The Covid-19 pandemic has spawned a number of novel technologies aimed at suppressing the spread of the coronavirus. In China, for example, the most popular messaging and payment apps contain technology that requires a user to provide his or her national identity or passport number, cellphone number, travel history, and physical symptoms.

A centralized system analyzes the data and assigns a color code – red, amber or green – that signals whether a person may safely be admitted to a restaurant, an office building or other public place. It also assigns a QR code to users that indicates where the user has been in the last 14 days. A visit to a questionable location may result in denial of access. There is no public explanation of how the color codes are assigned or what other data is embedded in the QR code.

Other countries have rolled out similar contact-tracing apps, with mixed rates of adoption. In the United States, developers have been quick to promote such technologies, but state and local governments have so far been reluctant to commit to them. Instead, they appear for now to be planning to engage in traditional, labor-intensive contact tracing. New York, for example, has announced plans to hire as many as 17,000 contact tracers.

Meanwhile, employers are eager to adopt best practices for avoiding Covid-19 infections at their facilities as they resume operations. Facilities where workers must come into close contact with each other are especially apt to transform into Covid-19 hot spots. Contact-tracing technologies may help prevent the spread of Covid-19 at these places of business. However, existing and proposed privacy laws may pose some limitations on their use in the United States.

The Health Information Privacy and Portability Act (HIPPA) imposes strict privacy requirements on health providers and their associated entities. However, that law generally does not apply to companies that are not in the health care arena. Thus, if a frozen foods maker were to collect data regarding the blood temperatures of its employees, HIPPA would have nothing to say about it. Other privacy laws might.

Contact Tracing Apps: Centralized or Decentralized?

Public debate about contact tracing apps has focused on whether they should involve a centralized or decentralized database. A centralized system like the one in China might be more effective but also more subject to scope creep or to hacking that could threaten civil liberties or lead to massive identity theft.

Privacy advocates prefer decentralized tracing apps because, among other things, they do not involve the creation of a massive database that may be susceptible to compromise or misuse. They would prefer, for example, a system in which cell phones interacted with one another in providing warnings about Covid-19 rather than a system in which data about who was in proximity with whom would be uploaded to a central repository. Authorities might then use information from a centralized system to disseminate health warnings or for some purpose unrelated to public health.

In April, Apple and Google announced plans to collaborate on a Bluetooth technology that will enable a decentralized approach and allow for contact tracing across their platforms. The companies’ announcement suggests that they will look to others to develop the apps that utilize the new technology. These apps will cause cellphones to emit Bluetooth “chirps” that will be detected by phones in close proximity. Records of these encounters will be stored on the phones, but location data will not be.

When a user is diagnosed with Covid-19, public health authorities may then cause a message to be sent to those who have been in proximity to the patient warning those people of their recent encounter with a Covid-19 victim. The identity of the patient will not be disclosed. The codes used to identify a device will change frequently, thus protecting user privacy.

Google and Apple intend to release APIs in May that will enable developers to create apps that conform to this standard. Later this year, they intend to build this capability into their cellphone operating systems, so that all Android and Apple phones with current OS updates will emit Bluetooth chirps.

The Google-Apple approach quickly gained support from privacy advocates worldwide and caused Germany to reverse course and commit to the same approach. France, meanwhile is tussling with Apple over its refusal to cooperate with the French plan for contact tracing, which would be more centralized than Apple believes to be appropriate.

While the Google-Apple plan has been lauded as decentralized, that is not entirely correct. Apple’s FAQ no. 6 describes a system that will allow health officials to learn who has been in contact with a Covid-19 patient, requiring transmittal of data to a central repository. The system is sensitive to privacy concerns in that location data will not be included, Apple will not have access to the data, and it will not support targeted advertising. Apple intends to make it available only to highly credible public health entities. The system will be disabled when public health concerns no longer require it. Nonetheless, it has an element of centralization.

Apple has expressed concern about potential profiteering by newcomers to public health. Apple’s developer website indicates that it will only accept Covid-19 apps that are submitted from recognized entities such as government organizations, health-focused NGOs, companies deeply credentialed in health issues, and medical or educational institutions.

What’s an Employer to Do?

Contact tracing technology is more effective if its user base is large. The massive market share of Google and Apple makes it probable that apps based upon their collaboration will eventually be the gold standard, and Apple’s commitment to privacy is likely to ensure compliance with most US privacy laws if the system is used as intended.

Businesses that can’t wait for the rollout of apps using this standard should analyze existing apps with regard to these questions:

• What data does it collect? Is it all necessary for Covid-19 purposes?
• Where does the data go?
• Will it be deployed in a state such as California or Illinois that requires specific user consent to the collection of biometric or location data?
  • If it does collect location data of employees in California, the employer must notify the employee that the data is being collected. Even with this notice, there is the possibility of liability in the event that the data is exposed in a data breach and the employer has been negligent in protecting the data.
• If used in the EU:
  • Will it collect location data? The EU is quite ambiguous about whether this is permissible in the Covid-19 context, requiring a review of the local laws of each member country.
• Will it trigger a right to be forgotten? A right to receive a copy of the data? Other GDPR rights?

There are already contact tracing apps and devices on the market targeted at employers. When considering a rollout, companies should pay attention to the app’s data collection and sharing attributes. A survey published in April by the Future of Privacy Forum contains key information regarding six such apps. Many more are on the way.

Both the facts and the law in this area are changing rapidly. A group of four Republican senators announced a plan on April 30 to introduce the “Covid-19 Consumer Data Protection Act” that would:

• Require most companies to obtain express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of Covid-19.
• Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.

• Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
• Direct companies to provide reports to the public describing their data collection activities related to Covid-19.
• Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
• Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the Covid-19 public health emergency.
• Require companies to publish a detailed privacy policy describing their Covid-19 data collection and analysis.
• Require companies to issue a public report once every 30 days stating how many people have had their data collected, processed or transferred, describing the categories of data collected and transferred, and identifying the purpose for each data category and the recipients of transferred data.
• Authorize the FTC and state attorneys general to enforce the Act.

The proposed legislation would be effective only while there is a declared public health emergency in place. Covered entities would be prohibited from collecting more data than is necessary, and the FTC will issue data minimization guidelines. The bill would preempt state law regulating the collection of data for Covid-19 purposes.

While it is not clear that this bill will become law, it sets out a roadmap of best practices when considering the use of a contact tracing app.

Conclusions

The Covid-19 crisis has triggered a new chapter in privacy law, where the concern for public health and the right to privacy conflict. Contact tracing apps are at the tip of the spear. Employers wishing to deploy them now to protect their employees should undertake a serious review of the privacy compliance aspects of the apps that they are considering.

Companies that can afford to wait for the rollout of apps designed around the Google-Apple alliance should, for the most part, be able to rely on the work that those companies are doing to protect privacy.