The world is collectively rushing to curb the coronavirus (COVID-19), and much of the research conducted shows that the best way to stop the spread of the virus is through identifying infected individuals, and isolating the contacts of the infected people through contact tracing. A team of researchers at The University of Oxford has advocated (as per website reference) for an approach that taps into smartphone data to track the spread of infection, which will allow people who have been exposed to be contacted and warned. While contact tracing may be a mainstay of controlling infectious diseases like COVID-19, it also raises issues of data privacy and protection.
Some questions come up spontaneously: Who is in control of such information and apps? What laws are able to protect me? What can they do with my information once the pandemic is over?
Some countries that have first implemented smartphone tracking for the control of COVID-19:
- Mainland China
In many cities across China, the government has required citizens to install software (The Alipay Health Code) on their smartphones. The app assigns individuals a colour code of red, yellow, or green to indicate their health status – travel freely, home isolation for 7 days, or two-week quarantine respectively. The software grants access to personal data, which sends the data subject’s location, city name, and an identifying code to the police, though the link to police is not made very clear in the app. The data is thus able to draw automated conclusions to contagion risk. In other cities, citizens must register their phone number with an app in order to take public transportation.
- South Korea
The method used in South Korea tracks individuals’ smartphone location data, phone records, and credit card data to produce a publically available map. Other citizens are thus able to check whether they have crossed paths with an infected individual. The government also regularly issues regional text messages with details of infected individuals, including information such as the name, age, and places they had previously visited.
Surveillance measures approved by the Israeli Prime Minister in mid-March allows Israel’s Security Agency to track individuals’ phones without a court order. In a similar manner to South Korea, it allows movements of individuals who have tested positive for COVID-19 to be traced and identifies people who may have crossed paths.
Is sharing smartphone data an effective measure?
The methods used in South Korea and China have been reportedly an effective measure. However, it has also reportedly caused fear in Chinese citizens, due to fear of isolation, or arbitrary application of colour codes based on their province. In South Korea, authorities have shared movements of individuals who tested positive for COVID-19, which in some cases have resulted in public shaming. Sir Patrick Vallance, the Chief Medical Officer of the U.K., has stated that the most useful period for location tracking had passed, and the concept “would have been a good idea in January”.
Risks linked to sharing smartphone data
While apps sharing smartphone location may be able to prevent the further spread of COVID-19, more sensitive information may be gleaned from location data. There has also been concern that governmental use of smartphone location data during the current pandemic will prove difficult to step back when the pandemic subsides.
Data Privacy and COVID-19 recent developments in other countries:
As the virus continues to spread, many Privacy Commissioners are lifting data restrictions to allow health officials to better track the outbreak.
The Singapore Government introduced an app Trace Together, which uses Bluetooth signals exchanged between phones, detecting other users of the app within 2 metres. Developed by Singapore’s Government Technology Agency and the Health Ministry, the app allows users to alert the government if they are confirmed to be infected with the virus; the government is then able to identify other users who have been in close contact with the positive user. While the concept of contact tracing is similar to that used by China and South Korea, data stored on the user’s phone is encrypted, and the app will not access information such as the user’s location. The app is also non-compulsory, but encouraged by the local government. The iOS App Store description states that the app’s functionality will be suspended after the epidemic subsides.
- European Union
Certain mobile carriers have shared location data with health authorities in Italy, Germany, and Austria to ensure that social distancing measures are being followed by citizens. Data protection for member states of the European Union is regulated by the General Data Protection Regulation (“GDPR”) in addition to any national data protection laws. Shared location data used by the aforementioned countries is aggregated and anonymous to protect the data privacy of individuals. The German Federal Commissioner for Data Protection and Freedom of Information – Ulrich Kelber – stated to Reuters that tracking-based systems should undergo analysis to ensure an acceptable level of data protection, and be proportionate in that collection serves the intended purpose, and whether there is a less intrusive option available.
- United Kingdom
The Information Commissioner’s Office (“ICO”) has issued a statement clarifying that U.K. data protection laws do not prevent processing of personal data where it is for the purpose of protecting against threats to public interest. While there are currently no measures to utilise phone location data, The Guardian has reported that UK mobile operator BT is in talks with the Government to use location data from smartphones to create maps of anonymised data to track the spread of the virus. The Deputy Commissioner of the ICO has stated that “where [generalised location data] is properly anonymised and aggregated, it does not fall under data protection law because no individual is identified … privacy laws are not breached as long as the appropriate safeguards are in place.”
- United States
The U.S. has no federal privacy law. Reports state that the government has been in discussion with large-scale tech companies, such as Google to “explore ways that aggregated anonymized location information [can] help in the fight against COVID-19.” Aggregated data assists in determining the number of people in a specific area at a point in time. Additionally, while a representative for Facebook states that there have been no requests for location data from the U.S. Government, the company has been “briefing the Centres for Disease Control and Prevention on how it creates de-identified data maps to help researchers track diseases.” However, on 28th March, the Wall Street Journal first reported that the “U.S. federal government, through the Centres for Disease Control and Prevention (“CDC“), has started to receive analyses about the presence and movement of people in certain areas of geographic interest drawn from cellphone data.” The data would be stripped of identifying information, but create a portal from compiled phone geolocation data, showing locations which were still drawing crowds, and can “reveal general levels of compliance with stay-at-home or shelter-in-place orders” or assist in predicting upcoming outbreak zones.
