at Lionshead Law, and Will Richmond-Coggan, partner at Freeths, about the implications of various emergency measures being taken by the government in the fight against Covid-19 – many of which are enabled by technology.
How tech is being used
AH. How is technology being used by states in the fight against Coronavirus?
JF. It’s hard to think that the use of technology named after an 11th century Danish king with poor dental hygiene would cause such division in tech and civil liberty circles, but Bluetooth track and trace apps are proving contentious, not just because of the different operating systems, but because of what is perceived as a technology-led, rather than a medical-led approach.
Contact tracing isn’t new and the principles of it are proven and accepted, but the issues of whether data should be stored locally (per Apple/Google’s offering) or centrally (per the NHSX app) are divisive.
In the US, drones have been used for Covid-19 surveillance and in the UK, ARPAS (the UK Drone Association) has co-ordinated a drone task-force to encourage social distancing, operate deliveries of food and medicine and provide HSE inspections where site visits are not possible due to distancing restrictions. As we take CCTV largely for granted, use of drone surveillance seems to have gone largely unnoticed.
WRC. Much of the technology deployed has been in the area of surveillance, and thus how it is used has tended to be reflective of the extent of an existing surveillance culture within different countries. So, for example, while some countries in Europe might be confining themselves to collection of aggregated mobile location data to establish broad patterns of movement, elsewhere in the world other regimes are going a lot further. This might extend to the use of facial recognition technology to identify individuals, enforced wearing of monitoring or tracking bracelets, individuals being obliged to download and install tracking apps, or requiring individuals to take and submit health readings (temperature, blood pressure etc). Some countries are using drones to monitor public gatherings or compliance with lockdowns, and to broadcast public health messages.
Propping up the economy
AH. How is technology helping to keep the economy afloat during lockdown?
JF. There is little “new” technology that is actually keeping the economy afloat right now. Many people are using pre-existing technology for the first time. If someone else asks me if I’ve used Zoom, I’ll scream. We’ve been using it for calls at Lionshead Law for about 18 months and only as an extension to our existing methods of WhatsApp video and conference calls and group working via Google, Slack and MS teams! What is new is that people are finding that it works really well for them. Jokes about putting on trousers or shoes for conference calls aside, there has been a mass realisation that working from home isn’t just for those who can’t tolerate or be tolerated in an office, and that doing so comes with all the time saving, planet saving benefits of ditching the tin-can commute in a car, bus or train.
As a technology lawyer, what is interesting for me is to see the use cases that are now being promoted for existing non-mainstream tools that assist remote working like AR and blockchain – whether that’s used for secure payments for a business partner you will never meet and have a limited chance to do face to face due diligence on, or training staff or even planning how they can work safely together again, possibly even in other locations where they are rapidly needed (*shameless plug* anyone reading this working on a medical deployment project who would like to discuss this, please contact me). Those technologies aren’t new, but are existing tools that may help us out of the situation we are in.
We also absolutely shouldn’t forget that necessity is the mother of invention; with every era of recession comes a flood of invention (as demonstrated by a rise in IP registrations) and collaborative creativeness. Since the last global recession, our working patterns have changed fundamentally and the gig economy has become normalised. Recognising the part such willing workers have played in keeping the nation supplied, will they be able to rely on greater legal protection in future?
WRC. In contrast to the position even a few years ago, the range and capabilities of modern technology have enabled many businesses to pivot quickly from a largely office-based workforce to home working, in some cases more or less overnight. Those businesses that were already configured for a degree of remote or flexible working have been able to scale up that provision relatively easily.
On the other hand, businesses which require their workforce to be present (the manufacturing, haulage or hospitality and leisure sectors, for example) have been more significantly impacted and technology has not managed to cushion that impact to the same extent.
Compromising civil liberties
AH. Are data protection principles and/or civil liberties legislation being compromised (or in danger of being compromised) as a result of Covid? If so, is this justified on the basis of managing a national emergency?
JF. It is a fact that civil liberties are compromised by the Coronavirus Act 2020 and the UK Government would argue, what’s the alternative? Other countries have demonstrated that there were choices that could have been made, from early testing, non-mandatory distancing (eg Sweden) to early adoption of systematic health recording (such as in South Korea). The question will be asked in future whether the coronavirus outbreak was indeed a national emergency that warranted these compromises.
