再谈新冠疫情中的数据收集和个人隐私

原文始发于微信公众号(瑞中法协):再谈新冠疫情中的数据收集和个人隐私


本文由John Neocleous为《瑞中法律评论》投稿,稿件成文于2020年5月。瑞中法律协会版权保留。


Data Collection, Personal Privacy and COVID-19Contact Tracing – How the Virus and New Tech Triggered Thorough Review andClarification Surrounding Privacy Laws

 数据收集,个人隐私和新冠:联系人跟踪-病毒和新技术如何引发对隐私权法律的全面审查和澄清

         

As the world grapples with the continued spread of COVID-19, alongwith the unsettling public health and economic concerns, there are a number ofuncertainties surrounding data security and privacy. Efforts to contain thevirus differ from country to country, as do the strategies surrounding thecollection of data to aid in “contact tracing” that will surely be the subjectof debate for years to come with legal experts defining – or redefining – justhow far governments and tech companies can go.

随着世界努力应对COVID-19的持续传播以及令人担忧的公共健康和经济问题,围绕数据安全性和隐私存在许多不确定性和挑战。各国对控制病毒的努力有所不同,围绕数据收集的策略以帮助联系追踪的方法也有所不同,随着法律专家对(甚至重新定义)多远的定义,这无疑将是多年来争论的主题。本文皆在再次探讨数据安全与个人隐私的关系。

 

In order to counter the threat of the virus, countries have beenadopting drastic measures, such as geolocation data and social contact history,leading to a number of complex privacy questions for both public and privateentities involved in the process. This has created a substantial need forclarity from legal professionals and data protection authorities (DPAs) acrossthe globe, many of whom are publishing guidance on best practices forcollecting and processing personal data related to COVID-19 – in order to stayin line with obligations under privacy and data security laws.

为了应对这种病毒的威胁,各国一直在采取严厉的措施,例如地理位置数据和社会接触历史记录,从而给参与该过程的公共和私人实体带来了许多复杂的隐私问题。这就引起了全球法律专业人士和数据保护机构(DPA)的高度明确要求,其中许多人正在发布有关收集和处理与COVID-19相关的个人数据的最佳做法的指南为了与隐私和数据安全法规定的义务。

 

Most discussed in the public eye currently is Google and Apple’srecent announcement about their extensive coronavirus partnership. In the nextfew months, they will unveil updates to their operating systems to enablecontact tracing to help identify carriers of the virus so they can be isolatedfrom the public. It works by tracking with whom you come into contact with byrecording where your Bluetooth connects with other devices near you. Onceapproved, government health agencies will be able to utilize the app to trackphysical proximity between phones. The system is Bluetooth-only, fully opt-inand collects no location data from users.

目前,在公众眼中讨论最多的是GoogleApple最近宣布的与他们广泛的冠状病毒合作伙伴关系。在接下来的几个月中,他们将发布其操作系统的更新,以实现联系人跟踪,以帮助识别病毒的携带者,从而可以将其与公众隔离。通过记录蓝牙与附近其他设备的连接位置,可以跟踪与您联系的人。一旦获得批准,政府卫生机构将能够使用该应用程序跟踪手机之间的物理距离。该系统仅支持蓝牙,可以完全启用,并且不会从用户那里收集任何位置数据。

 

It all sounds good in theory. Security experts, however, arepointing to potential flaws in the system, including techniques that couldreveal the identities of COVID-19 positive users, help advertisers track themor false positives from users with malicious intent. 

从理论上讲,这听起来不错。但是,安全专家指出了系统中的潜在缺陷,包括可以揭示COVID-19肯定用户身份,帮助广告商跟踪它们或出于恶意目的从用户那里获得假肯定的技术。

 

Most countries affected by COVID-19 are adopting their own versionof contact tracing and nearly all are going digital and leveraging the power ofsmartphones through Bluetooth or geolocation data. The Google and Appleannouncement has propelled public attention, and concern, on the topic ofprivacy laws.

