Even before COVID-19 became headline news, data privacy was under attack with a number of regions and countries struggling to adopt, implement, or regulate their own privacy-related regulations. The European Union, in particular, had been struggling on numerous fronts, including:

• Poor funding and limited staff resources devoted to privacy audits and confirmation of industry privacy practice compliance;
• Lack of enforcement for ePrivacy and the General Data Privacy Regulation (GDPR); and
• Big tech that treads a fine line between using and taking ownership over user data.  

Brazil (Lei Geral de Proteção de Dados) and South Africa (Protection of Personal Information Act) have also struggled with implementing their own version of GDPR, with both countries delaying the regulatory effective date.

But now we are witnessing a new pivot in the data privacy battle, with rollbacks and challenges to even the basic data privacy principles. EU countries are struggling to hold up privacy rights in the face of both health issues and the economic impact. Hungary notably suspended select privacy rights to deal with the country’s state of emergency during the pandemic. Croatia’s government proposed a legal amendment that would allow telecom providers to release geolocation data to the government for tracing individuals who fell ill and were required to self-isolate. Even the European Data Protection Board (EDPB) which is the independent European agency for ensuring the respect of data protection laws, recently stressed the importance of sharing health data between countries for research purposes above respecting individual data privacy rights.

Most of the governments are justifying the sacrifices of individual data privacy rights as a trade-off for individual and societal safety, promising it will only be a temporary measure during the state of emergency. But exceptions are really hard to roll back once implemented. If you lived through 9/11 and have seen the excessive collection and sharing of personal data, you understand this to be true. Or if you reside in the U.S. and still pay income tax which dates to the Civil War and has never been rolled back, but merely modified through generations.

Security and economics above privacy

We’ve all been worrying about our health. That was certainly a priority for most governments, which is why contact tracing and other virus containment strategies took precedence over personal data privacy. As we start to grasp economic realities resulting from sheltering in place and lowered productivity, it will be more tempting to sacrifice data privacy principles in order to generate income. The first indicator of this trend is the EU, which desperately needs to see a rebound in tourism which accounts for nearly 10% of the region’s GDP. The Commission has recommended the opening of borders and welcoming of tourists, with cleaning, but also careful contact tracing.

In the U.S. we are seeing the uptick in personal data collection as a way to support contact tracing and enable families to once again enjoy summertime at the beach, or the resumption of summer camps. The COVID-19 Consumer Data Protection Act of 2020 was introduced in early May to protect whatever semblance of data privacy remains with users. Unfortunately, the bill is seen as low priority in Washington and is unlikely to make quick progress. For the time being, we are likely to be left in limbo, reflected in the reality of personal comfort with personal data sharing: 50% of consumers willing to use a contact tracing app that uses their personal data.

From a regulatory perspective, all eyes on California since the California Consumer Protection Act (CCPA) went into effect in January with enforcement slated to start in July. However, the regulation is still not fully finalized and with COVID distracting  lawmakers and businesses alike, I won’t be surprised if the regulation is paused until at least October or into 2021.

India and Japan have indicated they will push off data protection regulation initiatives as a result of the pandemic and a focus on normalizing local economies. South Africa has postponed POPIA adoption to an undefined date given the additional strain on regulatory resources. As governments continue to struggle with the tradeoff between security and economic stability with data privacy, we will see data protection efforts deprioritized.
‍

Where do we go from here?

The regulatory data privacy tug of war will continue for the foreseeable future, and we are unlikely to see governments resume pre-COVID levels of attention to enforcing citizen rights until economies begin to rebound (likely a 2-3 year timeframe). While your organization may face less risk around legal and regulatory matters, consumer sentiments on data privacy should  be front and center as the picture is much clearer in that aspect. What this may mean for you includes:

• Revisiting digital risk and opportunity. Organizations need to revisit their digital strategy and associated digital policies to ensure there is still the right balance between business priorities, operational integrity and ethical considerations for an individual’s privacy. A lot has changed in the past three months and a review is prudent for any organization.

• Communicating consumer value. COVID-19 has reinforced consumer sentiment that privacy is important and something of value. Most users are willing to give up some level of privacy but only if they are receiving something of equal or greater value in return. And value is now being measured very differently. Think of the merits of your offerings in very tangible ways, such as giving consumers the freedom to return to work, ability to take a summer vacation, avoiding physical trips to obtain products, and less around discounts or convenience that were priorities before COVID. For some users, even additional physical safety protections can be construed as value-add when communicated through digital channels ahead of product or service delivery.

• Thinking of new ways to give access to products and services. You might think of innovation as something that can take months or even years. But that isn’t necessarily the case. A local restaurant I enjoy has started to provide online cooking classes with home delivery of ingredients 24 hours before a class starts. It’s been a great way for families to enjoy time together but also a very real way for the business to generate revenue. It is a slight pivot that only required modifications to the restaurant’s online ordering system and the introduction of video interfacing capabilities. And best of all? The demand at the restaurant for the offering is growing!

• Be transparent on all data collection. Users are becoming versed in terms such as location data collection and encryption. When you collect data, be open and transparent with what you are doing with that data, how it will be stored, used, and maintained. Consumers increasingly understand that location data without a name can easily be pinned to an individual when an organization sees that pin travel between a workplace and a home address. Don’t disrespect the customer by pretending they don’t understand what’s behind the curtain. Or worse, don’t let them jump to the conclusion that it is worse than what they are imagining.

As we get through the initial phases of this pandemic, start to be more collaborative and open about data privacy practices with your prospects and customers. It takes 21 days to learn a new habit, and we are well beyond that for COVID-19. Habits have been shaped during this time will stick around going forward. We might just be moving in the right privacy protection direction as a result of this unexpected event – one where the consumer priorities are driving business behavior and we are striking at the right balance between business interests and user expectations.

Photo by Hayden Walker