COVID-19 Data Privacy

COVID-19 data privacy concerns refer to the balance between health and privacy during the pandemic and the concerns that citizens have over their personal information. As COVID-19 caused a global emergency in March 2020, several restrictions were put in place by governments and institutions in order to save lives. Mounting evidence demonstrates that the collection, use, sharing, and further processing of data can help limit the spread of the virus and aid in accelerating the recovery, especially through digital contact tracing^[1]. Data collection could include vast amounts of personal and non-personal sensitive data. There have been several concerns from the public that certain measures put in place during the COVID-19 pandemic have led to the infringement of fundamental human rights and freedoms.

Privacy in relation to COVID-19^[2]

Concerns by Country

China

China, known as country-0^[3], used artificial intelligence, cloud computing, big data, blockchain and 5G to control the spread of COVID-19^[4]. Baidu Research, a leader in AI research and development, open-sourced its linear-time AI algorithm called LinearFold to epidemic prevention centers, gene testing institutions, and global scientific research institutions^[4]. This algorithm reduced the time taken to predict and study coronavirus’s RNA secondary structure from 55 minutes to just 27 seconds, ultimately improving speed 120 times^[4]. Furthermore, artificial intelligence was developed for the Beijing subway police to identify commuters who were not wearing masks, and new temperature measurements were created to quickly take commuters temperatures. All of these measures were implemented without the consent of passengers^[4]. Baidu also has an online consultation service, which has handled over 15 million inquiries^[5]. Chinese legislation doesn’t limit Baidu in what they can do with health information from its users, giving power to a company whose intentions may be unclear^[5]. Furthermore, Qihoo 360, a Chinese internet company who has a history of inappropriate data collection and usage^[6], posted a Big Data Migration Map which allowed citizens to view the trends and hotspots of COVID-19^[4]. Alibaba, the world’s largest e-commerce company, launched a drug delivery service to treat people with chronic illnesses. The service entered health information from patients into an extensive database, which also tracked their online purchases^[5]. In August of 2019, Comparitech ranked China's cities took eight of the top ten for the world's most surveilled cities ^[7], and 95% of respondents to a survey from a Chinese newspaper stated their personal data had been stolen, making it unsurprising that the country has enough data on their citizens to control the pandemic ^[8].

South Korea

In South Korea, the government has taken action to combat the virus through tracking movements of its citizens who have tested positive for COVID-19. These different tracking measures include credit/debit card transactions, phone GPS, and South Korea’s own surveillance cameras.^[9] The country argues these methods help them trace the whereabouts of infected persons before they were notified and inform people they may have been in contact with. The system with this information also publicly shares patient info, regularly scrutinized to impede individuals’ privacy.

Often praised for their ability to stop the virus from spreading, South Korea had been in a similar situation in 2015 with a Middle East Respiratory Syndrome (MERS) outbreak. Learning from this experience, South Korea implemented a Reform of the National Infectious Disease Disease Response System^[10] outlining how they will address future viruses. The results of these guidelines increase public surveillance and public health tracking tools. In the wake of COVID-19, they launched an app, Self Quarantine Safety Protection App, for users to report symptoms and monitor individuals in quarantine to ensure they do not leave their respective homes.^[11]

Coronavirus mobile app in South Korea^[12]

Israel

When Israel ordered citizens to stay at home, it used a cell phone tracking tool, also used to track terrorists, so that the government could identify if citizens were breaking protocols. Some politicians in Israel referred to the mobile phone tracking system as an assault on the privacy of Israelis. Supercom, a biometric company headquartered in Israel, introduced an electronic monitoring and tracking platform for the population.^[13]

United States

In the US, the government worked with data-mining company, Palantir, to model the virus outbreak. The government also worked with various companies to scrape public social media data to monitor public discussion of symptoms. Furthermore, they also had active talks with Facebook and Google (among others) about using location data from Americans’ phones to map the spread of the infection.^[14]

Concerns by Practice

Contact Tracing

Contact tracing is the process of identifying individuals who may have come into contact with an infected person and subsequent collection of further information about these contacts. According to the World Health Organization (WHO), data protection and privacy laws need to be in place to provide a legal basis for data processing, restrictions on data use, measures to establish oversight, and sunset clauses to dismantle certain technologies. The WHO also outlined several principles for the appropriate use of tracking technologies, which include time limitation, data minimization, and transparency.^[15]

