From public transport to cultural scenes and social gatherings, urban areas have faced a series of unique challenges in the fight against Covid-19. The key weapon in this fight has been the use of data – both in the shorter-term as cities have sought to contain the outbreak and recover, and also in the longer term to create pandemic resilience and improve services to citizens in a post-Covid-19 world. Yet two questions remain unanswered: can this greater public authority insight gained from data gathered both during and after this pandemic be reconciled with the erosion of privacy, and is this an opportunity to increase citizen involvement in the development of the cities of the future?
This article is part of our Future Cities series where our sector experts examine the most pressing issues facing our cities in the post-Covid era and provide their views and advice on how to prepare for, and adapt to, the long-term legacy of the crisis.
Covid-19, cities and data: short-term
Both the public and private sectors have harnessed data and embraced data-driven solutions to aid the Covid-19 response. This has included leveraging data relating to issues such as transport, air quality, and CCTV, to better understand cities and people’s movements, as well as measure compliance with social distancing rules. We have also seen data being collected from citizens’ smartphones through contact tracing apps to help control the spread of the virus and, while this is not specific to those that live in cities, it is arguably even more vital in a city where population density is high and public authorities need to act quickly to prevent localised outbreaks such as the one currently hitting the headlines in Leicester in the UK.
Contact-tracing smartphone apps, in particular, have ignited debate as the world has broadly splintered between two different models – the public authority-led centralised model and the privacy-protecting decentralised model – with many suggesting that "contact tracing" itself hardly goes hand-in-hand with privacy. In broad terms, under the authority-led centralised model, data gathered is uploaded to a central server. When an individual notifies the app that they are displaying symptoms of Covid-19, matches are made with other contacts on this server. By contrast, the decentralised model stores information locally on the smartphone, and it is there that matches are made with people who may have contracted the virus. The centralised model gives authorities more insight into the virus and its spread, whereas the decentralised approach offers a higher degree of privacy.
To pick some useful examples of apps that have been rolled out across the world to demonstrate this tension between public health and privacy, Singapore first employed a centralised model known as TraceTogether, an app which can use Bluetooth to identify people who have been within two metres of a confirmed case for at least 30 minutes. Once users granted the app permission, it began to log other people using the app who the user has come in close contact with. Where data showed that they had come into close contact with someone who had tested positive for the virus, the user could then opt to share their log data (ie, data on other people) with the government. This has since become a hybrid model, with decentralised contact logging and centralised contact tracing and follow-up.
South Korea used Corona 100m, a central tracking app that provides a publicly available map for users to check if they have been within the vicinity of a known case, and proactively informs users where they have been. Concerns have been raised, however, over the level of information that was provided to the public, as such data can include surname, gender, age, profession and travel history of the infected individual.
A number of countries in Europe, including Germany, have adopted the decentralised approach, with privacy concerns remaining a central theme and area of concern with the centralised model. Interestingly, in the UK, the NHSX app was originally developed to adopt a centralised approach. However, the UK government recently announced its plans to change to a decentralised app amid privacy concerns. For cities, it is vital that, whatever the approach, there is sufficient uptake from citizens to enable successful contact tracing.
Covid-19, cities and data: long-term
While this data collection and analysis arguably has been, and continues to be, necessary in the shorter term in our attempts to control the virus, in the longer term there is a question of whether this should, or will, have any lasting impact or influence on the future relationship between cities and their citizens. Covid-19 presents an ideal opportunity for cities to adapt and change the way they operate, just as pandemics before have forced cities to do. Think of the cholera epidemics in London in the 19th century that led to the construction of sanitation facilities. Now data is becoming the sanitation of the 21st century.
The current pandemic could be viewed as the catalyst for cities and organisations to put in place capabilities allowing effective collection and use of data with minimal impact on privacy, to enable us to be better prepared to handle the next pandemic. That could be either to flag potential problems for a quicker response or to create pandemic resilience in a post-Covid-19 world. This will range from the way we live and move changing based on data, and the technologies that we are exposed to.
