In an emergency in the area of public health, which is based on the fact that people keep an unsocial distance from each other to avoid the spread of a highly contagious virus for which people do not have existing immunity regimes around the world, they quickly approached technology companies turned to get help.
After all, background tracking is what the business models of many internet giants in the field of ad targeting are based on. While recently in the United States, telecommunications companies have been exposed to exchanging highly detailed location data for commercial purposes.
Some of these anti-data protection practices face ongoing challenges under existing data protection laws in Europe – and / or at least have caught the attention of regulators in the United States, where there is a lack of a comprehensive digital data protection framework – but are pandemic clearly an exceptional circumstance. So we see governments turn to the technology sector for help.
US President Donald Trump is said to have called a number of technology companies into the White House last week to discuss how mobile location data could be used to track citizens.
In the UK, the government is also reportedly in talks with telecommunications companies to map movements of mobile users during the crisis – but not at an individual level. It was reported that they had an early meeting with technology companies to ask what resources they could contribute to the fight against COVID-19.
In other parts of Europe, Italy – still the most affected European nation – has reportedly sought anonymized data from Facebook and local telecommunications companies that aggregate user movements to aid contact tracking or other forms of surveillance.
While there are clear public health requirements to ensure that people follow the instructions to reduce social contact, the prospect of Western democracies like China emerging and actively monitoring citizens' movements raises uncomfortable questions about long-term effects such measures based on civil liberties.
If governments attempt to expand state surveillance powers by relying directly on the private sector to keep an eye on citizens, there is a risk that commercial use of privacy will be cemented at a time when background profiling of Ads have been significantly reduced in their behavior towards web users.
"Unprecedented levels of surveillance, data exploitation and misinformation are being tested worldwide," warns Privacy International, a civil rights campaign group that follows up on what it calls "exceptional measures" taken during the pandemic.
Some examples are telecommunications companies in Israel that exchange location data with government agencies for COVID-19 contact tracking, and the UK government that presents emergency laws that relax intercept command rules.
“Many of these measures are based on extraordinary powers that can only be used temporarily in emergencies. Others use exceptions in data protection laws to share data. Some may be effective and based on advice from epidemiologists, others may not. But everyone has to be temporary, necessary and proportionate, ”he adds. “It is important to keep an eye on them. When the pandemic is over, such extraordinary measures must be stopped and brought to justice. "
If the pandemic worsens, all governments will put more pressure on private consumer data to identify:
1) who is infected
2) who they were in contact with ("contact tracking")
This will be an incredibly slippery slope if we are not careful.
– ashkan soltani (@ ashk4n), March 18, 2020
At the same time, employers could be under pressure to monitor their own employees to try to reduce COVID-19 risks now. This raises questions about how they can contribute to an important public health issue without breaking legal boundaries.
We spoke to two Linklaters lawyers to discuss their view of the rules, which include exceptional steps such as tracking citizens' movements and their health data, and how European and US data regulators have been responding to the coronavirus crisis.
Keep in mind that this is a fast moving situation. Some governments (including the UK and Israel) have passed laws to increase state surveillance powers during the pandemic.
The following interviews were edited for the sake of length and clarity
Europe and Great Britain
Dr. Daniel Pauly, technology, media and telecommunications partner at Linklaters in Frankfurt
The data protection law was not suspended. At least when it comes to Europe. The data protection law continues to apply – without restrictions. This is the basis on which we have to work and for which we have to start. Then we have to differentiate between what the government and employers in particular can do.
It is very important to understand that when we look at them, governments have the means to allow themselves a certain use of data. Because there are opening clauses, flexibility clauses, especially in the GDPR, when it comes to public health concerns, there are cross-border threats.
By using the legislative process, they can introduce further powers. To give you an example, the German government responded by creating a special law – the Corona Virus Notification Ordinance. We have already passed a law that regulates the use of personal data in certain serious infections. And they simply added the coronavirus infection to this list, which means that hospitals and doctors have to inform the competent authority about any COVID-19 infection.
That is quite extensive. You must provide names, contact details, gender, date of birth and many other details so that the competent authority can collect and analyze this data.
Another important topic in this area is the use of telecommunication data – especially mobile phone data. The efficient use of this data could be one of the reasons why it was obviously quite successful in China to reduce the threat from the virus.
