As the novel coronavirus continues to spread and affect people across the world, countries are beginning to use technology to try and limit the spread as much as possible. In early March, China’s system of using an app to assign a color to individuals based on their health status made headlines, as this information would then be shared with law enforcement authorities. [1] As the virus continues to spread, countries around the world are grappling with how to balance the use of an app to protect public health with the need to protect individual data privacy.
It is possible for this data to be used to limit the spread of the virus while also maintaining data privacy of individuals. One potential tool is the use of Bluetooth as a proximity detector. [2] An example of this technology is the “StopCovid” mobile app, which utilizes Bluetooth signals to see who is within two meters of each other. The app can consider this proximity to be a “contact event”, and record the event. If someone were to become ill, the app could communicate this to those who shared a “contact event.” The app can do this without recording location data or linking this information to someone’s identity.[3] An MIT project is also looking at ways to utilize GPS technology while limiting surveillance over individuals. [4] Nonetheless, individuals will likely be concerned as these apps continue to roll out over the next few weeks and months with how the information collected will be used and to whom the information could be given.
Although these apps may prove to ultimately be helpful in preventing the spread of COVID-19, there are significant data privacy implications. In the European Union (EU), companies and apps that want to store sensitive data are restricted by the EU’s General Data Protection Regulation (GDPR).[5] The European Data Protection Board (EDPB) made clear that even though these are unique and exceptional circumstances, there must still be protection of personal data.[6] The EDPB stressed that potential apps should process location data anonymously – meaning that the data cannot be used to re-identify individuals. If it is not possible to aggregate this data anonymously, then it is up to member countries to implement legislative measures that protect data privacy and security, including a right to a judicial remedy.[7] As leaders in data protection call for a standard mobile app across Europe [8], individual nations and app developers must work together to create an app that meets the data privacy requirements throughout Europe.
However, in Europe, these apps and technologies have already run into legal difficulties. France has been working on the Bluetooth-enabled, “StopCovid” app, and there are concerns that this could violate French law which forbids the tracking of individual smartphones.[9] In the United Kingdom, Britain’s National Health Service is working to decide how to use data most efficiently. The Health Secretary, Matt Hancock, stated in a tweet in mid-March that “we are all having to give up some of our liberties; rights under GDPR have always been balanced against other public interests,” suggesting that however the UK decides to use data, it may not meet the standards set under the GDPR. [10]
In the United States, data is already being used from companies such as Google and Facebook. These companies already collect large amounts of data on location from websites and mobile apps and are now taking this data, anonymizing it, and giving it to researchers, health authorities and government agencies that are working to prevent the spread of the virus. [11] Apple has also released a screening app and website in coordination with the Centers for Disease Control (CDC). [12] These measures have been met with hesitance from a few Democratic senators, who have expressed data privacy concerns. In a letter to Apple, Senators Robert Menendez, Richard Blumenthal, Kamala Harris, and Cory Booker expressed concerns about Apple’s use of personal information and its compliance with the Health insurance Portability and Accountability Act (HIPAA). [13]
Most recently, Apple and Google announced they were working together to implement software into phones to alert people if they had recent contact with someone with COVID-19. [14] Instead of an app that people could download, the program would be built directly into the operating system of mobile devices. This technology would be able to run constantly in the background, therefore recording all nearby devices at all times – alleviating an issue faced by third-party apps. If someone had tested positive for COVID-19, they would report this to a public health app, which would use this technology to alert those who may have had contact with the infected person. Apple and Google did not disclose what information they would be collecting, or what information would be shared with the public health organizations or people who were identified as having contact. There are concerns with constantly monitoring locations of individuals 24/7, and how voluntary or mandatory such a program may be. An independent cybersecurity researcher expressed caution at this new development as although surveillance tools may begin as voluntary, they often quickly become mandatory. [15] As the development of these apps continues, app developers must work together with legislators to ensure that data privacy rights are not being eroded in the name of protecting public health.
Footnotes
[1] https://www.nytimes.com/2020/03/01/business/china-coronavirus-surveillance.html
[2] https://www.wired.com/story/covid-19-contact-tracing-apps-cryptography/
[3] Id.
[4] Id.
[5] https://www.weforum.org/agenda/2020/03/restore-data-privacy-after-coronavirus-pandemic/
[6] https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statement_2020_processingpersonaldataandcovid-19_en.pdf
[7] Id.
[8] https://www.nytimes.com/reuters/2020/04/06/technology/06reuters-health-coronavirus-tech-privacy.html
[9] https://www.nytimes.com/reuters/2020/04/08/technology/08reuters-health-coronavirus-france-apps.html
[10] https://www.bloomberg.com/news/articles/2020-04-04/how-europe-is-bumping-against-privacy-laws-in-coronavirus-battle
[12] https://www.cnbc.com/2020/04/03/senators-ask-apple-ceo-about-the-companys-covid-19-app-privacy-practices.html
[13] Id.
[14] https://www.nytimes.com/2020/04/10/technology/apple-google-coronavirus-contact-tracing.html?action=click&module=Top%20Stories&pgtype=Homepage
[15] Id.