COVID-19影响的大多数国家/地区都采用自己的联系人跟踪版本,几乎所有国家/地区都开始数字化,并通过蓝牙或地理位置数据利用智能手机的功能。GoogleApple的公告引起了公众对隐私法这一话题的关注。

 


再谈新冠疫情中的数据收集和个人隐私

Governments Consider Surveillance Methods That Push Limits

政府考虑采用可以突破限制的监控方法

 

再谈新冠疫情中的数据收集和个人隐私


In China, telecommunicationsorganizations helped the government track and contact those who had traveledthrough Hubei province in the early days of the virus. Location data was then channeledto China’s Health Commission, which allowed them to re-form the steps of thoseinfected.

在中国,电信组织帮助政府追踪并联系了在病毒爆发初期曾穿越湖北省旅行的人。然后将位置数据传送给中国的卫生委员会,使他们能够重新制定被感染者的步骤。

In Israel, thegovernment passed an emergency law to use mobile phone data for tracking thosewho test positive for COVID-19 as well as the ability to identify andquarantine others they have come into contact with and may have becomeinfected. This method has typically been reserved to counter terrorismoperations, but now, it’s being used to track infected patients and their phonecontacts. If someone found to be positive for COVID-19 – or someone who was inclose contact with one – disobeys quarantine, they receive a text message orcall ordering them to return home. If they don’t, the police are called. 3

在以色列,政府通过了一项紧急法律,使用手机数据来跟踪那些对COVID-19测试呈阳性的人,以及识别和隔离与他们接触过并可能已经感染的其他人的能力。通常保留这种方法来打击恐怖主义行动,但是现在,它被用于跟踪受感染的患者及其电话联系。如果发现某人对COVID-19呈阳性,或者与某人有密切接触,则违反了隔离措施,他们会收到一条短信或打电话命令他们返回家中。如果他们不这样做,便会报警。

Since the start of the pandemic – countries to thewest have been paying close attention to how countries like China and Israelhave used data collection and apps as part of their public health response. And, many criticshave raised concerns about privacy and potential illegal use of data,especially as the virus began spreading through Europe and the United Statesafter that.

自大流行以来,西方国家一直密切关注中国和以色列等国家如何将数据收集和应用程序用作其公共卫生应对措施的一部分。而且,许多批评家对隐私和潜在的非法使用数据提出了担忧,尤其是在此之后该病毒开始在欧洲和美国传播的同时。

 


再谈新冠疫情中的数据收集和个人隐私

The EU and a “Pan-European”approach

欧盟与泛欧方针

再谈新冠疫情中的数据收集和个人隐私



 

In the European Union, contact tracing must be compliant with theEU’s privacy law, the General Data Protection Regulation (GDPR), as well as separatelaws specific to the given EU country. Still, EU nations can make their ownexceptions to the rules temporarily for emergencies. For example, Italy adopteda decree to address the intersection between the GDPR and COVID-19, the needfor processing special categories of personal data and how some data protectionrights could be halted to combat the coronavirus.

在欧盟,联系人跟踪必须符合欧盟的隐私法,通用数据保护条例(GDPR)以及特定于特定欧盟国家的单独法律。不过,欧盟国家可以在紧急情况下暂时将自己的规则作为例外。例如,意大利通过了一项法令,以解决GDPRCOVID-19之间的交叉点,处理特殊类别的个人数据的需求以及如何停止某些数据保护权以对抗冠状病毒。

 

The GDPR’s ‘Article 6’ says that processing personal data withoutconsent is lawful where it’s necessary for compliance with a legal obligationto protect vital interests of the public interest or protection of anindividual. In fact, it also provides specific language on not needing consentfor monitoring epidemics, pandemics and their spread or in situation ofhumanitarian emergencies.

GDPR6规定,在有必要履行保护公共利益或个人利益的法律义务的情况下,未经同意处理个人数据是合法的。实际上,它也提供了特定的语言,表示无需征得监测流行病,大流行及其蔓延或人道主义紧急情况的同意。

 

Earlier this month, Human Rights Watch and more than 100 otherorganizations issued a joint call for legal protections on how government canuse digital surveillance, including mobile phone location data, to fight thepandemic. Europe is under intense scrutiny by these groups as there is ascramble to develop coronavirus tracking apps by the European Commission seekingan “EU approach” to contain the disease. As a result, hundreds of researchersfrom eight countries in Europe have been working on the Pan-European PrivacyPreserving Proximity Tracing Project (PEPP-PT) to develop a single app that anycounty can use and would be compliant with EU privacy laws.

