Another Victim of COVID-19: Your Personal Information

April 1, 2020 In Blog, News, Privacy, Technology By Charles Wollman

As the number of COVID-19 cases and governmental responses pour into our newsfeeds at a dizzying rate, the legal implications follow in kind. This post intends to highlight the emerging data privacy issues and briefly outline some of the latest developments.

Countries without strong data privacy laws—including China, South Korea, Russia, Israel and India—are using technologies like facial recognition and cell phone tracking to identify possible infections and enforce quarantines.^[1] The European Union has so far has largely avoided such measures since its exceptionally tough GDPR rules likely require individual consent to implement those tracking procedures.^[2] In one notable exception so far (which may foreshadow how other countries respond if their situation worsens^[3]), Italy has recently approved emergency provisions to their red tape.^[4] The United States, which lacks clear federal data privacy regulation,^[5] is reportedly in talks with major data companies about some form of data tracking.^[6] Whether governments keep the data anonymized (rather than target individuals) remains a key sticking point for data privacy concerns.^[7]

Employers are also struggling as they attempt to balance the privacy of one employee with the safety of the others. When an employee has been infected, EU and U.S. employers can share only a generalized precautionary message to relevant employees, not the identity of the employee—a tricky task in some circumstances.^[8] While U.S. employers are allowed to test employee temperatures and ask whether employees have traveled to certain high-risk countries,^[9] EU countries have taken diverse and more limited approaches.^[10] For example, Italy only allows medical checks to be administered by medical professionals, not by company employees.^[11] France rules out temperature checks altogether^[12] and Ireland requires proof of “strong justification” before questioning employees about travel.^[13] Expect countries to modify these rules as they enter their own “ upward curve” of the pandemic.

With much of their workforce now working remotely, companies are also wary of compromising protected information of its clients and employees, as well as its own.^[14] Many businesses lack a robust and secure technological remote interface for accessing and sharing data.^[15] Other businesses may have some system in place, but not enough of its employees are sufficiently trained to use it safely or their system lacks the capacity to properly support so many users.^[16]

The pandemic especially challenges those companies already in the process of revamping their data protection measures under the new rules implemented under California’s Consumer Privacy Act (CCPA) on January 1. California is unlikely to formally postpone CCPA adoption, as requested by several industry groups, but experts believe good-faith compliance errors relating to the pandemic will not face prosecution.^[17]

Healthcare providers and facilities handling coronavirus patients also must carefully follow disclosure regulations relating to a patient’s status. The U.S. Department of Health and Human Services issued an important “bulletin” about patient privacy (governed by HIPAA rules) and the virus.^[18] Among other rules, it permits disclosure without patient authorization to and at the direction of certain government authorities, as well as to those at particular risk due to contact with the patient.^[19]

As many countries expect conditions to worsen over the coming weeks and months, these data privacy challenges—and new ones—will continue to grow as well.

Footnotes[+]

