The dust has not settled on the COVID-19 pandemic that has wreaked havoc across the globe. The disruptions to human livelihoods have affected the global economy, with the operations of many small businesses put to the test by unprecedented shutdowns. The world, however, is slowly but surely recovering from the aftermath. Governments and authorities have introduced new measures to tackle the spread of the virus, most of which include the collection of people’s Personally Identifiable Information (PII). Examples include gathering travel information during the lockdown, frequent temperature checks, and, most common and perhaps most significant, digital apps for contact tracing and self-assessment. All of these efforts have been appreciated, but they also raise the significance of data protection and privacy.
Data privacy is an imperative part of the digital experience, thanks to privacy regulations like the European General Data Protection Regulation (GDPR) and the US’ California Consumer Privacy Act (CCPA). With the pandemic forcing many businesses to move their operations completely online and data collection increasing as mentioned, maintaining the users’ right to privacy in the crisis raises some challenges. The proliferation of COVID-19 and its variants and mutations has led to several questions, not only about their origin and transmission but also about how they can impact data protection and privacy.
We will discuss how data is being processed for COVID-19 related operations, how the apps developed for contact tracing keep the users’ data protected, and also the challenges faced and guidelines issued by different data protection authorities.
Data processing amidst COVID-19
The main objective of most of the ruling governments and authorities is to limit the spread of the COVID-19 virus. For that, the measures include limiting movement, frequent health tests, and tracking.
Many countries across the world have restricted human movement by imposing country-wide lockdowns and mandatory travel documents. There are restrictions on gatherings, home quarantine, and shutdowns of educational institutions and offices. The number of health tests has risen since the virus outbreak, with daily COVID-19 tests, temperature checks and other related medical treatments. Contact tracing is the most common method in the world to limit the spread and then follow up on people in quarantine and those who have tested positive for COVID. Contact tracing is a method of locating and identifying contacts and finding their contacts, and so on until the chain has been broken and there is no further risk.
And now, all countries have started to vaccinate their citizens. All these measures involve some kind of data collection and processing.
These measures are necessary to fight the spread; however, there are a few concerns related to the intrusion of privacy as well. For example, over 136,000 COVID test results of more than 80,000 people were publicly accessible in Germany and Austria. Anyone who creates an account with the software used by the testing centers can access these records. The test certificate has the name, date of birth, address, nationality, and ID number of the people tested. This is an example of mismanagement of people’s records and a cause of serious concern. Similarly, vaccination records or certificates also contain users’ PII, which could be at risk if not protected.
Another change that the pandemic has brought is remote working. Since most workplaces have been closed, employees are working remotely. Remote working means the likely use of unsafe networks and personal devices that may not have the same protection level as the official ones. This poses a great risk to the privacy of the business’s customers who have shared their data with them. With many industries moving their operations online and making everything digital, it is difficult to strike a balance between mitigating the crisis and honoring privacy. A survey by IDC revealed that 95.1% of organizations have suffered some kind of cyber attack in the last year and over 80% of these attacks led to data corruption.
COVID-19 apps across the globe account for the largest share of common concerns and issues because of their data collection and tracking practices. Let us look at the security and privacy implications of COVID-19 apps in detail.
Are COVID-19 apps data privacy compliant?
Last year, when the world was facing the disease without any vaccine or cure, technology apps played a huge role in controlling the spread to an extent. The use of mobile apps for contact tracing and self-assessment proved to be effective in raising people’s awareness and controlling the virus spread. However, are they privacy compliant? These apps collect users’ data, such as name, age, gender, and in some cases, sensitive personal data. So, this is a valid question.
The COVID-19 apps mostly use location-based data for identifying whether the user has come in contact with anyone who has tested COVID-positive, or the number of total cases in their proximity. It could also be based on GPS data.
Many third parties are involved in developing the app and maintaining the database. This makes the users’ data vulnerable to misuse. The data may be used for purposes beyond COVID-19 monitoring. Such apps require regular assessment and proper security measures to protect the data collected.
On April 8, 2020, the EDPB published its Recommendations on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis. It discussed the privacy and data protection aspects of COVID-19 mobile apps (or digital tools). Here are the key highlights from the document:
- The Toolbox or mobile app must follow all necessary privacy and data protection principles.
- Use anonymized or aggregated data, wherever possible.
- Apply cybersecurity measures to protect the “availability, authenticity, integrity, and confidentiality of data”.
- Delete data and stop these measures once the pandemic is under control.
- Make privacy settings transparent to ensure trust.
- Put safeguards in place to prevent de-anonymization of data and avoid identification of the users.
- Avoid using data for any purpose other than combating the COVID-19 crisis and avoid third-party sharing.
Other than these, such tools must follow some basic guidelines, such as:
- Obtaining user consent to collect their data.
- Integrating and verifying the security features in the app.
- Avoiding the collection of more data than necessary for the defined purpose.
- Deleting data after its use.
- Avoiding the use of data for any purpose other than related to COVID-19.
- Encrypting data to avoid identification of the users.
- Providing special protection to sensitive data.
Some apps have pledged to respect user privacy. One such initiative was undertaken by the tech giants Google and Apple. In 2020, Apple and Google jointly launched “Exposure Notifications” (rolled out as an in-app setting in the latest iPhone updates) to alert their users of possible exposure to COVID-19. It uses Bluetooth to trace COVID-19 exposure and keep a log once the users opt in for the service. If the user has been exposed, their public health authority will notify them.
Apple and Google’s Exposure Notifications seem to have got the “right to privacy” aspect right as it:
- takes consent to activate the app and share or store data.
- does not collect personally identifiable information.
- does not share data with third parties (Apple and Google do not receive the data either).
- allows only verified public health authorities that meet specific privacy, security, and data control criteria, to use its API.
- generates random, periodically changing identifiers for the phones to avoid the identification of the users.
- allows the users to disable it.
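To make the "random, periodically changing identifiers" point concrete, here is an added Python example (not code from this article, and not Apple's or Google's) showing why such identifiers let phones detect a contact without collecting names or locations. The HMAC-based derivation, the 10-minute rotation period and all function names are assumptions for illustration; the real Exposure Notifications specification defines its own key schedule.

```python
import hashlib
import hmac
import secrets

INTERVAL_SECONDS = 600                          # assumed rotation period (10 minutes)
INTERVALS_PER_DAY = 86400 // INTERVAL_SECONDS   # 144 identifiers per day

def interval_number(unix_time: int) -> int:
    """Index of the rotation interval that contains unix_time."""
    return unix_time // INTERVAL_SECONDS

def new_daily_key() -> bytes:
    """Random per-day key; it stays on the phone unless the user opts to share it."""
    return secrets.token_bytes(16)

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval (assumed HMAC derivation)."""
    msg = b"rolling-id" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

def ids_for_day(daily_key: bytes, day_start: int) -> dict:
    """Map every identifier a phone broadcasts that day to its interval number."""
    first = interval_number(day_start)
    return {rolling_id(daily_key, i): i
            for i in range(first, first + INTERVALS_PER_DAY)}

def find_exposures(heard_ids: set, published_keys: list, day_start: int) -> list:
    """On-device matching: re-derive identifiers from the keys published by
    users who tested positive and return the intervals where one was heard."""
    hits = []
    for key in published_keys:
        derived = ids_for_day(key, day_start)
        hits.extend(derived[h] for h in heard_ids if h in derived)
    return sorted(hits)

# Constructed scenario: Alice and Carol broadcast, Bob's phone logs what it hears.
DAY_START = 1_600_000_000 - (1_600_000_000 % 86400)
FIRST = interval_number(DAY_START)
alice_key, carol_key = new_daily_key(), new_daily_key()
bob_heard = {
    rolling_id(alice_key, FIRST + 50),
    rolling_id(alice_key, FIRST + 51),
    rolling_id(carol_key, FIRST + 90),
}

if __name__ == "__main__":
    # Alice tests positive and consents to publishing only her daily key.
    matches = find_exposures(bob_heard, [alice_key], DAY_START)
    print([i - FIRST for i in matches])
```

Bob's log holds only opaque 16-byte values, so without a published key the entries cannot be linked to each other or to a person, and the match itself is computed on his phone.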
Here is a visual guide of how the app works:
What are the challenges faced by data protection regulators?
The data protection regulators are committed to protecting the rights and freedom of people. COVID-19 has presented an unprecedented challenge to them. Not all the measures taken by health authorities may come under the jurisdiction of data protection regulators; however, all the aspects related to data collection will be regulated by them.
Data protection authorities had to face setbacks as well. Hungary, an EU country, upset data protection authorities by suspending several articles of the GDPR and relaxing notification in view of the “state of emergency” due to the pandemic. The UK government was also found to violate GDPR in the NHS Test and Trace program.
Last year, the UK’s Information Commissioner’s Office (ICO) updated its regulatory approach in response to the COVID-19 pandemic. The update underlines the significance of data protection and privacy and the ICO’s continued regulatory responsibilities in the crisis. The ICO stated that all the data protection principles and standards will continue to apply. However, it will take into consideration the effects of the pandemic, such as economic impact, affordability, or operation restrictions. The levels of fines may be reduced owing to the financial setbacks due to the pandemic.
Therefore, the biggest challenge for data protection regulators in the pandemic is to find a perfect balance between a regulatory and pragmatic approach. E.g., with the delay in operations, many organizations may take longer to respond to their users’ requests for data access or deletion. Or, the changes in operations may lead to non-compliance. In such cases, the regulatory bodies are expected to take measures that protect the users’ data but at the same time, understand the crisis the organizations are in.
The EDPB and the ICO have published guidelines and recommendations for protecting data and privacy. Here are the important details to be noted from them:
- Carry out a risk assessment to identify possible risks and threats to users’ data.
- You should have a legal basis for processing personal data, especially health data (sensitive category). The legal bases are consent, legal obligation, contractual obligation, the vital interest of people, legitimate interest or public interest. Most of the COVID-19 related information collection could be attributed to the public interest. However, being a sensitive type of data, it is also advisable to get user consent, especially for contact-tracing apps.
- Do not collect more data than necessary for your lawful purpose or use it for any other undefined purpose.
- Store data safely and no longer than necessary for processing.
- Encrypt or anonymize personal data and use aggregated data to avoid user identification.
- Ensure appropriate safety measures to avoid decryption of data and breaches.
- Honor the users’ rights, such as data access, deletion and correction. You must respond to them as soon as possible.
- Get a risk response team ready, in case something goes wrong, to respond, investigate, prepare reports and take necessary actions to mitigate the damage.
- Document all processing steps and measures taken, and periodically update the document.
If you want an all-comprehensive checklist, check out good data protection practices for COVID-19 management by Asia Pacific Privacy Authorities (APPA) Technology Working Group (TWG) members. It is a goldmine of resources.
Pandemic or not, data protection and privacy will continue to be important factors while dealing with personal data. COVID-19 just made us underline the importance of it. While data collection may have helped health authorities and similar organizations to serve people, it may also have made the data more vulnerable. Given the weight of the matter, it is not surprising that many different jurisdictions have developed new laws restricting data processing. While these new laws are still being developed, businesses that process personal data will have to be aware of these trends and ensure proper compliance.