月初,人权观察组织和其他100多个组织联合发出了法律呼吁,要求政府保护政府如何使用数字监控(包括手机位置数据)来对抗这种流行病。这些组织对欧洲进行了严格的审查,因为欧洲委员会正在争相开发冠状病毒追踪应用程序,以寻求遏制这种疾病的欧盟方法。结果,来自欧洲八个国家的数百名研究人员一直在进行泛欧洲隐私保护邻近性跟踪项目(PEPP-PT),以开发一个可被任何区使用并符合欧盟隐私法律的单一应用程序。

 


再谈新冠疫情中的数据收集和个人隐私

U.S. Law

美国法

再谈新冠疫情中的数据收集和个人隐私



While there’s no main data protection law at the federal level in the UnitedStates like those in Europe benefit from (like GDPR), there are several federaland state laws that offer privacy protection to certain types of data, likehealth information, employment, and location data.

尽管美国没有像欧洲的国家那样从(例如GDPR)受益于美国联邦一级的主要数据保护法律,但是有几部联邦和州法律为某些类型的数据提供了隐私保护,例如健康信息,就业和位置数据。 

As the U.S. continues to control the spread of the virus anddevelop plans to potentially reopen the economy, government agencies have putin place – or contemplated – a variety of tracking and surveillance tech that examinesthe limits of personal privacy.

 随着美国继续控制病毒的传播并制定可能重新开放经济的计划,政府机构已经采取或正在考虑采用各种跟踪和监视技术来检查个人隐私的局限性。

 Everything from geolocation tracking that oversees the locationsof people through their mobile devices to facial-recognition programs thatanalyze pictures to determine who may have come into contact with those wholater test positive for the coronavirus. In fact, we know that data-mining firmPalantir Inc. has worked with the Centers for Disease Control and Prevention(CDC) to model the virus and its outbreak and continue to do so.

从地理位置跟踪(可通过移动设备监控人员的位置)到面部识别程序(分析图片以确定谁可能与后来测试冠状病毒的人接触过的人),所有内容都可以。实际上,我们知道数据挖掘公司Palantir Inc.已与疾病控制与预防中心(CDC)合作对病毒及其爆发进行建模,并将继续这样做。 

This is leading to the tech industry and government officials tostruggle in finding a balance between the deployment of technology and safeguardingpatients’ data, specifically medical information. At the same time, privacy advocatesworry that little has been announced about what has already been implemented orabout to be deployed as governors across the country determine when and how toreopen their states.

这导致科技行业和政府官员努力在技术部署与保护患者数据(尤其是医疗信息)之间寻求平衡。同时,隐私权倡导者担心,随着全国各地的州长确定何时以及如何重新开放自己的州,几乎没有宣布已经实施或将要部署的内容。

 


再谈新冠疫情中的数据收集和个人隐私

Healthcareand location data biggest concern in U.S.                       

医疗保健和位置数据是美国最大的担忧

再谈新冠疫情中的数据收集和个人隐私


 

Just like in the EU, the United States has issued guidance on privacyand data security relating to COVID-19. The Department of Health and HumanServices (HHS) has waivedsanctions and penalties against covered hospitals forcertain provisions under HIPAA – the waiver includes the requirement to obtaina patient’s consent before speaking with friends or family members about care,the requirement to distribute a notice of privacy practices, the patients rightto request privacy limitations and the patients right to request confidentialcommunications.

与欧盟一样,美国也发布了与COVID-19相关的隐私和数据安全性指南。卫生和公共服务部(HHS)已根据HIPAA的某些规定,免除了对受覆盖医院的制裁和处罚豁免包括要求在与朋友或家人谈论护理之前获得患者同意,分发通知的要求隐私惯例,患者要求隐私限制的权利和患者要求保密通信的权利。

 As the crisis continues in the United States, additional guidanceis being issued – and is needed – by local, state and federal agencies.

随着美国危机的继续,地方,州和联邦机构正在发布(并且需要)其他指导。

 The U.S. does have The HealthInsurance Portability and Accountability Act Privacy Rule which protects theprivacy of a patient’s health information. Although, its protections aren’t unconditional.Just this last February, the U.S Department of Health and Human Servicesreleased a “Bulletin” outlining when disclosure of health data is permitted.It includes for public health reasons and “to prevent an imminent threat.”