In his damning indictment of lockdown last weekend in the Daily Mail, Lord Sumption called on us all “to ask ourselves what are the limits to the things that the State can legitimately do to people against their will in a liberal democracy” and it is a point well made that begs for discussion.
In the UK, the justification for lockdown and the impact of it on our civil liberties was to “protect our NHS”, balancing the need for access to medical care with a restriction on social freedoms. In a state where healthcare is free and covered by National Insurance this is a quid pro quo that is easy to defend: The average cost of treatment for a Covid-19 hospital stay in the US is $35,000 and many countries where medical costs rely on private insurance have legislated to cap fees hospitals can charge for Covid-19 patients, both to prevent profiteering and to protect their medical aid industries.
Whatever your political leaning, the knowledge that if you are sick you will be cared for, free, by skilled practitioners with capacity to deal with your illness and the knowledge that “our NHS” has not collapsed (as other healthcare systems have) is reassuring. Time will tell whether the preservation of lives versus the curtailment of personal freedom and cost to the economy was a balance well struck.
Right now we should be asking ourselves how long can the Government justify these emergency measures and do we want mass surveillance and data collection to be part of our “new normal”?
WRC. The most obvious way in which data protection principles are threatened is in relation to those technologies being used for population surveillance and monitoring. For the time being, much of this surveillance (even in its more intrusive form) can be justified by reference to the public health emergency, provided that a proper lawful basis for processing has been identified and subject to appropriate impact assessments being undertaken. It is going to be very important, however, to be alert to the persistence of many of these apps and other monitoring tools, beyond the conclusion of the present emergency. It will be tempting for governments and other organisations, having tapped into this fresh rich seam of data, to continue to draw on it after the emergency has passed and at that point there is a real risk of civil liberties being endangered without a suitable lawful excuse.
Less prominent, but perhaps more widespread, has been the erosion of data protection principles in the domestic setting in connection with home working. As mentioned above, these home working arrangements were often put in place at very short notice, and for understandable reasons the focus at that point was on getting businesses back up and running as quickly as possible, rather than necessarily considering data protection compliance. For their employers, this may present a significant risk, if arrangements put in place are not up to the standards of security imposed within the business in “ordinary” times. A breach by a home working employee could expose the employer to direct or vicarious liability, and may also amount to a breach of contract if the business is a data processor, having given warranties about the technical and organisational safeguards that it imposes in connection with the processing of data entrusted to it.
Preventing government overreach
AH. Are existing data protection legislation and civil liberties laws sufficient to address any government overreach?
JF. The answer to this is almost certainly “no” as the Coronavirus Act 2020 provides a pretty open playing field for ‘temporary measures’ to protect life and society at large, which can be interpreted as imposing radical restrictions in the interests of “public health”.
We know that the bigger the data, the easier it is to spot trends and all the science about epidemiology points to the importance of being able to anticipate spikes and trace and isolate “Typhoid Marys” and “super-spreaders” to stop the spread of contagion. The main concern is that data protection and civil liberty acts are always trumped by emergency measures in the “interest of national security” and its ilk and the tech community is already expressing concerns over project creep of track and trace apps as “updates” that require or optionally encourage further information sharing are rolled out and people aren’t aware how to disable those.
WRC. It is important to bear in mind that while existing legislation can be used to tackle such overreach, that is not its primary purpose – and it is always preferable to make sure that new legislation is properly scrutinised for unintended (or deliberate) consequences, before it is enacted. Where governmental overreach is effected through other primary or subordinate legislation, tensions can arise between the competing legislative regimes and, as mentioned above, those tensions are resolved differently in the midst of a public health emergency and after that emergency has abated.
The track and trace app
AH. The government has announced the development of a track and trace app. What is known about the technological feasibility of such an app, whether it could result in any legal implications and is there any guidance for developers?
JF. We know that track and trace works when done by human tracers and the UK Government has recruited thousands of people for this purpose. As for doing it via an app, it seems like the Holy Grail of epidemiology and we know that it “could” work.
The NHSX track and trace app being trialled in the Isle of Wight uses mainstream SDKs and so it should be operable with any phone and accessible for any developer to improve. This is not to say that it isn’t secure – we are assured that the same level of security applied to patient data across the UK is being applied to the database.