In Europe, the government may not simply use cell phone data and movement data – it must first anonymize it, and in Germany and other European countries – including the UK – anonymised cell phone data has been given to organizations that are beginning to analyze this data to get a better overview of it how people behave, how people move and what they have to do to limit further movement. Or to limit public life. This is the government's view, at least in Europe and the UK.
(When Internet companies like Google are asked by European governments to share information about users for corona virus tracking purposes), it must be taken into account that they have not included this in their processing activity records – their privacy notices and information.
At least from a purely legal point of view, this would be a big step – and I wonder if this would be possible without the introduction of special laws by governments.
If (EU) governments used private companies to provide them with data that was not collected for such purposes, this would be a big step, at least from the perspective of the GDPR. I don't know anything like that. I have certainly read that discussions are currently underway with Netflix to reduce net traffic, but I have not heard about the use of Google data.
I would not expect it in Europe – and especially in Germany. Tracking, tracking, and monitoring what they're doing is almost the last resort – so I wouldn't expect that in the next few weeks. And I hope it's over.
(So far) in my view (to the coronavirus crisis) the European regulators have reacted quite reasonably by saying that in particular any response to the virus must be proportionate.
We still have this law in place and we need to take into account that the data we are talking about is health data – it is the best protected data of all. However, there are at least some ways the GDPR allows the government and employers to use this data. Especially when it comes to processing for a significant public interest. Or if it is necessary for the purposes of preventive medicine or for reasons of public interest.
So the legislature was smart enough to include clauses that allow the use of such data in certain circumstances, and there are a number of regulators that have already issued public guidelines for the use of these legal permits. And what they basically said was that it always has to be found on a case-by-case basis whether the data is really needed in the specific case.
To give you an example, it has been clarified that an employer may not ask an employee where he was on vacation – but can he ask if you were in any of the risk areas? And then the sufficient answer is yes or no. You do not need any further data. So it's always a smart way – if you're smart, you get the information you need. It is not the suddenly opened lock gate.
You really need to look at the specific case and find out how to get the data you need. Usually it is a yes or no, which is sufficient in individual cases.
Caitlin Potratz Metcalf, senior US employee at Linklaters and certified data protection specialist (CIPP / US)
Even if you don't have a structured data protection framework in the US – or a special regulator that covers data protection – you have some of the same problems. The FCC (Federal Communications Commission) will take care of companies that take measures that are inconsistent with their privacy policies. And that would be misleading for consumers. Their initial focus is on consumer protection, not privacy, but they have worn two hats in recent years. Therefore, the focus is on data protection, although we do not have a national data protection law (which corresponds to the GDPR of the EU in its scope), but this is done from the perspective of consumer protection.
They didn't impose these fines, but it was announced that they could fine $ 208 million on these four companies: AT&T, Verizon *, T-Mobile, Sprint … so you're taking it very seriously how this data is protected, how it is shared. And the fact that we're in a state of emergency doesn't change this emphasis on consumer protection.
You will see that this also applies to the Ministry of Health and Human Services (HHS) – which is responsible for all medical or health data.
This is really limited to companies that fall under the HIPAA (Health Insurance Portability and Accountability Act) or their business partners. So it doesn't apply to everyone across the board. However, if you are a hospital health plan provider, whether you are an employer and have a group health plan, an insurer, or a business partner who supports one of these insured facilities, you must adhere to HIPAA to the extent that you do so protected health information. And that's a little narrower than the definition of personal data you would have under GDPR.
So you're really looking for identifying information for that patient: his medical status, date of birth, address, things that may be very identifiable and related to the person. But you could share things that are more general. For example, you have a middle-aged man from this county who has tested positive for COVID and is in an XYZ facility being treated and his condition is stable. Or his condition is critical. So you could share this level of detail – but not further.
And so in February HHS published a bullet that emphasized that you cannot override the data protection and security measures within the scope of HIPAA in an emergency. You emphasized to all affected companies that you still have to comply with the law – there are still sanctions. And to the extent that you need to disclose some of the protected health information, it must do so to the minimum. And this can either be communicated to other hospitals or a regulatory agency to curb the spread of COVID and to treat a patient. Therefore, they have listed several different exceptions to how you can share this information without emphasizing the minimum required.
The same goes for an employer – like a group health plan – when trying to share information about employees, but it will be very narrow what it can actually share. And they cannot just make an exception that this serves the public health interest. You don't necessarily have to disclose what country they were in, but only in a region that is on a restricted travel list. So it's about finding creative ways to share the information you need, and if something is less intrusive, you have to go that route.
