In today’s world it is hard to think of any service, industry or sector that is not in some way driven by data. Data-driven systems can be very visible when they are synonymous with a device (such as smart phones, watches, and home speakers) but also near invisible as they work quietly in the background, helping to shape the world in which we live. These systems are utilised to provide services or products, to make decisions, to justify decisions, and to influence how people behave and think.

Covid the Catalyst

In many ways, COVID-19 has acted as a catalyst, rapidly increasing the visibility of data-driven systems, and surfacing the impact they have on people’s lives. Over the past year there have been regular nationwide briefings that have included an R value based on predictive data-driven models as well as models for predicting where Covid-19 cases will increase. These models have been driven by people’s data (e.g., mobility, health, socioeconomic data), the output of which has been used to enact laws that have limited people’s freedoms through national and local lockdowns. Algorithms driven by population medical data have been designed to decide who should be shielding whilst the contact-tracing app is analysing millions of device-to-device interactions to compute risk scores on how likely someone is to have been exposed to COVID-19. What all of these systems have in common is their need to collect sensitive information about people and their behaviours, data that not so long-ago people may have been far less willing to share.

If people are unwilling for their data to be shared and used as part of these systems, they become far less effective. Yet, not all data is equal with some data being more sensitive than others. This can impact the risk that a person feels when handing over their data to be processed either by a person or an automated data-driven system. For example, people may feel more reluctant sharing their sensitive medical data than they would their supermarket loyalty card data. However, data sharing decisions are very much dependent on who the information is being shared with, and for what purpose. So, for most people any reluctance to share sensitive medical data is abated if this sharing is with their GP for the purpose of managing their health. Further, people also have an expectation of how their data is managed and used after the point of disclosure. For example, there is an expectation that a GP would discuss a patient’s medical history with a colleague without this having been explicitly agreed upon by the patient.

When people are making decisions about what data they will or will not share they take their privacy into consideration. As we’ve already indicated, privacy is a very contextually dependent behaviour. What people are willing to share in one context can vary significantly to what they are willing to share in another. To help people decide what to share, with who and when, they tend to rely on privacy norms and prior behaviours (e.g., because I’ve shared this before, I’ll share it again). Norms are what people have come to expect as “usual” or “typical” based on their prior experiences. It is when these norms are violated that people feel as though their privacy has been violated. Yet, a global pandemic in a data-driven world has significantly altered people’s lives and the contexts in which these privacy norms develop. Has this temporary emergency state caused people and society to revaluate these norms, and if so, what are the likely longer-term effects of these changes?

Privacy as a Currency

To help us think about how data privacy norms have changed, we consider privacy as a currency with every piece of data being valued in terms of how private it is. Some pieces of data may be very private and so are more valuable, whilst others are less private so less valuable. With data-driven systems, people hand over their data (and thus their privacy) to receive something in return. This could be as simple as providing an email address in order to access an account on a social media website to post content. This practice is so widespread it has become the norm. We expect the typical price to pay for such an account is our email address. Often, we are willing to pay more for the things we have a greater want or need for. For instance, many people are willing to have a smart speaker in their home to satisfy the need for connectivity, to have information immediately, and to efficiently manage their lives. The cost is that these devices continually listen and collect audio data at appropriate, as well as inappropriate, moments. However, as we have seen during Covid-19, prices change.

Covid-19 has significantly shifted most people’s lives into a temporary abnormal state. Fundamental human needs, such as intimacy and mobility, have been limited through lockdowns and social distancing. The cost to meet these fundamental needs, in terms of privacy, was once negligible. Now, the privacy price tag for seeing friends and family (most likely from a distance) is our medical and location data. This would have been deemed extortionate pre-Covid-19 but now looks like a bargain. In other words, Covid-19 has led to the significant inflation of the price of our fundamental freedoms and the data required to pay for them illustrates that the value of our privacy has plummeted. We are, perhaps, in a privacy recession.

