Privacy Regimes, Crisis Strategies, and Governments’ Legitimizing of Digital Surveillance Technology: Comparing Germany, Norway, and the United Kingdom

ABSTRACT

The future trajectory of government surveillance is unmistakable: it is increasing. Yet, despite an increase in implemented surveillance measures, there is still a lack of understanding about the ways in which governments legitimize new surveillance measures and why that might vary across countries. This paper argues that ways of legitimizing digital surveillance technology are shaped by privacy regime legacies and overarching strategies of problem-solving when facing a crisis. With a cross-country comparison, the study finds both similar and different legitimacy strategies by governments in Germany, Norway, and the United Kingdom. The analysis demonstrates the significance of historical privacy practices and governmental problem-solving capacities in shaping technological change and future directions for public administration.

KEYWORDS:

• COVID-19 pandemic
• crisis management
• governance legitimacy
• legitimization
• strategic communication

Introduction

Looking at the past and looking at the present, the trajectory of government surveillance is unmistakable: it is increasing (Yates & Whitford, 2023). Observers frequently note that the pace of development accelerates during times of crisis, as crises can function as windows of opportunity for governments to introduce (often controversial) surveillance policies (Boersma & Fonio, 2018). To gain and maintain support for such policies, which commonly take the form of digital surveillance technology, governments are generally required to legitimize, persuade, and make sense of their choices (Pauli et al., 2016; Schulze, 2015; Suchman, 1995). If successful in persuading citizens and other stakeholders, there can be long-lasting consequences beyond the single policy, such as institutionalized acceptance, making future mass surveillance policies easier to implement and less disputed. Such technology could increase the government’s efficiency by providing important information about citizens and their behavior that can inform public policy decisions (Lund-Tønnesen & Christensen, 2023a), but could also fulfill predictions of a dystopian society. If unsuccessful, negative perceptions could provide implementation constraints, which on paper could prevent efficient decision-making systems, but also ensure some forms of privacy.

Extant research has concentrated much on citizens’ attitudes and reactions toward general surveillance, as well as specific surveillance tools and agencies (e.g., Davis & Silver, 2004; Degli Esposti et al., 2021; Rykkja et al., 2011), but less on how governments use rhetorical devices to shape citizens’ expectations, commitments, perceptions and acceptance of such tools. Moreover, the public administration literature has paid more attention to stable situations than unsettled crisis situations and has not focused much on governance legitimacy in relation to digital surveillance technology in crisis management (Boersma & Fonio, 2018; A. Boin & Lodge, 2016; Christensen et al., 2016). Therefore, this study aims to fill these gaps by exploring how governments in three different countries strategically legitimize the same digital surveillance technology in a crisis. The legitimizing of contact tracing apps, which were developed as key tools for infection tracking in Germany, Norway, and the UK in the first stage of the COVID-19 pandemic is compared. These three countries represent different historical privacy regimes—i.e., governance arrangements, practices, and legacies related to privacy protection. The study begins with an assumption that governmental legitimacy strategies are expected to largely depend on trajectories of privacy regimes of the past (Bennett & Raab, 2006; Bygrave, 2004), and that path dependency can explain the adopted strategies (Steinmo et al., 1992). As the study is concerned with these strategies in a pandemic, it is also expected that the strategies align with the governments’ overall crisis responses (A. T. Boin et al., 2005; Kuhlmann et al., 2021). Formally, the following questions are addressed:

• How did governments in Germany, Norway, and the United Kingdom legitimize their contact tracing applications in the COVID-19 pandemic?

• To what extent are these approaches in line with the privacy regimes and overall crisis strategies in the three countries?

• How can path dependency explain the adopted legitimacy strategies?

The analysis concentrates on the starting phase of the COVID-19 pandemic, which is roughly March-June 2020. This is a point in time where cross-country learning is in its infancy and a phase where possible convergence between countries has not yet occurred. It is a suitable phase to study variation between countries’ legitimacy strategies, as approaches here are expected to be most constrained and enhanced by existing administrative, cultural, and political features (Christensen et al., 2016).

The article is structured as follows: First, three types of legitimacy strategies are identified and outlined. Thereafter, the institutional contexts with key elements related to path dependency, privacy regimes, and crisis strategies are described. This is followed by a description of the methods and data. Next, the results are presented, focusing on the main differences between the countries. Finally, the findings are discussed, and the study is concluded.

Legitimacy strategies

Strategic legitimacy is a fundamental part of gaining acceptance of government policies and managing crises (Lægreid & Rykkja, 2023; Svenbro & Wester, 2023). In general, legitimacy is about citizens’ perception or assumption of whether the actions of government are desirable, proper, or appropriate within a socially constructed system of beliefs, norms, values, and definitions (Suchman, 1995, p. 574). Strategic legitimacy is about how certain agents, such as governmental actors, work to establish meaning and shared understanding of a situation, ways of dealing with it and communicating that to the public (A. T. Boin et al., 2005; Lægreid & Rykkja, 2023). This process essentially involves three aspects: how legitimacy is gained, maintained, and/or repaired (Suchman, 1995).

Legitimacy strategies in the literature on public discourses more generally are well researched (Van Leeuwen, 2007). This literature shows that legitimacy can be pursued through different linguistic paths that emphasize values, emotions, and hypothetical scenarios (Reyes, 2011). Approaches are often based on the “collective memory” and “shared beliefs” of actors in a social context (Beasley, 2011), where meaning is created by the use of the past and the current context to justify courses of action (Hart et al., 2005; Reyes, 2011). In relation to surveillance, some research has studied legitimacy and based it on the ideas of Suchman (e.g., Pauli et al., 2016; Schulze, 2015). This literature has predominantly been concerned with scandals, and specifically Edward Snowden’s revealing of the American National Security Agency’s (NSA) extensive secret surveillance (Kuehn, 2018; Lischka, 2017; Schulze, 2015; Tiainen, 2017; Wahl-Jorgensen et al., 2017). These contributions largely focus on how legitimacy is repaired after a scandal, as well as the role of media in this legitimizing. The literature has not focused on attempts at gaining or building legitimacy in the first place by governmental actors seeking to introduce surveillance measures, or how experiences with surveillance and privacy in the past might shape governments’ legitimacy strategies.

