These new cases do not herald a pandemic, but they do raise a question that remained unresolved after 2020: to what extent can the protection of personal data and public health coexist? by Andrea Monti – Initially published in Italian by Italian Tech – La Repubblica
News of the spread of the Hanta and Ebola viruses does not foreshadow a new COVID-19-style pandemic, but precisely for this reason it allows us to address rationally the issue of contact tracing, which, more than any other at the time, highlighted the limitations of a narrow-minded conception of personal data protection.
The ‘parallel story’ of efforts to prevent the spread of these two viruses, in fact, offers food for thought about when and how to use the tools technology provides to reconstruct the events leading to contact with a pathogen and its subsequent spread.
From tracing the source of infection to contact tracing
The search for the “patient zero” super-spreader of the Hanta virus triggered the search for the people who had come into contact with them. This time, fortunately, the investigation involved a relatively small number of people, and it was possible to identify them all fairly quickly without needing to analyse large amounts of data.
At the same time, access to travel information — in this case, air travel — enabled the US to deny entry to a passenger on an Air France flight, who was redirected to Canada to allow the potential high-risk individual, who was asymptomatic, to disembark. It remains to be seen whether the information about a high-risk passenger only arrived after the plane had been airborne for some time or whether, on the contrary, it was already available but not transmitted in time.
Setting aside this specific case, there may be various explanations. On the one hand is the most straightforward one: that the issue concerning the passenger was only discovered after take-off and therefore nothing could have been done to transmit the information earlier. On the other hand is the hypothesis that the information may already have been known, but for some reason was not relayed with the necessary speed. The common theme is that of the limitations on the timely collection, analysis and communication of information critical to people’s safety.
The lesson of the pandemic
From this perspective, it is useful to revisit the experience of contact tracing during the COVID-19 pandemic, in relation to a central issue for the processing of health information: the European General Data Protection Regulation, or —more accurately— its particularly restrictive ideological interpretation when it comes to the large-scale use of data.
During the pandemic, this approach resulted in the virtual impossibility of using the contact tracing systems made possible by Google and Apple — which had, incidentally, provided for methods to limit the collection of information — and in the reduction of the Immuni app to a tool that was not truly effective.
The health emergency raised public safety issues which, according to Article 4 of the EU Treaty, remained within the competence of each Member State and not that of European legislation. In practice, a different choice was made, and the application of the regulation resulted in a restriction on the capacity for public intervention in the common interest, with the well-known consequences in terms of the ability to identify outbreaks. Certainly, this choice was not the sole reason for the poor efficiency of contact tracing, but it contributed to making life more difficult for those on the front line in stopping the spread of the virus.
The fear of mass surveillance
It is unclear whether, in the update to the national pandemic plan, the issue of contact tracing has been safeguarded against a repeat of the consequences arising from this unacceptable way of applying the rules on the processing of personal data. The fact remains, however, that GDPR and legal issues aside, one of the main reasons behind the rejection of extensive monitoring of people’s movements was — and is — the irrational and unsubstantiated fear that state-led mass surveillance inevitably leads to forms of political repression.
The Asian model of risk management
This relationship of inevitable cause and effect, fuelled by the pervasive science-fiction dystopias so widely depicted in motion pictures and television series, simply does not exist. Not all states ‘work’ in the same way, and not all governments have the suppression of civil rights as their objective. In short, one cannot lump everything together indiscriminately.
If, in fact, we compare the way in which Taiwan and South Korea have used information technology to collect and systematise information on people’s movements in order to reconstruct contact tracing maps, and if we look at what happened to the citizens of these two countries once the worst was over — nothing — we can see that mass surveillance is not an evil in itself, but a tool which, when needed, must be used but under very strict public scrutiny.
Why the lessons of Covid still matter
No one wishes for the return of a pandemic or even just the local spread of infectious diseases, but these are events within the realm of possibility, and it is precisely for this reason that failing to learn from experience is an unforgivable sin and a legally inescapable responsibility for those who (did not) take the necessary decisions.