Privacy, Data Protection, and Contact-Tracing Apps
Contact tracing is fast becoming a necessary tool to combat the spread of COVID-19 ('Coronavirus'). This webinar covers key data protection and privacy elements in contact tracing apps in the Coronavirus era. Our expert speakers discuss the latest developments regarding contact tracing apps, the US federal legislation that was introduced in response to the pandemic and compare approaches in the EU and the US.
Case investigation and contact tracing
The case investigation is part of the process of supporting patients with suspected or confirmed infection, in which the goal is to help the patient recall everyone with whom they have had close contact during the timeframe in which they may have been infectious. Contact tracing involves warning the potentially exposed individuals (contacts) of their potential exposure as rapidly and as sensitively as possible. In this case, contacts are only told they 'may' have been exposed. Whilst maintaining the anonymity of the patient who may have exposed them is crucial, equally important is educating the potentially infected individuals on risk, mitigation, and symptoms. This also helps to encourage individuals to self-isolate, with the ultimate goal of stopping the chain of disease transmission.
Manual v. automated tracing
Contact tracing is still conducted manually in 2020. Public and private employers are automating the tracing process via data-driven technology. Examples include contact tracing apps installed on mobile phones with the ultimate goal of identifying persons who may have been exposed to COVID-19 ('Coronavirus'). The contact tracing apps function to identify those who have been near someone identified as having an actual or suspected case of Coronavirus. Warnings are issued to exposed persons, and each app can be designed for specific settings, e.g. employment monitoring. There has been much discussion about making such apps as decentralised and as unintrusive as possible. Two ways this can be accomplished are through Bluetooth or GPS technology. Bluetooth is more privacy-friendly and less intrusive to an individual's privacy, and the data can be kept on the phone. In addition, proximity data is less invasive than geolocation data.
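To make concrete why a decentralised Bluetooth design keeps data on the phone, here is an added illustration (not code from the webinar or from any real app): each phone broadcasts short-lived identifiers derived from a secret daily key, records the identifiers it hears, and does the exposure matching locally; the only thing ever published is the daily key of a user who reports a positive diagnosis. The `Phone` class, the key derivation and the sample interaction are all assumptions constructed for this example.

```python
import hashlib
import os


def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Derive a short-lived broadcast identifier from a secret daily key.
    Observers only ever see these; they cannot recover the key or link
    identifiers across intervals without the key (constructed scheme)."""
    return hashlib.sha256(daily_key + interval.to_bytes(4, "big")).digest()[:16]


class Phone:
    def __init__(self, name: str) -> None:
        self.name = name
        self.daily_key = os.urandom(16)  # stays on the device unless the user reports a diagnosis
        self.observed: set[bytes] = set()  # rolling IDs heard over Bluetooth; never uploaded

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.daily_key, interval)

    def hear(self, rid: bytes) -> None:
        self.observed.add(rid)

    def report_diagnosis(self) -> bytes:
        # Sole upload in this design: the daily key, and only after a positive diagnosis.
        return self.daily_key

    def check_exposure(self, published_keys: list[bytes], intervals: range) -> bool:
        # Matching runs on the phone, so the server never learns who met whom or where.
        for key in published_keys:
            if any(rolling_id(key, i) in self.observed for i in intervals):
                return True
        return False


def simulate() -> tuple[bool, bool, int]:
    """Constructed scenario: Alice and Bob are near each other; Carol is not.
    Returns (bob_exposed, carol_exposed, number_of_records_held_by_server)."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    intervals = range(0, 4)
    for i in intervals:  # Bluetooth exchange between Alice and Bob only
        bob.hear(alice.broadcast(i))
        alice.hear(bob.broadcast(i))
    server_keys = [alice.report_diagnosis()]  # Alice tests positive and consents to publish
    return (bob.check_exposure(server_keys, intervals),
            carol.check_exposure(server_keys, intervals),
            len(server_keys))
```

The server holds one key and no contact graph or location history, which is the privacy property the Bluetooth-based, decentralised approach is praised for above.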
EU v. US approaches to privacy and data regulation
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') provides comprehensive data protection to covered data subjects, extraterritorial reach, and significant penalties for violation. The Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive'), which remains in effect while an update is being negotiated, strictly regulates the processing of personal data online. The European Data Protection Board issued, on 22 June 2020, a statement that said the "GDPR remains applicable and allows for efficient response to the pandemic, while at the same time protecting the fundamental rights and freedom." EU institutions have recognised the importance of contact tracing apps in ending the lockdown, and the institutions have taken the lead in providing guidance to app developers and Member States that are using and developing contact-tracing apps. The eHealth Network, a voluntary network set up under Directive 2011/24/EU on the Application of Patients' Rights in Cross-border Healthcare, has developed and maintained an EU toolbox for the use of mobile applications that sets forth essential requirements and best practices. The Parliament cautioned, among other things, that the use of such apps should be voluntary, not mandatory.
Unlike Europe, the US takes a sectoral approach to data privacy. At the moment there is no federal contact tracing app in the US. US-based organisations and health officials who want to use contact tracing apps must look to a patchwork of laws potentially regulating their use (e.g. the Health Insurance Portability and Accountability Act of 1996, the California Consumer Privacy Act of 2018, and the California Consumer Privacy Rights Act, etc.). Which sector-specific and state laws apply depends on the nature of the data being collected, the type of person from whom the data is being collected, the purpose of the processing, who will have access to the data during the data lifecycle, and the geographic location of both the organisation and the individuals that the organisation seeks to protect by using contact-tracing apps.
US federal privacy law
Unlike the EU, the US has not passed comprehensive federal privacy legislation. Since early May, three COVID-19 related federal privacy bills have been introduced in Congress. Senate Bill ('SB') 3663, the COVID-19 Consumer Data Protection Act of 2020 ('CCDPA'), was introduced by Republican U.S. Senators Roger Wicker, Jim Thune, Jerry Moran, and Marsha Blackburn on 7 May 2020; SB 3749, the Public Health Emergency Privacy Act of 2020 ('PHEPA'), was introduced by Democratic U.S. Senators Richard Blumenthal and Mark Warner and U.S. Representatives Anna Eshoo, Jan Schakowsky and Suzan DelBene on 14 May 2020; and the bipartisan SB 3861, the Exposure Notification Privacy Act ('ENPA'), followed on 1 June 2020.
The CCDPA covers entities including non-profits and covers data such as precise geolocation data, persistent identifiers, and personal health information. The PHEPA covers any entity that collects emergency health data, excluding health care providers, service providers, and public health authorities, and does not apply to entities covered by HIPAA. The ENPA covers operators of automated exposure notification services, including non-profits, other than public health authorities. The requirements of each bill vary. The CCDPA requires affirmative express consent by an individual (a natural person residing in the US); the PHEPA requires affirmative express consent by an individual; and the ENPA requires express consent by an individual, with the operator obliged to collaborate with a public health authority in the operation of the service and to process only an "authorised diagnosis." An authorised diagnosis means an actual, potential, or presumptive positive diagnosis confirmed by a public health authority or licensed health care provider. The purposes of each bill also differ. The CCDPA covers tracking the spread, signs, or symptoms of Coronavirus, measuring compliance with social distancing guidelines or other requirements imposed under federal, state, or local government order, and conducting contact tracing. The PHEPA covers entities that collect emergency health data, which may do so only if necessary, proportionate, and limited to a good-faith public health purpose, and mandates that the data cannot be collected, used or disclosed for e-commerce or to discriminate by creating or taking away opportunities (i.e. jobs, health benefits, etc.). The ENPA applies to automated exposure notification services operated for public health purposes, which cannot collect or process data for any commercial purpose.
How OneTrust DataGuidance helps
OneTrust DataGuidance™ is the industry’s most in-depth and up-to-date source of privacy and security research, powered by a contributor network of over 500 lawyers, 40 in-house legal researchers, and 14 full time in-house translators. OneTrust DataGuidance™ offers solutions for your research, planning, benchmarking, and training.
OneTrust DataGuidance provides daily updates and analysis of relevant global regulatory developments. By leveraging customised email alerts and newsletters, and creating dedicated spaces for projects, jurisdictions and topics, you can stay on top of developments as they happen, including in relation to COVID-19 through our dedicated portal.
OneTrust DataGuidance solutions are integrated directly into OneTrust products, enabling organisations to leverage OneTrust to drive compliance with hundreds of global privacy and security laws and frameworks. This approach provides the only solution that gives privacy departments the tools they need to efficiently monitor and manage the complex and changing world of privacy management.