To examine this, this study first follows existing research that relies on the differentiation by Suchman (1995) and argues that rhetorical approaches can rest on three dimensions of legitimacy: pragmatic, moral, and cognitive legitimacy. These approaches concern what governments strategically focus on, but not necessarily what they achieve in practice. Table 1 provides an overview of the operationalization of these dimensions. They have two main components in rhetorical communication: 1) justifying governments’ own practices, and 2) specifically addressing citizens to support, accept, and utilize the digital surveillance technology. The pragmatic dimension rests on assessments of self-interest and utility calculations of the government’s immediate audience: citizens. When the government strategically embraces this form of legitimacy it attempts to influence evaluations of self-interest and utility by citizens. Support for a public policy or technology comes from the expected value and benefit for the evaluators (Suchman, 1995, p. 578). The ultimate success of a new technology depends on its technical superiority compared with other means of problem-solving to improve crisis management capacity, and how that superiority is strategically justified and communicated (Suddaby et al., 2017, p. 21). Moreover, when a policy or technology is controversial—as with much of surveillance technology—it can be expected that the government will highlight that its actions are compliant with existing legislation, thereby upholding perceived instrumental demands (Scott, 2014).

Table 1. Operationalization of the dimensions of legitimacy.

Dimension of legitimacy	Indicator
Pragmatic legitimacy	General: Self-interest, within the law, technological superiority, practical consequences Specific: Internal conduct: Follow privacy laws, improve own crisis management capacity External influence: Citizens’ own (or relatives’) health most important, technical superiority compared with other crisis measures, easy to use.
Moral legitimacy	General: Duty, altruism, standards Specific: Internal conduct: Follow standards for relevant technology, consult with IT-experts External influence: Help community to stop infection from spreading, what is best for society/the common good.
Cognitive legitimacy	General: Framing inevitable and inconceivable approaches Specific: Internal conduct: Modern technology obviously must be utilized by government Old ideas of technology challenged External influence: The only way to overcome the crisis (return to “normality” and regain “freedom”) Technology provides a fundamental function in crisis management Difficult to imagine a world without this technology.

Moral legitimacy concerns normative evaluations and approval related to duty and appropriateness (Scott, 2014). Strategically, it is about emphasizing that choices, activities, and approaches are “the right thing to do” (Suchman, 1995, p. 579). This can entail that the policy or technology is developed according to established standards and that socially accepted approaches and techniques are embraced. Consulting experts is one way of doing this. Moreover, to get citizens to support and use an introduced technology, rhetoric appealing to altruistic ideals such as societal welfare is highlighted in this dimension (Suchman, 1995).

Further, cognitive legitimacy is achieved when an organization or a technology becomes so well-integrated into a social system that its characteristics are deemed natural and uncontested (Scott, 2014; Suchman, 1995; Suddaby et al., 2017). Strategically, this dimension is about framing which solutions are conceivable and inevitable, and which are not. The rationale is that if alternatives to proposed approaches are unimaginable, challengers are fewer in number and easier to persuade. When introducing a new surveillance technology, governmental actors need to construct and alter fundamental beliefs for it to gain acceptance (Suddaby & Greenwood, 2005). The overarching objective of government is then to get citizens to imagine that “for things to be otherwise is literally unthinkable” (Suchman, 1995, p. 583, italics in original). In this study, this involves presenting the idea that not using digital surveillance technology would be unthinkable. While constructing and altering such beliefs is difficult (Scott, 2014), situations of high uncertainty, urgency, and ambiguity such as crises present occasions for this type of legitimacy-building (Lund-Tønnesen, 2022). Which of these three different strategies governments adopt regarding digital surveillance technology in the COVID-19 crisis, is expected to be dependent on the pandemic situation, but also the countries’ historical legacy in the realm of surveillance and privacy.

Institutional context and legacies of the past

Applying a comparative case study approach, the selected countries are Germany, Norway, and the United Kingdom. These countries are chosen for comparison because they are Western, developed countries with similar fundamental structural characteristics (democracy, functioning bureaucracy, health system, economic system, level of economic development) (Kuhlmann & Wollmann, 2019), and similar data protection laws, within the framework of the EU General Data Protection Regulation (GDPR). Although the UK and Norway are not members of the EU, they have their own identical versions of the GDPR. The countries also share many characteristics in digital developments and reform in the public-administrative apparatus in recent decades, although levels of digitalization differ somewhat (Hammerschmid et al., 2023). It is also worth noting that Germany is a federal state and that Norway is less populous compared to the other countries. Moreover, measures to deal with the COVID-19 pandemic were introduced at about the same time in the three countries, around March 2020, and importantly, they all developed a digital surveillance technology, a contact tracing app, to combat the coronavirus in the COVID-19 pandemic in the early stages of the pandemic. These apps were part of the governments’ overall public health response and were developed for mobile phones to trace the spread of the coronavirus and notify citizens whether they had been in close proximity with infected citizens (Lund-Tønnesen, 2022). They were seen as controversial because of their unclear effects on infection tracing and potential for mass surveillance. The use of the apps was voluntary, implying that there was a need for persuasion by the government for them to be utilized by the population.