The UK’s own National Cyber Security Centre admits that use of track and trace apps is new. Technical Director Ian Levy says: “Digital contact tracing is new and no-one’s done it at scale before. Using Bluetooth to measure distance in the real world hasn’t been done at this scale before. Interoperating between massive numbers of different devices in ways that weren’t originally conceived hasn’t been done before. And we’ve not battled a pandemic like this before.” That’s a pretty binary statement acknowledging that this is new and untested.
Whether an app is centralised or decentralised it seems the best way to track and trace is with a single system that works to a single reporting standard and protocol and continues to be effective as people travel across borders. From my perspective as a lawyer, the argument should not be which system is better, but who do we trust more with our data – Government or Google et al, when neither has a good track record with privacy or of being entirely honest about how data collected is used.
WRC. The feasibility of the government’s track and trace app appears to depend heavily on the degree of uptake. This in turn depends to a significant extent on the confidence that members of the public have in entrusting their data to a form of governmental surveillance. From a limited trial so far in the Isle of Wight, it seems that more work needs to be done to instil such confidence. In terms of guidance for developers, I would always recommend that if an application is going to be processing significant quantities of personal data, a data protection impact assessment should be undertaken at the outset, and that the principles of data protection by design should be followed throughout. This ensures that the rights of the data subject are put at the heart of any design, and only impacted to the minimum extent (and for the minimum time) necessary to achieve the app’s purpose. Plainly a failure to protect the interests of the individuals using the app could expose the developers or those who make use of any data derived from it, to significant legal consequences such as regulatory fines or civil claims.
The Coronavirus Act 2020
AH. Does the Coronavirus Act 2020 contain any measures which could impinge on data protection and/or civil liberties?
JF. In England, the history of temporary legislation remaining so is poor. Most law students scoff when they are told that the first Income Tax act was famously introduced as a “temporary measure” 200 years ago. No-one would want to see the Coronavirus Act remaining in force eternally.
Whilst much has been made of social distancing and lockdown obligations under the Act and the powers to detain persons (s 51) and restrict gatherings (Schedules 21 and 22), extensions to the right to retain fingerprint and DNA evidence (“in the interests of national security”) under s 24 have hardly been mentioned, yet these give additional powers to law enforcement to retain biometric data well beyond existing timescales.
Nor has the right for Government to call upon food producers for information about food security and Government’s ability to potentially suppress information relating to food supply been highlighted (s 25). This is surprising given the usually vocal nature of the UK food industry lobby; but then the 1 per cent of turnover fine might be increased if it did become outspoken.
WRC. There are a number of provisions which have the potential to impact on data protection/civil liberties, but the way that the Act is organised broadly appears to anticipate these concerns and limit the scope of such powers’ effects. So, for example, section 24 of the Act allows the Home Secretary to make regulations extending time for the storage of fingerprint and DNA information, but only where there is a determination that the coronavirus pandemic is impeding the ability of the security services to process that data, and that it is in the interests of national security for such data to be retained. There are time limits on how far such retention can be extended, and if the pandemic is brought under control, the provisions of the Act and subordinate legislation enacted under it will be subject to review and will expire if not renewed.
One more thing
AH. Any final thoughts?
JF. There is a very real risk that project creep, lack of public understanding of what is supplied and how it can be used, and the type of data sharing under track and trace regimes could normalise mass surveillance, even in countries that believe they have a good track record of civil liberties. This may be the perfect time to consider these questions and perhaps to wonder if maybe there is a reason the ability to see things clearly is called 2020 vision?
Alex Heshmaty is technology editor of the Newsletter.
Joanne Frears is IP & Technology Leader at Lionshead Law, a virtual law firm specialising in employment, immigration, commercial and technology law. She advises innovation clients on all manner of commercial and IP matters and is a regular speaker on future law. Email firstname.lastname@example.org. Twitter @techlioness.
Will Richmond-Coggan is a director in the data protection team at Freeths LLP. He acts for clients from start-ups to multinationals and advises on a wide range of strategic, commercial and contentious data protection and privacy issues. Email William.Richmond-Coggan@freeths.co.uk. Twitter @Tech_Litig8or.