美国确实有《健康保险可移植性和责任制法案》隐私规则,该规则保护患者健康信息的隐私。虽然,它的保护不是无条件的。就在去年2月,美国卫生与公共服务部发布了公告,概述了允许披露健康数据的情况。它包括出于公共卫生原因和防止迫在眉睫的威胁

 The U.S. Constitution, specifically the Fourth Amendment,also protects certain expectations of privacy, including one’s physicallocation. Reference Carpenter vs. U.S., for example. The Supreme Court looked at how toapply the Fourth Amendment to cell phone records, particularly cell-sitelocation information (that looks at a person’s past movements). The governmenthad obtained the records as part of a criminal investigation. They arguedCarpenter shouldn’t have an expectation of privacy because he voluntarilyprovided it to third parties (cell phone carriers).

美国宪法,特别是第四修正案,也保护了对隐私的某些期望,包括一个人的身体位置。例如参考木匠与美国。最高法院研究了如何将第四修正案应用于手机记录,尤其是手机站点的位置信息(该信息可以查看一个人的过去活动)。政府已将这些记录作为刑事调查的一部分。他们认为,卡彭特(Carpenter)不应期望隐私,因为他自愿将其提供给第三方(手机运营商)。

But the Supreme Court ultimately ruled that thegovernment invaded Carpenter’s reasonable expectation of privacy when itaccessed cell-site location information from wireless carriers.

但是最高法院最终裁定,政府在从无线运营商访问蜂窝站点位置信息时侵犯了卡彭特对隐私的合理期望。

It is likely that, as the number of COVID-19 cases continueto exist creating the need for contact tracing, there will be more discussionin the U.S. on privacy interests like discussed in the Carpenter case. As such,the need to quickly address it because of this public health issue seems likelyas well.

随着COVID-19案件数量的不断增加,有可能需要进行联系人追踪,在美国,关于隐私权的讨论将如Carpenter案中所述,将有更多讨论。因此,由于这一公共卫生问题,似乎也有必要迅速解决这一问题。


再谈新冠疫情中的数据收集和个人隐私

Main Takeaways

小结

再谈新冠疫情中的数据收集和个人隐私



It’s evident that contact tracing and testing technologywill very much play a role in forming a sound, strong recovery strategy.

显然,联系人跟踪和测试技术将在形成合理,强大的恢复策略中发挥重要作用。

Understanding what our privacy laws require in specificsituations, like pandemics or public emergencies, as well as how they are appliedare going to be crucial to continue managing COVID-19 and reopening oureconomies.

要想继续管理COVID-19并重新开放经济,了解流行病或公共紧急情况等特定情况下我们的隐私法要求以及如何应用这些法律至关重要。

By tapping into people’s phones and medical records,researchers and public health authorities are hoping to quickly identifypotentially infected patients and curb the pandemic. In fact, already, thefederal agency in the United States in charge of policing data breaches announcedit will back offenforcement of some privacy rules to make iteasier for healthcare facilities and their vendors to share patient recordswith public health officials.

通过利用人们的电话和病历,研究人员和公共卫生当局希望能够迅速识别出可能感染的患者并遏制这种流行病。实际上,已经有负责处理数据泄露问题的美国联邦机构宣布,它将停止执行某些隐私规则,以使医疗机构及其供应商更容易与公共卫生官员共享患者记录。

With the scaling back of these health privacy rules – andjustifying them during a crisis – it does raise the question of what happenswhen the pandemic ends.

随着这些健康隐私规则的缩减(并在危机期间对其进行辩护),确实引发了一个问题,即大流行结束时会发生什么。

Will life return to normal or will we redefine what wehistorically knew as our right to privacy? Will we have another version of thePatriot Act in the United States? Will we have countries around the worldtracing their citizens movements freely under the excuse of this pandemic?

And, in a more positive note, how will countries acrossthe globe learn from one another to develop best practices for trackingdiseases that, hopefully, respects our privacy?

生活会恢复正常吗?还是我们将重新定义我们历史上称为隐私权的内容?美国会否再有《爱国者法案》的另一版本?我们会否以这种大流行为借口,在世界各地自由追踪其公民运动?


Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on pinterest
Pinterest

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注