By Arne Hintz

The pervasive tracing, tracking, and analysing of citizens and populations has emerged as the tradeoff of an increasingly datafied world. Citizens are becoming more transparent to the major data-collecting institutions of the platform economy and the state, while they have limited possibilities to intervene into processes of data governance, control the data that is collected about them, and affect how they are profiled and assessed through data assemblages. The COVID-19 pandemic has highlighted the centrality of these dynamics. Contact tracing and detailed identification of outbreak clusters have been essential responses to COVID-19. Yet, detailed data about our movements, interactions and pastimes is now tracked, stored, and analysed, both “online” through the use of contact-tracing apps and “offline” (e.g., when we fill in a form at a bar or restaurant). The rise of tracking raises the question of how exactly data is collected and analysed, by whom, for what purposes, and with what limitations. Essentially, it signals the necessity of legal safeguards to ensure that data analytics fulfil their purpose while preventing privacy infringements, discrimination, and the misuse of data. The COVID-19 pandemic thus alerts us to the importance of effective regulatory frameworks that protect the rights and freedoms of digital citizens. It also demands public involvement in a debate that affects our lives during the pandemic and beyond.

The wider context of data policy in the wake of major data controversies by both public and commercial institutions—from the Snowden revelations to Cambridge Analytica—is currently ambiguous. On the one hand, it reflects a deeply entrenched commitment to expansive data collection. On the other hand, it increasingly recognises the need for enhanced data protection and citizens’ data rights. In many countries, the possibilities for monitoring people’s data traces (particularly by state agencies) have significantly expanded. The UK Investigatory Powers Act from 2016 serves as a stark example, because it legalised a broad range of measures, including the “bulk collection” of people’s data and communication; the “internet connection records” (i.e., people’s web browsing habits); and “computer network exploitation” (i.e., state-sponsored hacking into the networks of companies and other governments as well as the devices of individual citizens).¹

At the same time as these encroachments, we have also seen the strengthening of data protection rules, most prominently by the European Union General Data Protection Regulation (GDPR) in 2018. The GDPR enhances citizen control over data by providing rights to access and withdraw personal data, request an explanation for data use, and deny consent to data tracking by platforms. It requires that data be collected only for specific purposes to reduce indiscriminate data sharing and trading. The GDPR also limits the processing of sensitive personal data. While some elements of the GDPR have been controversial and the regulation overall is often described as insufficient, it has been recognised as an important building block towards a citizen-oriented data policy framework. The emerging policy environment of data collection and data use has been significant in societies that are increasingly governed through data analysis and processes of automated decision-making. Profiling citizens and segmenting populations through detailed analysis of personal and behavioural data are now at the core of governance processes and shape state-citizen relations.

What does the shifting data environment mean during COVID-19 times? How should regulatory frameworks enable and constrain the tracking and tracing of virus outbreaks, and what boundaries should exist? If we accept that some data collection and analysis is useful to address the pandemic and its serious health implications, the purpose limitation of this data (as highlighted by the GDPR) becomes crucial. In some countries, contact-tracing apps were designed to track a much wider range of data than initially necessary for tracing infection chains and enable government agencies to use that data for non-medical tracking purposes. In order to avoid contact-tracing becoming a Trojan Horse for widespread citizen surveillance, strict purpose limitation would be an essential cornerstone of a robust regulatory framework. Similarly, limitations to the collection of sensitive data and the deletion of all data at fixed times during or after the pandemic would be core components of such a framework. While it may be debatable whether wider data collection and sharing would be acceptable as long as the affected individuals give their consent, a consent model often leads to pressures and incentives for citizens to hand over data against their will and interest, which would make strict prohibitions seem a more appropriate mechanism. The COVID-19 contact-tracing case thus points to some of the elements that are increasingly discussed and regulated as part of policy reforms such as the GDPR, and it highlights the challenges of indiscriminate data collection.

Indiscriminate data collection also poses questions about who should develop such policy, and whether broader public involvement would be desirable or even necessary. The COVID-19 pandemic helps us explore the role of citizens as policy actors. Contributions to the regulatory and legislative environment by civic actors outside the realm of traditional “policymakers” have received increased attention in recent years. These range from the role of civil society in multi-stakeholder policy processes to policy influences by social movements and to the development of specific legislation by citizens in the form of what has been called crowd law and policy hacking.’ The COVID-19 case demonstrates multiple dimensions of these kinds of public engagement. It shows the strong normative role of technical developers arguing for decentralised data storage options in contact-tracing apps (e.g., the Decentralised Privacy-Preserving Proximity Tracing project), who have prevailed in many cases over the initial government intention to centralise data handling. Further, we have seen legal scholars taking the lead in proposing relevant legislative frameworks, for example, by developing a dedicated Coronavirus Safeguards Bill for the UK (which has not, so far, been adopted by the UK government but has still influenced the debate on contact-tracing). The public discourse on COVID-19 responses in many countries has also considered the problem of data collection and possible privacy infringements, thus placing data analytics firmly on the public agenda.

The current pandemic has shown that emergency situations require the rapid adoption of legal safeguards, and a wider public debate on what data analyses are acceptable and where boundaries lie. Policy components from recent regulatory frameworks such as the GDPR can be an important part of this endeavour, as should critical reflection on data extraction laws such as the Investigatory Powers Act. Expert proposals from civil society have promoted rules that address problems raised by the pandemic while protecting civic rights. At the “margins” of established policy processes, these interventions by civil society and the public play a significant role in advancing normative pressure on civic data policies.

About the author

Arne Hintz is Reader at Cardiff University’s School of Journalism, Media and Culture and Co-Director of its Data Justice Lab. His research focuses on digital citizenship and the future of democracy and participation in the age of datafication. He is Co-Chair of the Global Media Policy Working Group of the International Association for Media and Communication Research and co-author of Digital Citizenship in a Datafied Society (Polity, 2019).