While the three countries share the characteristics mentioned above, they differ significantly in their privacy regimes, meaning the set of governance legacies, arrangements, and practices related to privacy, personal data, and data protection (Bennett & Raab, 2006; Boersma et al., 2014). This study assumes that these differences, which are elaborated on in the following, can help us understand the countries’ approaches to legitimizing the digital surveillance technology. The theoretical reasoning follows historical institutionalism, which claims that responses to new problems are greatly influenced by existing institutional conditions and experiences of problem-solving in the past (Steinmo et al., 1992). This approach argues that once choices and ideas are institutionalized in a policy area, those patterns are likely to persist and will function as basic templates for future decision-making, so-called “path dependency” (Steinmo, 2008). The outcomes of policy efforts trigger feedback mechanisms that can reinforce the current trajectory and strong forces are needed to overcome the inertia in the system, often characterized as “critical junctures” (Krasner, 1988; Pierson, 2000). In this study, it is assumed that governments’ legitimacy strategies (emphasizing pragmatic, moral, and/or cognitive aspects) must be understood in view of the institutional path dependencies and country-specific historical conditions related to privacy. One can think of the COVID-19 pandemic as a critical juncture, and if legitimacy approaches persist into this crisis, the institutional conditions and legacies in this field are particularly important.

Privacy regimes in Germany, Norway, and the United Kingdom

In a global context, European privacy regulation is often seen as more extensive and bureaucratic compared to other regions, but there are still presumably substantial variations between countries, as with other EU policies (Versluis, 2007). The German tradition of privacy protection has deep roots in ideas of freedom and personality, which can be traced back to the philosophies of Kant, Hegel, and Humboldt (see Whitman, 2004). This became more extensively established in legal and administrative statutes and praxis right after the Second World War. Observers generally view the privacy regime in Germany as among the strictest in the world (Bygrave, 2004; Flaherty, 1989). This view is due to Germany’s exceptional focus on following privacy laws, firm constitutional basis for privacy, and general legalistic administrative culture, as well as systematic integration of privacy concerns in ICT systems, established enforcement mechanisms, and history of privacy information officers in organizations. Moreover, Germans take privacy issues seriously, and privacy has been viewed as a necessary condition for citizens’ political participation and a thriving democracy (Bygrave, 2004; Flaherty, 1989).

Norway has historical cultural values related to personal freedom and integrity, albeit not as intellectually rooted as in Germany. The country was an early adopter of comprehensive privacy laws, in 1978, and has long been committed to protecting individual privacy rights (Bennett & Raab, 2006). Norway enjoys high social and political trust, which has made Norwegian citizens positive toward the use of surveillance in the fight against crime and terrorism (Rykkja et al., 2011). Moreover, the Norwegian government has a history of both protecting privacy in policy and intelligence registers, but also a history of (partly illegally) surveilling citizens belonging to the political left, up until 1989 (Rykkja et al., 2011). After the turn of the century, the government has frequently proposed to implement the EU data storage directive, but faced massive protests and postponed the implementation indefinitely.

In the UK, it has historically been up to data controllers and not privacy regulations or Data Protection Authorities (DPAs) to assess and balance the common law duty of confidentiality with public interests, in line with their common law principles (Bellamy & Raab, 2005). During the Cold War, the UK government extensively surveilled political groups and activists. Moreover, administrative reforms at the end of the 1990s created lasting tensions for the government between improving public policies by use of personal data and protecting privacy (Bellamy & Raab, 2005). The country expanded the surveillance powers of intelligence agencies in 2016, but also implemented the GDPR in 2018. Generally, it is commonly believed that the DPA in the UK is and has been more favorable toward governments’ and businesses’ information needs compared with other European countries (Yeung & Bygrave, 2022).

Overall, all three countries have experience with surveillance and privacy protection, but in different ways. Germany reportedly has a stricter privacy regime than the other countries, while the UK is somewhat more flexible. The characteristics are summed up in Table 2. The role of crisis strategies, and how these two aspects are expected to shape legitimacy strategies are explicated in the following.

Table 2. Overview of country-specific conditions and expectations.

	Germany	Norway	United Kingdom
Institutional history of privacy regime	Strict privacy regime (privacy historically engrained in society and legal- administrative rule-following)	Moderately strict privacy regime (historically committed to protecting privacy, but also perceived leeway to implement surveillance measures when needed)	Comparatively less strict privacy regime (sometimes seen as favorable to businesses and data-driven public organizations)
Overarching crisis strategy in the early stages of the COVID-19 pandemic	Suppression approach with partial lockdown, emphasis on voluntary compliance	Suppression approach with partial lockdown, emphasis on no alternative to draconian regulations, and “dugnad”	Liberal strategy, citizens should make their own risk assessments
Expectations for legitimizing the Digital Surveillance Technology	Predominantly focus on complying with rules and adhering to IT standards. Strongly shaped by privacy legacy and regime. Also, equivalent rules and moral focus following overall crisis strategy.	Stress cognitive dimension more than the others, and moral values of “dugnad.” Mostly influence from overall crisis strategy. Some minor focus on rules and standards based on privacy regime.	Highlight self-interest more than the other countries, due to crisis strategy of making own assessments and because of the less rigorous privacy regime legacy.

Overarching crisis strategies

Governments generally have an overall communication strategy as part of their crisis management. However, the communication, legitimizing, explanation, and values that are embraced for individual crisis measures can vary considerably (A. Boin & Lodge, 2021; Christensen & Lægreid, 2020). An example of this is that in Norway during the pandemic, the government only emphasized self-interest regarding the use of face masks, which is rather different from the overall strategy, as described below (see e.g., Christensen & Lægreid, 2022). In this paper, the legitimacy strategies concerning digital surveillance technologies are viewed as a sub-strategy of the governments’ overall crisis communication strategy. This means that the legitimacy strategies are obviously expected to be shaped by the overall crisis strategy, but that there are variations of the specific measures based on their substantive functions and relation to other measures. This variable is used as a situational variable in this study, which is not uncommon in crisis research where the uniqueness of the studied situation necessitates a nuanced understanding of what is going on.

