Just as the U.S. economy won’t immediately spring back from the damage done by the coronavirus, companies won’t return straight to normal operations after weeks of employees working remotely. In Colorado, Gov. Jared Polis announced a plan to allow workforces to return at 50% capacity on April 27 — though Denver’s stay-at-home order remains in place until early May. And employers are concerned with monitoring their workers’ health to protect others without invading privacy. There has been a spike in interest in apps and other technology tools for “social-contact tracing.”
Social-contact tracing technology is intended to track whether a person has come in contact with someone else who has had COVID-19 and supposedly stops short of tracing movements in more detail.
Denverite has reported on the Denver Department of Public Health and Environment’s goal to trace contacts of people infected by the coronavirus as the city prepares to reopen, with city staffers dedicated to the task.
But technology used for social-contact tracing brings anticipated fears about whether its use opens the door for more sinister uses of the collected data, either by the companies gathering it, governments or third-party actors.
The Electronic Frontier Foundation, which has been analogized as the American Civil Liberties Union for the internet, wrote about the organization’s concerns about social-contact tracing in an April 10 blog post. Kurt Opsahl, Andrew Crocker and Bennett Cyphers wrote it’s possible to use social-contact tracing technology without running afoul of personal privacy, and doing so requires developers and governments to mind legal limits on the use of the technology.
“COVID-19 is a worldwide crisis, one which threatens to kill millions and upend society, but history has shown that exceptions to civil liberties protections made in a time of crisis often persist much longer than the crisis itself,” reads the post. “Above all, the choice to use them should lie with individual users, who should inform themselves of the risks and limitations, and insist on necessary safeguards.”
Ballard Spahr partner Greg Szewczyk said existing state laws in data privacy and security would serve as the backstop for the use and protection of information collected by tools using contact tracing technology. The most high-profile example is the California Consumer Privacy Act, which went into effect at the beginning of this year.
“The CCPA would come into play because you have to provide notice at the point of collection that you’re collecting this information. You also have to provide the business reason for doing so,” Szewczyk said. “If you’re talking about a California resident for a company that is subject to the CCPA, that would limit their use of that information for any purpose besides the disclosed purpose.” But he added companies could still have multiple uses for data collected for social-contact tracing, such as keeping the information or sharing it with other companies, as long as they disclose each use.
Every state now has a law governing data breaches of private companies, but just a handful of states have a data privacy statute.
Dave Stauss, a partner with Husch Blackwell, said a patchwork of local approaches highlights the U.S.’s lack of a national data privacy or security law that applies to all industries. It’s a contrast to the European Union’s General Data Protection Regulation, the law regulating data protection and privacy.
“In the United States, it’s kind of helter-skelter,” he said. “I haven’t even seen anything on a state level yet. It’s been all local municipalities like Denver and local jurisdictions looking into this.”
Szewczyk said the collection of data for social-contact tracing spotlights the issue of handling data disposal, because containing the spread of the coronavirus is a temporary purpose that companies may not want the lingering responsibilities and liability exposure associated with holding onto the data.
“They feel like they need to collect this information now for public safety and health reasons, but they don’t necessarily want to keep it on their hands. They have no intention of trying to monetize it in any way,” he said. “I think that might have some positive corollary effects of taking a look at the other data you have and to start thinking, ‘Do we really need this?’”
But even putting aside privacy concerns, implementing social-contact tracing now might be akin to surgically removing a tumor after the cancer has already spread.
Craig Konnoth, an associate professor at the University of Colorado Law School and director of the Silicon Flatirons Health Data and Technology Initiative, said he believes many areas have passed the point in the coronavirus’s spread to make contact tracing useful.
“Contact tracing is useful when you’ve got a condition that hasn’t spread very far [and] when you’re still trying to identify what’s happening,” he said. “And COVID seems so infectious that it would be really hard to do in any targeted way.”
He added the dearth of definitive information about how COVID-19 spreads also limits the effectiveness of social-contact tracing.
The six-foot social distance requirement, for example, is “subject to a whole range of factors, which we don’t understand. What if I speak to 25 people, but stay 10 feet away from them? Is that worse than speaking to one person, but staying four feet away from them? We really just don’t know the answers to questions like that.”
Stauss said he doesn’t think privacy concerns about data collected for social-contact tracing will immediately light a fire under federal lawmakers to pass a generally applicable privacy law. More feasible, he said, would be for lawmakers to regulate narrow areas of law such as strictly focusing on contact tracing.
“Rather than having some sort of overarching privacy law that applies across the board to all businesses, it’s a much easier thing to take a very unique subset [like] contact tracing and legislate around that.”
—Julia Cardi