Antony Cook, regional vice president and chief legal counsel for Corporate, External and Legal Affairs (CELA) for Asia
As governments across Asia continue to grapple with outbreaks of infection in the COVID-19 pandemic, leaders are looking to technology for answers not only in detection and containment but also to quickly bridge critical gaps in our health, education and government systems.
In this context, trust has never been more important – trust that technology solutions are secure; trust that technology is being used responsibly; and trust that our personal data is being safeguarded and used appropriately.
This final area has been a focus for many. As innovative tools are quickly deployed for crisis response – from contact tracing, to monitoring the implementation of social distancing measures, to handling personal information for individuals diagnosed with COVID-19 – it is critical that privacy is protected. In other words, we must make sure we do everything possible to fight COVID-19 and at the same time protect privacy. As we look to the weeks and months ahead in the fight against this virus, I’d like to share three early observations on the use of technology in line with data privacy principles during this pandemic.
1. Core privacy principles have enduring relevance
Much of the attention of government agencies, employers and citizens is rightly focused on speedy solutions to stem the effects of the pandemic. Apps have been created, and companies, stores, clinics and public places all across the globe have started collecting large amounts of data – much of it personal data – to enable tracing in the case of a virus cluster forming.
In this context, a number of Asian regulators have moved quickly to provide guidance, including Australia’s Office of the Australian Information Commissioner (OAIC), Singapore’s Personal Data Protection Commission (PDPC), New Zealand’s Office of the Privacy Commissioner and Hong Kong’s Privacy Commissioner for Personal Data (PCPD). The underlying theme from this guidance is clear – regulators recognize that there is a need to move quickly in areas like contact tracing, and that this can be done within existing privacy regulations. These regulations provide a clear framework for the collection and use of personal data even in the context of the crisis. Rapid responses to the crisis must incorporate serious consideration and evaluation of privacy requirements if they are to be brought to bear for the fight.
Regulators can also facilitate privacy-respecting responses by sharing resources across jurisdictional lines and exploring cooperative approaches. The compendium of resources by the Global Privacy Assembly is a helpful first step, and we look forward to engaging with bodies like APEC and the Asia-Pacific Privacy Authorities Forum on efforts within the region.
2. Privacy has to be built into our pandemic response solutions
The design and use of technology as part of pandemic response involves choices that have privacy implications. As government, industry and individuals rush to build innovative solutions, it is crucial we also consider the privacy implications of such technology.
A variety of tracking, tracing, and testing technologies are being considered globally by governments, with some already deployed in Asia. Decisions in the design of these apps and technology affect how they collect and share personal data. For example, in choosing the method to determine a user’s proximity to another user, an approach that relies on continuous collection of location data has different privacy implications from an approach that only detects proximity (e.g., using Bluetooth). Providing transparency on these choices and allowing societies to publicly discuss the issues involved is essential, especially as we are making many of these decisions very quickly.
Microsoft has shared six privacy principles to be followed as we collectively move forward in developing and considering the use of technologies for tracking, tracing and testing. We believe all organizations should:
- Be transparent about the reason for collecting data, what data is collected and how long it is kept.
- Collect data only for public health purposes.
- Collect the minimal amount of data.
- Implement appropriate safeguards designed to secure data.
- Not share data without consent, and minimize the data shared.
- Delete data as soon as it is no longer needed for the emergency.
In order for these innovative technological solutions to succeed, people need to understand how their personal data will be collected and used, and companies and organizations need to be accountable and responsible for this data. This will also help drive efforts to ensure that the full range of technological innovations available for harnessing data for public good while protecting privacy are considered – including differential privacy, federated learning, decentralized identities and other anonymization techniques.
3. Technology companies have an obligation to ensure their technology can be trusted
As we adapt to living, communicating, and working online at an unprecedented scale, we are shaping a new social contract on how we thrive within this digital universe. Many of these new experiences of remote working, communication and collaboration that have become more commonplace during this crisis will likely be here to stay.
Technology companies like Microsoft are clearly central to this. We have a responsibility to ensure that our technology upholds strong privacy and security standards. We also need to communicate this information transparently. At Microsoft, we make clear commitments on the central importance of privacy in software like Microsoft Teams, including never using Teams data to serve users ads, and never tracking participant attention in Teams meetings.
No one should have to choose between using technology to keep our businesses, schools and families connected and preserving their right to data privacy. We should all be able to have confidence that we can do both.
The technology that is central to much of our crisis response will be here to stay. It is in this environment that trust in technology, as it permeates all areas of our lives, has never been more important. Governments, organizations, and individuals have a part to play to ensure that privacy is always accounted for in any crisis response. The decisions we make today will indelibly affect our lives for years to come, so it’s important we get them right.