In the COVID-19 pandemic, Germany had an overall suppression strategy with a partial lockdown to handle the coronavirus. The overarching strategy involved implementing legally mandatory regulations together with communicating and encouraging voluntary compliance, with relative coherence of the measures between regions (Kuhlmann et al., 2021). Although regional powers are strong in Germany, many decisions were coordinated at the central level to ensure national standards. Expert institutions and advice played a central role in Germany, and both politicians and experts were active in communicating, explaining, and legitimizing crisis measures (Kuhlmann et al., 2022).

The Norwegian government’s overall crisis strategy to deal with the coronavirus was similar to Germany’s strategy, with a suppression approach and partial lockdown. The government’s communication strategy was generally about appealing to collective action, solidarity, and voluntary work using the slogan “working together” and the Norwegian cultural concept of “dugnad” (Arora et al., 2022; Christensen & Lægreid, 2020). Implementation of the strict regulations was justified with the argument that there was no alternative to draconian rules and that it was an extreme situation where unusual measures were necessary (Christensen & Lægreid, 2020, p. 719).

The UK initially had a liberal strategy for dealing with the pandemic, where a hard lockdown was not seen as an option (A. Boin & Lodge, 2021). Early on, communication from the government was about risk and enabling citizens to make their own risk decisions, and expert advice was not frequently used (C. Boin et al., 2023, pp. 331 and 336). This pandemic response, with its reluctant decision-making compared to other European countries, was frequently criticized by the public and experts and viewed as a governance failure. It highlighted the shortcomings and failures of leadership and communication to the public. Eventually, the lockdown strategy changed, and extensive and intrusive measures were implemented (C. Boin et al., 2023).

Expectations

Based on the previous elaborations, the following is expected: first, in general, the legitimacy strategies of digital surveillance technology are in line with existing privacy regimes, thus demonstrating that there are national trajectories and paths of legitimizing surveillance. This reasoning follows the idea that legacies of the past regarding privacy and surveillance management provide basic templates for current practices through path dependency (Steinmo et al., 1992). Second, the strategies are expected to be shaped by context-specific conditions related to overall crisis strategies in the COVID-19 pandemic.

Specifically, due to Germany’s legacy of having a heavy privacy focus and privacy rule-following, it is expected that the government emphasizes compliance with privacy laws and adhering to IT standards, and that the influence of the overall crisis strategy—with a focus on rules and moral values—is not incongruent, but complementary to the legitimizing approach. Norway is also expected to emphasize privacy rule-following and IT standards, albeit not as much as Germany. In addition, the Norwegian government is expected to stress the cognitive dimension more than the other countries, by presenting the app as absolutely necessary to overcoming the crisis, in line with the communication in the overall crisis strategy. Relatedly, it is also expected that moral values such as “dugnad” are highlighted. The United Kingdom is expected to underline pragmatic legitimacy the most, with emphasis on self-interest and citizens’ own health, due to its comparatively more flexible privacy regime, which opens for more importance of the overall crisis strategy. It is not expected that the UK will emphasize cognitive legitimacy, as the overall crisis measures were not presented as inevitable or unequivocally intrusive and necessary. Overall, it is not claimed that the governments focus exclusively on one or the other, because in crisis situations governments might play all their cards, but it is expected that differences in ways of legitimizing can clearly be observed.

Method and data

The data consists of official press releases, press briefs, transcripts of government press conferences, question times and speeches, government reports, government blogs, statements on government websites, and news statements by politicians and experts communicating on behalf of the government. Throughout the pandemic, these were the main ways of communicating and justifying the crisis measures in the three countries. All three countries have a relatively transparent public sector, making relevant data easily accessible. To obtain the data, the websites of the governments, the departments of health, health agencies, and relevant IT partners, which were the main actors involved in developing the technology, were thoroughly searched for all information related to the contact tracing apps.

Specifically, the websites of the German government (www.bundesregierung.de), the Norwegian government (www.regjeringen.no), and the UK government (www.gov.uk/government) provided press releases, press briefs, and statements made by key actors involved in communication regarding the apps. Additionally, these websites displayed what other channels were used in communication to the public (e.g., reports, blogs, and the websites of the health ministries or agencies responsible for developing the app (Federal Ministry of Health (FMH) in Germany, Norwegian Institute of Public Health (NIPH) in Norway, and the National Health Service (NHS) in the UK), and their respective IT partners). Complementary to this was the communication efforts through other platforms, such as on TV, in the news media, and on social media such as Facebook and LinkedIn, which were also identified through the governments’ websites. An overview of the data sources is provided in Supplementary Materials Appendix A. The type of actors who communicated and legitimized the apps varied slightly between countries, but it mainly involved the prime minister, the minister of health, directors of the health authorities or other top administrative executives, and IT/health experts who were involved in developing the app. As some of the statements were archived or updated, Wayback Machine was used to retrieve original statements.

Collectively, these data sources give a comprehensive account of the rhetoric used to legitimize the digital surveillance technologies. The essential arguments and viewpoints that the governments embrace to justify their own decisions and get citizens to use the apps are contained in these sources. Consequently, because the main measures to handle the COVID-19 pandemic gained quite a lot of public attention, this data provides a rare opportunity to compare strategic legitimizing of the same digital surveillance technology between countries.

The data was analyzed using qualitative content analysis, which is a widely used approach that allows researchers to capture the qualitative content of text material, and subsequently identify and interpret key features of the data (Braun & Clarke, 2006; Mayring, 2000). The approach enables the categorization of similarities and differences in the text, which comprise the basis for identifying major themes in the data (Graneheim et al., 2017). The analysis was conducted in two stages. The first stage focused on identifying major topics and key communication actors within the data. In this stage, the range of beliefs, values, explanations, and justifications surrounding the apps was identified to ensure that the analysis encompassed the relevant communication and arguments, laying the foundation for the second stage.

