The trade-off between privacy or public health
In December 2020, Hugo de Jonge, the Dutch Minister of Health, Welfare, and Sport, wrote a letter to the House of Representatives in which he presented the risk analysis of the systems that were used for data with regard to COVID-19 (De Jonge, 2020). This risk analysis pointed to the specific risk of a data breach. In this letter, De Jonge promised to take measures that would prevent unauthorized individuals from accessing certain data in order to minimize the risk of data breaches and protect the citizens' privacy.
However, in January 2021, an enormous data breach at the municipal health service (the so-called “GGD” in the Netherlands) became public news. Two employees of a call center of the GGD confessed that they have accessed and stolen the data of thousands of individuals - including telephone numbers, addresses, and social security numbers. One of them has put these data up for sale on the chat service Telegram, which resulted in one transaction (Brabants Dagblad, 2021). Moreover, one of these employees’ lawyers claimed that colleagues also took pictures of data and shared these in a group chat, which also included supervisors who did not intervene (Peters, 2021). In total, seven suspects have been arrested (NU.nl, 2021). The public debate as well as the debate in the Parliament further exploded when De Jonge tried to soften the gravity and reduce the extent of the data leak enormously (Verhagen, 2021b). On top of this, he created the impression that he had fulfilled the promise he had made in December, while in fact very little attention had been paid to these security measures (Klaassen, 2021).
Since privacy implies the “control of personal information” and the “rights to secrecy” (Lyon, 2015, p. 93), this case exemplifies a serious violation of individuals’ right to privacy, but it also shows that the gravity of data breaches and privacy is not always taken seriously. When considering the lack of preventive measures on behalf of De Jonge and his Ministry, we could ask ourselves: does this mean that efforts to stop the spread of COVID-19, and more broadly public health, are more important than our privacy and that we have to give up a part of our privacy in order to ensure public health (van Dijck, 2014)? In order to explore De Jonge’s and the Parliament’s answer to this question, this paper aims to analyze how De Jonge and the Parliament have approached and reacted to this data breach.
Privacy vs. public health: background of the data leak
Before analyzing De Jonge’s and the Parliament’s reactions and approaches, it is meaningful to further investigate the background of this data breach. The first system from which data were stolen is CoronIT, which is used to register all data with regards to COVID-19 testing, and the second system is HPZone, which is used to explore who has been in contact with individuals that tested positive for COVID-19. A significant vulnerability of these systems was the export function that was built into both systems in April 2020, which enabled individuals with access to data to download and export data as an Excel or CSV-file (see Image 1), and thereby to transfer data to external systems (van de Klundert & Schellevis, 2021). This implies that the risk of data breaches was already present for months.
Another significant issue was that the majority of people with access to these data did not have the authority to access these data, including the arrested call center employees. In total, 26.000 employees of the GGD had access to CorinIT and 8.000 employees had access to HPZone. According to the GGD, solely employees who needed access in order to perform their jobs had access to these data. In order to ensure this, the GGD monitored their employees and in case of unauthorized access, the GGD fired this employee and potentially reported this to the authorities (Verhagen, 2021a). Unfortunately, there was no automatic monitoring of every employee, as De Jonge did suggest, but employees were randomly picked out to be monitored, which turned out to be insufficient (Klaassen, 2021).
The only European country in which more data breaches were reported than in the Netherlands is Denmark.
When considering the issue of data breaches more broadly in the Netherlands, it can be concluded that data breaches occur regularly. The only European country in which more[1] data breaches were reported than in the Netherlands is Denmark (McKean, Kurowska-Tober, & Waem, 2021). Next to this, because of the shortage of personnel of the Dutch Authority Personal Data (the so-called “AP”) - an organization that supervises compliance with the regulations for the protection of personal data - the AP is only able to investigate a small number of data breaches (VPNdiensten.nl, 2021). In addition, the government can be considered the most substantial cause of data breaches in the Netherlands, since personal data are regularly forwarded, and sometimes redirected to the wrong person. In 66% of cases in which personal data were redirected to the wrong person, this was part of a data breach (VPNdiensten.nl, 2021). This clearly shows that the risk of a data breach at the GGD should not have been ignored, since data breaches happen oftentimes in the Netherlands.
