本文由John Neocleous为《瑞中法律评论》投稿,稿件成文于2020年5月。瑞中法律协会版权保留。

Data Collection, Personal Privacy and COVID-19Contact Tracing – How the Virus and New Tech Triggered Thorough Review andClarification Surrounding Privacy Laws



As the world grapples with the continued spread of COVID-19, alongwith the unsettling public health and economic concerns, there are a number ofuncertainties surrounding data security and privacy. Efforts to contain thevirus differ from country to country, as do the strategies surrounding thecollection of data to aid in “contact tracing” that will surely be the subjectof debate for years to come with legal experts defining – or redefining – justhow far governments and tech companies can go.



In order to counter the threat of the virus, countries have beenadopting drastic measures, such as geolocation data and social contact history,leading to a number of complex privacy questions for both public and privateentities involved in the process. This has created a substantial need forclarity from legal professionals and data protection authorities (DPAs) acrossthe globe, many of whom are publishing guidance on best practices forcollecting and processing personal data related to COVID-19 – in order to stayin line with obligations under privacy and data security laws.



Most discussed in the public eye currently is Google and Apple’srecent announcement about their extensive coronavirus partnership. In the nextfew months, they will unveil updates to their operating systems to enablecontact tracing to help identify carriers of the virus so they can be isolatedfrom the public. It works by tracking with whom you come into contact with byrecording where your Bluetooth connects with other devices near you. Onceapproved, government health agencies will be able to utilize the app to trackphysical proximity between phones. The system is Bluetooth-only, fully opt-inand collects no location data from users.



It all sounds good in theory. Security experts, however, arepointing to potential flaws in the system, including techniques that couldreveal the identities of COVID-19 positive users, help advertisers track themor false positives from users with malicious intent. 



Most countries affected by COVID-19 are adopting their own versionof contact tracing and nearly all are going digital and leveraging the power ofsmartphones through Bluetooth or geolocation data. The Google and Appleannouncement has propelled public attention, and concern, on the topic ofprivacy laws.




Governments Consider Surveillance Methods That Push Limits




In China, telecommunicationsorganizations helped the government track and contact those who had traveledthrough Hubei province in the early days of the virus. Location data was then channeledto China’s Health Commission, which allowed them to re-form the steps of thoseinfected.


In Israel, thegovernment passed an emergency law to use mobile phone data for tracking thosewho test positive for COVID-19 as well as the ability to identify andquarantine others they have come into contact with and may have becomeinfected. This method has typically been reserved to counter terrorismoperations, but now, it’s being used to track infected patients and their phonecontacts. If someone found to be positive for COVID-19 – or someone who was inclose contact with one – disobeys quarantine, they receive a text message orcall ordering them to return home. If they don’t, the police are called. 3


Since the start of the pandemic – countries to thewest have been paying close attention to how countries like China and Israelhave used data collection and apps as part of their public health response. And, many criticshave raised concerns about privacy and potential illegal use of data,especially as the virus began spreading through Europe and the United Statesafter that.




The EU and a “Pan-European”approach




In the European Union, contact tracing must be compliant with theEU’s privacy law, the General Data Protection Regulation (GDPR), as well as separatelaws specific to the given EU country. Still, EU nations can make their ownexceptions to the rules temporarily for emergencies. For example, Italy adopteda decree to address the intersection between the GDPR and COVID-19, the needfor processing special categories of personal data and how some data protectionrights could be halted to combat the coronavirus.



The GDPR’s ‘Article 6’ says that processing personal data withoutconsent is lawful where it’s necessary for compliance with a legal obligationto protect vital interests of the public interest or protection of anindividual. In fact, it also provides specific language on not needing consentfor monitoring epidemics, pandemics and their spread or in situation ofhumanitarian emergencies.



Earlier this month, Human Rights Watch and more than 100 otherorganizations issued a joint call for legal protections on how government canuse digital surveillance, including mobile phone location data, to fight thepandemic. Europe is under intense scrutiny by these groups as there is ascramble to develop coronavirus tracking apps by the European Commission seekingan “EU approach” to contain the disease. As a result, hundreds of researchersfrom eight countries in Europe have been working on the Pan-European PrivacyPreserving Proximity Tracing Project (PEPP-PT) to develop a single app that anycounty can use and would be compliant with EU privacy laws.