The second stage of the analysis was concerned with categorizing and capturing the specific types of legitimacy. Here, the computer software NVivo was used to structure and systematize the data. A coding scheme was created for analyzing all the text segments that contain the justification of choices and rhetoric to get citizens to use the contact tracing apps. The analytical process involved moving from relevant text data, to condensed meaning units, to abstracted rhetorical content, and finally to the general categories of legitimizing strategies. All relevant text was coded based on the operationalization of the three dimensions in Table 1, which builds upon relevant literature (Suchman, 1995; Suddaby & Greenwood, 2005; Suddaby et al., 2017). This was done two times to ensure coding reliability. As shown in Supplementary Materials Appendix B, these statements ranged from a single sentence to longer paragraphs.

In such an analysis, statements will occasionally encompass more than one dimension of legitimacy. In those cases, statements were coded as multiple dimensions, but the most prominent one was emphasized. Sometimes, it was the case that the presence of another dimension corroborated the main standpoint, but it could also be its own argument.

Results

The results show that all three countries use several rhetorical strategies to legitimize their choices and to influence citizens to support, accept, and use the contact tracing app in the COVID-19 pandemic. However, variations can clearly be observed. The countries’ legitimacy strategies can be distinguished not only by their stance on how the app would fit their own crisis management systems and crisis response, but also by the rhetorical content in their communication to the public. Table 3 gives an overview of the apps and the actors involved in developing them, and Table 4 provides an overview of the countries’ approaches in legitimizing the digital surveillance technology in the COVID-19 pandemic. Furthermore, Supplementary Materials Appendix B provides a range of examples of statements and how they are coded in addition to those highlighted in the following.

Table 3. Overview of the apps and actors involved in developing the technology.

	Germany	Norway	United Kingdom
App name and organizations involved in development	Corona-Warn-App (developed by Robert Koch Institute, SAP, and Deutsche Telekom).	Smittestopp (developed by the Norwegian Institute of Public Health and the public research institute Simula).	NHS COVID-19 (developed by the National Health Service and company VMware).

Table 4. Overview of the legitimacy strategies, rhetorical content, condensed meaning, and representative quotes in Germany, Norway, and the United Kingdom.

	Germany	Norway	United Kingdom
Overall legitimacy strategy	Main strategy: Moral legitimizing Combined with: Pragmatic legitimizing	Main Strategy: Pragmatic legitimizing Combined with: Cognitive legitimizing and occasional moral legitimizing	Main strategy: Pragmatic legitimizing
Abstracted rhetorical content	Focus on moral duty and adhere to IT standards. Stress regulatory compliance.	Increase crisis management capacity. Emphasize taken-for-granted beliefs (freedom).	Accentuate citizens’ self-interests and their own benefits. Stress regulatory compliance, and non-cognitive approach.
Condensed meaning unit	Protect people that you do not know. Use of personal data will comply with data protection laws and be transparent.	Increase government’s infection tracking capacity by using the app to assess the effect of crisis measures. The app is imperative for a return to “normality.”	Protect yourself and the people you care about. Use of personal data will comply with data protection laws, but society should not rely too much on technology.
Representative quotes	“I don’t know anything about you, but I’ll protect you.” (Slogan when the app was launched). “Telekom are doing everything we can to complete this app as quickly as possible. Fast, secure in accordance with #gdprcompliance (DSGVO) and fully transparent through #opensource … ”	“Smittestopp is an app that is connected to several other things we want to do, such as … follow and study the development and impact of the [other] measures. It is absolutely crucial to be able to stop measures that harm society and that are difficult to live with over time.” “In order for us to be able to open up more in the coming weeks and months, there are several prerequisites that must be met. More automated and efficient tracking is one of these prerequisites. That is why I [Prime Minister] am asking you all to take part in another ‘Dugnad’ … ”	“Gran doesn’t need the app to benefit from it. If you download the app, you’re protected and you’re more likely to be protecting the people you care about around you.” “One of the things it has taught us is that it is the human contact that is most valued by people. There is a danger in being too technological … ”

First, Germany primarily embraced a moral strategy in legitimizing its app, the Corona-Warn-app,¹ which concerned two overall aspects: protecting the community and highlighting normative values concerning transparency and IT standards. The content analysis reveals that different aspects of the app are focused on by different actors, using different forms of encouragement, which are all predominantly anchored in moral legitimization in some way. The core of this approach is well illustrated by Chancellor Angela Merkel, the leading face of Germany’s crisis management, in her main speech about the app:

Everyone who uses the app is helping to keep the virus under control, now and in the future … It was worthwhile insisting on absolute transparency, comprehensive data privacy, and the most rigorous IT security standards. Today we can say that the app deserves your trust. It protects your privacy since all data generated is encrypted, or pseudonomized, as the experts put it.

The importance of standards such as transparency and data security (e.g., encryption) are highlighted, and are validated by references to experts to signify the appropriateness of this approach.She also draws attention to how citizens by utilizing the app help society not only in the present, but also in the future, reflecting an altruistic notion. What she tells next illustrates the core of the moral approach along with some of the pragmatic flavor in Germany:

It is important to stress one thing, however, which is that using the app is entirely voluntary. There are no rewards for using it, and nobody will be penalized for not using it. … It’s obviously in our own interests to know if we have been exposed to the risk of infection. But the app also offers benefits for the community as a whole. And the more people who use the app, the greater the benefits. By acting sensibly and responsibly, together, we have contained the spread of the virus.

