The Sensitivity of Location Data on Digital Contact Tracing

Let me have a stab at location data, which will be part of the 2nd edition of the Social and Privacy Impact of Contact Tracing.

Under a global standard such as the General Data Protection Regulation (GDPR), compliance applies whenever the use of location data involves the processing of personal data.  This means any data processed in electronic form, or by an electronic communication service / channel, that indicates the geographic position of a terminal (phone, car, tablet, laptop) in public using GPS or cell tower triangulation.  In the EU there is a directive called EPrivacy that deals with IOT devices; it also defines that a terminal using GPS needs to be protected, and this can be linked to the rights of data subjects in any Data Privacy Act.  In the Philippines and in other countries there is no EPrivacy Directive, but it can be related to the eCommerce Law, which is RA 8792, the Data Privacy Act of 2012 / RA 10173 and the CyberCrime Law of 2012 / RA 10175.

IOT in the context of the EPrivacy Directive requires an individual to give opt-in consent before location data is used to provide a value-added service.

The information requirement for location data needs to be itemized in a privacy notice, and the purpose and duration of the processing must be explicitly stated.  Since, by its nature, location data is always shared with a 3rd party or a joint controller, that process must also be stated in the notice and in the internal policy.

The last important aspect of location data is our ability to withdraw consent.  As data subjects we have the right to opt out, and the controller and processor need to show evidence that the location data has indeed been erased in an end-to-end manner.

Let us relate this to contact tracing and the solutions being provided by most countries in the world to address the coronavirus.  Digital Contact Tracing as proposed by most countries, such as Singapore, South Korea and Australia among others, can be classified as either a Privacy Enhancing Technology (PET) or a Privacy Impacting Technology (PIT).  A PET can help us solve a problem such as the coronavirus with privacy in mind and has Privacy by Design implemented, while a PIT impacts our privacy as data subjects in one of four domains: Territorial, Information, Bodily or Communication.

These four domains of Privacy define how we act as a person: Territorial and Bodily privacy answer our rights as human beings, which go into our Bill of Rights and even into the 4th Amendment of the US Constitution, while the Data Privacy aspects are answered by Information and Communication privacy.  Information Privacy involves the establishment of rules governing the collection and handling of personal data such as credit information and medical and government records, which is commonly known right now as Data Privacy / Data Protection.

But let us put our focus on Communication Privacy, which covers the security and privacy of mail, telephones, e-mail and other forms of communication, including location data.

————————————————————–

Let’s look at the two sources of location data for modelling:

  1. Location data collected by electronic communication service providers (such as mobile telecommunication operators) during the provision of their service; and
  2. Location data collected by application developers, or what the EU calls “information society service providers”, whose functionality requires the use of such data (e.g., navigation, transportation services, etc.).

The European Data Protection Board (EDPB) states that location data collected from electronic communication providers may only be processed within the remit of Articles 6 and 9 of the EPrivacy Directive. This means that these data can only be transmitted to authorities or other third parties if they have been anonymized by the provider or, for data indicating the geographic position of a user's terminal equipment which are not traffic data, with the prior consent of the users.

The EDPB also pointed out with emphasis that when it comes to using location data, preference should always be given to the processing of anonymized data rather than personal data.

Anonymization refers to the use of a set of techniques to remove the ability to link the data with a natural person, judged against a “reasonability test”.   We must consider the objective of the problem when it was first hatched, and the contextual elements that may vary from country to country in the case of contact tracing applications.

In contact tracing, accountability is very important, so the Controller of any Digital Contact Tracing Application should be clearly defined. In other countries these contact tracing apps are sponsored and made by the government; what is unique in the Philippines is that the private sector donated these applications without proper vetting by the proper authorities (DICT), which is why there is mistrust of contact tracing.  Normally a contact tracing application is owned by health authorities, and in the case of the Philippines there are two: the Department of Health (DOH) is using COVID Kaya and the IATF / NTF / DILG is using StaySafe, and the definition of who is controller and who is processor among the parties involved is vague.   If the deployment of these apps involves different actors, their roles and responsibilities must be clearly established from the onset and must be explained to the users.

In addition, under the principle of purpose limitation, the purpose must be specific enough to exclude further processing unrelated to the management of the health crisis (e.g. commercial, surveillance or law enforcement purposes).    In the context of a contact tracing application, careful consideration should be given to the principles of data minimization and privacy by design:

  1. Contact tracing apps do not require tracking the location of individual users. Instead, proximity data should be used.
  2. As contact tracing applications can function without direct identification of individuals, mitigating measures should be employed to prevent re-identification.
  3. The collected information should reside on the mobile / terminal of the user, and only relevant information should be collected when necessary (there must be a process in place to be triggered by health authorities or local government units).

Recommendations:

  1. According to PbD and data minimization, the data processed should be reduced to the strict minimum.
  2. The application should not collect unrelated or unneeded information, which may include civil status, communication identifiers, messages, call logs, location data, device identifiers, etc.
  3. Data broadcast by applications must only include anonymized and pseudonymous identifiers.
  4. These identifiers must be renewed regularly, following the same model as RSA encryption with its pair of private and public tokens.
  5. Implementations for contact tracing can follow a centralized or a decentralized approach.
  6. These approaches must provide adequate security measures.
  7. Due consideration must be given to weighing the privacy impact of the process on the rights of individuals.
  8. Cryptographic techniques must be implemented to secure the data stored in servers and the cloud.
  9. Authentication between the application and the server must also be performed using multi-factor authentication.
  10. The reporting of users as COVID-19 infected on the application must be subject to proper authorization.  If confirmation cannot be obtained in a secure manner, no data processing should take place that presumes the validity of the user’s status.
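To make the data-minimization points and recommendations 3, 4 and 10 concrete, here is an added worked example (not code from this post or from any of the apps named above). It models a simplified decentralized design: each phone broadcasts a short pseudonymous identifier that rotates every epoch and encodes no location, every observed identifier stays on the phone, and an infected user uploads only per-day keys, and only with a one-time authorization code from the health authority. The identifiers are derived with HMAC-SHA256 from a per-device secret rather than with the RSA key pairs the recommendation mentions; the 15-minute epoch, the 16-byte identifier, the class names and the timestamps are all constructed assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example (not taken from any deployed protocol).
EPOCH_SECONDS = 15 * 60                  # the broadcast identifier rotates every 15 minutes
EPOCHS_PER_DAY = 86400 // EPOCH_SECONDS  # 96 epochs per day
EPHID_LEN = 16                           # 16-byte pseudonymous identifier


def derive_day_key(master_secret: bytes, day: int) -> bytes:
    """Per-day key derived from the device's master secret.
    Publishing one day key exposes the identifiers of that day only, never the master secret."""
    return hmac.new(master_secret, b"day-key|" + day.to_bytes(4, "big"), hashlib.sha256).digest()


def ephemeral_id(day_key: bytes, epoch: int) -> bytes:
    """Pseudonymous identifier for one epoch. Without the day key, two identifiers
    cannot be linked to each other or to a person, and none of them encodes a location."""
    return hmac.new(day_key, b"ephid|" + epoch.to_bytes(2, "big"), hashlib.sha256).digest()[:EPHID_LEN]


def day_and_epoch(timestamp: int) -> tuple:
    """Split a Unix timestamp into (day number, epoch within that day)."""
    return timestamp // 86400, (timestamp % 86400) // EPOCH_SECONDS


class Device:
    """A phone: keeps its master secret and every observed identifier locally."""

    def __init__(self) -> None:
        self.master_secret = secrets.token_bytes(32)
        self.observed = []  # list of (day, ephid); this log never leaves the device

    def broadcast(self, timestamp: int) -> bytes:
        day, epoch = day_and_epoch(timestamp)
        return ephemeral_id(derive_day_key(self.master_secret, day), epoch)

    def observe(self, timestamp: int, ephid: bytes) -> None:
        day, _ = day_and_epoch(timestamp)
        self.observed.append((day, ephid))

    def day_keys_for_report(self, days: list) -> dict:
        """The only thing an infected user uploads: day keys. No location, no contact list."""
        return {day: derive_day_key(self.master_secret, day) for day in days}

    def count_exposures(self, published_keys: dict) -> int:
        """Matching runs on the device: regenerate the infected user's identifiers for each
        published day and count how many of them this device actually observed."""
        matches = 0
        for day, day_key in published_keys.items():
            infected_ids = {ephemeral_id(day_key, e) for e in range(EPOCHS_PER_DAY)}
            matches += sum(1 for d, ephid in self.observed if d == day and ephid in infected_ids)
        return matches


class HealthServer:
    """Accepts a positive report only with a one-time authorization code issued by the health authority."""

    def __init__(self) -> None:
        self.valid_codes = set()
        self.published = {}  # day -> day key of confirmed-positive users

    def issue_code(self) -> bytes:
        code = secrets.token_bytes(16)
        self.valid_codes.add(code)
        return code

    def submit_report(self, code: bytes, day_keys: dict) -> bool:
        # Constant-time comparison against each outstanding code; anything unauthorized is refused,
        # so no processing ever presumes an unconfirmed status (recommendation 10).
        for valid in list(self.valid_codes):
            if hmac.compare_digest(code, valid):
                self.valid_codes.discard(valid)  # one-time use
                self.published.update(day_keys)
                return True
        return False


def demo() -> tuple:
    """Constructed scenario: alice and bob are in proximity, carol only meets bob.
    Returns (bob's exposures, carol's exposures, whether a forged report was accepted)."""
    alice, bob, carol = Device(), Device(), Device()
    server = HealthServer()
    t = 1_600_000_000  # constructed timestamp
    bob.observe(t, alice.broadcast(t))                # bob hears alice's identifier
    carol.observe(t + 3600, bob.broadcast(t + 3600))  # carol hears bob, never alice
    day, _ = day_and_epoch(t)
    # An upload without a valid authorization code is rejected.
    forged_accepted = server.submit_report(secrets.token_bytes(16), alice.day_keys_for_report([day]))
    # Alice's diagnosis is confirmed: the authority issues a code and she uploads her day key only.
    server.submit_report(server.issue_code(), alice.day_keys_for_report([day]))
    return bob.count_exposures(server.published), carol.count_exposures(server.published), forged_accepted
```

Running `demo()` yields one exposure for bob, none for carol, and the forged report refused. The design choice worth noticing is what the server never sees: it holds day keys of confirmed cases and nothing else, while the proximity log and the matching stay on each phone, which is exactly the separation items 1 to 3 above ask for.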

In the end, this kind of application must be strictly voluntary; it cannot be forced, because contact tracing walks a thin line next to surveillance systems. Individuals must always have full control over their data, and the public should be able to choose freely whether to use such an application.

Data Privacy as an Enabler

Data Privacy took the banner headline in 2018 with the implementation of the new GDPR in May 2018 and the adoption of Data Privacy Acts in Asia, especially in the Philippines, where the law penalizes an offender with imprisonment and other penalties. But even though GDPR has no imprisonment attached to it, the penalty can be up to 20M Euros or 4% of the profit of the company violating it.

But most people or enterprises see just the penalty, while the law actually acts as an enabler for the enterprise to be more trustworthy with regard to their data and its integrity. The Data Privacy Act enables us as companies to be trustworthy with our clients; our customers are in fact the owners of the data, not us as companies, and we only process it and have limited control over it for a certain period (not infinity).

It also challenges our culture not to be a willing victim with regard to our privacy. I was talking to a CEO of a blockchain company and she mentioned that this is all just hype because all our data is already out there in Facebook, Twitter, SnapChat, WeChat, Viber etc… Maybe she has a point, but as a company we need to know the integrity of the data we process, be it employee data, business partner data or customer information. As professionals and leaders of our enterprise we need to challenge ourselves on how we do business and ask why we are collecting this datapoint. We need to include privacy in the projects we embark on and in our operations (BAU). It encourages us to take a risk-based approach to doing our business / projects.

I invite you to look at etisphere.com

A portfolio of the world’s most ethical companies consistently outperforms the market during the period analysed by Ethisphere, both in times of growth and during market decline…

In the end it is not just about compliance; it is a trust issue. It may sound ambitious, and IT leaders would say that innovation can never be a compliance game and that we need to be fast and agile or our competitors will crush us, but the law gives us the opportunity to build privacy and security by design into our initiatives. And by doing security and privacy by design we will have the confidence and integrity that the data we process is in fact true and correct. I quote Patricia Aburdene (Megatrends 2010)…

Transcendent values like trust and integrity literally translate into revenue, profits and prosperity.

Data Privacy Day – BREATHE

We celebrated Data Privacy Day on January 28, 2020! And some sectors are now proposing an amendment of the special law which we nowadays call the “Data Privacy Act”.  In 2012 the law was passed through the efforts of the late Senator Angara, the IRR was published in 2016, the newly formed commission started its campaign in 2017, and fast forward, we are now in 2020.

Some of the suggestions, based on the proposal of the good Congressman of Tarlac, are stiffer penalties including administrative fines not exceeding 5M PhP, additional classifications of personal information and sensitive personal information per sector for whatever is deemed sensitive in that sector, the organizational structure of the commission, the introduction of personal data of minors, an additional clause on offenses by a public officer, and letting the commission launch conferences for the advancement of the general public, etc…

There are good points and not-so-good points, but my suggestion is to let the law breathe first.  The implementation of RA10173 is barely two years old; let the commission flex its muscle before amending the law.  Laws should be universal, and the incidentals can be handled in circulars, as has been done in the past.

Personally, I think the most pressing matters are the development of the ecosystem, the compliance and registration of the 2M companies (NPC has only 35k companies registered to date), the education of the current pool of Data Privacy Officers, and making the country a center of excellence for Data Privacy and Protection in the region.

We need to understand that RA10173 is a special law on data that targets personal information and classifies personal data as an asset under both civil law and commercial law.

CIVIL LAW because of the 8 rights of our citizens: the right to be INFORMED, to OBJECT, to ACCESS, to CORRECT / RECTIFY, to BLOCK / REMOVE, to DATA PORTABILITY, to COMPLAIN and to be INDEMNIFIED.

Commercial Law because we need to understand the basics: DATA is considered an ASSET, and personal information or customer information, intangible though it may be, is one of the most important assets nowadays; as the business model of each enterprise changes, our classification of assets also changes.

Corporations / Juridical Entities must understand that their organization is dependent on the productivity of four assets:

  • People
  • Information / Data 
  • Technology 
  • Facilities 

As I mentioned, as we creatively change our business model canvas, our strategy changes and our data becomes bigger and bigger.  We have to treat personal information as an asset because as we collect more, the data becomes more valuable, and as we collect less, it becomes smaller in value.


And in order to be resilient in this day, we need to realize two things in the corporate setting: we need to sustain our assets and we need to protect them.

We discussed earlier that this law is due to the change in times and to the actions being done creatively by companies in this age.  We need to understand that this is a special law, anchored on the Bill of Rights, Article 3 Section 2, which was itself patterned on the Fourth Amendment of the US Constitution.

Below are a series of events on Privacy Law including the Philippine implementation.


Privacy has been there for so long; Justice Brandeis, in a 1928 case, said:

“The right to be let alone is the most comprehensive of rights and the right most valued by civilized men”

*We can discuss the 1928 case, but it would take a day of discussion…

As I mentioned, law must be universal; implementation must be put into the implementing rules and regulations or into circulars, and consultation can be done by giving advisories.

Data Breach is a story of OLD (Three Little Pigs and the BIG BAD WOLF)

The Data Privacy Act and the GDPR of the EU were born due to the monetization of data by companies. Time Magazine has dubbed data the new OIL, so the law mandates us to protect the rights of our consumers.

But data breaches are a story of OLD. We can compare the attackers to the BIG BAD WOLF that will blow our house down, and us to the three little pigs. The story goes like this…. one takes little time in building his home out of straw and spends the rest of his time playing and relaxing. A second pig builds a home out of sticks, which takes slightly longer, but he too values relaxation time. A third pig chooses to build a home out of bricks, which requires a great deal of time and effort. He values taking the time to build a home properly over relaxation and recreation. When the Big Bad Wolf comes to the homes, only the third pig’s house of bricks stands up to the pressure applied by the wolf.

Moral of the story… hard work and dedication pay off. Companies nowadays are not like companies in the 1980s; we need to adapt or else we will die, and building our roadmap to protect the personal information of our stakeholders is vital to our survival, because as the former deputy commissioner of the National Privacy Commission has said: “Privacy is now a proxy of TRUST; if I don’t TRUST you I will not do business with you, and on the other hand if I TRUST you I will do business with you”. We need to up our skills in privacy and security, since these are intangible assets of the enterprise, and respect the rights of our stakeholders.