Footnotes
1	See Josephine Wolff, How to (Carefully) Use Tech to Contain the Coronavirus, N.Y. Times (Mar. 25, 2020) https://www.nytimes.com/2020/03/25/opinion/coronavirus-privacy-phone-data.html [https://perma.cc/4U5A-NVKE].
2	Location Data, Information Commissioner’s Office, https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/location-data [https://perma.cc/HNC4-QF46]; see also 2016 O.J. (L 119) 679.
3	Watchdog Approves Use of UK Phone Data to Help Fight Coronavirus, The Guardian (Mar. 27, 2020), https://www.theguardian.com/world/2020/mar/27/watchdog-approves-use-uk-phone-data-if-helps-fight-coronavirus [https://perma.cc/73E6-ZPDM].
4	See Natasha Singer and Choe Sang-Hun, As Coronavirus Surveillance Escalates, Personal Privacy Plummets, N.Y. Times (Mar. 24, 2020) https://www.nytimes.com/2020/03/23/technology/coronavirus-surveillance-tracking-privacy.html [https://perma.cc/M3X3-ZTBR]; Alfred Ng, Coronavirus Pandemic Changes How Your Privacy Is Protected, CNET (Mar. 21, 2020) https://www.cnet.com/news/coronavirus-pandemic-changes-how-your-privacy-is-protected [https://perma.cc/TK3S-28VW].
5	Comprehensive Federal Privacy Law Still Pending, Nat’l L. Rev. (Jan. 22, 2020) https://www.natlawreview.com/article/comprehensive-federal-privacy-law-still-pending [https://perma.cc/5ZWK-MB8J].
6	Tony Romm et al., U.S. Government, Tech Industry Discussing Ways To Use Smartphone Location Data To Combat Coronavirus, Wash. Post (Mar. 17, 2020) https://www.washingtonpost.com/technology/2020/03/17/white-house-location-data-coronavirus [https://perma.cc/R9RC-4MBU].
7	Craig Timberg and Drew Harwell, Government Efforts To Track Virus Through Phone Location Data Complicated By Privacy Concerns, Wash. Post (Mar. 19, 2020) https://www.washingtonpost.com/technology/2020/03/19/privacy-coronavirus-phone-data [https://perma.cc/7NQW-ZPUY].
8	Interim Guidance for Businesses and Employers to Plan and Respond to Coronavirus Disease 2019 (COVID-19), Centers for Disease Control and Prevention (last accessed Mar. 28, 2020), https://www.cdc.gov/coronavirus/2019-ncov/community/guidance-business-response.html?CDC_AA_refVal=https%3A%2F%2Fwww.cdc.gov%2Fcoronavirus%2F2019-ncov%2Fspecific-groups%2Fguidance-business-response.html [https://perma.cc/2G6X-SJWB].
9	Bonnie Puckett and Simon J. McMenemy, Maintaining Employees’ Privacy During a Public Health Crisis, Nat’l L. Rev. (Mar. 3, 2020) https://www.natlawreview.com/article/maintaining-employees-privacy-during-public-health-crisis [https://perma.cc/Q8HE-T6HL].
10	Tess Blair et al., Coronavirus v. GDPR: Suspending Data Privacy Protection During Civil Crisis – The eData Guide To GDPR, Morgan Lewis LLP (Mar. 10, 2020), https://www.jdsupra.com/legalnews/coronavirus-v-gdpr-suspending-data-85584 [https://perma.cc/C2FJ-RM4B].
11	Neil Hodge, Advice For European Compliance Officers Dealing With Coronavirus, Compliance Week (last accessed Mar. 28, 2020) https://www.complianceweek.com/europe/advice-for-european-compliance-officers-dealing-with-coronavirus/28609.article [https://perma.cc/U5AL-G8FC].
12	Coronavirus (Covid-19): Reminders From The CNIL On The Collection Of Personal Data, Nat’l Comm’n for Info. Tech. and Liberties (CNIL) (Mar. 6, 2020), https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles?mod=article_inline [https://perma.cc/C9K8-RMDL].
13	Data Protection and COVID-19, Data Protection Comm’n (Mar. 6, 2020), https://www.dataprotection.ie/en/news-media/blogs/data-protection-and-covid-19?mod=article_inline [https://perma.cc/VZP7-JF8D].
14	Daniel R. Stroller & Sara Merken, Employee Remote Work Amid Coronavirus Risks Security Flaws (1), Bloomberg (Mar. 5, 2020), https://news.bloomberglaw.com/privacy-and-data-security/employee-remote-work-amid-coronavirus-may-reveal-security-flaws [https://perma.cc/P4WB-ED6Y].
15	Mark McCreary, Webinar: COVID-19 Privacy Concerns & Response Strategies, Fox Rothchild LLP (delivered on Mar. 17, 2020).
16	Id.
17	Lori Tripoli, CCPA, SHIELD Act to Take Back Seat During Coronavirus Pandemic?, Compliance Week (last accessed Mar. 28, 2020), https://www.complianceweek.com/data-privacy/ccpa-shield-act-to-take-back-seat-during-coronavirus-pandemic/28659.article [https://perma.cc/3SEC-EUX8].
18	BULLETIN: HIPAA Privacy and Novel Coronavirus, Office for Civil Rights, U.S. Department of Health and Human Services (February 2020) https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf [https://perma.cc/XA9U-8X9K].
19	Id.

Charles Wollman

Charles Wollman is a second-year J.D. candidate at Fordham University School of Law and a staff member of the Intellectual Property, Media & Entertainment Law Journal. He is also a member of the Vis International Commercial Arbitration Moot Court Competition Team. He holds a B.A. from Yeshiva University.

Another Victim of COVID-19: Your Personal Information

Another Victim of COVID-19: Your Personal Information

Share this:

Related

Charles Wollman