Coronavirus Surveillance Tactics Raise Questions About Civil Liberties

Despite pushback from civil liberties groups, governments around the world have been exploring the lure of, and in some cases using, mass digital surveillance technologies as a serum to slow the spread of COVID-19.

One hundred years on from the Spanish flu, the world again finds itself in the throes of a pandemic. With the darkest days possibly still ahead, COVID-19 continues to take both a human and economic toll on countries across the world. There have been over 74,767 reported deaths to date and the United Nations has estimated that the outbreak could cost the global economy up to USD 2 trillion this year.

As citizens continue to battle the pandemic as best they can, governments around the globe continue to face their own nightmarish predicament: containing the spread of the virus before more irreparable damage is done. With all options on the table, and as the experience of several countries might suggest, implementing a form of digital panopticon with the help of mass surveillance technologies might be one way to save more lives and breathe life to devasted economies.

Mass surveillance in the digital age

The panopticon, in its traditional sense, was a concept created by British social theorist Jeremy Bentham in the 18th Century. It comprised a central tower in a prison, overlooking all the cells so that prisoners believed they were always under surveillance.

In the 21st century, the proliferation of technology has given rise to the digital panopticon, facilitating the ubiquitous tracking and monitoring of regular citizens in their daily lives. Capabilities afforded by these technologies are now being brought closer to the forefront of social and political debate, as numerous countries either begin to explore or implement them. For example, in:

  • China, local governments have implemented various data collection campaigns including app-based barcodes and questionnaires which track the health status and movement of citizens.
  • Singapore, the government uses the TraceTogether app, which relies on geo-location technology, to track the spread of coronavirus.
  • Israel, new laws have been passed to facilitate increased citizen tracking through an app known as “HaMagen”.

For a detailed comparison of various apps (including TraceTogether and HaMagen) and software development kits (SDKs) that have been deployed in the emergency response to COVID-19, see Future of Privacy Forum: Privacy & Pandemics: The Role of Mobile Apps (Chart). The comparison covers many areas, including:

  • The scope of personal data collected.
  • How personal data is collected.
  • Who can access the data.
  • The purposes the data is used for.
  • Where the data is stored.
  • How long the data is stored.
  • Proportionality, fundamental rights, and data protection & privacy issues.
  • Whether the app or SDK is developed with open source software

Civil liberties groups voice concern

In the race to mitigate the impact of COVID-19, international and domestic civil liberties groups have expressed concerns about the prospect of increased digital surveillance.

Human Rights Watch

Human Rights Watch has recently called on governments not to increase digital surveillance unless certain conditions are met. These include:

  • That any surveillance measures being adopted in response to COVID-19 must be lawful, necessary and proportionate.
  • Specific time-bound restrictions on the duration of any expanded monitoring and surveillance powers.
  • That the States must ensure, among other things, that the increased collection and use of personal data, including health data, is only used for purposes of responding to the COVID-19 pandemic.

Their other conditions seek to address:

  • The use of big data and artificial intelligence systems, and potential discrimination concerns.
  • The Government’s protection of people’s data through appropriate security measures.
  • The legality of data sharing agreements that may be entered into by governments with other public or private sector entities.
  • Accountability mechanisms and safeguards against abuse.
  • Participation of relevant stakeholders, including the most marginalised population groups.

Electronic Frontiers Australia

In Australia, Electronic Frontiers Australia (EFA), a non-profit national organisation that promotes and protects digital rights and civil liberties, has also voiced similar concerns to those expressed by Human Rights Watch. These include the potential erosion of civil liberties in response to the pandemic, and whether the measures being taken are necessary and proportionate.

EFA has announced a series of online lectures, that will include discussions with digital, health and legal experts, to address the concerns.

Amnesty International

Amnesty International is also concerned that mass surveillance technologies might fundamentally alter privacy and other human rights.

Access Now

Last month, Access Now, a body that defends and promotes digital rights, released recommendations on privacy and data protection in the fight against COVID-19. These recommendations address:

  • Collection and use of health data.
  • Tracking and geo-location.
  • Public-private partnerships regarding apps, websites, and services used as a response to COVID-19.

Policing COVID

Policing COVID is run by legal and human rights advocacy organisations with the assistance of a network of policing academics. Policing COVID seeks to ensure that police in Australia use their new powers:

  • Responsibly.
  • Fairly.
  • Without bias and prejudice.

Data collected by Policing COVID allows it to monitor the impact of new policing powers against the aims listed above. Their website includes a portal to submit reports.

Future of Privacy Forum

The non-profit organisation, Future of Privacy Forum (FPF), has explored the challenges posed by the COVID-19 crisis in its Privacy and Pandemics series. Challenges FPF sees include COVID-19’s impact on existing ethical, privacy and data protection frameworks. For further information, see FPF: A Closer Look at Location Data: Privacy and Pandemics.

Will mass surveillance technology be used in Australia to fight COVID-19?

The Australian government has flagged that as part of its response to COVID-19, it will be conducting additional modelling and surveillance activities to help fight the outbreak. According to the Government, the enhanced surveillance will (in summary) be used to:

  • Investigate cases and their household contacts, to determine transmissibility.
  • Expand existing community, primary care and hospital surveillance systems.
  • Determine levels of immunity to COVID-19.

