The world has fought pandemics before, but for the first time, authorities have at hand the powerful tools that come from digital technologies and the real-time collection of personal data. All over the world apps are being developed and personal information collected to follow the spread of the disease and supervise quarantines. Latin America, a region where privacy protection and enforcement is uneven, has also started to implement data-driven responses. This combination might help address the coronavirus outbreak, but it also threatens the privacy of citizens.
Countries are deploying data to curb the pandemic in basically three main ways: Contact tracing, which uses location data to know where people are, where they have been and who they have had contact with, as done by South Korea and Israel; Modeling, using geolocation and mobility data to help explain the disease’ spread; and mobility permit applications, which track whether a person should be self-isolating based on their risk of carrying the disease.
In Colombia, the government issued a notice to cell phone service providers that they may be required to hand in customers’ personal information to the National Department of Planning. Medellín launched a geo-referencing strategy to collect information on citizens and potential carriers of the virus, so that it can better plan how to distribute health services in the city. The city of Recife in northeast Brazil has been tracking 700,000 cell phones to monitor compliance with social isolation measures. The Brazilian telecom association offered authorities “a unique data solution to monitor population mobility, displacement, and agglomeration points and identify situations of the concentration of people at risk of contamination by the new coronavirus.” In São Paulo, the mayor announced a partnership with telecom companies to use targeted SMS messages for neighborhoods that pose a significant risk for widespread contamination, effectively profiling and ranking low-income neighborhoods.
Despite the fact that data-driven responses can be useful in helping address the COVID-19 crisis in the region when implemented alongside other measures, massive data gathering poses risks for regular citizens. It can easily be used to target minorities or political opponents. This is particularly concerning in countries with authoritarian-leaning governments.
“Massive data gathering poses risks for regular citizens. It can easily be used to target minorities or political opponents.”
Existing regional data-protection laws such as Brasil’s 2018 General Data Protection Law, Mexico’s 2010 Data Protection law and Colombia’s 2012 Habeas Data law all rely on user consent to enable most kinds of personal data collection and use. But consent is an insufficient protection mechanism. Once a citizen gives consent, it is hard for individuals to exercise control about how their information is being used. These regulations also contain broad exceptions for national emergencies and for data collected for public purposes. Exemptions for public emergencies, necessarily rely on authorities in charge to define the limits of what is an emergency — and what is acceptable or not when it comes to using and managing reams of personal data. Lastly, the degree with which regulations are enforced varies considerably.
Brazil’s congress passed a law similar to the European Union’s personal privacy law, which contains additional protections and rights for individuals, but the effective date when provisions would start to apply has been postponed multiple times — most recently because of the pandemic, to protect small business from facing new costs or rules — and no data authority, like a regulatory agency or an official in charge, is in place.
There is, however, a lot that policymakers can do now. As specific solutions are implemented to track future waves of contagion or allow those who are immune to go back to work, policymakers in the region can create legal and policy limits regarding how the information is used and demand that risk-mitigating tools be included in data-driven strategies from the beginning. First and foremost, governments should collect only the data needed — a data minimization policy. Second, much along the lines of Colombia’s executive order for telecom companies or Recife’s use of aggregate data, governments must limit the use of this information for purposes of the pandemic. Third, an emergency protocol for data collection by public officials of public-private partnerships must be implemented limiting the amount of time the data can be stored, in this case while the pandemic lasts. Fourth, programs must be transparent with public and open access to the rules, to allow monitoring and evaluation by the courts and civil society.
Finally, policymakers in the region should still be cautious with these tools: Locational data is not very accurate to start with. It can convey that two people a few meters apart crossed paths, but it won’t distinguish if they were on the same bus or in two separate cars at a stoplight. In many Latin American communities, there are large groups of people that live in close proximity anyway, sharing the same small home. Additionally, though the adoption of smartphones and mobile internet has grown in recent years in Latin America, it is still relatively low: About 66% of the population has a smartphone and about 52% has access to mobile Internet. This would yield biased data sets – often excluding rural populations or the most vulnerable communities. The usefulness of any of these applications will depend on extensive testing. Extensive testing is key to know who’s healthy, safe or at risk.
Latin American countries are facing hard tradeoffs and their citizens are making enormous sacrifices. Those in power must rise to the occasion and show their citizens that they are trustworthy in this moment of crisis: They need to make sure that the invasion of our fundamental rights — to privacy, work, education and mobility — will be limited and proportional to the needs of addressing the emergency.
Cordova is a specialist in public technologies, and a former fellow at the Berkman Klein Center of Internet and Society at Harvard University. Botero Arcila is a doctoral candidate at Harvard Law School and a current fellow at the Berkman Klein Center of Internet and Society.