Coronavirus contact tracing raises privacy concerns

Legal issues concerning data privacy aren’t new, of course.

But what if personal information is necessary to help protect the public health of your state or your local community? And, ultimately, what happens to the information once it is fairly and legally collected?

Contact tracing system in the United States

In a nutshell, those are among the chief questions swirling in early 2021 regarding data privacy and protection amid COVID-19. Nearly a year after its emergence nationwide, the coronavirus spreads its influence far and wide, including on the topic of contact tracing and related new technologies.

Government officials and public health experts agree that the contact tracing of people who test positive for COVID-19 is an essential part of disease control. Contact tracing for other contagious diseases has been used for decades to help ensure public health.

At the same time, however, successful contact tracing depends on public trust and willing participation. And, with mounting uneasiness surrounding data protection as new technologies are employed — applications that use GPS location or Bluetooth location proximity data, for example — that trust and participation have become no sure things. In addition, just like testing for the virus, immediate action is required.

That’s the view of Laura Hecht-Felella, the George A. Katz Fellow with the Brennan Center for Justice’s Liberty and National Security Program. The Brennan Center, a bipartisan law and public policy institute at New York University Law School, has emerged as a leading advocate for privacy protection.

“There is no comprehensive data privacy law in the United States. Instead, a piecemeal statutory structure protects certain types of personal data,” said Hecht-Felella, an attorney who focuses on civil rights and technology, as well as content moderation and online speech.

Federal legislation for confidentiality protection could be on the way, but that represents a big “if” because it hasn’t happened in any broad statutory structure, Hecht-Felella added. “There are a lot of doubts out there.”

The federal Stored Communications Act and the Telecommunications Act represent the most relevant protections regarding the disclosure of location or proximity data to the government. For one, the Stored Communications Act prohibits entities that provide phone, messaging, data storage or data-processing services to the public from voluntarily disclosing content of communications to the government. The Telecommunications Act prohibits phone carriers from disclosing their customers’ personally identifiable call location information to any entity, including the government and data brokers.

Significant gaps in privacy, though, still exist, Hecht-Felella said. Adding to those gaps are new technologies encompassing in-home testing, according to Brennan Center research.

At-home polymerase chain reaction (PCR) tests, for instance, are designed so nasal or saliva samples can be collected by a customer outside of a medical setting and sent to a laboratory for analysis. Results are provided by phone, email or app, and the lab is required to report positive test results to public health authorities.

At-home test providers and partnering laboratories collect personal and health data on their customers through several channels, including through online symptom surveys, purchase information, customer interactions with provider websites or apps, and test results. Some companies also collect data from third-party sites such as social media platforms.

Federal legislation, at least at the moment, doesn’t offer much comprehensive protection, Hecht-Felella asserted.

The primary federal legal regime protecting health data is HIPAA, which sets national standards for the protection of some personal health information. Whether HIPAA applies to an at-home Covid-19 test depends on two factors: whether the test provider is considered a covered entity and whether the information collected falls within the scope of protected health information. Covered entities include health care providers who transmit health information electronically, while protected health information refers to individually identifiable health data.

That privacy protection, though, is limited. Even when providers are covered entities, HIPAA may not impose meaningful safeguards on the full breadth of customer information collected. For example, a customer’s social media information is likely to fall outside the scope of HIPAA’s protections for individually identifiable health information.

“Whatever ends up coming out of the proposed legislation I think will be a starting point,” Hecht-Felella said. “I think it would be the beginning of a broader conversation that the country needs to have about data privacy.”

More specifically, according to privacy advocates, the contact tracing information protected in future bills should explicitly include any geolocation or proximity data gathered through digital contact tracing tools. Further, future bills should require the deletion of contact tracing data. While contact tracing has been used for decades to limit the spread of diseases like tuberculosis, HIV, and Ebola, it has never been implemented in the United States on the scale envisioned today.

State legislation signed into New York law last year just might offer a promising model. The bill requires that information collected for COVID-19 contact tracing be kept confidential and not be disclosed other than as necessary to carry out contact tracing or a permitted purpose.

Last spring, following the introduction of that proposed legislation, Richard Gottfried, a member of the New York State Assembly, said: “Contact tracing is not going to work unless people are confident the information they give to contact tracers is not going to be used against them, is not going to be given to the police, to immigration, or their employer.”

In essence, the legislation establishes broad confidentiality protections for contact tracing data, at least for residents of New York. And it could be a helpful start — particularly in limiting the information exchange between public health agencies and police and immigration enforcement, and between commercial vendors and customs/border protection authorities.

Meanwhile, the world — in the form of the United Nations and groups such as the World Health Organization — is watching. As the pandemic rages on, United Nations Secretary-General António Guterres, for one, is seeking greater human rights. As part of a policy brief on COVID-19, he said last year: “We have an obligation to ensure everyone is protected and included in the response to this crisis. … This is not a time to neglect human rights; it is a time when, more than ever, human rights are needed to navigate this crisis in a way that will allow us, as soon as possible, to focus again on achieving equitable sustain- able development and sustaining peace.”

Privacy advocates, such the Brennan Center, remain hopeful.

“COVID-19 has brought the data-privacy issue to the forefront. It’s important, and it has been needed for a long time,” Hecht-Felella concluded. “I’m hopeful that out of the horrors of the pandemic will come better protection.”