Testing

COVID-19 testing has led to increased data collection from citizens. Personal data and test results are sometimes shared freely between health care providers and public health officials. In some cases, first responders have been given the addresses of people who have tested positive for COVID-19. Several countries, including the UK, US, and Germany, have considered using antibody test information as “immunity certificates.”^[16] There have been concerns that employers testing their workers for COVID-19 could inadvertently collect biometric information in violation of state privacy laws.^[17]

Vaccines

Vaccinations for COVID-19 require data collection from the general public. In an effort to vaccinate the population quickly, Philadelphia partnered with a nonprofit, Philly Fighting COVID. It was eventually discovered that the nonprofit changed its status to ‘for profit’ and its private policy claimed that it could sell preregistration data it collected. The data it collected included name, birthday, address, and occupation.^[18] There have also been concerns that collecting personal data could dissuade undocumented people from getting vaccinated.^[19]

Future Concerns

The Digital Health Pass App created by IBM^[20]

Various factors surrounding COVID-19 data can potentially impact individuals in the future. If data is breached by cybercriminals through databases or apps, this would create an opportunity for identity theft. Although unknown who it would target, this could negatively impact many lives where their data and information is misused.^[21] Criminals can also steal an individual’s identity by posting their paper vaccination card on social media. When they have access to your date of birth, it’s easier for them to piece together your social security number, giving them access to all of your personal information which can then be sold on platforms like the black market.^[22]

Some countries such as Isreal have implemented a COVID-19 “vaccination passport” app created by companies like IBM^[23] and The World Economic Forum.^[24] These apps are designed to store vaccine and health data for individuals who have been fully vaccinated. Vaccine passes can be utilized to scan and get access to hotels, restaurants, gyms, and other open spaces. Although this would bring back some normalcy to our everyday lives, it could also be used to track individuals’ movements without them even knowing.^[25] Access to this proprietary information by owners of this data could reveal more than people anticipate. It can disclose habits, sexual preferences, religion, political affiliations, and different search results^[26] people don’t know these applications have access to.

“Vaccine passport” apps could create a larger divide between those who have access to the vaccine and those who do not or do not plan on getting it themselves, portraying a skewed and unrealistic representation of data.

Legislation

Consumer Data Protection Act

Introduced in April 2020, the COVID-19 Consumer Data Protection Act,^[27] would make it unlawful for a covered entity to “collect, process, or transfer the covered data of an individual” without prior notice and express consent unless necessary to comply with a legal obligation. Covered in the bill, entities would need to provide individuals with the right to opt-out from having data collected. Entities would also be required to delete information when it is no longer useful and minimize their collection of data.^[28]

Public Health Emergency Privacy Act

Senators are trying to pass better privacy health laws in order reassure the public that their health information stays private. The Public Health Emergency Privacy Act^[29] is one piece of legislation that would provide some legal safeguards. The act, introduced in May 2020, would do the following:

• Ensure that data collected for public health is strictly limited for use in public health;
• Explicitly prohibit the use of health data for discriminatory, unrelated, or intrusive purposes, including commercial advertising, e-commerce, or efforts to gate access to employment, finance, insurance, housing, or education opportunities;
• Prevent the potential misuse of health data by government agencies with no role in public health;
• Require meaningful data security and data integrity protections – including data minimization and accuracy – and mandate deletion by tech firms after the public health emergency;
• Protect voting rights by prohibiting conditioning the right to vote based on a medical condition or use of contact tracing apps;
• Require regular reports on the impact of digital collection tools on civil rights;
• Give the public control over their participation in these efforts by mandating meaningful transparency and requiring opt-in consent;
• Provide for robust private and public enforcement, with rulemaking from an expert agency while recognizing the continuing role of states in legislation and enforcement.

