Privacy more important than ever in the fight against COVID-19

The rise of COVID-19 tracking apps worldwide has sparked increased awareness and debate about the right to privacy. We spoke with two of our seasoned privacy officers, Kjetil Rognsvåg and Kari Laumann, who have dedicated much of their careers to this very topic.

Written: Jun 2020

Reading Time: 4 minutes

Thank you, Kjetil and Kari, for agreeing to share some perspectives with us on the COVID-19 impact on our privacy. Can you help us understand the specific privacy issues raised by the emergence of new apps to ‘track and trace’ the spread of COVID-19?

Kari: The COVID-19 pandemic has shown the tremendous power that lies in personal data. If used correctly, the data can help contain the spread of the virus and help us get back to our daily lives. If the benefit is great enough, people are willing to share their data. But, the discussion and concerns that have taken place across the globe show that people want to combat the virus, but they also value their privacy. Therefore it crucial that both public and private sector sets the highest privacy standards for the tools used to curb coronavirus.

Kjetil: One of the obvious concerns has been the connection between location and health-related data. Both types of data are confidential or sensitive, and the gathering of these particular types of data should, in my opinion, cause reactions and questions in society.

The COVID-19 ‘track and trace’ apps have popped into our lives quite quickly…

Kari: Speed has been essential, but this has perhaps had an impact on quality, potentially creating a higher risk for unwanted processing/errors/data breaches.

Kjetil: The emergence of these apps has also raised concerns that people will get accustomed to this kind of surveillance, and that authorities and others will find them useful for other purposes going forward, and that privacy, in the long-run, will be threatened.

Is there a ‘right’ way and a ‘wrong’ way for these COVID-19 apps to track and trace?

Kjetil: I think that the most relevant European (GDPR) principle for these apps would be “privacy by design”, data minimization, strict retention periods – in combination with sufficient security. It’s about starting the development process by aiming for the most privacy-friendly design or set-up of such an application, keeping the amount of information used to a minimum, storing information for short periods and ensuring that that information is safe and secure while it’s being stored.

What should users look out for when evaluating whether to install a track and trace app? 

Kari: Users should look for transparent and thorough information about how the various apps are processing their personal data. But I admit that it is difficult for the average user to assess the security and privacy measures of such an app.

Kjetil: Also, you should check the data retention times, which should be kept to a minimum. For example, storing personal data for 30 days is the case for one of the track and trace apps I’m aware of, which is a relatively short time-frame for this kind of information.

Storing data for a longer period, even if for research purposes, would potentially have more severe privacy consequences. I’ve not read any arguments for why you would need to retain this kind of data for a very long period in order to track, trace and notify users.

There has been a lot media coverage about different models for the COVID-19 apps, decentralized versus centralized. Which of these models is better for us in terms of privacy?

Kari: I believe that most privacy professionals would argue that a centralized model, in which there’s a central database with all details, is the less ideal solution. A decentralized model, where most of the information is stored locally on the users phones (which is what Google and Apple are proposing), is more ideal in terms of privacy.

Do you believe that people are willing to share more (and worry less about privacy) in times of global crisis?

Kari: Yes. I believe that people are willing to share more if they see it as beneficial for themselves or their families. I don’t believe they are less concerned about privacy though, but rather if they experience that giving up some of their personal information will lead to fewer victims, less suffering, and kids returning to schools, then yes, they are more likely to give away more information.

Does that mean that we need to make a choice between our privacy or sharing our data to stop the spread?

Kari: In some countries, you might not have a choice and you need to download an app or share your data in other ways. I do believe that both authorities and companies need to aim higher: to develop tools that both achieve the purpose (in this case curbing spread of Covid) and safeguard peoples’ privacy. This is also a legal requirement in Europe and some of our Asian markets.

Kjetil: I just want to mention that Article 12 of the 1948 Universal Declaration of Human Rights states: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.”  In this statement, it is clear that there is an element of choice for individuals. I have the right to choose what I want to share from my personal life. This is not about giving up on privacy – this is for me the core of privacy! I have the right to choose.

Thank you both for sharing your perspectives and educating us a bit more on the privacy situation amidst the COVID-19 crisis

About our privacy experts

Kari Laumann is based in the Telenor Bangkok office and is part of the Group Privacy team. Kari is a sociologist and has 10 + years of experience as a privacy professional, including working for the Norwegian Data Protection Authority.

Kjetil Rognsvåg has worked with privacy in Telenor for the past 18 years – in projects, in various Data Protection Officer (DPO) roles, as Group Privacy Officer and present as DPO for Telenor ASA and Telenor Global Services/Wholesale. He has a long record from telecom both at Ericsson and Telenor, in Europe, Asia and the Americas. Kjetil holds a BSC in electronics and is a Certified Information Privacy Manager (CIPM).