Date: 2020-04-09

The World Health Organisation declared, on 11 March 2020, COVID-19 (‘Coronavirus’) a pandemic. In light of the rapidly evolving situation, contact tracing has been prioritised by many countries as a fundamental part of outbreak control, along with self-isolation and lockdown measures to minimise the exposure of individuals to risks. Governments, as well as technology companies, have been trying to digitise the process of contact tracing to combat the spread of Coronavirus. Different approaches have been developed, with technologies ranging from Bluetooth and geo-location, to artificial intelligence, to inform individuals about potential risks, as well as support authorities in monitoring and controlling compliance with quarantine measures.

Singapore

The Government of Singapore announced, on 21 March 2020, that SGUnited, GovTech, and the Ministry of Health (‘MOH’) had developed an app called TraceTogether, aimed at enhancing contact tracing in order to mitigate the possible spread of Coronavirus. In particular, the Government outlined that the app enables contact tracing without relying on location-based services or global positioning services (‘GPS’). Furthermore, the Government noted that once installed on a mobile phone, the app detects other nearby phones that have the app installed through the use of Bluetooth technology, and can be used to identify close contacts based on the proximity and duration of an encounter between two users.

Charmian Aw, Counsel at Reed Smith, told OneTrust DataGuidance, “Whilst the Personal Data Protection Act 2012 (No. 26 of 2012) does not bind public agencies such as the MOH and GovTech, they are still subject to internal government rules which are in the process of being updated. The security measures relating to the TraceTogether app include the following:

the app does not collect any geolocation data of users;

the app does not track users’ contacts;

data is stored locally on users’ phones and in an encrypted form;

data is only stored on users’ phones for a period of 21 days;

data will not be accessed unless a user is identified as a close contact of another user;

users’ mobile numbers are substituted by random permanent IDs. A user’s mobile number and its corresponding user ID are stored in a secured server, and as an added layer of protection, temporary IDs are created that change regularly. Only the temporary IDs are exchanged between phones as opposed to actual numbers.”

GovTech highlighted, on 25 March 2020, that contact tracing was essential to contain the Coronavirus but that using location data for contact tracing raises serious privacy and data security concerns, which would diminish the ability of the smart system to connect the dots and monitor the spread of Coronavirus. Unlike other systems, TraceTogether only requires location permissions and Bluetooth technology to know the relative distance between users, and the app does not collect or use any real-world geographic information.

In relation to data retention and sharing, Aw highlighted, “A user retains the ability at all times to choose whether to grant the MOH access to their app data, including revoking his/her consent at any time. Upon any user revoking their consent, the mobile number and user ID of that person will be deleted from the server.” The data collected through the app can be shared with the MOH so that it can be decrypted and used solely for contact tracing purposes. In addition, it is clearly stated, on the app’s official website, that TraceTogether will only communicate with nearby phones for a limited time and that, once contact tracing ceases, users will be prompted to disable the app’s functionality.

USA

U.S. Senator, Edward J. Markey, announced, on 17 March 2020, that he had sent a letter (‘the Letter’) to the White House Office of Science and Technology Policy (‘OSTP’) regarding reports that it was considering partnerships with technology companies in relation to collecting location data of smartphone users to fight the Coronavirus pandemic. Other stakeholders and human rights organisations, including the Electronic Frontier Foundation and the Electronic Privacy Information Center, have raised questions about the use of such technologies and the protection of personal data of individuals concerned.

Caitlin Potratz Metcalf, Senior Associate at Linklaters LLP, told DataGuidance, “While the standard for U.S. companies collecting precise location data or geolocation is to store it in an encrypted format given its sensitive nature, it is often difficult to apply other safeguards, particularly when sharing the data with third parties. There’s no express requirement that location data be encrypted, but the U.S. Securities Exchange Commission expects U.S. publicly-traded companies to take reasonable safeguards to keep consumer data secure and prevent a breach. Notably, the big tech companies reported to be in some discussions with the U.S. government on developing a tracking app are all publicly-traded. In addition to encryption, another safeguard these companies are likely to take is providing data in the aggregate to third parties. Such deidentified data may be an effective workaround to their privacy policies to the extent that companies are not providing personally identifiable information about users. Otherwise, these companies may be left with three main options:

they will need to continue complying with their existing privacy policies, including whatever security measures are disclosed therein;

amend their policies; or

draft newly tailored privacy policies specific to any new Coronavirus tracking app developed.”

The Letter urged the OSTP to balance privacy with any data-driven private partner initiative developed by the US Government. Furthermore, Markey warned that the misuse of geolocation data may extend to more sensitive information including employment information, religious affiliations, or political preferences, and emphasised that the collection and processing of the information, even anonymised and aggregated, must be adequately safeguarded, particularly as the Coronavirus pandemic has led to increased data sharing between private entities. In addition, the Letter raised concerns on data retention policies of geolocation apps and tools.

Metcalf outlined that, “App-providers in the U.S. must simply give consumers the ability to disable or opt-out of geolocation tracking, but how the data is stored, for how long, and who it is shared with is at the companies’ discretion, so long as disclosed in their privacy policies. Even so, many of the proposed Coronavirus tracking apps may not use this type of geolocation data from your device, but rather may collect location data through the mobile device’s Bluetooth capabilities allowing it to identify other nearby devices, cell towers and wifi networks. Another advantage of using this type of location data is that it can be stored locally on the device. [Since] the U.S. generally has no restrictions on the retention of personal data, including geolocation data, companies are at liberty to retain it consistent with their privacy policies. Often companies will retain such data for the duration of a consumer’s active account and for a reasonable time thereafter. Still, there may be practical limits for Coronavirus tracing apps if locally storing data on location and Bluetooth ‘contacts’ on the device itself.”