Unlike the UK, data was not provided by cellphone carriers, but rather by the mobile advertising industry. There was no response to requests for comment by the CDC and the White House. Google also announced on 3rd March its plans on to publish a series of “Community Mobility Reports” that reveal portion of data on people’s movements across 131 countries and regions, including the U.S., with a detailed breakdown of each state.
The situation in Hong Kong
In Hong Kong data privacy is regulated by the Personal Data (Privacy) Ordinance, Cap. 486 (“PDPO”). In general, personal data collected must comply with the six Data Protection Principles (“DPP”), which we have already discussed in previous articles related to Data Privacy. However, the Privacy Commissioner for Personal Data (“Privacy Commissioner”) notes in a statement that the right to personal data privacy is not absolute; it is subject to other competing rights or interests, such as the right to life, and interests of the public (such as public health) – including the prevalence of infectious disease.
As the control of COVID-19 is currently a global priority, individuals who have tested positive for the virus may legally be tracked (without need for consent from the individual) via their smartphones to reveal their location. However, the authorities have indicated that consent was obtained from quarantined individuals before their movements are tracked, to ensure that they are complying with the quarantine measures.
The Compulsory Quarantine of Persons Arriving at Hong Kong from Foreign Places Regulation (Cap. 599E) was gazetted on 18th March; as the title suggests, it imposes 14-days compulsory quarantine orders on all persons arriving from places outside of China, regardless of the individuals’ nationality and travel documents used. Beginning on 14th March, inbound travellers to Hong Kong were also issued Bluetooth wristbands at the airport; the wristbands connected to their smartphones via an app, “Stay Home Safe (居安抗疫)” synced with Bluetooth. After individuals fill in a mandatory Health Declaration Form, a QR code is issued to present to the Immigration Department on arrival, which will be scanned using the app. However, users need to input their phone number, which will provide a pin via SMS that must be entered to log in. Connected text messages are also sent via SMS, requesting the app user to respond within an hour; where the user misses the stipulated deadline, a call will follow up.
Janis Wong, a PhD candidate studying law, tech and ethics in data science at the University of St. Andrews documented her arrival to Hong Kong in a series of Tweets. Wong shared screenshots of access permissions that may be requested by the app on an Android phone, which included items such as “connect and disconnect from Wi-Fi”, “have full network access”, or even “read” or “modify or delete the contents of your SD card,” contrary to the statement in the Government’s guide that “the app will not read any information in your smartphone” and the “detection and analysis of environmental signals do not involve collection of personal data.”
Due to the monitoring requirement, individuals in mandatory quarantine are not permitted to turn off their smartphones at night, so that the app can continue to operate. Many users left 1 star reviews on the iOS app store, stating their frustrations with troubles logging into the app and the unavailability of the help hotline provided, amongst other complaints.
In its iOS App Store description, the app is described to apply “big data analytics and artificial intelligence technologies, in conjunction with electronic wristband, to ensure without infringing on personal privacy that the confinee stay in the designated location during the quarantine period. When the mobile app finds the location of the confine suspicious, it will follow up immediately.” Developed by the Office of the Government Chief Information Officer of Hong Kong Special Administrative Region, the login page of Stay Home Safe disclaims that “user will automatically opt-out from all camera, Bluetooth and background location permissions after 14 days.” The information about the app states that it may “use your location even when it isn’t open.” In a guide issued by the Government, it states that the app detects and analyses “environmental communication signals at your dwelling place, such as Bluetooth, Wi-Fi and geospatial signals in the neighborhood, and their respective strengths.” However, the government claims that the app poses no privacy concerns, as it uses “geofencing technology”, sampling the strength of communication signals in the home rather than GPS location tracking. The Personal Information Collection Statement (“PICS”) for the app states that the “personal data provided will be used by the Department of Health for the purpose of preventing the occurrence or spread of an infectious disease” pursuant to the Prevention and Control of Disease Ordinance, Cap. 599, and information provided may be disclosed to other governmental departments or unspecified “relevant parties.” The PICS does not state the retention period.
During the pandemic, governments must ensure that the methods used are no more than necessary, proportional with the purpose, and legal. Transparency from authorities as to the methods of processing our personal data will benefit data subjects and increase accountability and citizens’ confidence in their government. While the use of location-tracking technology can assist in the time of crisis, such as we are experiencing with COVID-19, the most significant data privacy issues lie in the time beyond the pandemic. Authorities should be clear as to the data retention period, what will happen to the app following the pandemic, and assure that the personal data provided is not misused.
If you would like to understand more on the business and legal implications for your organization and as individuals related to the COVID-19 pandemic, you can contact Hugill & Ip’s Data Privacy team of solicitors.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.