However, HHS only released another bullet last week that said they would waive HIPAA sanctions and penalties during the nationwide public health emergency. However, it was only aimed at hospitals and therefore does not apply to all companies listed.
They also published another bulletin, saying that they would relax the restrictions on the basic exchange of data on the use of electronic means. Therefore, there are very strict restrictions on how you can exchange data electronically when it relates to medical and health information. This allowed doctors to communicate via FaceTime or video chat and other methods that may not be encrypted or secure. Or communicate with patients, etc. You are giving up or just ameliorating some of the restrictions associated with the electronic transmission of health data.
So you can see the situation is evolving, but you are still taking a very reserved and conservative approach. They really emphasize that you have to fulfill your obligation to protect health data. Here are the strongest implementations. And then the FCC comes up with that from a consumer protection perspective.
Back to the point you mentioned earlier about sharing data with Google (with governments) – you could get there, it just depends on how their privacy policies are structured.
Regarding the persecution of people, we don't have a national law like GDPR to prevent this, but it would also be very difficult to anonymize this data because it is tied to individuals – it's like your DNA. You can assign a person who leaves home, goes to work or school, goes to a doctor's office, returns home – and it really contains very confidential information. Because of all the specific data points, it is very difficult to anonymize and provide it in a format that would not violate a person's privacy without their consent. Even though you may not need full consent in the United States, you still need to be informed and transparent about the policies.
Then it would be a little different if you were resident in California – the degree that the new California law (CCPA) requires you to provide information and to allow individuals to unsubscribe if you disclose their information. In this case, where telecommunications companies may be sued by the FCC for exchanging data with third parties, this would in particular violate the new California law if consumers were not given the opportunity to refuse to sell their information.
So there are many different pieces of the puzzle that fit together, because we have a patchwork quilt for data protection – depending on the different state and federal laws.
I think the government could issue other mandates or regulations (to request telecommunications data for a COVID-related public health purpose) – I don't know that it will. I would rather imagine a call to arms to seek support and support from the private sector. Given the structure of our government, no mandate that you have to share your data. Unless things get incredibly bad, I don't see a mandate for companies to share certain data to track patients.
(If Google uses health-related searches / queries to enrich user profiles that it uses for commercial purposes), health information in and of itself would not be protected.
Google is not a (HIPAA) covered company. And depending on the type of support it provides to covered companies, it may be considered a business partner under certain circumstances that could be subject to HIPAA, but this would not be regulated in the context of mere collection of consumer data.
Perhaps what's interesting for me is the approach Asia has taken – where they have a lot more influence over the commercial sector and data tracking – and you actually have the regulator that steps in and does more tracking, not just private companies. However, private companies can provide tracking information.
You actually see it at Uber. You have given consumers additional privacy notices. As we become aware of a passenger who had COVID or a driver, we will notify people who have been in contact with this Uber for a period of time. They are trying to take the initiative to do their own tracking to protect workers and consumers.
And they can – you just have to be careful how many details you share about personal information. Don't give the names of those affected (say something like) "In the past 24 hours, you may have been in an Uber that has been affected or is known to have an infected person in the Uber".
(When it comes to telehealth platforms and privacy) it depends on whether you are considered a business partner of a covered company. So you may not be a covered entity yourself, but if you are a business partner who supports a covered entity – for example, a hospital or clinic or insurer who shares this data and relies on a telehealth platform. In this context, they would be subject to some of the same data protection and security requirements under HIPAA.
Some of these differ slightly for a business partner from those of a covered company. In general, however, you will assume the role of the covered company if you handle the covered company data and the same restrictions apply to you.
Aggregated data would not be considered as protected health information. You could therefore share (for example) a symptom heat map that does not identify certain people or patients and their health data.
(But) standalone telemedicine apps that collect data directly from consumers are not covered by HIPAA.
This is actually a huge gap in terms of consumer protection and privacy protection with regard to health data. You have the same problem for all health fitness apps – whether it is your Fitbit or other health apps or if you are pregnant and have an app that records your motherhood or your period or the like. All data collected is not protected.
So it is a completely different approach than under GDPR, which is much more comprehensive.
That doesn't mean we may see stricter restrictions in the future, but individuals are free to share this information – and, in theory, should read the privacy policies provided when you sign up for the app. But most users will probably not read this and then this data can be shared with other third parties.
* Disclosure: Verizon is theinformationsuperhighway's parent company