The quote demonstrates that the basis of the crisis communication is largely about appealing to common moral values to guide and direct social behavior, by highlighting altruistic ideals and emphasizing that it is not about personal rewards, but about the community working together, while also not disregarding the benefits it also has for the individual. The German Chancellor was not the only one involved in legitimizing the app. The Minister of Health Jens Spahn said that “Every hour we gain by an early warning is a gain in our fight against this virus … », showing how the app can benefit the crisis management capacity of the government (pragmatic legitimizing), with a focus on the community fighting the virus together (moral legitimizing).

Several German experts who were involved in developing the app were also involved in legitimizing the app. They tell much of the same story, reinforcing the importance of voluntary usage and benefits for society. They also emphasize how the app is complying with existing privacy legislation, which types of data protection impact assessments were carried out, and the value of open source not only for transparency to increase the number of downloads, but also to verify regulatory compliance. Moreover, experts highlight how other experts from the Federal DPA were involved from the start in developing the app, and how they work to increase interoperability with apps in other EU countries, to increase crisis management capacity. These choices contain both pragmatic and moral elements. There is little cognitive legitimizing from the German government. The only aspect that seems to be cognitively oriented is that one expert mentioned that the app is important because it can be superior to pen-and-paper methods in infection tracking. However, the same expert also highlights how the app is in no way a panacea. Thus, the analysis reveals that there is nothing in the rhetorical arguments that indicates that the German crisis management system is entirely dependent on the app, or that if the German society is to return to a state of “normality” this technology is an inevitable solution toward achieving this.

The Norwegian government legitimized its app somewhat differently compared to Germany. The analysis of the data reveals mainly the use of a pragmatic approach, which is combined with elements of cognitive and moral legitimizing. The pragmatic approach in Norway was about the government and the Norwegian Institute of Public Health (NIPH) increasing their infection tracking capacity, and how the app provides important data about the movements of groups in society to measure the effect of other crisis measures to deal with the spread of the virus. In their communication, The NIPH highlighted that the app would have immediate utility in assessing other crisis measures, and utility for individual citizens when they get notifications from being in contact with infected persons. Moreover, the NIPH stressed that infection tracking is done manually in the municipalities which is time-consuming. The Minister of Health endorsed this pragmatic-cognitive approach by stating that:

Today’s technology gives us the opportunity that no one has had before to prevent infection, disease, and death. We must dare to adopt new technology and develop new methods, but it can be demanding.

The minister highlights the technological superiority that digital contact tracing can have in solving current problems society faces and challenges old ideas about technology at a cognitive level. Perhaps the most prominent figure in crisis communication in Norway during the pandemic was Prime Minister Erna Solberg. Her rhetorical vocabulary points very clearly to cognitive legitimizing, where she draws on fundamental beliefs about society, such as envisioning the pre-pandemic world where people can go back to work, the economy works as usual, and people can live their normal lives. In her speech, the contact tracing technology is presented as an essential prerequisite and an inevitable solution to overcoming the major crisis, to “reclaim” these basic social values, and to return to a sense of “normality.” In addition to one of the quotes in Table 4, two other quotes exemplify the content of her call to the Norwegian people: “If we want more freedom faster, this is the way to go” and “If we are to get our everyday life back, as many people as possible should download the app.” Emphasizing these beliefs is thus an attempt to influence collective meaning for how citizens are to interpret and respond to situations of great threat and uncertainty. Moreover, The Prime Minister also said that downloading the app is a continuation of the “dugnad,” meaning voluntary community work, that all Norwegian citizens were already involved in. This message is not a radical divergence from the overall crisis response in Norway and reflects that the app is a tool where all citizens need to work together for an open society. Any notion that citizens should make their own evaluations for using the app is practically rejected.

Even with strong contentions of necessity, the app in Norway was eventually deactivated, due to a combination of privacy concerns and low infection numbers (Lund-Tønnesen, 2022). As a response to this, the director of the NIPH expressed publicly that “we are dependent on legitimacy,” and that with the ban “we weaken an important part of our preparedness against the increased spread of infection.” In the same vein, the director stressed how the app is about improving capacity in crisis management:

The pandemic is not over. We have no immunity in the population, no vaccine, and no effective treatment. Without the Smittestopp app, we will be less equipped to prevent outbreaks that may occur locally or nationally.

This language demonstrates notions of how the government views the app as a central part of the crisis management system to maintain pragmatic legitimacy. In other words, the legitimizing approach in Norway was not about specific benefits for citizens or stressing how individuals must make their own evaluations regarding whether the app should be used or not, but about how about the app is a crucial prerequisite for overcoming the pandemic.

Furthermore, the content analysis shows that the United Kingdom (UK) government also focuses much on pragmatic legitimacy, but other aspects compared to Norway. The government’s approach concerned how citizens are encouraged to utilize the app based on their self-interest, as well as how the government adheres to privacy regulations in designing the technology. Regarding the first aspect, these encouragements to download the app largely focused on citizens’ own assessments and benefits for the health of themselves or someone close to them, and not so much for unknown others, although the community and nation-state are occasionally mentioned. This rhetorical approach is well illustrated in the major TV campaign for the app, where the government advertised extensively with the slogan: “Protect your loved ones. Get the app.” In the same regard, when launching the pilot version of the app, the NHSX chief executive Matt Gould said that “the app will give the public a simple way to make a difference and to help keep themselves and their families safe.” Similarly, health secretary Matt Hancock said that by downloading the app “you are protecting your own health, you are protecting the health of your loved ones and the health of your community.” This can be interpreted as relatively clear calls anchored in pragmatic legitimizing, where citizens’ self-interest is among what the government perceives as a crucial motivation for why the app is to be utilized by citizens.

