High Risk Privacy, GDPR and Data Ethics Impacts of Coronavirus Covid-19

Briefing

The Covid-19 pandemic introduces new and varied data threats, risks and data ethics challenges. There is no ideal playbook to respond fully to these concerns. Risk anticipation, risk identification, risk analysis, risk response and risk mitigation are now centre stage in corporate data governance. Coronavirus has rudely interrupted settled risk appetites in data protection, General Data Protection Regulation (GDPR) compliance, global data privacy and cybersecurity. Focussing on the highest risks is crucial. These high risk impacts include the proliferation of Covid-19 contact tracing applications (Apps) and the rapid rise of cybercrime, hacking, scammers and cybersecurity incidents. There are now significant encroachments on employee privacy because of teleworking and working from home. The impact of the enforcement of new data privacy laws and the need to avoid future regulatory scrutiny are also high risk concerns.

Contact Tracing Apps and Covid-19 Technologies

The pandemic is a data-intensive medical emergency. To reduce the spread of the virus, rigorous testing, manual tracing and contact tracing Apps have been identified as the best ways to combat the disease. Contact tracing Apps in China and South Korea often require a lot of personal data, track users, send notifications to the government and make automated decisions about whether a person should remain in quarantine or be allowed to work. Other solutions have focused on Privacy by Design and have invested in privacy-enhancing technologies. Australia launched an App that puts the user in charge of the data collected and how it is shared. Researchers at the Massachusetts Institute of Technology, Stanford, McGill, University College London, Oxford University and elsewhere are pioneering the use of Bluetooth technology, cryptography and minimum-data models. Google and Apple are working with NHSX, the digital arm of the UK’s National Health Service, to launch a contact tracing App. Amid the innovation, key data ethics questions must be answered by all stakeholders. Who will be the data controller? Who will receive and store the personal data? Are privacy by design, data minimisation and security by design principles built into the technology? Will law enforcement have access to the health or other data? Will data be deleted, anonymised, pseudonymised or destroyed after a set period? What is the extent of geolocation tracking? Is the App compulsory? Are users given the opportunity to consent? Will data on the App be encrypted? Is the App built on open source software? Are developers willing to provide transparency about their algorithms in line with the EU Governance Framework on Algorithmic Accountability and Transparency or Guidance from the European Data Protection Board? Contact tracing Apps and other Coronavirus-inspired technologies provide great opportunities, but also pose high risks to data protection, GDPR compliance and cybersecurity.
Companies and organisations should work transparently and in an accountable manner.

Cybersecurity Threats, Cybercrime, Hackers and Scammers

The UK National Cyber Security Centre (NCSC) and the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory detailing how the Covid-19 global pandemic is being exploited by cybercriminals and advanced persistent threat (APT) groups. A significant number of malicious cyber actors are using the Covid-19 pandemic for their own objectives. All over the world, there have been increased ransomware attacks, phishing emails, social engineering, malware, email spoofing, text message scams (SMS phishing) and attacks against newly installed working from home systems. Cybercriminals and hackers are constantly attacking IT infrastructure, corporate networks, information systems, online services and applications. Business organisations and staff are encouraged to apply official guidance to mitigate these threats: help staff to spot potential attacks, train them to “refuse to click, or delete” suspicious material, and ask IT leaders to update staff awareness programmes and reduce the risk of human error.

Encroachments on Employee Privacy

The World Economic Forum and Pew Research Centre examined employee working from home practices in several countries before the Covid-19 pandemic. Coronavirus has caused rapid and exponential growth in teleworking and working from home around the world. Many of these arrangements were set up quickly with limited vendor due diligence, cybersecurity testing, data protection (privacy) impact assessments and staff training. There has also been a proliferation of personal data collected and stored on employers’ systems. Medical data, healthcare information, video and sound recordings, geolocation data, images and sounds of family members, biometric data, online tracking data and other sensitive and special categories of data have risen rapidly. Over time, companies and organisations must reassess their records management policies, retention schedules, data protection policies, GDPR compliance and cybersecurity protocols. The volume and types of new personal data create increased data protection, GDPR and cybersecurity risks.

The Effect of New Data Protection Laws 

The GDPR has inspired a rapid expansion of data protection laws around the world since 2016. The California Consumer Privacy Act (CCPA) came into force in January 2020 and enforcement by the California Attorney General is set to begin on 1 July 2020. Even though a cross-sector group of companies, associations and organisations has requested that CCPA enforcement be postponed because of Covid-19, enforcement will begin in July 2020. Companies and organisations around the world that fall within the scope of the CCPA should continue their CCPA compliance programmes, focus on the most high-risk data sets and closely monitor their cybersecurity risk exposure. Brazil’s General Data Protection Law (LGPD), due to come into force on 1 August 2020, has been postponed until 1 January 2021 because of Covid-19. Administrative rules, sanctions and penalties will be enforced after 1 August 2021.

