The world has certainly changed for all of us in the past five months. While the largest casualty of the pandemic has been human lives and the negatively impacted health of many survivors, digital privacy is also at the top of that list.
Even before COVID-19 became headline news, data privacy was under attack with a number of regions and countries struggling to adopt, implement, or regulate their own privacy-related regulations. The European Union, in particular, had been struggling on numerous fronts, including:
Brazil (Lei Geral de Proteção de Dados) and South Africa (Protection of Personal Information Act) have also struggled with implementing their own version of GDPR, with both countries delaying the regulatory effective date.
But now we are witnessing a new pivot in the data privacy battle, with rollbacks and challenges to even the basic data privacy principles. EU countries are struggling to hold up privacy rights in the face of both health issues and the economic impact. Hungary notably suspended select privacy rights to deal with the country’s state of emergency during the pandemic. Croatia’s government proposed a legal amendment that would allow telecom providers to release geolocation data to the government for tracing individuals who fell ill and were required to self-isolate. Even the European Data Protection Board (EDPB) which is the independent European agency for ensuring the respect of data protection laws, recently stressed the importance of sharing health data between countries for research purposes above respecting individual data privacy rights.
Most of the governments are justifying the sacrifices of individual data privacy rights as a trade-off for individual and societal safety, promising it will only be a temporary measure during the state of emergency. But exceptions are really hard to roll back once implemented. If you lived through 9/11 and have seen the excessive collection and sharing of personal data, you understand this to be true. Or if you reside in the U.S. and still pay income tax which dates to the Civil War and has never been rolled back, but merely modified through generations.
We’ve all been worrying about our health. That was certainly a priority for most governments, which is why contact tracing and other virus containment strategies took precedence over personal data privacy. As we start to grasp economic realities resulting from sheltering in place and lowered productivity, it will be more tempting to sacrifice data privacy principles in order to generate income. The first indicator of this trend is the EU, which desperately needs to see a rebound in tourism which accounts for nearly 10% of the region’s GDP. The Commission has recommended the opening of borders and welcoming of tourists, with cleaning, but also careful contact tracing.
In the U.S. we are seeing the uptick in personal data collection as a way to support contact tracing and enable families to once again enjoy summertime at the beach, or the resumption of summer camps. The COVID-19 Consumer Data Protection Act of 2020 was introduced in early May to protect whatever semblance of data privacy remains with users. Unfortunately, the bill is seen as low priority in Washington and is unlikely to make quick progress. For the time being, we are likely to be left in limbo, reflected in the reality of personal comfort with personal data sharing: 50% of consumers willing to use a contact tracing app that uses their personal data.
From a regulatory perspective, all eyes on California since the California Consumer Protection Act (CCPA) went into effect in January with enforcement slated to start in July. However, the regulation is still not fully finalized and with COVID distracting lawmakers and businesses alike, I won’t be surprised if the regulation is paused until at least October or into 2021.
India and Japan have indicated they will push off data protection regulation initiatives as a result of the pandemic and a focus on normalizing local economies. South Africa has postponed POPIA adoption to an undefined date given the additional strain on regulatory resources. As governments continue to struggle with the tradeoff between security and economic stability with data privacy, we will see data protection efforts deprioritized.
The regulatory data privacy tug of war will continue for the foreseeable future, and we are unlikely to see governments resume pre-COVID levels of attention to enforcing citizen rights until economies begin to rebound (likely a 2-3 year timeframe). While your organization may face less risk around legal and regulatory matters, consumer sentiments on data privacy should be front and center as the picture is much clearer in that aspect. What this may mean for you includes:
As we get through the initial phases of this pandemic, start to be more collaborative and open about data privacy practices with your prospects and customers. It takes 21 days to learn a new habit, and we are well beyond that for COVID-19. Habits have been shaped during this time will stick around going forward. We might just be moving in the right privacy protection direction as a result of this unexpected event – one where the consumer priorities are driving business behavior and we are striking at the right balance between business interests and user expectations.
Photo by Hayden Walker
Sign up and stay up to date by getting insights like this delivered to your mailbox.