Contact-tracing apps designed to track populations during the COVID-19 pandemic are raising red flags around data privacy. It has unveiled a clash between the need to protect privacy and the need to protect public health.
While these apps may help health officials contain the virus, they also pose many questions around privacy, including:
- Who owns the data, how will the data be used, and who is liable if the data is misused?
- What are the rules around using third-party apps, which may not be in compliance with regulations?
- What are the potential consequences for users?
“It could lead to bias in its application and involuntary surveillance and questions as to who holds the data remains—the government or a private company—and whether the data and the process itself is auditable,” Cynthia Cole, a special counsel at the law firm Baker Botts, told Reuters. “There must also be some system for deleting the data, but it is not clear how that would be enforced.”
What Regulations Currently Protect Data Privacy?
In Europe, a law known as the General Data Protection Regulation (GDPR) oversees data privacy across the continent. Nevertheless, the race to track the coronavirus through mobile apps in various European countries has revealed that complying with the regulation, especially during an emergency, isn’t easy.
For example, England’s Department of Health acknowledged that its COVID-19 contact-tracing program began without any review of its potential effect on privacy. While there haven’t been any reported data breaches, this admission indicates that the program may have been operating illegally since its introduction in May. Lithuania also ordered the discontinuation of its contact-tracing app over suspicions that it violated regulations.
In Norway, contact tracing posed an even more complicated problem. Because too few citizens downloaded the app (under 15%), the nation’s Data Protection Authority forced the Institute of Public Health to suspend use of the app and erase all the data gathered. It found that the low download rates posed too great a risk to user privacy.
Meanwhile, in the U.S., no federal law currently exists that regulates data privacy. In the absence of such a law, some limited guidance is offered under the Health Insurance Portability and Accountability Act (HIPAA), requirements from the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA), and guidance from the Equal Employment Opportunity Commission (EEOC) that pertains to organizations collecting employee health data.
Some state laws such as the California Consumer Privacy Act (CCPA) and New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) attempt to regulate data privacy. However, they are only applicable to those states. In South Carolina, a state with over 95,000 confirmed COVID-19 cases as of 6 August, lawmakers prevented the health department from deploying a contact-tracing app due to privacy concerns.
Furthermore, even in states with regulations like California, organizations aren’t necessarily meeting requirements. According to a recent survey from TechRepublic, which received responses from 186 professionals, 26% of respondents said their organizations were meeting or making an effort to meet requirements under the CCPA, while 14% said they were not, and 28% were uncertain.
What Should a U.S. Federal Privacy Data Law Include?
Some experts are calling for a U.S. federal law that gives clear guidance around data privacy and evenly weighs the needs of citizens, businesses, and government. According to Jerry Jones, EVP, Chief Ethics and Legal Officer of LiveRamp, such a law needs to be flexible, should designate a regulatory authority responsible for ensuring compliance to the law, and should recognize an individual’s right to pursue legal action should an organization violate their privacy.
Privacy’s Increasing Role in Technology
Every organization today is in some state of digital transformation. While the understanding of security needs in the digital age has matured significantly in the last 2 decades, the implication for data privacy and in particular, its interaction with security, are still not well understood. As data regulations and laws continue to evolve all around the world, organizations require an increased understanding of privacy requirements and their impact on technology solutions.
In the next IEEE Virtual Tech Talk: Privacy’s Increasing Role in Technology—A View from the IAPP, experts will share the evolution of privacy, discuss key privacy topics like Privacy by Design and the NIST Privacy framework, share their perspectives of the overlap between Security and Privacy and highlight the criticality of understanding the current implications of data privacy today.
Save your seat for 12 August 2020 at 9am ET.
Jones, Jerry. (23 July 2020). Let’s close the gap and finally pass a federal data privacy law. TechCrunch.
Ehret, Todd. (21 July 2020). Data privacy laws collide with contact tracing efforts; privacy is prevailing. Reuters.
Cellan-Jones, Rory. (20 July 2020). Coronavirus: England’s test and trace programme ‘breaks GDPR data law.’ BBC.
Wolkoff Wachsame, Melanie. (July.) Survey: Barriers prevent data privacy initiatives.