The Privacy Concerns of Contact Tracing
Social distancing. What about digital distancing? How private are digital handshakes? The spread of coronavirus has prompted government officials across the world to use technology to monitor infected individuals’ contacts. The result: digital contact tracing using a smartphone app. The costs: privacy, identity, and possibly more.
Nations throughout the world have developed smartphone apps to conduct digital contact tracing using the Bluetooth feature in smartphones. The first-generation contact tracing apps faced many technical issues, which led to a solution by tech companies. Apple and Google, in a joint venture, created the Exposure Notification System, an application programming interface only available to government health agencies. Nations that have currently partnered with Apple/Google to use the Exposure Notification System include Canada, Japan, Switzerland, Italy, Germany and other European Union members, as well as several states in the United States.
Most contact tracing apps follow a similar workflow, relying on the Exposure Notification System as the underlying on-device platform. A user downloads the app and consents to its terms of service. While the system is enabled, the device generates a random daily key and derives from it a rolling pseudonymous identifier that changes roughly every 10 to 20 minutes; the daily key never leaves the device unless the user later reports a positive test. As the user moves near other devices, these identifiers are exchanged over Bluetooth (the digital handshake) and stored locally on each device. The device periodically downloads the daily keys that confirmed-positive users have chosen to upload to the health authority's server, re-derives the identifiers those keys would have produced, and compares them against the identifiers it stored locally. If there is a match, the user receives a notification with instructions from public health authorities.
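The workflow above in runnable form. This is an added illustration, not code from the original article or from Apple/Google; the structure (random daily key, one-way derivation of a per-window identifier, diagnosis keys uploaded by positive users, matching performed on the device) follows the published Exposure Notification cryptography specification, but the real scheme derives each identifier with AES-128 under an HKDF-derived key, and this standard-library-only version substitutes HMAC-SHA256 truncated to 16 bytes, so the bytes will not match a real device. The Phone class, the simulate function, and the three-person scenario are constructed for the example.

```python
"""Rolling-identifier exposure notification, modelled on the Apple/Google scheme.

Added illustration, not code from the article or from Apple/Google.
ASSUMPTION: HMAC-SHA256 (truncated to 16 bytes) replaces the spec's AES-128
identifier derivation so the block runs with the standard library only; the
protocol shape is the spec's, the identifier bytes are not.
"""
import hashlib
import hmac
import os

WINDOW_SECONDS = 600      # identifier window: 10 minutes (spec value)
WINDOWS_PER_KEY = 144     # one daily key covers 144 windows = 24 h (spec value)


def window_number(unix_time: int) -> int:
    """Which 10-minute window a timestamp falls in (the spec's ENIntervalNumber)."""
    return unix_time // WINDOW_SECONDS


def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA256 with an empty salt (a string of HashLen zeros)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def rolling_identifier(daily_key: bytes, window: int) -> bytes:
    """Per-window pseudonym broadcast over Bluetooth.

    Input block layout follows the spec: "EN-RPI" || 6 zero bytes || window (LE32).
    ASSUMPTION: HMAC-SHA256 stands in for the spec's AES-128 block encryption.
    """
    id_key = hkdf_sha256(daily_key, b"EN-RPIK", 16)
    block = b"EN-RPI" + b"\x00" * 6 + window.to_bytes(4, "little")
    return hmac.new(id_key, block, hashlib.sha256).digest()[:16]


class Phone:
    """Minimal device state: its own daily keys and the identifiers it heard."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.daily_keys = {}   # first window of the day -> random 16-byte key
        self.heard = set()     # identifiers received over Bluetooth

    def _key_for(self, window: int) -> bytes:
        day_start = window - window % WINDOWS_PER_KEY
        return self.daily_keys.setdefault(day_start, os.urandom(16))

    def broadcast(self, window: int) -> bytes:
        return rolling_identifier(self._key_for(window), window)

    def receive(self, identifier: bytes) -> None:
        self.heard.add(identifier)

    def diagnosis_keys(self):
        """What a positive user uploads: daily keys only, never what was heard."""
        return sorted(self.daily_keys.items())

    def count_exposures(self, published) -> int:
        """Local matching: re-derive every identifier each published key could
        have produced and count how many of them this phone actually heard."""
        hits = 0
        for day_start, key in published:
            for window in range(day_start, day_start + WINDOWS_PER_KEY):
                if rolling_identifier(key, window) in self.heard:
                    hits += 1
        return hits


def simulate(contact_windows: int = 3) -> dict:
    """Constructed scenario: Bob is near Alice for `contact_windows` windows,
    Carol meets only Bob, then Alice tests positive and uploads her keys."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    start = window_number(1_600_000_000)            # fixed synthetic day
    for w in range(start, start + contact_windows):
        bob.receive(alice.broadcast(w))             # digital handshake, both ways
        alice.receive(bob.broadcast(w))
    carol.receive(bob.broadcast(start + 10))        # Carol never meets Alice
    published = alice.diagnosis_keys()              # Alice's upload after diagnosis
    return {
        "keys_uploaded": len(published),
        "bob_hits": bob.count_exposures(published),
        "carol_hits": carol.count_exposures(published),
        "identifiers_rotate": alice.broadcast(start) != alice.broadcast(start + 1),
    }


if __name__ == "__main__":
    print(simulate())
```

Two properties worth noticing when reading the output: Carol's count is zero even though she heard Bob, because only Alice's keys were published and Bob's contact with Alice is never uploaded; and the identifiers Bob stored are unlinkable to Alice until her daily key is published, since each one is a fresh one-way derivation. Rotating identifiers every window is what prevents a passive Bluetooth listener from tracking one device across a day.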
The meteoric rise of contact tracing apps has generated discussion on potential privacy pitfalls and the appropriate balance between privacy and public health. In “COVID-19 Contact Tracing Apps: A Stress Test for Privacy, the GDPR, and Data Protection Regimes,” published in the Journal of Law and the Biosciences, Laura Bradford et al. analyze the level of privacy protection provided by EU and US privacy laws.
The US and EU approach data privacy differently. The US uses a sector-specific approach in which legal protections depend on the data’s source and subject matter. The EU, by contrast, has enacted an omnibus data privacy framework, the General Data Protection Regulation, which is expansive in scope. According to Bradford et al., the Exposure Notification System and contact tracing apps would be subject to the GDPR. Most consequential is Article 5, which sets out a series of binding principles: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. These principles define clear rights for app users and clear obligations for data controllers and processors.
Specifically, data controllers and processors are required to record all data processing activities, document the lawful basis for each, ensure the processing is done securely, and conduct impact assessments. They must first give users an explanation of the terms in plain language and then ask for consent. This is key to the GDPR because it lets users actually exercise their privacy rights, as opposed to receiving a notice of data collection written in language that requires fluency in the law. The GDPR’s consent requirement ensures that users have the opportunity to understand what they are giving up in exchange for using the app and can explicitly choose whether to participate.
The GDPR treats health information as a “special category of personal data” requiring greater care by data controllers. Both the Exposure Notification System and contact tracing apps may receive information about a positive COVID-19 diagnosis, which is a form of health information. Bradford et al. therefore advise that data controllers in the EU treat contact tracing app data under the special category. The organization would need to confirm that it has grounds to collect this data; the authors suggest that health information collection by contact tracing apps could be justified as a means of protecting the public from the disease. The organization would also need to comply with any national restrictions and obligations that apply to safeguarding this type of data.
Apple/Google claim that the collected data, including information about a positive diagnosis, is ‘anonymized’ and thus may not be subject to the GDPR. However, re-identification techniques may later extract identifying information from data that was considered anonymized, compromising privacy. To mitigate the liability of misclassifying the data, Apple and Google have implemented additional measures to comply with the GDPR’s pseudonymization requirements. Bradford et al. could not determine whether the data collected by contact tracing apps is truly ‘anonymized’, so they recommend treating it under the special category. Fortunately for users of contact tracing apps in the EU, the GDPR gives them the right to access the data, seek erasure, file complaints, and seek legal remedies and compensation. This matters because, without a framework outlining these rights, users would have little recourse against data controllers over privacy concerns.
The US federal law most likely to govern data collected by contact tracing apps is the Health Insurance Portability and Accountability Act. HIPAA protections apply only to data held by covered entities (healthcare providers, health plans, and clearinghouses) and their business associates. Some states have enacted privacy laws to fill the gaps federal law has left open. For example, the California Consumer Privacy Act gives users the right to access their data, obtain disclosure of data that was sold, opt out of its sale, seek erasure, and be protected against discrimination for exercising these rights. California residents are protected under the CCPA only if their data was collected while they were in the state. The CCPA applies to any business anywhere in the world that receives personal information from California residents and meets the minimum revenue or personal data possession/sale thresholds.
Bradford et al. posit that data collected by contact tracing apps would likely fall outside the scope of HIPAA. While Californians could claim protection under the CCPA, uncertainty remains as to whether its protections extend to pseudonymized data. Even where they do apply, the CCPA is a notice-based statute rather than a consent-based one: Californians would receive notification of how collected data is used, but their affirmative consent would not be required.
The lack of data privacy restrictions may promote innovation, but it also leaves society vulnerable to harms stemming from data misuse by private parties, companies, and government agencies. It also leaves users exposed to identity theft. Given the regulatory uncertainty, the only practical option for Americans is direct engagement with data controllers: declining to download the app, withholding consent, or turning off the Exposure Notification System. According to Bradford et al., privacy rules such as those introduced by the GDPR are not a hindrance to contact tracing but an advantage, because they allow users to trust the app. Restrictions on data collection and dissemination create a suitable environment for contact tracing apps. Under the GDPR, both data controllers and users know their rights, can conduct themselves appropriately, and have certainty regarding liability.
The absence of a comprehensive federal privacy law, coupled with the rise of contact tracing apps in the US, has prompted the drafting of a bipartisan bill called the Exposure Notification Privacy Act (ENPA). The bill aims to protect individuals who do not wish to have their data collected or used commercially, and to introduce civil penalties for companies that abuse privacy. The ENPA would require firms developing contact tracing apps to work with public health authorities; Apple/Google already list this as a requirement for developers using the Exposure Notification System. The draft legislation also contains language prohibiting discrimination against employees who opt out of contact tracing. Recently, PricewaterhouseCoopers introduced a corporate contact tracing app for businesses that want real-time proximity information about employees who could be at risk of infection (PricewaterhouseCoopers n.d.).
Although the ENPA would provide some privacy assurances to users of contact tracing apps, many of its components are already implemented in the terms of use of Apple/Google’s Exposure Notification System. While government regulation gives some confidence that the tech giants cannot go back on their word, many scenarios are not covered by the bill. For instance, an app developed without a public health authority partnership would fall outside the ENPA’s scope entirely, precisely the case where oversight is most needed.
Given that the US lacks comprehensive data privacy regulation, particularly in health tech, it is no surprise that a June survey by Avira found that 71% of Americans would not download a COVID-19 contact tracing app. The pandemic has tested privacy and data protection regulations, or the lack of them, and demonstrated the need for a framework. COVID-19 has forced changes in daily life, but it has provided even more reasons not to pause the development of privacy and data protection policy.
Bradford, Laura, Mateo Aboy, and Kathleen Liddell. 2020. “COVID-19 contact tracing apps: a stress test for privacy, the GDPR, and data protection regimes.” Journal of Law and the Biosciences 7, no. 1: 1-21. https://doi.org/10.1093/jlb/lsaa034.