To start with the former, a city’s public transport system provides a useful example. Limits on occupancy will inevitably need to be put in place and will likely be here to stay. In Beijing, a reservation system has been introduced in the subway to combat overcrowding. Passengers are able to book a 10-minute reservation slot through an app on their phone to enter the station, giving them a 30-minute window - from 10 minutes before the slot to 10 minutes after - to enter via a fast track lane using a QR code generated on the app. While the UK government has, in the short term, deployed thousands of transport marshals to prevent services becoming overcrowded, it is not hard to envision a future where data and technology can be used to close stations for periods of time as part of traffic management when they are too congested, or apps used to proactively send notifications to commuters to warn of crowded transport and encouraging alternative routes.
Indeed, this does not stop at transport. Similar initiatives could be rolled out more widely to touch every aspect of our daily lives – resulting in a person’s digital footprint being left everywhere they go in urban areas, particularly as society looks to make interactions as contactless as possible.
This can then neatly be rolled into the next change that we can expect to see – the technologies that we are exposed to in urban environments. This could involve increased use of facial recognition and wearable technologies as we move around an increasingly contactless world. Further, technologies that have been developed in the response to Covid-19 will not necessarily magically disappear when this is declared "over" – like facial recognition technologies that are being developed that can allow authorities to potentially identify people in real-time, even when wearing masks. These technologies and the data they collect could possibly stay in place for future contact tracing, for when the next pandemic inevitably hits.
Future cities and privacy
However, this does cause the conversation to turn to what may be described as "creeping authoritarianism". Of course, this is not brand new to us – for some time, many aspects of our lives have left digital traces, but that digital footprint is set to expand, with the result being that there may be ways to derive personal data of citizens as a result of the aggregation of several data sources, such as the combination of GPS and device ID data.
And the decisions we as individuals make to opt-in to data collection and analysis now, at the time of this pandemic, might not align with the decisions we would make at other times. So while data-rich cities in the future may be touted as being better and safer in a post-Covid-19 world, it is becoming increasingly difficult to draw the line between data collection and surveillance. As Yuval Noah Harari has said: we can choose to protect our health not by instituting totalitarian surveillance regimes, but rather by empowering citizens.
As such, it is more important than ever that a new relationship of trust must be brokered between the citizen and their city. To demonstrate the importance of trust and transparency, let us consider two relevant examples to this discussion. Firstly, Singapore’s TraceTogether app mentioned earlier, where it was estimated that only approximately 20% of the population downloaded the app, with privacy and trust concerns cited as reasons (among others) for limited uptake. Given that the success of any contact-tracing app depends upon citizen uptake, governments and cities need to get this right. Secondly, the recent shutdown of Alphabet’s Sidewalk Labs smart city project in Toronto following citizen concerns around privacy and data collection.
This relationship of trust should not just cover data collection, but also citizen engagement in determining a workable standard that not only adheres to data protection regulation but is also ethically acceptable to all. While data protection laws have arguably been somewhat malleable during this pandemic period, it has always been the case that legislation is by its nature reactive and has never truly been able to keep pace with technology. The pandemic looks set to further fuel this, and the gap between technology and regulation is becoming increasingly stark.
Let’s just briefly consider the GDPR. It took the European Commission six years to get the GDPR agreed, approved and into force – but six years is a lifetime in the world of technology. As a natural consequence of this, the spotlight does fall on the ethics of data use – shifting the dial from "what can we do with data" to "what should we do". This remains true in the midst of a pandemic and for building future resilience, and so, as technology offers more powerful ways to collect, handle and analyse data, both cities and citizens together have to determine where the limits should be.
Transparency is key to this. Creating future city frameworks that contemplate flexibility around data decision making is important. It should also be clearly articulated as to what data is being collected, how it is being used, who it is being shared with and any potential future uses, if any data is not de-identified, and if there are any opt-out abilities. Most concerns typically centre around these issues: awareness and assurances that it is not aggregated and used in a way that we would not want or expect. Data authority, governance and security is similarly paramount. To build sufficient trust between cities and citizens for forthcoming technological changes, ethical frameworks should be put in place to govern decisions around data use, as well as seek to embed data ethics as a key aspect of adaptive governance and consideration given to the use of data trusts.
Only then can we distinguish the strategic advantages of using data for smart urban living in a post-Covid-19 world from the dangers of personal surveillance and the end of privacy as we know it.
This article was first published in Global Data Review, July 2020
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2021