Reducing the Risk of Future Regulatory Scrutiny

Companies and organisations should maintain high data governance standards even though there is a pause in the progress of new data protection laws and pragmatic enforcement of established laws and standards by certain regulators. The UK Information Commissioner’s Office and Ireland’s Data Protection Commission have indicated that they will take the context of Covid-19 into account in their enforcement. Decisions made during the Covid-19 crisis will be judged months and years after the pandemic has subsided. The seeds of future GDPR and cybersecurity breaches could be inadvertently planted during the lockdown period. The key principles of lawfulness, fairness, notice, consent, transparency, accountability, data minimisation and cybersecurity resilience always apply. Trade-offs may be inevitable, but companies and organisations should always aim for win-win outcomes.

Cybersecurity: Focus on Ireland’s National Cyber Strategy

Briefing

Ireland is an important player in the global digital economy. According to the Commission for Communications Regulation (“ComReg”) and other estimates, 30% of the European Union’s data are hosted in Ireland. The Republic of Ireland ranks 7th out of 28 EU member states in the European Commission Digital Economy and Society Index (DESI) 2019. It is a leading country in the EU for the adoption and use of digital technologies. Several of the world’s largest technology companies are headquartered in Ireland, where many of their data centres are located. At the end of 2019, the Irish government published its second National Cyber Security Strategy, for 2019 – 2024, to increase its cybersecurity readiness and resilience. The security of Ireland’s network and information systems is important for economic growth, investment, trust, national security and innovation.

A Cybersecurity Journey

A key proposal is to develop Ireland’s National Cyber Security Centre (NCSC), increase incident monitoring, respond to incidents and threats, and work with the Defence Forces and the Gardaí (Police) on critical national infrastructure issues. There is also a growing realisation that cybersecurity resilience, national security and critical national infrastructure should embrace new partnerships between the public and private sectors. ComReg recommends allowing intelligence on threats to national security to be shared between Irish state agencies and the private sector. Access by private companies to intelligence on national security risks is seen as the best way to secure telecoms networks in Ireland.

Key elements of Ireland’s National Cyber Security Strategy 2019-2022

The strategy’s main objectives are to:

  • Continue to improve Ireland’s ability to respond to and manage cybersecurity incidents, including those involving national security
  • Identify and protect critical national infrastructure by increasing its resilience to cyber attacks and ensure that operators of essential services have appropriate incident response plans to reduce and manage disruptions to services
  • Improve the resilience and security of public sector IT systems to better protect data and the services that people rely on
  • Invest in educational initiatives to prepare the workforce for advanced IT and cybersecurity careers
  • Increase business awareness of the need to secure their networks, devices and information and to drive research and development in cyber security in Ireland, including new technology investment
  • Continue to engage with international partners and international organisations to ensure that cyberspace remains open, secure, unitary, free and able to facilitate economic and social development
  • Increase the general level of skills and awareness among private individuals about basic cyber hygiene and support them with information and training.

The strategy’s other key deliverables include the appointment of Cyber Attachés to Ireland’s key foreign diplomatic missions, ratification of the Budapest Convention on Cybercrime, expanding the current Threat Sharing Group (TSG), refining existing arrangements with the UK on information sharing and incident response and providing support to Cyber Ireland to develop a Cyber Security Cluster of industry, academia and government.

Action Plan: Monitor progress, review outputs and evaluate results

Companies, organisations, the public sector and investors must monitor the implementation of the strategy. The Irish government’s overall budget for this strategy has not been published. Priorities within the strategy for each major objective have not been fully outlined. The role of Small and Medium Sized Enterprises (SMEs) and their position in supply-chain cybersecurity resilience should be monitored, as this is underdeveloped in the strategy. The key question is whether Ireland’s NCSC will become a larger, more confident and technically well-resourced cybersecurity champion in the coming years.

Ireland’s data protection approach should also be monitored in conjunction with the National Cyber Security Strategy. Ireland’s Data Protection Commission (DPC Ireland), the data protection and General Data Protection Regulation (GDPR) regulator, received a total budget allocation of €16.9 million for 2020, a smaller increase than it had requested. The quadruple challenges of Brexit, coronavirus Covid-19, post-election government uncertainty and a cooling Irish economy in the second half of 2020 will directly affect the immediate implementation of the strategy.