De Jonge’s perspective: data as a currency for health services
In line with the abovementioned point, the cause of the data breach of the GGD was governmental: employees of a call center of the GGD - a governmental institution - stole data. In De Jonge’s letter to the House of Representatives in December, he promised the following: “In order to minimize the risk of data breaches, a more appropriate authorization management is being set up. This makes it impossible for unqualified and / or unauthorized users to gain access to certain data” (De Jonge, 2020, p. 5). The data breach shows that this authorization management was either not yet set up or not functioning optimally.
When confronted with this situation in Parliament shortly after the data breach, De Jonge attempted to deny the extent of the data breach and to downplay the seriousness of the vulnerabilities of CoronIT and HPZone. De Jonge created the impression that the inspection, with the purpose of checking whether only authorized employees accessed the data, happened automatically, while in fact employees were randomly selected for this inspection. Furthermore, he responded to the Parliament’s displeased reactions with “well, that is how it goes guys” and he declared that no action could be taken against this kind of crime (Verhagen, 2021b). By means of downplaying the gravity of the data breach, De Jonge tried to convince the Parliament and citizens that this was not a serious violation of individuals’ right to privacy. This shows the relevance of framing in his responses (Lyon, 2015, p. 114).
He responded to the Parliament’s displeased reactions with “well, that is how it goes guys”.
On the basis of these responses and the lack of preventive measures, it can be suggested that De Jonge believed that the importance of the efforts to stop the spread of COVID-19 outweighed the risks of a data breach. Therefore, it seemed that individuals should give up part of their privacy for the sake of public health (van Dijck, 2014, p. 197). This is not to say that De Jonge perceived privacy as insignificant, but it does seem that he believed that in times of crisis individuals’ privacy could be traded for public health (Lyon, 2015, p. 97). This exemplifies that informational privacy is often considered less significant than the privacy of our body or territory (Lyon, 2015, p. 94). Moreover, this seems to confirm the point that van Dijck (2014, p. 197) has made, namely that individuals’ data seems to have become a currency nowadays, which individuals use to pay for security services, and in this case, health services (van Dijck, 2014, p. 197). This trade-off appears to have been normalized across citizens (van Dijck, 2014, p. 198), especially relating to public health.
Unlike De Jonge’s initial reactions, he later apologized and admitted that too much attention had been paid to the systems’ velocity and functionality, at the expense of individuals’ privacy (Verhagen, 2021b). At that moment, he again proposed measures that would be taken in order to improve the systems’ security, such as replacing HPZone. This shows that, eventually, he did consider individuals’ privacy as an issue to which attention should be paid, just like public health.
The Parliament’s perspective: violation of the right to privacy and dataism
In contrast to De Jonge’s initial responses, the Parliament treated this data breach as a serious violation of individuals’ right to privacy. They also expressed their indignation with regard to the lack of preventive measures on behalf of De Jonge and they complained about the inappropriateness of De Jonge’s attempt to soften the issue and twist the facts. Maarten Hijink of political party SP wondered: “Was he just not aware of the seriousness of the problem, or did he think he could downplay the problem with a lot of bluffing?” (Verhagen, 2021b). Hijink added that such mistakes should not be covered up, because these mistakes caused many victims.
This line of reasoning corresponds with that of Lyon (2015, p. 92), who mentions that people living in a democracy should be aware of the government’s activities and they should have the opportunity to make queries about them. Hijink also filed a motion to expand the AP’s capacities with the purpose of providing them with sufficient resources to detect data breaches (Verhagen, 2021b). This action appears to be a more concrete step in the direction of preventing future data breaches than De Jonge’s promises. In addition, some Parliament members even questioned De Jonge’s ability to handle this crisis and wondered whether other Ministers should be assigned some of his responsibilities since he failed to fulfill the promise he made in December to make the systems safer (Klaassen, 2021). These responses show that the Parliament believed that even in times of crisis, privacy should not be traded for public health (Lyon, 2015, p. 97).
Maarten Hijink of political party SP wondered: “Was he just not aware of the seriousness of the problem, or did he think he could downplay the problem with a lot of bluffing?”
