It was mere months ago that data privacy was one of those wonky policy topics that gradually was becoming more clearly defined in corridors of power from Brussels to Washington to Sacramento. In Europe, tough new rules were setting the pace for the rest of the world. In the United States, Congress was slowly coalescing around national guidelines, encouraged by big tech companies seeking clarity (and a say in the legislative process).
Now, as the novel coronavirus crisis grips the globe, that consensus is being replaced with a new reality: Less data privacy, not more, may be what’s best for public health.
Successful efforts in several Asian countries already have shown that absent a vaccine or effective treatment, the best way to fight COVID-19 is to aggressively “track and trace” infected individuals. Using tools from location tracking to smartphone apps, governments have been able to monitor shifting patterns of movement to indicate how best to impose or lift restrictions. They’ve also been able to alert individuals whose infection might need to be communicated to those who have recently crossed their path.
Such surveillance techniques would have been anathema to privacy advocates before the crisis. Now the question isn’t if governments and their corporate partners should be able to monitor the health of individuals, but rather how much, in what manner, and under what regulatory restrictions. Even digital rights advocates who railed against snooping tricks by the likes of Facebook and their clients reckon such data collection is necessary. “We need a massive surveillance program,” screamed the headline of a late-March essay by the prominent Silicon Valley privacy evangelist Maciej Cegłowski. “I am a privacy activist, typing this through gritted teeth, but I am also a human being like you, watching global calamity unfold around us.”
Some of the best hopes for pandemic fighting come from the same smartphone-enabled applications used by tech behemoths to sell online advertising. In April, Apple and Google announced a joint effort that will enable the Bluetooth chips in their respective smartphones to be used for contact tracing in a similar way to how retailers can already track a user’s location within a store. It follows the lead of Singapore, where a state-sanctioned app called TraceTogether uses Bluetooth signals to establish past proximity between COVID-19 sufferers and those around them. Only this time it’s baked into the operating system.
Before the crisis, regulators were increasingly clamping down on the ad-tech industry’s ability to closely track users. In the U.S., a legislative effort was beginning to pick up speed. The California Consumer Privacy Act (CCPA) took effect in January. The law borrows liberally from the European Union’s General Data Protection Regulation (GDPR), which gives consumers the right to block the collection and sharing of their personal data. A New York State law called the Stop Hacks and Improve Electronic Data Security (SHIELD) Act began imposing new responsibilities on companies in March.
The tech industry, hoping to avoid a potentially misaligned patchwork of state data-protection laws, has in recent years joined privacy advocates in pushing for the development of a federal law. Both sides in the Senate had bills under consideration before the pandemic struck. Between a presidential election and the focus on disaster relief, it’s unlikely legislators will return to the topic this year.
“It’s unfortunate,” says Cameron Kerry, formerly general counsel of the U.S. Commerce Department and now a scholar of privacy and information technology with the Brookings Institution and MIT Media Lab. “Before things shut down, it looked like there could be some room in the legislative calendar this summer to reach agreement on the content of the bill. Now I think it is quite likely at this point that we’re looking at something for next year.”
Battle lines already are being redrawn in Washington, with industry sensing opportunity and some privacy advocates worrying about overreach. “The lack of a national consumer privacy framework and fragmented state rules may create uncertainty for developing data-driven tools to help health officials respond to the ongoing public health crisis,” complains Keir Lamont, policy counsel for the Computer & Communications Industry Association, whose members include Facebook, Google, and Amazon. Jeff Chester, executive director of the privacy-focused Center for Digital Democracy, counters that “the digital marketing industry wants to claim its failure to protect privacy is now a benefit for the public health.” He calls for “guardrail policies” to limit how these companies can use the information they collect as part of any crisis response.
Once again, Europe is leading the way. European Union privacy regulators maintain it is possible to use privacy-invasive tracking methods in the pandemic, while still respecting the rights set out in the GDPR. In early April, they began working on guidance for how to achieve this. Key questions include how long the authorities will be able to hang on to personal information, and whether people will still be able to demand the erasure of their data after the crisis ends.
In China, privacy has a whole different meaning. The country began developing a legal framework for data protection about a decade ago, but it was focused more on companies than individuals. As data-privacy lawyer Emmanuel Pernot-Leplay concluded in a recent article, there is a striking “difference between the strengthening of protection against private entities and the parallel increase of government’s access to personal data, as there is still no significant privacy protection against government intrusion.”
The COVID-19 outbreak has seen a massive increase in state surveillance in China, in partnership with the private sector (for more, see “When red is unlucky” from this issue). Few expect Beijing to roll back such programs when the crisis passes. On the contrary, the success of its public health measures may be seen as a powerful validation of Beijing’s approach.
It’s safe to say more surveillance, not less, will be the new normal in a forever changed world.
Additional reporting by Clay Chandler
A version of this article appears in the May 2020 issue of Fortune with the headline “Privacy in a pandemic.”
More coronavirus coverage from Fortune:
—How Fortune 500 companies are utilizing their resources and expertise during the pandemic
—Inside the surreal “Mask Economy”: Price-gouging, bidding wars, and armed guards
—The IRS just launched “Get My Payment” portal for tracking your stimulus check status
—Should you fear government surveillance in the coronavirus era?
—If you’ve been a little busy lately, here’s what’s going on with the 2020 election
—The coronavirus crisis is fintech’s biggest test yet—and greatest opportunity to go mainstream
—There are 32 authorized coronavirus tests so far—here’s how they differ
—PODCAST: COVID-19 might have upended the concept of the best companies of the year
—VIDEO: 401(k) withdrawal penalties waived for anyone hurt by COVID-19
Subscribe to Outbreak, a daily newsletter roundup of stories on the coronavirus pandemic and its impact on global business. It’s free to get it in your inbox.