By Trent Martinet, Camila Tobón, Alex Paalborg and Adrienne Kovac
DAVIS GRAHAM & STUBBS
Technology is playing a central role in helping governments and public health authorities manage the response to the COVID-19 pandemic. But what are the privacy implications?
Governments and technology companies from all over the world are using technology to leverage data, including location data, to develop and shape containment and mitigation strategies to combat the spread of the virus. One Big Tech giant, which already uses aggregated location data to fuel its products and services, recently leveraged such data to assess responses to “stay-at-home” and “shelter-in-place” orders. Reports taken from this data reveal a marked decrease in the number of individuals visiting retail stores, parks, transit stations and other public venues after the issuance of such orders, thereby demonstrating the effectiveness of such policies.
Several technology companies are also developing new tools to help mitigate the spread of COVID-19. Two leading technology market players are collaborating on a new approach to contact tracing — a strategy that involves identifying all the individuals an infected person may have come into contact with — to speed up the process of identifying individuals who may be infected with COVID-19 by automating what would otherwise be a manual exercise. The approach would be opt-in, run at the mobile operating system level and use Bluetooth to exchange anonymous IDs over short ranges to record proximity to other mobile devices. If a user tests positive for COVID-19, they would report it through a mobile app, which would then notify other users whose phones had been in close proximity to the infected person’s phone in the prior 14 days, so they can seek testing and self-quarantine.
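The following is an added illustration of the decentralised matching idea described above, not code from the companies involved or from this article, and it is deliberately simplified: the key sizes, the 10-minute rotation period, the 14-day window and the HMAC derivation are assumptions chosen for the example, not any vendor’s specification. It shows the property that matters for the privacy discussion that follows: phones broadcast rotating identifiers that a passive listener cannot link, only the infected user’s daily keys are uploaded on a positive test, and the proximity matching runs on each recipient’s own phone rather than on a server.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed parameters for this illustration (assumptions, not the
# named companies' specification): identifiers rotate every 10 minutes,
# so 144 per day, and a positive report covers the prior 14 days.
INTERVALS_PER_DAY = 144
REPORT_WINDOW_DAYS = 14


def rolling_id(day_key: bytes, interval: int) -> bytes:
    """Short-lived identifier broadcast over Bluetooth for one interval.

    HMAC output is pseudorandom, so two identifiers from the same phone
    cannot be linked by a passive listener who lacks day_key.
    """
    msg = interval.to_bytes(4, "big")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str) -> None:
        self.name = name
        # One random key per day; it never leaves the phone unless reported.
        self.day_keys: dict[int, bytes] = {}
        # (day, interval, identifier) tuples heard from nearby phones.
        self.heard: set[tuple[int, int, bytes]] = set()

    def key_for(self, day: int) -> bytes:
        if day not in self.day_keys:
            self.day_keys[day] = secrets.token_bytes(16)
        return self.day_keys[day]

    def broadcast(self, day: int, interval: int) -> bytes:
        return rolling_id(self.key_for(day), interval)

    def hear(self, day: int, interval: int, ident: bytes) -> None:
        # Only the identifier is logged: no location, no persistent device ID.
        self.heard.add((day, interval, ident))

    def report_positive(self, today: int) -> dict[int, bytes]:
        """Everything that leaves the phone on a positive test: the day keys
        inside the reporting window. The contact log itself stays local."""
        return {d: k for d, k in self.day_keys.items()
                if today - REPORT_WINDOW_DAYS < d <= today}

    def check_exposure(self, published: dict[int, bytes]) -> set[tuple[int, int]]:
        """Matching runs on the receiving phone: regenerate every identifier
        the published keys could have produced and intersect with the log."""
        hits = set()
        for day, key in published.items():
            for interval in range(INTERVALS_PER_DAY):
                if (day, interval, rolling_id(key, interval)) in self.heard:
                    hits.add((day, interval))
        return hits


def simulate(today: int = 10) -> dict:
    """Constructed scenario: Bob is near Alice on day 3; Carol was near
    Alice on day -10 (outside the window) and near Bob on day 5."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    for interval in (50, 51, 52):
        bob.hear(3, interval, alice.broadcast(3, interval))
        alice.hear(3, interval, bob.broadcast(3, interval))
    carol.hear(-10, 7, alice.broadcast(-10, 7))
    carol.hear(5, 12, bob.broadcast(5, 12))
    bob.hear(5, 12, carol.broadcast(5, 12))

    published = alice.report_positive(today)  # what Alice's phone uploads
    return {
        "published_days": sorted(published),
        "bob_exposures": bob.check_exposure(published),
        "carol_exposures": carol.check_exposure(published),
        # Passive listener's view: consecutive identifiers look unrelated.
        "ids_rotate": alice.broadcast(3, 50) != alice.broadcast(3, 51),
    }


if __name__ == "__main__":
    print(simulate())
```

Two caveats a practitioner should keep in view. First, once a day key is published, anyone who logged one of that phone’s identifiers (including someone who deliberately recorded them with time and place) can work out which of their encounters were with the reporting user, which is the re-identification risk discussed later in this article. Second, the scheme constrains what the app uploads, but it says nothing about what a server operator does with keys, reports or accompanying metadata, which is why the purpose-limitation and deletion requirements below matter as much as the protocol itself.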
Other countries are also using location data to enforce quarantine orders and perform contact tracing. In Hong Kong, electronic wristbands and an app work together to determine whether people under quarantine are staying in their homes and, if not, to alert local authorities to take enforcement action. In South Korea, government contact tracing efforts have been supplemented by private apps that alert users to diagnosed COVID-19 patients within a given radius of the user and disclose other personal information about the patient, such as age, gender and nationality. These apps are also used by the South Korean government to monitor the location of users who are supposed to be in quarantine. In Israel, government officials use cell phone location data to identify individuals they believe to have been exposed to a COVID-19 patient and then send a text alert directing those individuals to self-quarantine. In Singapore, the government developed a contact tracing app that records nearby Bluetooth signals; the health ministry can access those records to identify people who were in close contact with the user.
While some countries have found success in limiting the spread of the virus with contact tracing, using digital technologies to track and harness sensitive information, like location and infection status data, raises significant privacy and civil liberties concerns.
Chief among these is the potential for mission creep, data repurposing and indefinite monitoring. Data collected for contact tracing purposes may later be used by the private sector for product development or advertising purposes, for example. Governments may also later use such data and tracking tools for surveillance and law enforcement purposes unrelated to containing COVID-19.
The difficulty in effectively anonymizing data, and location data in particular, also creates risks that infected people may be identified and harassed. As part of South Korea’s initial contact tracing efforts, some infected individuals were subject to harassment because they were identified from the detailed location histories posted by the government.
Even sufficiently anonymized data can have significant implications. Contact-tracing tools may leave out or misrepresent entire communities and result in the biased distribution of important healthcare resources. Such tools may also be used in discriminatory ways to, for example, limit where an infected person can eat, work, shop or travel.
The European Data Protection Board, which is charged with ensuring the consistent application of the EU General Data Protection Regulation, recently issued separate sets of guidance on the collection of location data for public health purposes and on developing contact-tracing apps. Consistent with the GDPR’s principles-based approach to regulating the handling of personal data, the EDPB’s guidance emphasizes several principles, including data anonymization, proportionality, purpose limitation and data minimization. The EDPB recommends that location data be used in an anonymous way, so individuals and their movements cannot be traced. The least intrusive means should always be adopted, and any use of location data should be limited in duration and scope. Such data should be used only for a defined purpose and then deleted when no longer necessary.
Regarding contact tracing apps, the EDPB stresses accountability and transparency so individuals know how the app works and what data it collects and so the scientific community can scrutinize the app to confirm effectiveness. The EDPB also recommends that app developers engage in an appropriate assessment of the app’s risks to the rights and freedoms of individuals (through a data protection impact assessment) and that they employ Privacy by Design, which involves building privacy controls into the app during the development phase. The EDPB concludes by stressing that when the crisis is over, these tools should cease to be used and any data associated with them should be deleted or anonymized.
While there are numerous privacy concerns with location tracking and contact tracing, it will be important to address such concerns to build the level of trust necessary for any program to be effective. Programs should be time-bound and include strict use and purpose limitations to reduce the potential for mission creep. To reduce the risk that infected people will be identified, collection should be limited to only that data strictly necessary for containment and all such data should be sufficiently anonymized. Contact-tracing programs should also include mechanisms that address the risk of underrepresenting entire demographics, and they should have systems in place to prevent any discrimination or stigmatization that may result from using such data.
— Trent Martinet, partner; Camila Tobón, of counsel; Alex Paalborg, associate; and Adrienne Kovac, associate, practice in the finance and acquisitions department of Davis Graham & Stubbs.