By Crystal Woody, Senior Director of Strategic Communications at Privitar
Earlier this week, I had the opportunity to catch up with Stewart Room, Partner & Data Protection Leader at leading global law firm DWF. Stewart is a data protection, privacy and cyber security expert, covering all aspects of strategy, law and compliance. A dual qualified barrister and solicitor with nearly 30 years’ experience, Stewart has practised exclusively in the fields of data protection, privacy and cyber security since 2001 and is recognised in the UK as one of the country’s leading lawyers.
During our conversation, we discussed the state of data privacy during the Covid-19 pandemic. We also talked about the role of regulators in times of crisis, and advice for businesses during this unprecedented time. The transcript of our interview follows.
Stewart will share additional insights on Data Privacy During the Pandemic on May 14th (6:00pm BST / 13:00pm EDT) during In:Confidence Digital. For more information about his session, or to register for free, visit: https://inconfidence.privitar.com/digital.
CW: What is the role of data protection regulators in a time of crisis?
SR: Looking at it from the perspective of the UK, there is no ambiguity about the regulator’s role in this situation. They have to discharge their statutory duties and uphold the law. If they don’t, they will be acting unlawfully.
The tasks of the DPAs are set out in Article 57 of the GDPR, with the first one being monitoring and enforcing the application of the regulation. When it comes to activities such as building contact tracing apps, there are two key elements of their tasks to note. First, there is the giving of advice to parliaments, governments etc. on the impacts for rights and freedoms caused by any legislative or administrative measures in place, or in contemplation, for COVIDTech. Thus, you would expect the DPAs to be in conversation with government and public health authorities right now and data processing for public health. The second major task is to oversee the performance of data protection impact assessments. DPIAs will be compulsory for contact tracing apps and I would expect the DPAs to be in the detail and, of course, pressing for them if they are not being proactively supplied for review, if necessary enforcing the law through formal means.
Looking at this a different way, it’s not the role of DPAs to be advocates for COVIDTech. They have to maintain their independence and neutrality. Also, it’s not their job to lower legal standards. Nor do I think it’s their job to be popular, for example by taking a temperature check of prevailing public opinion, or guessing at what it is, then siding with the consensus, perceived or real. COVIDTech will not be judged fully in the heat of the crisis. It will have a long aftermath of deep scrutiny, over many, many years, and the regulatory stance adopted today will be part of the scrutiny tomorrow.
It’s not an easy job. There are a lot of challenges and pitfalls in the way. However, the DPAs’ offices are stacked with very talented and clever people and this must be encouraging for good outcomes.
CW: How has the COVID-19 pandemic shifted the data privacy landscape?
SR: There are many shifts. I find it a source of real comfort that it has caused people to become more engaged with the topic. It’s vital that data privacy is democratised: it is not the preserve of elite lawyers, elite academics, elite technologists or elite regulators. It is a topic for everyone. Another shift – and I think this is very significant – is that the regulators themselves are coming under scrutiny, about the role they are taking in COVIDTech. I’m not sure where that is heading, but it’s vital that confidence is maintained in the regulatory regime and I don’t think we can divorce the COVIDTech issues from the wider concerns about the effectiveness of GDPR enforcement.
In an area that is very close to my heart, which I call ‘The Journey to Code’, which is about the likely future trajectory of data privacy requiring more data privacy ‘outcomes’ to be delivered in tech and data themselves, I believe that COVIDTech is proving the point. The conversation about centralisation v. decentralisation for contact tracing apps is an obvious illustration. Another is Bluetooth v other electronic signals. The Apple/Google alliance is another.
However, the most significant shift is towards a greater surveillance society. It’s the classic challenge of crisis situations and we saw it after 9/11. No wonder people are concerned. We want to fight the virus, we want to protect the vulnerable and the front line, we want to end lockdown and return to normality but at the same time we want to maintain our rights and freedoms. The reality is that we can’t have everything, there have to be trade-offs of sorts. The key goal is not to cause an absolute and perpetual trade-in of rights and freedoms for immediate gains.
CW: Do you expect to see long term changes to data protection and privacy as a result of the COVID-19 pandemic?
SR: Anything is possible. When I was a young(er) lawyer, in the 1990s, I read about ECHELON surveillance and dismissed a lot of what I read as conspiracy theory. After 9/11, many governments went about building mass surveillance systems. I was much older and wiser when I read about Edward Snowden’s disclosures, but the scale and breadth of the structures built after 9/11 astounded me. My point is that we should not rule out the creation of a perpetual mass surveillance system in the West triggered by COVID-19. I do not see this as a fear of the paranoid, but a real risk. And I remember a previous Information Commissioner saying not long ago that we were ‘sleepwalking into a surveillance society’.
However, in a more positive sense, I hope that the wider public engagement maintains for the longer term. GDPR triggered that, but it ran out of steam due to the enforcement system not living up to expectations. I hope that isn’t the case again.
CW: What piece of advice would you offer to businesses with respect to data usage and protection during this time?
SR: The best thing I can say is remember, the law still applies and people haven’t changed. COVID-19 cannot be a reason to throw away workplace protections against surveillance, discrimination and inequality. Every step that employers take to maintain health and safety in the workplace when we finally return, will need to be reasoned against the legal obligations just mentioned. In the meantime, while we are working from home, or under less supervision, businesses have to reflect anew on their risk levels and their risk priorities. Without wishing to be alarmist, I predict that there will be a long legal aftermath to COVID-19 and that will include legal problems relating to data mishandling in business, not just in an insecurity sense, but also for mistreatment of workers. Another thing: what are all of these CEO emails about? I am getting dozens each week from organisations that I haven’t had contact with for years. Much of this is direct marketing dressed-up. This definitely needs looking at.