Moreover, Kees Verhoeven of political party D66 addressed the fundamental problem of this issue. He mentioned that there is currently a “holy faith in data combined with blind trust, blind spots and blinders” (Verhagen, 2021b). This is exactly the problem of the datafication paradigm: individuals have blind trust in the government’s capacity and willingness to ensure that their privacy will not be violated in any way, which can be called the ideology of “dataism” (van Dijck, 2014, p. 198). Individuals believe that it is the government’s responsibility to protect their privacy and to ensure that the entities that possess their data have integrity (van Dijck, 2014, p. 202). This data breach violated individuals’ trust in the government, which can be seen from the enormous decline of people that scheduled a COVID-19 test appointment the days after the data breach. The purple line in Image 2 indicates the number of performed COVID-19 tests in the week after the data breach, whereas the green and yellow lines indicate the number of performed COVID-19 tests in the two weeks before the data breach (de Hond, 2021). Citizens’ trust was violated because data that was collected for the purpose of public health and that was supposedly protected from any other parties with interest in these data, ended up in the hands of these other parties with malicious intentions (Lyon, 2015, p. 101).
This case also exemplifies that individuals cannot automatically assume that the entities that collect their data function independently, which is something that “dataists” believe (van Dijck, 2014, p. 203). The reason for this is that employees of a call center of a governmental institution, who individual citizens trust, intentionally shared their data with others. One employee mentioned that he was looking for data on celebrities and acquaintances (Peters, 2021), which illustrates that multiple entities share an interest in individuals’ data, although for different reasons. This data breach demonstrates that blind trust in the government to protect individuals’ privacy can be misplaced, since the government failed to accomplish this task.
What do we value more?
Based on De Jonge’s initial attempt to downplay the gravity of the data breach and the lack of preventive measures on his behalf, it can be concluded that De Jonge believed that privacy could be traded for public health in times of crisis. This approach, however, does not align with how privacy should be approached in a democracy such as the Netherlands. Indeed, Lyon (2015, p. 101) also declared this: “Privacy is an essential component of democracy and of a decent human life”. The Parliament, on the other hand, expressed their indignation with regards to De Jonge’s lack of preventive measures in order to ensure individuals’ privacy, while many resources were devoted to the systems’ velocity and functionality (Verhagen, 2021b). This resulted in De Jonge apologizing for his inappropriate responses to the data breach and admitting his shortcomings (Verhagen, 2021b). Therefore, it can be concluded that although De Jonge initially approached the data breach differently, both De Jonge and the Parliament eventually agreed on the idea that individuals’ privacy should not be traded for public health, even in times of crisis.
References
Brabants Dagblad. (2021, May 4). Verdachte GGD-datadiefstal was op zoek naar gegevens BN’ers: ‘Ik heb echt domme dingen gedaan’.
van Dijck, J. (2014). Datafication, dataism and dataveillance: Big Data between scientific paradigm and ideology. Surveillance & Society, 12(2), 197-208.
de Hond, M. (2021, February 8). Het GGD-datalek verblindt ons zicht op de Britse mutant [Article].
De Jonge, H. (2020). Kamerbrief reactie op 92e OMT-advies testbeleid, bron- en contactonderzoek en vaccinatie [Letter to the House of Representatives].
Klaassen, N. (2021, February 3). GGD-datalek: ‘We hebben er onvoldoende aandacht voor gehad’.
van de Klundert, M. & Schellevis, J. (2021, January 28). Lek in GGD-systeem al driekwart jaar aanwezig.
Lyon, D. (2015). Surveillance after Snowden. Cambridge, England: Polity.
McKean, R., Kurowska-Tober, E., & Waem, H. (2021, January 19). DLA Piper GDPR fines and data breach survey: January 2021 [Report].
NU.nl. (2021, March 19). Zeker duizend Nederlanders waren slachtoffer van datalek bij GGD.
Peters, J. (2021, May 4). Verdachten bekennen delen van privégegevens uit coronasystemen van GGD.
Verhagen, L. (2021a, January 26). Datalek bij GGD: gegevens van miljoenen Nederlanders incriminele handen.
Verhagen, L. (2021b, February 3). De Jonge in debat met geïritteerde Kamer door het stof over datalek GGD.
VPNdiensten.nl. (2021, April 7). Datalekken in Nederland [Article].
[1] Number of data breaches weighed against country populations.