What about after this is all over? Surveillance, democracy, and data protection legislation in times of COVID-19

The past few weeks have been marked by the worsening of the public health crisis associated with the spread of the new coronavirus. In response, we observe a global escalation in institutional reactions to this situation: parliaments recognize exceptional states, governments extend their powers through decrees, personal data are mobilized to monitor the quarantined population and the lobby in favor of weakening of legal protections to citizens’ privacy grows. In this context, activists and experts are filled with concerns about the potential impacts of decisions made during the crisis for the future of democracies and digital rights.

Where do we draw the line of the unacceptable? And what will be done with the data collected after the end of the pandemic? In today’s post, we examine some of these questions and reflect on the responses given by government officials to the advance of the pandemic.

In the sanitary war, new technologies are weapons

“We are at war. It is a sanitary war”, French President Emmanuel Macron declares, “We are not fighting an army or a nation. But the enemy is there, invisible, advancing, and that requires all of our general mobilization”. Indeed. With more than one million confirmed cases and tens of thousands of deaths worldwide, the pandemic caused by the new coronavirus is already one of the most relevant political, economic and social events of the past hundred years. And since exceptional times call for exceptional measures, governments around the world have made extensive use of such measures, often triggering the massive surveillance provided by new technologies in the process.

In China, the mobilized apparatus includes CCTV cameras installed in front of houses with confirmed cases, drones that reinforce the importance of using masks and apps that monitor the movement of individuals. In Germany, Italy, and Austria, governments call on cell phone operators to obtain data to support heat maps capable of revealing gatherings. In Israel, the national security agency has been mobilizing personal information secretly collected from the population’s cell phones since 2002, allegedly for the initial purpose of counterterrorism. The government of the Indian state of Karnataka demands selfies from its citizens every hour. The COVID-19 Digital Rights Tracker page, dedicated to monitoring restrictive measures of digital rights in the fight against the pandemic, already registers 20 countries performing digital tracking of their citizens.

Technology companies, in turn, proactively offer a myriad of solutions theoretically capable of contributing to the containment of the disease. The COVID-19 Mobility Data Network, a partnership between Facebook, Camber Systems, Cuebiq and epidemiologists from several universities, aims to inform policymakers on a daily basis about the effectiveness of social distance interventions by analyzing aggregated data on population mobility. Camera makers, such as Australia’s Rapid-Tech Equipment, Britain’s Westminster International and US Testo Thermal Imaging, promise equipment capable of detecting fever. In Brazil, Recife’s In Loco and Rio de Janeiro CyberLabs establish partnerships with city halls to use geolocation and artificial intelligence, respectively, to monitor social isolation in their cities.

In the face of such an emergency, uncertainty affects academics and digital rights activists. Glenn Greenwald, one of those responsible for publishing Snowden’s revelations, ponders: “I am very concerned about civil liberties, but at the same time, I am much more receptive to proposals that I never expected to be in my entire life, given the gravity of the threat”. What measures regarding population monitoring and the use of personal data are acceptable? For how long? What are its long-term effects? The answers are not as obvious as they would be in another context.

What is becoming increasingly evident, however, is that we find ourselves at a critical juncture: a situation of uncertainty in which the taken decisions will significantly impact institutional developments after the medium and long term. For this reason, academics and activists are increasingly concerned about the possible effects of these exceptional measures for the future of democracies and human rights, especially digital ones.

And when quarantine is over? The future of democracies and digital rights after the pandemic

Many parallels have been drawn between the crisis triggered by the new coronavirus and the financial crisis of 2008. Among the differences that the comparison shows, however, one stands out: as internationalist Tanguy Baghdadi notes, at that time, multilateralism was much stronger in the international system, which made it easier for governments to respond to the episode in a coordinated way. In 2020, on the other hand, we are in a post-Brexit world and after a decade marked by the rise of nationalist and ultra-nationalist governments with authoritarian tendencies in several liberal democracies.

In this context, although the current crisis could be expected to strengthen the multilateralist position, many of these governments have adopted even more isolationist discourse and advocated actions that increasingly concentrate powers in their Executive branches. In Europe, the unilateral border closings observed at the beginning of the crisis, the slowness of responses at the bloc level and the tensions that have dominated the debates on economic burden-sharing by Member States fuel Eurosceptic discourse. In the US, Donald Trump states: “That’s why we need borders.”