It seems our privacy norms have fundamentally shifted during the Covid-19 pandemic. Looking to the future, what might privacy norms look like post-Covid? Continuing to use currency as an analogy and our Covid-19 world being a recession in privacy, we consult economic recovery models to inspire our predictions for how the value of privacy may change as the world recovers from Covid-19. Broadly, there are 3 types of recovery referred to as I) V-shaped recovery, ii) U-shaped recovery, iii) L-shaped recovery.

V-shaped recovery

In a V-shaped recovery we would see a rapid return to our pre-Covid privacy norms. Maybe, as people begin to go back to the places that they used to visit regularly, they will be reminded of how little privacy they used to have to “sell” to be able to go about their daily routines. The data itself may also act as a reminder. As people return to work, to socialising with friends, to cafes, to the gym, certain data types (e.g., mobility) will be generated that allow for more intimate inferences to be developed about their lives when compared to the same data during the pandemic. The more data people generate, the more invasive it may feel when they are asked to share it. Therefore, over time, as the value of people’s data starts to normalise in tandem with the ease with which their fundamental needs are met, we may see people becoming more and more resistant to using the apps or services (e.g. contact-tracing app) that collect data to feed data-driven systems. Of course, this imagined pattern of behaviour relies on the idea that much of our data sharing is voluntary.

U-shaped recovery

Compared to a V-shaped recovery, in a U-shaped recovery we would see a more gradual return to our pre-Covid privacy norms. But what could be the key difference between a V-shaped and a U-shaped recovery? One possibility is that the curve of a U recovery would be shaped by periodical changes to data collection policies (i.e., voluntary vs. mandatory). As was mentioned earlier, if people are unwilling for their data to be shared and used as part of these systems, they become far less effective. Therefore, it is not hard to imagine that our gradual reclaiming of fundamental freedoms will come with the proviso that people must continue sharing certain types of data with certain entities. Indeed, some previously voluntary data sharing became mandatory overnight as the Covid-19 pandemic escalated. For example, as we entered the first lockdown last March the exemption clause in the National Data Opt-Out service (that allows patients to opt out of their confidential patient information being used for research and planning) was triggered: people’s ability to opt-out does not apply when there is an overriding public interest in the use of data. However, such data-sharing practices are near invisible to most people as they go about their daily lives, and it is more likely that privacy norms will be defined by active engagement in mandatory / voluntary data sharing. One can imagine that using a contact-tracing app will become obligatory, possibly requiring ‘tap ins’ at public establishments, with entry refused if non-compliant. In terms of a gradual change in mandatory data sharing, it may be that the list of public places where people must ‘tap in’ gets shorter and shorter over time and thus the onus of data sharing being voluntary increases. As society starts to regain greater control over the types of data being shared and with whom, there will be an opportunity to re-evaluate what privacy means. This re-evaluation may result in the redefining of privacy norms, possibly returning to what they were pre-Covid-19.

L-shaped recovery

In an L-shaped recovery, change is slow. So slow that our pre-Covid privacy norms may become a distant memory and we never return to them. This slow increase in valuing our privacy may occur under the same mandatory/voluntary data sharing context discussed when considering a U-shaped recovery, only the scales are considerably tipped in favour of mandatory data sharing. After experiencing 12 months of our privacy having little value, people may have become used to, or even comfortable with, these new data sharing expectations. Therefore, we may also be vulnerable to accepting data sharing obligations that are less directly related to Covid-19, a situation that can be referred to as ‘scope creep’. In other words, the data-sharing activities that we have experienced during the Covid-19 pandemic may set a precedent that is difficult to retract from.

Speculating what our privacy norms may be like post-pandemic highlights the multitude of interrelating factors that are at play and emphasises that it is very unclear what our post-Covid-19 data-driven world may be like. To help us think about how data privacy norms have and will continue to change, we considered privacy as a currency and thus how much of it we are willing to use to pay for our fundamental needs and freedoms before, during and after the Covid-19 pandemic. We raise more questions than provide answers, but the one thing that we can be sure of (whether a researcher, stakeholder, or citizen) is that as we figure out what our new ‘normality’ is in a pandemic-vulnerable world we need an open discussion about our privacy norms around data sharing to allow us to be safe and healthy citizens of a healthy and safe world.

Article by: Mark Warner and Selina Sutton