Moreover, the UK government frequently communicated how the app is compliant with UK GDPR and highlighted that the system in the app “is an ultra-secure way of using the Bluetooth in your phone to work out how close you have been to someone who has tested positive for coronavirus.” In a similar manner, they occasionally highlight standards of privacy pertaining to the app, stating that: “as part of our commitment to transparency, we will be publishing the key security and privacy designs alongside the source code so privacy experts can ‘look under the bonnet’ and help us ensure the security is absolutely world class.” These claims reveal how the UK government seeks to comply with prevailing perceptions of how to appropriately develop modern digital surveillance technology. The approach comprises elements of adhering to privacy rules as well as adhering to privacy and technology standards, meaning a combination of pragmatic and moral legitimizing.

Furthermore, as the app encountered technical problems and was opposed by many, the health secretary backtracked the previously stated importance of the app, and rather embraced what can be seen as the opposite of a cognitive approach when he stated that it was better to “get confidence that people are following the advice that’s given by human beings before introducing the technological element.” Lord Bethell, the minister responsible for the UK’s tracing app, reinforced this approach and stated that: “One of the things it [the pandemic] has taught us is that it is the human contact that is most valued by people. There is a danger in being too technological and relying too much on texts and emails … ”. This can be understood as the opposite of framing the digital surveillance technology as an inevitable course of action. The above key actors do not express any difficulties with imaging a world without this technology, consistent with a “non-cognitive” way of legitimizing. Prime Minister Boris Johnson, who was not much involved in legitimizing the app, united these justifications by saying that the contact tracing app was not a crucial part of contact tracing work but rather the “icing on the cake.” Thus, the UK government’s legitimacy strategy generally had a main emphasis on pragmatic legitimacy and citizens’ own assessments, accompanied by some elements of the other ways of legitimizing.

Discussion

This article shows how governments in Germany, Norway, and the United Kingdom deployed different strategies to legitimize digital tracing technologies during the COVID-19 pandemic. Due to the urgency of the pandemic and the limited knowledge regarding the coronavirus’ clinical-epidemiological features, the potential consequences of crisis measures, including digital surveillance technologies, were not sufficiently evaluated by any government (Hu & Liu, 2022). These factors left governments in a state of uncertainty regarding the reactions to potentially intrusive measures. It is interesting to note that, at the times, the specific measure of contact tracing technology received more negative media attention compared to other rushed measures that had potentially more immediate detrimental repercussions for individuals and society, such as movement restrictions, complete lockdown of society, distancing limitations, and limitations on the number of attendees at social events (Lund-Tønnesen & Christensen, 2023b; Villius Zetterholm et al., 2021). The negativity surrounding surveillance may be because of its unclear purposes. Although the apps were said to be in line with the GDPR, the purposes may still be unclear for citizens, which is a common phenomenon when implementing surveillance (Trüdinger & Steckermeier, 2017). Therefore, appropriately legitimizing a controversial policy such as those involving surveillance is likely particularly important for governments when the policy is ambiguous, and the situation and problem are also rather ambiguous (Christensen & Lægreid, 2022).

Going back to the theoretical assumptions based on path dependency, this construct can be used to interpret several aspects of the main results regarding surveillance legitimizing. A main finding is that Germany extensively stresses moral values for using the technology and compliance with privacy rules. This can be understood based on the country’s legacy of taking privacy issues very seriously, which stems from privacy being ingrained in German culture and in established legal-administrative principles that have rule-following at their core (Bygrave, 2004). This backdrop makes it near unthinkable to deviate from existing regulations when developing important technologies, even to improve own crisis management capacity.

Norway has a history of protecting privacy but also perceived leeway for the government to utilize surveillance when combating extensive societal problems (Rykkja et al., 2011), which can help us understand why some privacy concerns are given less importance by the government when surveillance is asserted to be inevitable for returning to “normality” and for improving crisis management capacity. In such a manner, the Norwegian government’s approaches to dealing with privacy and surveillance come across as relatively path-dependent.

In the UK, the self-interest aspect of the pragmatic dimension is considerably more highlighted than in the other countries. This reflects the overall crisis approach at the time, which stressed that citizens must do their own assessments. Somewhat surprisingly, the UK also focused much on rule-following and regulatory compliance, which was not expected based on the assumptions about path dependency. One possible explanation for this is that because the government did not communicate a sense of urgency or uncertainty about the pandemic at this early stage, the cards it could play to legitimize the app were limited.

By and large, Germany emphasizes values and justifications in accordance with what one would expect from a country with a history of strict and extensive rules of privacy. Moreover, because governments in Norway and the UK have less of a tradition of being overly strict with regards to privacy matters and have some perceived leeway in utilizing digital technology that includes the collection and use of personal data about citizens, they stress these matters less and focus on other aspects. Path dependency thus demonstrates explanatory power in this policy area and is a valuable construct in understanding how history matters for surveillance legitimizing. Yet, privacy legacies alone do not shape all of the legitimacy aspects that are embraced, and the overarching crisis strategy must also be taken into account (Christensen & Lægreid, 2020). In Norway, the crisis strategy is important, and the legitimizing reflects the approach of stressing cognitive beliefs. In the UK, the crisis strategy seems to complement the privacy legacy where the regime is more flexible. Germany’s crisis strategy based on moral values and semi-lockdown seems to be in accordance with its privacy regime. In this way, there is a need to supplement the path dependency interpretations by also viewing the pandemic as a unique situation that involves strategies that depart from existing trajectories. One can therefore view the COVID-19 pandemic as a key point in the evolution of government surveillance and see it as a critical juncture that might determine new, but also reinforce old pathways and directions for institutional development and changes in privacy regimes and legacies.