U.S. Law



While there’s no main data protection law at the federal level in the UnitedStates like those in Europe benefit from (like GDPR), there are several federaland state laws that offer privacy protection to certain types of data, likehealth information, employment, and location data.


As the U.S. continues to control the spread of the virus anddevelop plans to potentially reopen the economy, government agencies have putin place – or contemplated – a variety of tracking and surveillance tech that examinesthe limits of personal privacy.


 Everything from geolocation tracking that oversees the locationsof people through their mobile devices to facial-recognition programs thatanalyze pictures to determine who may have come into contact with those wholater test positive for the coronavirus. In fact, we know that data-mining firmPalantir Inc. has worked with the Centers for Disease Control and Prevention(CDC) to model the virus and its outbreak and continue to do so.

从地理位置跟踪(可通过移动设备监控人员的位置)到面部识别程序(分析图片以确定谁可能与后来测试冠状病毒的人接触过的人),所有内容都可以。实际上,我们知道数据挖掘公司Palantir Inc.已与疾病控制与预防中心(CDC)合作对病毒及其爆发进行建模,并将继续这样做。 

This is leading to the tech industry and government officials tostruggle in finding a balance between the deployment of technology and safeguardingpatients’ data, specifically medical information. At the same time, privacy advocatesworry that little has been announced about what has already been implemented orabout to be deployed as governors across the country determine when and how toreopen their states.




Healthcareand location data biggest concern in U.S.                       




Just like in the EU, the United States has issued guidance on privacyand data security relating to COVID-19. The Department of Health and HumanServices (HHS) has waivedsanctions and penalties against covered hospitals forcertain provisions under HIPAA – the waiver includes the requirement to obtaina patient’s consent before speaking with friends or family members about care,the requirement to distribute a notice of privacy practices, the patients rightto request privacy limitations and the patients right to request confidentialcommunications.


 As the crisis continues in the United States, additional guidanceis being issued – and is needed – by local, state and federal agencies.


 The U.S. does have The HealthInsurance Portability and Accountability Act Privacy Rule which protects theprivacy of a patient’s health information. Although, its protections aren’t unconditional.Just this last February, the U.S Department of Health and Human Servicesreleased a “Bulletin” outlining when disclosure of health data is permitted.It includes for public health reasons and “to prevent an imminent threat.”


 The U.S. Constitution, specifically the Fourth Amendment,also protects certain expectations of privacy, including one’s physicallocation. Reference Carpenter vs. U.S., for example. The Supreme Court looked at how toapply the Fourth Amendment to cell phone records, particularly cell-sitelocation information (that looks at a person’s past movements). The governmenthad obtained the records as part of a criminal investigation. They arguedCarpenter shouldn’t have an expectation of privacy because he voluntarilyprovided it to third parties (cell phone carriers).


But the Supreme Court ultimately ruled that thegovernment invaded Carpenter’s reasonable expectation of privacy when itaccessed cell-site location information from wireless carriers.


It is likely that, as the number of COVID-19 cases continueto exist creating the need for contact tracing, there will be more discussionin the U.S. on privacy interests like discussed in the Carpenter case. As such,the need to quickly address it because of this public health issue seems likelyas well.



Main Takeaways



It’s evident that contact tracing and testing technologywill very much play a role in forming a sound, strong recovery strategy.


Understanding what our privacy laws require in specificsituations, like pandemics or public emergencies, as well as how they are appliedare going to be crucial to continue managing COVID-19 and reopening oureconomies.


By tapping into people’s phones and medical records,researchers and public health authorities are hoping to quickly identifypotentially infected patients and curb the pandemic. In fact, already, thefederal agency in the United States in charge of policing data breaches announcedit will back offenforcement of some privacy rules to make iteasier for healthcare facilities and their vendors to share patient recordswith public health officials.


With the scaling back of these health privacy rules – andjustifying them during a crisis – it does raise the question of what happenswhen the pandemic ends.


Will life return to normal or will we redefine what wehistorically knew as our right to privacy? Will we have another version of thePatriot Act in the United States? Will we have countries around the worldtracing their citizens movements freely under the excuse of this pandemic?

And, in a more positive note, how will countries acrossthe globe learn from one another to develop best practices for trackingdiseases that, hopefully, respects our privacy?


Share on facebook
Share on twitter
Share on linkedin
Share on pinterest