SERIES: COVID-19’s Long-Term Policy Implications - The Implications of COVID-19 on Privacy
The COVID-19 crisis has become a national emergency with serious social, economic, and health implications. Looking forward, the virus could shape actions and attitudes related to data privacy.
Global Lessons Learned on the Use of Syndromic Surveillance
Mandatory data collection could become an accepted norm around the world as nations seek to halt the spread of infection. Rigorous syndromic surveillance programs have been imposed in Asian countries, including Singapore and China, as part of their COVID-19 response strategies, with some success. For example, South Korea has managed to flatten the COVID-19 curve by monitoring individual body temperatures in public spaces.
The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) is a new project with participating member countries Austria, Belgium, Denmark, France, Germany, Italy, Switzerland and Spain that utilizes Bluetooth signals to detect those individuals who are not practicing social distancing, and alerting those who are in close enough contact to risk infection. The data is temporarily stored in individual phones and remains encrypted to conceal identifying information.
While European countries like Germany are still wary of more invasive, mandatory programs that its citizens perceive as an unjust breach of data privacy, others are less hesitant. Poland, for example, has implemented mandatory tracking apps, which would retain data for six years with no clear guarantee of deletion. Poland’s numbers of reported cases and deaths remain relatively low but continue to rise.
Private Sector Solutions
Private companies are launching voluntary data collection initiatives to assist policymakers and health researchers in tracking the spread of the virus. The following efforts stress user anonymity as a priority:
Facebook & Carnegie Mellon University’s COVID-19 Symptom Map invites users to self-report any COVID-19 or flu-like symptoms experienced in the last 24 hours to forecast potential outbreaks.
Google’s COVID-19 Community Mobility Reports use data from users who have opted in to storing their location history with Google to help illustrate the degree to which people are following shelter-in-place and work-from-home orders.
Apple’s Mobility Trends Report randomly pulls anonymous information from Apple Maps routing requests to detect the volume of user mobility within a given geographic region.
Vantiq and its partners are using a host of technologies including artificial intelligence (AI), thermal imaging, facial recognition, and Internet of Things (IoT) sensors, to develop operational systems and applications for clients like governments and private industries around the world.
Apple and Google have announced joint implementation of an app programing interface (API) that lets public health organizations use smartphone Bluetooth radios to monitor users and alert them if they come into contact with an infected individual.
Microsoft has outlined seven policy principles to guide governments and companies in safeguarding online privacy. They have also partnered with the Centers for Disease Control (CDC) on a variety of initiatives, including a coronavirus self-checker tool and a coronavirus tracker on Bing.
American’s Changing Attitudes Toward Privacy
COVID-19 is likely to change the way Americans think about privacy, especially if syndromic surveillance and contract tracing solutions are ultimately used to reopen the economy.
A 2019 poll conducted by the Pew Research Center found that two thirds of respondents are concerned about the information being collected by the government and private companies. Additionally, the large majority of those surveyed noted a lack of oversight and little reward for the risks incurred. Finally, 75 percent of respondents supported greater government regulation of data protection.
In response to the coronavirus outbreak, there has been some voluntary data sharing between American users and private companies like Apple and Facebook. However, Americans of all age groups still bristle at the idea of mandatory data collection and the long-term storage of personally identifiable information. COVID-19 could signal a rapid development in the oversight and accountability of data collection and retention by both private companies and the federal government, as both entities seek to overcome obstacles to the launch of syndromic surveillance programs to flatten the curve within the U.S.
Americans now might be more willing to share their health and location data if it helps lift COVID-19 restrictions and reopen the economy. If these solutions do come into play, we could also see entities like the Federal Trade Commission (FTC) stepping in to ensure data that is shared voluntarily is used as intended.
The Legislative Outlook
There has been a patch-work effort at the state level to implement legislation related to contact tracing. For example, Massachusetts Governor Charlie Baker announced the state’s COVID-19 Community Tracing Collaborative (CTC), increasing its capacity for contact tracing and widespread testing.
At the federal level, Congress has been struggling to enact a national privacy standard. Prior to the onset of COVID-19, bipartisan talks between Sens. Roger Wicker (R-MS) and Maria Cantwell (D-WA) had slowed significantly, if not reached a complete standstill. Additional work between Sens. Jerry Moran (R-KS) and Richard Blumenthal (D-CT) cratered under the weight of ideological differences on key issues like preemption and private right of action. Finally, while House Energy and Commerce Committee staff continued to solicit feedback on draft bipartisan legislation, the next steps remained unclear.
There is now fresh thinking COVID-19 could create opportunities to make some progress in federal policymaking on privacy, even if it is specifically targeted to the pandemic. On contact tracing specifically, U.S. policymakers have outlined a path forward where data collection could be aggregated and anonymous, responding to fears that such data collection efforts could be abused by tech platforms, especially those who have previously overstepped commitments on consumer privacy.
On April 9, the Senate Committee on Commerce, Science, and Transportation held a paper hearing on “Enlisting Big Data in the Fight Against Coronavirus” to examine how anonymized data collection could curb the spread of the virus and subsequently how the government will address the collected data following the resolution of the pandemic. Federal legislative outcomes may presently be uncertain, but it is clear efforts are being made to maintain the tenuous balance between public safety and personal security.
COVID-19, Privacy, and Political Campaigns
Earlier in his term, President Donald Trump signed legislation repealing privacy rules approved during the Obama Administration that required internet service providers (ISPs) to do more to protect consumers’ privacy than websites. The administration expressed some interest in working with Congress on privacy legislation and held some stakeholder meetings, but this effort has slowed as a result of personnel changes and all attention now focused on the fight against COVID-19.
The Biden campaign has not outlined a comprehensive online privacy plan, but is expected to follow the model of the 2012 “Consumer Data Privacy Bill of Rights,” which sought greater control of data protection for consumers and greater transparency from private companies. These principles for consumer data privacy are defined in Section II of the Obama administration’s “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy.”