Data privacy and governance is a key concern amid COVID-19. Measures need to be in place.
With the power to collect and use vital personal information of users, contact tracing apps are a double edged sword in the fight against COVID-19, as the same data that can reduce a community’s vulnerability to the virus can increase the data subjects’ vulnerability to privacy violations. The information collected by Technology Assisted Contact Tracing (TACT) is not just protected as personal information, like health status and personal health information, but is also the type of information particularly vulnerable to abuse and stigmatization. Contact tracing app providers and technology vendors providing the foundational technology systems and services should be transparent about their privacy and data collection practices, and should commit to restricting their use of the data for contact tracing purposes. Organizational users, like governments, employers and universities implementing TACT systems should make similar commitments to limited use and transparency to reduce the risk of privacy violations and establish trust with users to encourage the pervasive use of the system required for it to be effective.
Privacy risks associated with COVID-19 can be largely classified into:
1)Individual risks
2(Compliance and regulation risks
3)Physical risks
4)Human rights risks
Technology assisted contact tracing (“TACT”), including contact tracing apps, have quickly become a component in many organizations’ and communities’ plans to combat COVID-19. Just as quickly as TACT entered the conversation, so did privacy concerns. In the haste to implement TACT solutions, there are concerns that TACT systems are not being narrowly tailored to achieve the goals of contact tracing, and that broader TACT operations may create unnecessary vulnerabilities to users’ privacy. The Country of Norway dealt with these privacy issues head-on when the county’s data protection authority raised these tailoring concerns in June, determining that the app proposed a disproportionate threat to user privacy and requiring the country to entirely halt use of its nationwide contact tracing app.
It is not just privacy watchdogs who are policing the use of TACT and its privacy implications. The individual users and potential users have enormous influence over the effectiveness of TACT. Widespread adoption is crucial for the success of a TACT system, with some studies suggesting that 60% of a population would need to install and use a contact tracing app to effectively slow the spread. However, consumers’ privacy concerns can be a heavy barrier to adoption. TACT requires collection not only of static personal data about users, but also (depending on the particular technology used) locations, movements, and relationships between users. Privacy conscious consumers are particularly sensitive to location tracking, and many will not participate in a TACT system they do not trust to protect such personal and vulnerable data. This may be particularly true in the United States, where there is no national or uniform set of laws regulating how personal information may be collected or used by TACT systems.
While TACT systems by nature need to collect personal data about their users, there are technical and administrative safeguards TACT system vendors and authorities can take to assuage user concerns and reduce privacy risks to build the trust in the system that its requires to succeed. Norway’s fraught implementation outlines some of the privacy implications and risks associated with TACT that users are wary of, and those protective measures that organizations and communities should consider implementing in connection with any TACT system to help mitigate those vulnerabilities and protect user privacy.