Finally, the North Dakota Governor, Doug Burgum, announced, on 7 April 2020, that his Office and the North Dakota Department of Health (‘NDDoH’), in partnership with ProudCrowd, had launched a free mobile app to help slow the spread of Coronavirus. The app provides individuals with a random identification number and anonymously caches their locations throughout the day, after which individuals would be encouraged to categorise their movements based on activities. However, Burgum’s Office noted that the ID number of each individual contains no personal information besides location data, and if an individual tests positive for Coronavirus, they will be given the opportunity to consent to providing their information to the NDDoH to help in contact tracing and forecasting the pandemic’s progression with accurate, real-time data.

In relation to processing of personal health information (‘PHI’), Metcalf explained that “Depending on the type of health data and whether the company collecting it is a regulated healthcare provider, encryption—among other privacy and security safeguards—may be required under the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’). The Department of Health and Human Services has stressed that privacy and security requirements not be set aside during this public health emergency. HIPAA also requires that medical records be retained for at least six years. It’s safe to assume that the big tech companies likely involved in developing a Coronavirus tracking app aren’t HIPAA-covered entities, though they could be captured by HIPAA if acting as a business associate of a covered entity. It will depend on how the data is collected (voluntarily by those with symptoms and/or confirmed cases versus receiving PHI directly from healthcare providers, insurers, and the like).”

EU

Across Europe, various governments or health authorities have launched or proposed apps which utilise the location data from the user’s mobile device to construct a digital map of Coronavirus cases and notify users of their interaction with such cases. In most cases, the apps are voluntary and the data is anonymised or aggregated. However, the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) apply to such apps which collect and process data which is personal and is not anonymised or aggregated. In particular, Angela Livgieri, Junior Partner of ALG Manousakis Law Firm, told OneTrust DataGuidance, “These apps trigger the pan-European applicability of GDPR along with the upcoming ePrivacy Regulation, the principles of Directive on Application of Patients’ Rights in Cross Border Healthcare and the Decision on Serious Cross-Border Threats to Health (No. 1082/2013/EU) which lays down specific rules on epidemiological surveillance, monitoring, early warning of, and combating serious cross-border threats to health.”

The responses from European data protection authorities highlight the need to balance the advantages of using digital tools to prevent the spread of Coronavirus with the potential adverse impact on the fundamental right to private life of European citizens. In particular, the European Data Protection Supervisor, Wojciech Wiewiórowski, called for, on 6 April 2020, a pan-European approach and ‘digital solidarity’ in the reaction to the pandemic, noting that the use of big data tools must not constitute the ‘discredited business models of constant surveillance and targeting.’

Following this, the European Parliament announced, on 7 April 2020, that the Chair of the Civil Liberties Committee (‘LIBE’), Juan Fernando López Aguilar, had addressed the use of smartphone data to manage the Coronavirus and approved the use of data which is protected by “strong security measures”, anonymised, and does not allow the direct or indirect identification of individuals. As part of this, Aguilar specified that “the GDPR and e-Privacy Directive must continue to apply and be respected” and that LIBE would be closely following the development of these apps due to the potential adverse consequences to the fundamental right to privacy.

Regarding the nature of the data collected through such an app, Livgieri lists, among others, the following as a cross-section of what is being collected in apps across Europe: “contact details, name, surname, full home address, reason for going out, work address when work is the reason for going out, telephone number, date of birth, gender, location data, date/time, telephone number, device IDs, communication partners, creation of movement profiles, credit card records, data from face-to-face interviews, health related data (lack of oxygen sensation, fever up to 37.5 degrees, dry cough, mucus, muscle pain and general malaise), details re-visits to risk areas in the last 14 days, details re-contact with patients.”

Most recently, the European Commission published, on 8 April 2020, its Recommendation on a Common Union Toolbox for the Use of Technology and Data to Combat and Exit From the COVID-19 Crisis, in particular Concerning Mobile Applications and the Use of Anonymised Mobility Data (‘the Recommendation’). In particular, the Recommendation aims at developing a pan-European coordinated approach for the use of mobile applications in order to enable citizens to take effective and more targeted social distancing measures, as well as a common approach for modelling and predicting the evolution of the virus through anonymised and aggregated mobile location data.

In light of the emergence of such apps, Livgieri explained, “Many governments and non-governmental institutions have considered the usage of infection tracking systems (e.g. tracking via mobile network data, locally installed tracking apps) to deal with the Coronavirus. For instance, Poland has implemented ‘Quarantine Surveillance’ as an alternative method to police checks, an app for location confirmation of a person covered by the quarantine restrictions and for conducting basic health assessment, while in Switzerland a ‘WeTrace’ app has been proposed to trace contacts via Bluetooth of an infected person. The data is encrypted, and the server is used for broadcasts of notices to proximity contacts which can be set by each user switching his or her settings to ‘infected.’ Risks should be assessed and, only if deemed necessary and proportionate, the implementation of virus tracking systems could be possible so that compliance with data protection principles is ensured.”

AMELIA WILLIAMS, EDIDIONG UDOH, MONA BENAISSA Privacy Analysts

