Opinion, advice, and analysis by the TNW community

Coronavirus didn’t kill our privacy — it just exposed the corpse

The problem isn't new

coronavirus-pandemic-digital-privacy
Mindaugas Kiskis
Story by
Mindaugas Kiskis

Co-founder @OneConsent, Professor @Mykolas Romeris University, Partner @INVENT — Digital frontier lawyer, tech geek & entrepreneur, making the impossible possible, former Fulbright Scholar @Arizona State and Markle Fellow @Oxford. Digital frontier lawyer, tech geek & entrepreneur, making the impossible possible, former Fulbright Scholar @Arizona State and Markle Fellow @Oxford.

Covid-19 has succeeded in exposing both the hypocrisy and the tools available to governments and private parties in scrutinizing our every move. Various forms of surveillance were scavenging on our privacy for decades under the lull of supposedly strong privacy laws in Europe.

In 2018 we got the GDPR as a blanket for our online privacy, but two years in it proves to be a distraction, if not a body bag, for the decaying corpse of what was once individual privacy.

If I have to choose the point of no return, it was probably the data retention regulations, originally introduced in Europe in 2006 for the greater good of anti-terrorism effort, which served the lethal blow to privacy. The EU wide mass communication surveillance rules in 2000 were a front run by the power players in post-soviet countries. Despite little civil society, such rules were found unconstitutional, as memories of tyranny were still alive.

Armed with common sense and then brave judicial independence the Lithuanian Constitutional Court did so in 2002, just to be bulldozed over by the EU Data Retention Directive in 2006. Mass data retention opened the floodgate for various kinds of surveillance, financial surveillance, censorship, and restrictions on privacy for the protections of all kinds of supposedly ‘greater good’: From serious crime prevention and public safety, to more dubious goods like supporting the obsolete media industry business models.

Mass surveillance wasn’t stopped

In 2014, the EU Data Retention Directive was famously struck down by the Court of Justice of the European Union, the highest judicial body in the EU, for essentially being a “mass surveillance,” to quietly survive at the national legislation level.

The invalidation of the EU directive does not invalidate the national law implementing the data retention rules, and such national laws, while essentially declared “mass surveillance tool,” are still retained by majority of the EU countries years after the said decision of the Court of Justice. 

Similarly, mass fingerprinting and biometric measuring of the population was normalized through the innocent standardization of identity documents (EU Regulation 2252/2004) and even rubber-stamped by the EU judiciary as allegedly necessary to secure the borders of the EU against illegal entry.

And, don’t forget the real time video or financial surveillance, necessary for the ‘greater good’ of policing minor traffic violations, anti-money laundering and whatnot, which were also introduced decades ago. Even before Covid-19 pandemic, it was only a matter of time, when governments tracked our every move.

I leave it to the reader to ponder how successful was this mass surveillance we had since at least the turn of the century at protecting the public in the EU against terrorist threats, or against unauthorized entry into the EU, or against the money laundering by the billions at supposedly reputable banking institutions. What is certain that it enabled many abuses, which are literally countless, since there are no official bodies responsible for counting them.

GDPR, the false prophet

To ascertain the moral ground of caring for privacy and literally claiming service to mankind the GDPR was introduced, but under the fancy packaging there is little substance. It is not even a salve for privacy, since “data protection” and “personal data” do not have “privacy” or “private” as a prerequisite.

While many were led to believe that “data protection” is an advanced form of privacy protection, in reality it proved a poor surrogate. Some are starting to recognize how the GDPR has only been a boon for the consulting industry and multinationals, but a stone under the neck of small businesses and entrepreneurs.

In view of the above, if anyone is surprised to see the governments around the world to all of a sudden uncover all the instruments for tracking and surveying the Covid-19 cases, they haven’t been paying attention.

Save for the surveillance drones, taken individually no new surveillance instruments were invented for Covid-19 surveillance so far — it is the same already regulated data retention, location tracking, biometric data processing, and good old wiretapping and government officer “tails.” The latter are well familiar for anyone from a country with the non-democratic history.

Switch to mass surveillance too easy

In most countries only minor amendments of the laws sufficed to introduce Covid-19 surveillance, which normally would be an eye opener. It is the new normal, where privacy is no longer an issue or not even a “nuisance” for the power hungry. It is all for the greater good, remember. 

In Europe all this is happening with the nod of the EU privacy bureaucrats closely aligning after the effort. The top privacy regulatory body of the EU — the European Data Protection Board in a statement adopted on 19 March 2020, promulgated that “emergency is a legal condition which may legitimize restrictions of freedoms provided these restrictions are proportionate and limited to the emergency period.”

May legitimize? Under what kind of emergency, who establishes it and for how long? I am sure Mr Orban in Hungary is happy with such power. And let’s not forget to exclude even the nominal judicial review, which is just a time wasting nuisance, anyway. 

The scope of the Covid-19 power and data grab taken together is awe inspiring, but rest assured – all is just for the public health and enforcing quarantine on Covic-19 cases. With the regulation of Digital Services and the Review of the Directive on security of network and information systems (NIS Directive) already in the Q4 2020 agenda of the European Commission, it would not be very surprising to see further attempts to regulate encryption or eliminate anonymous use of communications or payment tools. We’ve got nothing to be concerned about, if we’ve got nothing to hide, right?

Watchdogs falter

Blind eye towards privacy abuses by the governments is not a novelty for the privacy bureaucrats either. They are part of the government and depend on it for their promotions and budgets anyway.

Even prior to Covid-19 emergency, blatant privacy violations need not be investigated, because there is just nothing to see there. It would be a pun, if it was not the fact in the EU country as recently as in January 2020 — the leaking of investigation videos of LGBT car sex crime suspects by the Lithuanian police was shot down as not worth to investigate and did not deserve even an expression of concern by the data protection supervisor.

The GDPR and similar efforts are based on a premise that more comprehensive governmental regulation means better privacy protection. Individual rights to protect oneself from privacy violations were menacingly left out of the GDPR, while the governmental powers to police the violations of data protection regimes were expanded.

And to what end? To sideline privacy completely in times like this.

Coronavirus exposes the issue

The Covid-19 pandemic clearly shows the limits of this approach, as there are no roadblocks for the privacy demise and public fears can be manipulated to embrace it. Truth to be told there is little non-ideological proof that “more regulation means better privacy” approach will lead us to other outcomes than seen in the first half of the 20th century. Yet many still subscribe to this approach by advocating for GDPR like legislation in the US or elsewhere as the future for privacy. 

If history of privacy teaches us anything — privacy evolved as the citizen effort against invasion by the government — it basically extended Habeas Corpus protections for the private sphere of an individual. If privacy is to survive as a virtue, we the people need to be empowered against the public and private intruders, be it governments or internet corporations.

Unfortunately, the majority of privacy scholarship is more concerned with drafting or commenting on the regulations, rather than reconceptualizing the grassroots privacy. Real privacy tools are more on offer from the tech community, than from the privacy and data protection establishment. 

Covid-19 crisis is an opportunity to mobilize the grassroots privacy effort, to reinvent privacy for Covid-19 cases and other emergencies, if we don’t do that — tyrannies will do as they did in the past and all for the ‘greater good.’

Published April 21, 2020 — 09:45 UTC

Pssst, hey you!

Do you want to get the sassiest daily tech newsletter every day, in your inbox, for FREE? Of course you do: sign up for Big Spam here.