As the world grapples with the continued spread of COVID-19, along with the unsettling public health and economic concerns, there are a number of uncertainties surrounding data security and privacy.* Efforts to contain the virus differ from country to country, as do the strategies surrounding the collection of data to aid in “contact tracing” that will surely be the subject of debate for years to come, with legal experts defining—or redefining—just how far governments and tech companies can go.
In order to counter the threat of the virus, countries have been adopting drastic measures, such as utilizing geolocation data and social contact history, leading to a number of complex privacy questions for both public and private entities involved in the process. This has created a substantial need for clarity from legal professionals and data protection authorities (DPAs) across the globe, many of whom are publishing guidance on best practices for collecting and processing personal data related to COVID-19 in order to stay in line with obligations under privacy and data security laws.
Most discussed in the public eye currently is Google and Apple’s recent announcement about their extensive coronavirus partnership. In the next few months, they will unveil updates to their operating systems to enable contact tracing to help identify carriers of the virus so they can be isolated from the public. It works by tracking with whom one comes into contact, recording the instances in which one’s phone connects over Bluetooth with other nearby devices. Once approved, government health agencies will be able to utilize the app to track physical proximity among phones. The system is Bluetooth-only, fully opt-in, and collects no location data from users.
It all sounds good in theory; however, security experts are pointing to potential flaws in the system, including techniques that could reveal the identities of COVID-19-positive users and help advertisers track them, or that could let users with malicious intent invent false positives.
Most countries affected by COVID-19 are adopting their own version of contact tracing, and nearly all are going digital and leveraging the power of smartphones through Bluetooth or geolocation data. The Google and Apple announcement has heightened public attention to, and concern about, privacy laws.
Governments Consider Surveillance Methods That Push Limits
In China, telecommunications organizations helped the government track and contact those who had traveled through Hubei province in the early days of the virus. Location data was then channeled to China’s Health Commission, which allowed them to trace the steps of those infected.
In Israel, the government passed an emergency law to use mobile phone data to track those who test positive for COVID-19 as well as identify others with whom they have come into contact and may have infected. This method has typically been reserved for counter-terrorism operations, but it is now being used to track infected patients and their phone contacts. If someone found to be positive for COVID-19—or someone who was in close contact with such a person—disobeys quarantine, they receive a text message or call ordering them to return home. If they don’t, the police are called.
Since the start of the pandemic, countries in the West have been paying close attention to how countries like China and Israel have used data collection and apps as part of their public health response. Many critics have raised concerns about privacy and potential illegal use of data, especially as the virus has spread through Europe and the United States.
The European Union and a “Pan-European” Approach
In the European Union, contact tracing must be compliant with the EU’s privacy law, the General Data Protection Regulation (GDPR), as well as separate laws specific to the given EU country. Still, EU nations can make their own exceptions to the rules temporarily for emergencies. For example, Italy adopted a decree to address the intersection between the GDPR and COVID-19, the need for processing special categories of personal data, and how some data-protection rights could be halted to combat the coronavirus.
GDPR Article 6 provides that processing personal data without consent is lawful where it is necessary for compliance with a legal obligation to protect the public interest or to protect an individual. In fact, it provides specific language on not needing consent for monitoring epidemics, pandemics, and their spread, or in situations of humanitarian emergency.
Earlier this month, Human Rights Watch and more than 100 other organizations issued a joint call for legal protections on how governments can use digital surveillance, including mobile phone location data, to fight the pandemic. Europe is under intense scrutiny by these groups as the European Commission scrambles to develop coronavirus tracking apps, seeking an “EU approach” to contain the disease. As a result, hundreds of researchers from eight countries in Europe have been working on the Pan-European Privacy Preserving Proximity Tracing Project (PEPP-PT) to develop a single app that any country can use and that is compliant with EU privacy laws.
Although there is no main data-protection law at the federal level in the United States like the GDPR, there are several federal and state laws that offer privacy protection to certain types of data, like health information, employment, and location data.
As the United States continues to control the spread of the virus and develop plans to potentially reopen the economy, government agencies have put into place—or contemplated—a variety of tracking and surveillance technology that examines the limits of personal privacy—everything from geolocation tracking that oversees the location of people through their mobile devices, to facial-recognition programs that analyze pictures to determine who may have come into contact with those who later test positive for the coronavirus. In fact, we know that data-mining firm Palantir Inc. has worked with the Centers for Disease Control and Prevention (CDC) to model the virus and its outbreak and continues to do so.
This is leading to a struggle among those in the tech industry and among government officials to find a balance between the deployment of technology and safeguarding patients’ data, specifically medical information. At the same time, privacy advocates worry that little has been announced about what has already been implemented or is about to be deployed as governors across the country determine when and how to reopen their states.
Healthcare and Location Data Biggest Concern in United States
Just like in the European Union, the United States has issued guidance on privacy and data security relating to COVID-19. The Department of Health and Human Services (HHS) has waived sanctions and penalties against covered hospitals for certain provisions under HIPAA. The waiver includes the requirement to obtain a patient’s consent before speaking with friends or family members about care, the requirement to distribute a notice of privacy practices, the patient’s right to request privacy limitations, and the patient’s right to request confidential communications.
As the crisis continues in the United States, much-needed additional guidance is being issued by local, state, and federal agencies.
The United States does have the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, which protects the privacy of a patient’s health information, although its protections are not unconditional. Just this past February, HHS released a bulletin outlining when disclosure of health data is permitted, which includes for public health reasons and “to prevent an imminent threat.”
The U.S. Constitution, specifically the Fourth Amendment, also protects certain expectations of privacy, including one’s physical location. Consider Carpenter vs. U.S., for example, in which the U.S. Supreme Court looked at how to apply the Fourth Amendment to cell phone records, particularly cell-site location information (which looks at a person’s past movements). The government had obtained the records as part of a criminal investigation and argued Carpenter should not have an expectation of privacy in them because he voluntarily provided them to third parties (cell phone carriers). However, the Supreme Court ultimately ruled that the government invaded Carpenter’s reasonable expectation of privacy when it accessed cell-site location information from wireless carriers.
It is likely that as COVID-19 cases continue to exist, creating the need for contact tracing, there will be more discussion in the United States on privacy interests like those discussed in the Carpenter case. Because this is a public health issue, the need to address those interests quickly seems likely as well.
It is evident that contact tracing and testing technology will very much play a role in forming a sound, strong recovery strategy. Understanding what our privacy laws require in specific situations, like pandemics or public emergencies, as well as how they are applied, is going to be crucial to continuing to manage COVID-19 and reopen our economies.
By tapping into people’s phones and medical records, researchers and public health authorities are hoping to quickly identify potentially infected patients and curb the pandemic. In fact, the federal agency in the United States in charge of policing data breaches already announced it will back off enforcement of some privacy rules to make it easier for healthcare facilities and their vendors to share patient records with public health officials.
Scaling back these health privacy rules—and justifying doing so during a crisis—raises the question of what happens when the pandemic ends. Will life return to normal, or will we redefine what we historically knew as our right to privacy? Will we have another version of the Patriot Act in the United States? Will we have countries around the world tracing their citizens’ movements freely under the excuse of this pandemic?
On a more positive note, how will countries across the globe learn from one another to develop best practices for tracking diseases that, hopefully, respect our privacy?
*John Neocleous is the founder and managing partner of NCI Law Group, a multinational law practice in the United States, United Kingdom, and Switzerland.