The exceptionality used to expand surveillance is also mobilized to legitimize the suspension of checks and balances that limit the power of the Executive branch: this is observed in Viktor Orbán’s Hungary, who passed an authorization for the Prime Minister to govern by decrees for an indefinite period, and also in Israel, where Benjamin Netanyahu’s government temporarily suspends parliament and closes courts, thereby postponing Netanyahu’s own trial for bribery, fraud, and breach of trust.

The uncertainty regarding the duration of actions of this nature worries academics and activists, for whom examples of authoritarian measures approved in other recent and later normalized crises abound.

Many recall the case of the Patriot Act, legislation enacted in response to 9/11 that immensely expanded the US government’s surveillance powers. Although the original text of the law provided that it would remain in force only until 2005, the norm has undergone various subsequent renovations and several of its provisions remain in effect today. In the words of Albert Cahn, executive director of the Surveillance Technology Oversight Project: “We have absolutely no reason to believe that government agencies eager to expand their power in response to COVID-19 will be willing to see these authorities lapse once the virus is eradicated.”

We do not need to choose between privacy and public health

In Brazil, the crisis has had a profound impact on the Brazilian data protection ecosystem. One of its most notable effects was the intensification of the lobby for postponing the entry into force of the General Data Protection Act (Lei Geral de Proteção de Dados – LGPD), which was due to start in August. In the context of the reduction of its revenues due to the pandemic, the business field pressures the Legislative branch, arguing that it is not able to bear the costs of complying with the law. Similarly, government sectors try to frame the law as a barrier to the processing of citizens’ data in order to combat the spread of the virus. In this narrative, we would have to give up the right to privacy to guarantee public health.

This is a mistake. The General Data Protection Act expressly authorizes (Arts. 7 and 11) the processing of personal data, including sensitive data, for the purpose of “protecting life or physical safety”. In fact, instead of constituting a barrier, the LGPD would be a powerful institutional instrument for confronting the coronavirus, since it would not only bring legal certainty to the private sector and the government in handling this data but would also provide a series of safeguards and protection guarantees of citizens’ fundamental rights.

For this potential to be realized, however, it would also be essential to structure the National Data Protection Authority (Autoridade Nacional de Proteção de Dados – ANPD), a central institution capable of standardizing the interpretation of the law to provide greater certainty at that time, as well as guiding the entities that process data personal data in Brazil. Unfortunately, the federal government has been slow to move ahead with the creation of the authority.

In the absence of LGPD and ANPD, the scenario ahead is alarming. At present, the protection of personal data in Brazil is disciplined by a series of sectorial and dispersed rules. To them, the tendency is to add numerous new legislation (federal, state and municipal) produced to facilitate data sharing during the pandemic, especially in view of the notable gap between the Federal Executive and the other spheres in dealing with the crisis. Add to that the absence of a central authority and the result will be an extraordinarily disharmonious regulatory regime which will be subject to the fragmented interpretations of the judicial institutions of twenty-seven different federative units.

In addition, extending the LGPD will mean creating barriers for Brazilian companies to enter the global digital economy, since regulations from different jurisdictions (such as the European Union) condition the transfer of personal data from their citizens to countries with adequate levels of protection personal data, something that will only come with the LGPD. It is also noteworthy that it will favor the insertion of Brazil in the OECD and will provide the necessary regulatory certainty for Brazilian companies to recover at the end of the pandemic. It is a law produced after a decade of debates and unanimously approved, being a civic and economic advance for Brazilian society. Regarding this point, there is no room for uncertainty: COVID-19 reinforces the need for LGPD and ANPD.

Conclusion

The dimension of the public health crisis that we are experiencing causes insecurity about the universe of acceptable measures to combat the spread of the new coronavirus. Undoubtedly, it is a context of absolute exception, to which institutions must respond in an exceptional way. What it is not, however, is a free pass for the unrestrained expansion of the State’s vigilantist capacities over the population, nor for the disproportionate concentration of powers by the Federal Executive. All responses to the crisis must be transparent, scientifically based, proportionate and, whenever possible, temporally delimited from the beginning. In the case of personal data, similarly, the processing must take place in an aggregated and anonymized form whenever possible. In addition, the LGPD and the ANPD would bring predictability and legal certainty and help in an effective fight against the coronavirus crisis.

Interested in today’s post? Understand more about the General Data Protection Act and its impacts on Brazil in our post on the subject.

The views and opinions expressed in this article are those of the authors.
Illustration by Freepik Stories