Notes

1. ↑ World Health Organization. "Joint Statement on Data Protection and Privacy in the COVID-19 Response" 19, Nov. 2020
2. ↑ https://www.coe.int/en/web/human-rights-rule-of-law/-/corona-apps-chair-of-the-committee-of-convention-108-and-data-protection-commissioner-on-the-need-to-avoid-unwanted-effects
3. ↑ Duarte, F. (2020, February 23). Who is 'Patient Zero' in the Coronavirus Outbreak? Retrieved April 06, 2021, from https://www.bbc.com/future/article/20200221-coronavirus-the-harmful-hunt-for-covid-19s-patient-zero
4. ↑ ^{4.0 4.1 4.2 4.3 4.4} Xiaxoxia, Q. (2020, April 08). How Emerging Technologies Helped Tackle COVID-19 in China: World Economic Forum. Retrieved April 06, 2021, from https://perma.cc/TU48-DG2K
5. ↑ ^{5.0 5.1 5.2} Claypoole, Theodore. "COVID-19 and Data Privacy: Health vs. Privacy" 26, March 2020
6. ↑ Obel, M. (2015, December 06). Privacy Issues With China's Qihoo 360 technology, Which Provides Free Antivirus Software, Are Becoming More Public; But Qihoo Strongly Rebuts Accusations. Retrieved April 06, 2021, from https://www.ibtimes.com/privacy-issues-chinas-qihoo-360-technology-which-provides-free-antivirus-software-are-1181437
7. ↑ Chen, L. (2020, January 27). China Wakes Up to Wide Web of Online Data Leaks And Privacy Concerns. Retrieved April 06, 2021, from https://perma.cc/S2N7-PCPS
8. ↑ Zhang, L. (2020, June 01). Regulating Electronic Means to Fight the Spread of COVID-19. Retrieved April 06, 2021, from https://www.loc.gov/law/help/coronavirus-apps/china.php#_ftn4
9. ↑ Cellan-Jones, Rory. "Tech Tent: Can we learn about coronavirus-tracing from South Korea?" 15, May 2020
10. ↑ Jeong Jin-yeop. "Confirmation and announcement of plans to reform the national defense system"
11. ↑ Kim, Max. "South Korea is watching quarantined citizens with a smartphone app" 6, March 2020
12. ↑ Watson, Ivan. "Coronavirus mobile apps are surging in popularity in South Korea" 28, Feb. 2020
13. ↑ Claypoole, Theodore. "COVID-19 and Data Privacy: Health vs. Privacy" 26, March 2020
14. ↑ Grind, K., McMillan, R., and Wilde, A. "To Track Virus, Governments Weigh Surveillance Tools That Push Privacy Limits" 17, March 2020
15. ↑ World Health Organization. "Ethical considerations to guide the use of digital proximity tracking technologies for COVID-19 contact tracing" 28, May 2020
16. ↑ Bracy, Jedidiah. "Should first responders know the addresses of those with COVID-19?" 10, April 2020
17. ↑ https://www.businessinsurance.com/article/20201110/NEWS06/912337665/Workplace-COVID-19-testing-raises-biometric-privacy-concerns-Michael-Jerinic-v-
18. ↑ Morrison, Sara. "Are vaccine providers selling your health data? There’s not much stopping them." 28, Jan. 2021
19. ↑ Drees, Jackie. "State officials express privacy concerns over CDC's call for COVID-19 vaccine data registry" 8, Dec. 2020
20. ↑ IBM.“IBM Digital Health Pass”
21. ↑ Altuglu, V., Salgado, M., Celmanbet, O., Haque, R., Yanguas, L. “Assessing Damages in Data Privacy and Data Breach Class Actions Involving Health Data in the Wake of COVID-19” 15, March 2021
22. ↑ Irick, Whitney.“Here's Why You Shouldn't Post Your COVID-19 Vaccine Card on Social Media” 17, March 2021
23. ↑ IBM.“IBM Digital Health Pass”
24. ↑ World Economic Forum.“Common Trust Network”
25. ↑ WKRC.“Why COVID-19 "vaccine passports" could be "Pandora's box" for data privacy, ethical issues” 15, March 2021
26. ↑ Bernal, Paul.“Data gathering, surveillance and human rights: recasting the debate” 2016
27. ↑ Fazlioglu, Muge.“Republican senators to introduce the COVID-19 Consumer Data Protection Act” 1, May 2021
28. ↑ U.S. Senate.“S.3663 - COVID-19 Consumer Data Protection Act of 2020” 7, May 2021
29. ↑ U.S. Senate.“S.3749 - Public Health Emergency Privacy Act” 14, May 2021