The Dutch data protection authority, Autoriteit Persoonsgegevens, has said it will recommend against a Bill currently working its way through Parliament to use telecoms data in the COVID-19 fight.
This proclamation from the Chairman of the Dutch watchdog, Aleid Wolfsen, is a condemnation against the work being done, a warning against walking the wrong path, though it remains to be seen whether these words are considered.
“The data has not yet been unconditionally anonymized, the usefulness and necessity is insufficiently substantiated and the guarantees that we have advised are not sufficiently included in the law,” Wolfsen said in an interview with local media outlet Nos.
Although this is the most public and condemning view of the law, it is not the only criticism which has been circulating the country. Telecoms operators are anxious this data could be shared with authorities outside the original intent, while privacy advocates worry the protections to ensure anonymity could be reverse engineered. Security is another concern from Wolfsen.
“If such a database is created, it could leak,” the Chairman stated. “Then others can access it and you can combine it with other data.”
As with everything in life, there is an element of risk, and it is generally accepted in the digital economy that nothing is 100% secure. However, risk has to be embraced and mitigated suitably, otherwise there would be no progress whatsoever. But, the right protections have to be incorporated.
The Bill which is currently working its way through the Dutch House of Representatives would expire after a year but would force the telecoms operators to collect more data on customers and share it with Statistics Netherlands. The telecoms operators must determine which municipality customers live in but then also roaming data to understand where these individuals have travelled to recently.
The National Institute for Public Health and the Environment (RVIM) has likened this data to a smoke alarm. The analysis would give better insight to the spread of the coronavirus, enabling authorities to better react to a potential second wave.
While the theory is sound, the practicalities of reality have seemingly not been addressed. According to Wolfsen, there have not been enough privacy and security protections written into the potential legislation, explaining opposition to the Bill, though it does put the country in somewhat of an awkward position.
In March, the European Data Protection Supervisor (EDPS) said data sharing to combat COVID-19 was acceptable, assuming the right protections have been put in place. Aggregated geo-location data is one proposed initiative which the telcos can help with, though the data must be anonymised to ensure privacy rights are maintained. It is questionable whether this advice is being understood by in the Netherlands, though it would not be the first-time politicians have ignored technicalities.
France is another which seems to have ignored educated advice, creating a centralised server approach to data collection and even asking Apple to remove security and privacy features to ensure the app works correctly. The French Government claimed the app has been a success, though evidence would suggest otherwise.
The primary issue faced by Governments is the decision to centralise data collection and analysis on servers, or take a decentralised approach where data is stored and analysed on consumer devices. The latter is much more secure and better able to maintain privacy, but you do lose flexibility for analysis as there is not centralised server with all the raw data.
Despite the European Commission suggesting there should be a standardised approach to COVID-19 tracking apps, political egos have taken over with fragmentation spread throughout the bloc.
|Country||Name of app||Launched?||Centralised or decentralised data||Voluntary adoption?||Bloc-wide approach?|
The apps which do seem to be the most successful are those where the decentralised approach has been embraced. Norway has suspended its own application due to privacy concerns, while the attempt in the UK has been an absolute disaster, with the Government preferring the centralised approach, failing to deliver a competent application and heading back to the drawing board.
Interestingly enough, a survey which emerged in May suggested IT professionals had little faith in the UK’s approach. Only 24% thought the app would succeed, with 51% stating the Apple/Google decentralised approach would have been the best.
While there was always going to be teething pains for such an application, perhaps the most sensible route would have been to listen to Google and Apple.
These are two companies who have nailed the digital economy. They know how to build successful applications and drive user adoption. However, the creation of an API championing the decentralised approach and refusal to work with Governments on a centralised model, has pushed a wedge between the egotistical political class and Silicon Valley.
In the Dutch case, it does appear once again that the political elite are shunning advice from experts to further their own case. Like flat-earthers, there seems to be an insistence to only listen to opinions which support their cause, as opposed to combatting potential problems at the source.
Here, Wolfsen is probably correct. The right protections have not been put in place, the Chair of the Dutch data protection authority would probably know, but we suspect this will matter very little ultimately. Political movements can often be compared to supertankers; shifting course is incredibly difficult, a task few have the appetite to take on.