Response to the COVID-19 pandemic has been a “triage emergency situation,” said California Sen. Scott Wiener, D-San Francisco, and the privacy implications of data use, contact tracing, surveillance and other response measures is “sort of like fixing the plane while you are flying it.
“We were told that in order to open up states, you have to have massive testing, easy testing, contact tracing, followed by quarantine or isolation,” Wiener said during a recent panel discussion hosted by The Bar Association of San Francisco, titled “Privacy Implications of ‘Solving’ Pandemics.” “The system gets set up and then the privacy implications get thought about, hopefully, maybe at the same time or afterward.”
That’s the problem and the challenge during the COVID-19 crisis, Hogan Lovells Partner Melissa Bianchi said.
“We all have experience thinking about these data issues, but we don’t have time now to have the detailed discussions, at least over a long period of time as we have to move quickly given the nature of the crisis,” she said. “One of the challenges I see is how do you collect the data and use it for research purposes, for public health purposes, without creating unintended consequences.”
Wiener and Bianchi joined Electronic Frontier Foundation Senior Staff Attorney Lee Tien and Co-Director of the Berkeley Center for Law and Technology Professor Ken Bamberger discussing the value of data in pandemic response, its collection and use in efforts to limit the spread of the virus, like contact and location tracing and exposure notification, and whether information can be collected and accessed securely while still fighting the spread.
A public health epidemic in today’s day and age has much more technical infrastructure available than previous crises, placing a high value on data, Tien said. While mining that data is believed to be valuable in the response, there must be a “corresponding level of transparency and accountability,” he said. That’s a piece missing today, he added, as in some response, data is being collected without individuals understanding or having control over how it will be used and maintained and without knowing whether it will ultimately be useful in response to the crisis.
Privacy legislation has been proposed in relation to the pandemic. Senate Republicans introduced the COVID-19 Consumer Data Protection Act, while Democrats introduced the Public Health Emergency Privacy Act, and there have been proposals at the state level, as well, like in Kansas where the Legislature passed the Contact Tracing Privacy Act.
Bianchi said it’s important to be mindful of the unintended consequences of legislative restrictions on data, adding she worries that proposals may be unintentionally restrictive of public health uses of data needed to move past the COVID-19 pandemic.
“We want to build trust and we want to be careful about unintended uses of the data, but we also don’t want to restrict uses of the data that are going to solve this problem now,” she said. “I think contact tracing as part of reopening is key and so we have to be able to do that in order to go back and really reopen society and figure out how to do that in a way that supports public health and allows us all to reopen in a safer way, pending a vaccine. But until then, we really have to use contact tracing. I worry about shutting down too much use of the information in order to create that use and privacy balance.”
While legislation and regulations have an important role, decisions about privacy, fairness and efficacy of data are made in the design process of pandemic responses, Bamberger said. Are systems mandatory or voluntary? Do they track location and health data, or are they measuring proximity using Bluetooth technology? Is data decentralized? Who has access to it, and who is it shared with?
“We want to get the information for specific purposes of promoting public health, but it’s true all the time that privacy is contextual,” he said. “We need to be really clear upfront. These design decisions are sticky. Once they are in place, you can’t really go back and retrofit the whole technology system you have designed, so we kind of have to decide now, totally on the fly, on the plane while we are fixing it, what the pieces are that are in place.”
Limits on collection, use and storage of data also need to have “some teeth behind them” in terms of enforcement, Bamberger said.
“I think it’s important to go one step beyond notice, which is to say we are making a decision as a society to say these uses have societal benefits and you just can’t use this data for other uses, and that has to be put into law,” he said. “We need a way to both put into place the limits within which you would get notice and give consent and at the same time, we need a way to enforce them.”
While federal privacy legislation has been stalled for years, Bamberger said both proposals before Congress include key components privacy advocates have said are needed in regulation, and they will have long-lasting implications for privacy. Both the COVID-19 Consumer Data Protection Act and Public Health Emergency Privacy Act include protections for individual rights and require consent to process data and that data collection be kept to a minimum.
“Maybe one of the lasting impacts of COVID-19 will not be ‘OK, in case of an emergency, we can take all of your data,’ and as we move forward, that’s going to be the new norm. But, maybe, it’s the notion that, ‘Wow, this stuff is serious,’” he said.
Photo by engin akyurt on Unsplash