At this stage, it is not clear what the ultimate form of enhanced surveillance will take.

Surveillance legislation

Existing federal, state and territory laws as well as criminal legislation govern surveillance in Australia.

The Telecommunications (Interception and Access) Act 1979 (Cth) and Telecommunications Act 1997 (Cth) (Telecommunications Act) impose data security and data retention obligations on telecommunications service providers. The Telecommunications and Other Legislation Amendment Act 2017 updates the Telecommunications Act and requires carriers, carriage service providers, and intermediaries to:

  • Use their best efforts to ensure network security and information confidentiality.
  • In some cases, notify regulators of planned changes to their systems or services that are likely to create material vulnerabilities.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 amends the Telecommunications Act and prescribes voluntary and mandatory assistance from telecommunications service providers to law enforcement and intelligence agencies regarding encryption technologies through:

  • Technical assistance requests.
  • Technical assistance notices.
  • Technical capability notices.

The Surveillance Devices Act 2004 (Cth) governs the use of surveillance devices by Australian government agencies and police of the Australian states and territories when they are using surveillance devices under Commonwealth laws.

Compliance with the Australian Privacy Principles (APPs)

In Australia, APP entities, which include Commonwealth government ministers, departments and bodies, should ensure that they have appropriate systems and processes in place to ensure that they can comply with the APPs. The APPs outline how an APP entity must handle, use and manage personal information.

Under APP 6 (use or disclosure of personal information), an APP entity must only use or disclose personal information for a purpose for which it was collected and not for another purpose, except where the individual has either consented to a secondary use (or disclosure) of the information or an exception applies.

For example, under APP 6.2(b), there is an exception where the secondary use (or disclosure) is required or authorised by, or under:

  • An Australian law.
  • A court or tribunal order.

Some of the lesser-known exceptions in the Privacy Act 1988 (Cth) (Privacy Act) enable sharing of personal information in other scenarios, including under:

  • APP 6.2(c), in the event that a “permitted general situation” exists in relation to the secondary use or disclosure. Section 16A lists seven general permitted situations. For example, if the use or disclosure is necessary to lessen or prevent a serious threat to life, health or safety of any individual, or to public health or safety.
  • APP 6.2(d), health information may be shared if a “permitted health situation” exists in relation to the secondary use or disclosure. Section 16B lists three permitted health situations. For example, if the use or disclosure is authorised under Australian law and necessary for:
    • research relevant to public health or public safety; or
    • the compilation or analysis of statistics relevant to public health or public safety.

Expanded powers in times of crisis

Both the National Health Security Act 2007 (Cth) (NHS Act) and the Privacy Act allow for expanded federal powers in times of crisis, the former in relation to public health crises and the latter in times of emergency.

Under the NHS Act, the Australian government is authorised to exchange public health surveillance information (including personal information) between the states and territories and the World Health Organisation (WHO). State and territory governments are also responsible for collecting surveillance data to contribute to the national picture and to inform the jurisdictional public health response. While no specific action has been taken in response to COVID-19 under this legislation, the government has taken action to facilitate increased data-gathering in other circumstances.

For example, in response to the 2019/2020 Australian bushfires, the declaration of a national emergency under section 80J of the Privacy Act (Declaration) provided Commonwealth agencies and certain private-sector organisations with increased discretion over the collection, use and disclosure of personal information for the purposes of responding to the crisis. That Declaration is effective until 20 January 2021.

Private sector tracking

Reports also indicate that private sector organisations have been assisting Government with the fight against COVID-19. For example, Google and Vodafone have each released information, based on mobile phone location data, to allow the Government to obtain a better picture of trends in movement across the population.

Private sector organisations that are APP entities need to ensure that they continue to meet their compliance obligations under the APPs. For example, the APPs require an APP entity to have a clearly expressed and up-to-date privacy policy (APP 1.3).

As the COVID-19 situation in each country continues to develop, governments and private sector actors should assume that civil liberties groups will continue watching developments closely in their efforts to guard against unlawful or unethical overreach. 

For a collection of resources drafted in response to the COVID-19 pandemic to assist counsel working across jurisdictions, see the Practical Law Global Coronavirus Toolkit for free access to resources spanning the UK, the US, China, Australia, Canada and New Zealand. You can also rely on the free resources outlined in the Thomson Reuters COVID-19 APAC hub to assist you as you prepare and respond to issues.

Andrew McDonald joined Practical Law after more than seven years in practice at leading law firm King & Wood Mallesons and specialist corporate firm Watson Mangioni. Andrew’s practice included advising clients on a range of corporate transactions and commercial matters including mergers and acquisitions, restructures, commercial contracts, capital raising and corporate governance.

Tessia Tan joined Practical Law after working at boutique and mid-tier firms in a variety of different practice areas. She began her legal career at Galilee solicitors, a national firm in Sydney’s CBD. Following that, she worked at both specialist and general practice firms, gaining experience in corporate and commercial matters, as well as family and criminal law. She also has experience working internationally after completing her clerkship at a boutique firm in Singapore.

Leave a Reply

Subscribe toLegal Insight

Discover best practice and keep up-to-date with insights on the latest industry trends.