It’s no secret that the COVID-19 pandemic has caused massive disruptions across all areas of life, from a surge in remote work to widespread measures of containment, which often include quarantine or “stay at home” orders. A growing number of countries have even pursued more aggressive measures to combat COVID-19, including using private data to track infected citizens. It’s quickly become abundantly clear that one of the greatest resources right now is data – specifically, location data.
Countries that are trying to be proactive in their response to the threat of COVID-19 have resorted to using location data in phones to varying degrees. Taiwan, a country globally praised for its response, has instituted a “data fence” policy for those who are meant to be in quarantine. Similar to an ankle bracelet, the phone transmits the user’s location data to the local officials and police. If the phone goes outside of the allowed area or stops transmitting, authorities are dispatched to make sure quarantine rules are being followed.
South Korea uses similar information to aid in the process of contact tracing. When a citizen is confirmed to have COVID-19, the location data from their phone can be leveraged to create a map of potentially contaminated areas – which is then relayed to an app that anyone in South Korea can download to see locations that should be avoided. The authorities can also send mass alerts to citizens’ phones about a confirmed case, with detailed information all the way down to the age of the person and all previous locations visited.
Taiwan and South Korea are not alone in utilizing location and tracking data, though they do represent some of the more far-reaching cases. Certainly one of the most unexpected adopters of a tracking app, however, is the EU.
In 2018, the EU adopted the General Data Protection Regulation (“GDPR”), which limits what companies can and can’t do with their users’ data. It classifies certain attributes as “personal data” – location, demographics, name, address, etc. – and was the direct result of a growing concern over privacy in the age of big data.
Despite the crackdown on data use, the EU has managed to create the Pan-European Privacy-Preserving Proximity Tracing (“PEPP-PT”) app in compliance with GDPR by using anonymous Bluetooth technology. Data would be stored on the phone, rather than a server, and the collected data from phones would only be accessible by authorities for contact tracing purposes or to privately alert an individual that they may have come into contact with a positive COVID-19 case.
But the sentiments that created GDPR in the first place are ever looming as the EU moves quickly to adopt a set of common rules for the use of any and all proposed apps that track data in order to monitor the spread of COVID-19. While the urge for solutions to the current situation is present, it hasn’t abated the concerns over privacy.
Americans have recently expressed similar concerns over the amount of personal data that is made available. Two states, so far, have rolled out protection acts including:
These acts set some boundaries on how personal data can and can’t be used, as well as allowing for easier opt-out options. Like GDPR in the EU, these acts arose from concerns over how personal data is treated. Currently, however, there is no single, unified data protection law for the United States. Case law and the laws of individual states make up a patchwork of rules that a contact tracing app would have to navigate in order to stay compliant country-wide. This raises the question: are people willing to give up some of the privacy they have over their personal data in order to combat COVID-19 and, if so, what happens after this is all over?
Countries that were early adopters of these apps, Taiwan and South Korea in particular, have seen positive results. There is no doubt that such tracking can greatly help contact tracing, which is considered one of the key components of being able to control a pandemic. However, the existing laws in the US were put into place out of a very real concern for data privacy and protection. While the proposed EU app does not necessarily cross the lines drawn in the sand, it certainly toes them.
In January, the idea of an app that tracks and distributes that much personal data would have been nearly unthinkable. However, Google and Apple have announced that they are teaming up to create a US-based version of the app. According to interviews, the app would be entirely voluntary and responses kept anonymous. The proposed app would track people’s proximity to one another to determine if they were close enough for long enough to potentially catch the virus. If a user who was close to others tests positive and updates the app, an alert is sent to other users that they were in close contact with a positive case and may have potentially contracted the virus.
Both Google and Apple have stressed their interest in maintaining the privacy of the users who voluntarily submit to having their location tracked in this way. As an act of good faith, they have stated that they will publicly release information on their work to be as open as possible.
The COVID-19 pandemic will end; it’s just a matter of time. When it does, everyone will be anxious to develop some semblance of normalcy. When countries are at the point where they can look back at the reliance placed on location tracking during this time of crisis, what will people make of how fast and easy it was for their privacy to become negotiable? In the midst of a pandemic, individuals may be far more willing to let their data be used in ways that can help mitigate the rising risks. But after it’s over, will people be even more unsettled by the extensive use of their personal data?
Prior to the COVID-19 outbreak, the US was on the path toward wider adoption of data privacy protection acts. Whether or not the app proposed by Google and Apple comes to wide-scale adoption, criticism has already been voiced about the slippery slope created by the apps that already do exist. A desire for a unified right to personal data privacy was a major driving force in adopting what policies the US does have in place long before the COVID-19 outbreak.
The backlash against these apps, helpful as they are during the COVID-19 pandemic, may very well trigger another round of privacy protection policies, such as the ones currently being considered by the EU even as it proceeds with the PEPP-PT. The US may see far more policies come into place like the NY Shield Act and CCPA when the current crisis ends and people come to terms with having relinquished their privacy.