Overall, this study finds that institutional conditions and established practices shape the legitimacy strategies employed by governments, which is consistent with existing research (Ochoa et al., 2021; Pauli et al., 2016; Villar & Magnawa, 2022). However, by distinguishing between different types of legitimacy strategies in the creation of legitimacy of digital surveillance technologies, this study goes beyond existing research to offer valuable insight into the rhetoric and argumentation patterns surrounding surveillance legitimacy. Additionally, this study builds on the public administration literature that emphasizes the critical role of contextual factors in the comparative analysis of administrative systems (Casula & Pazos-Vidal, 2021; Hammerschmid et al., 2023; Kuhlmann et al., 2021; Van Der Wal et al., 2021). It shows the importance of understanding not only the levels of digitalization in governments but also the specific context of privacy and surveillance, particularly in conjunction with other circumstances such as crisis, when seeking insight into the implementation of digital technologies. By focusing on different country contexts, this study also contributes to the ongoing comparative research in public administration that seeks to make sense of how different governments navigate in a world of digital technology (Greve et al., 2020; Verhoest et al., 2024).

Viewing these findings in relation to the mega-trend of digitalization and emerging technologies such as artificial intelligence, one can anticipate higher uncertainty and frequent changes in expectations, norms, values, and ideologies in public administrations’ institutional environment than before (Fossheim & Lund-Tønnesen, 2023). The challenges of legitimizing future digital surveillance technologies and their impact on the public administrative apparatus are likely not so much about the technical aspects themselves, but the inconsistent political, social, and moral values and expectations that they bring with them (Ahn & Chen, 2022; Fossheim & Lund-Tønnesen, 2023), combined with the uncertain crisis conditions in which many surveillance measures are introduced (Boersma & Fonio, 2018; Villar & Magnawa, 2022). Dealing with these changing values and expectations seems to be an increasingly precarious endeavor for public administrations, yet one that some believe surveillance could assist in by providing data to improve decision-making.

However, more digital surveillance technology means more personal data, which generates more demand for secure systems that protect that data from adversaries, unintended use, and data leaks (Boersma & Fonio, 2018). This gives rise to demands for legitimate systems of surveillance. If legitimacy is high, governments might obtain slack to implement more surveillance technologies (Lund-Tønnesen & Christensen, 2023a). However, this can also lead to a complicated development where some surveillance technologies of some organizations are more legitimate and utilized than others, thereby increasing complexity in the public administrative system and in the public organizations that have personal data as a core part of their problem-solving functions, such as tax, welfare and health administrations, national security organizations and the police.

Conclusion

Overall, the study finds that the governments in Germany, Norway, and the United Kingdom legitimized their digital contact tracing apps in both similar and different ways. These approaches—involving pragmatic, moral, and cognitive legitimizing strategies—are in line with the three countries’ respective privacy regimes and legacies, as well as their overall crisis strategies employed to combat the COVID-19 pandemic (Bennett & Raab, 2006; Christensen & Lægreid, 2020). Path dependency plausibly explains much of the approaches to legitimizing the digital surveillance technology in the three countries, demonstrating how privacy arrangements and practices are shaped historically. In this way, the study makes a significant contribution to the field of comparative public administration by highlighting the importance of context in the implementation of digital technology, and also extends this line of research by addressing aspects of privacy and surveillance, which have received little attention in previous studies (Greve et al., 2020; Hammerschmid et al., 2023; Verhoest et al., 2024).

Despite presumptions of equivalent surveillance and privacy approaches grounded in a common EU framework for data protection regulation, the findings show how historical legacies of privacy still shape countries’ practices today. This has added value to the study of the politics of surveillance and privacy in times of crisis (Bennett & Raab, 2006; Boersma & Fonio, 2018), beyond the one tool examined in this study. By focusing on the underexplored aspect of how and under what conditions the legitimacy of surveillance is gained and created, the study also contributes to and advances the literature on legitimizing surveillance (e.g., Kuehn, 2018; Schulze, 2015; Tiainen, 2017). Importantly, it also demonstrates the need to understand the implementation of digital surveillance technology in crisis management not only as a matter of governance capacity but also governance legitimacy (Christensen et al., 2016).

The analytical way of viewing legitimacy strategies developed in this study, by focusing on pragmatic, moral, and cognitive legitimacy, will be applicable in other countries and contexts as well. However, the actual outcomes of the strategies are expected to vary, just as in the three studied countries. Variations might be greater in other regions, as the three countries in this study are all situated in Europe, a region where privacy regulations have in the last 50 years been generally stricter (Bennett & Raab, 2006). That is a limitation of this study. Another important limitation is that the focus has been solely on one type of digital surveillance technology, and there may be different ways of legitimization across other measures and policy areas.

An expected development in the digital age is that surveillance becomes more ubiquitous (Yates & Whitford, 2023). That can lead to more demands for transparency from citizens and regulators. In future crises, even if those situations are deemed exceptional, governments may need to provide more clarity about technicalities, intended goals, and duration of surveillance in order to gain and maintain legitimacy. These demands will likely vary between different technologies. Future research should investigate the legitimizing of other digital surveillance technologies, for example those that involve artificial intelligence, machine learning, and big data, and advance the comparative work on the significance of privacy regimes and situations involving uncertainty and complexity which this study has only begun to explore.

Acknowledgments

The author would like to thank Tobias Bach, Lise Rykkja, the special issue editors, and the anonymous reviewers for helpful comments. Thanks also to participants at the EGPA conference in September 2023, the PBO research seminar at the University of Oslo in May 2022, the Geilo Research Seminar in Norway in October 2023, and participants at a research seminar at the University of Potsdam, Germany in April 2022 for feedback on earlier versions.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Supplementary material

Supplemental data for this article can be accessed online at https://doi.org/10.1080/01900692.2024.2344105.

Notes

1. While Germany ended up also using another app, the Luca app, developed by private actors, this was launched substantially later in the pandemic, with different functions.