X

Coronavirus pandemic changes how your privacy is protected

Data protection officials around the world are loosening rules on how your data can be used during the COVID-19 outbreak.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
9 min read
Person wearing a face mask next to a stoplight sign that reads "photo enforced"

Privacy protections around the world are getting lifted during the coronavirus outbreak.

James Martin/CNET

As the coronavirus pandemic gets worse, privacy commissioners are lifting data restrictions for health officials to keep track of the outbreak. A review of policy changes around the world shows that data protection agencies are prioritizing lives over privacy, and it could be a sign of what's to come for the US.  

In Hong Kong, the city's privacy commissioner said in February that authorities would track quarantined people with their permission via smartphone tracking. In the UK, the Information Commissioner's Office gave an advisory on enforcement as recently as March 12. The Global Privacy Assembly, a group of more than 130 data protection authorities, noted changes surrounding data privacy brought on by the pandemic in at least 27 countries. 

The organization said it's committed to making sure people's data is not abused.

"We are confident that data protection requirements will not stop the critical sharing of information to support efforts to tackle this global pandemic," the GPA's executive committee said in a statement on Tuesday. "The universal data protection principles in all our laws will enable the use of data in the public interest and still provide the protections the public expects."

The changes to guidelines have varied across countries, but a clear trend has emerged. In regions where conditions are worst, officials are focusing on public health over privacy. That's led some governments to use phone location data to track the coronavirus' spread and decide on how to quarantine communities affected by COVID-19, the respiratory illness caused by the virus. 

The method, used in China and South Korea, has been lauded as successful. The World Health Organization has discussed how public health surveillance can provide an early warning for outbreaks and allow for effective policies. 

At a media briefing on March 16, the WHO's director-general, Tedros Adhanom Ghebreyesus, said there needed to be more technological measures for tracking the coronavirus outbreak. 

"We haven't seen an urgent enough escalation in testing, isolation and contact tracing, which is the backbone of the COVID-19 response," he said. "You cannot fight a fire blindfolded. And we cannot stop this pandemic if we don't know who is infected." 

 But the tracking carries privacy risks because location data can reveal a lot of sensitive information about our lives. The US is considering similar measures and could rely on data collected by Facebook , Google and other companies. That's raised concerns among some legislators, including Sen. Ed Markey, a Democrat from Massachusetts. 

Unlike many countries, the US doesn't have a sole office tasked with data privacy issues. Still, government agencies are altering privacy standards to deal with the coronavirus outbreak. On Tuesday, the Department of Health and Human Services said it was waiving penalties for violations related to health data privacy standards so more doctors could video chat with patients

If changes enacted in other countries are an indication, further loosening of US privacy protections could be on the way. The government has already consulted with the tech industry about ways to use aggregated data to determine population density, according to a person familiar with the discussions. Requests for data, however, could get more specific if the pandemic worsens in the US.

The Trump administration didn't respond to a request for comment.

"With the pandemic, government, companies and research institutions are scrambling to respond in a way that makes optimal use of information about individuals' whereabouts and health conditions, while maintaining our democratic values and civil liberties," Omer Tene, vice president of the International Association of Privacy Professionals, said in a statement. "In contrast, in its response, China could weigh heavily on the side of public safety, throwing individual rights under the bus. For us, this isn't a plausible approach."

Trace Together app

The TraceTogether app from Singapore's government uses Bluetooth on people's phones to track who they've been in contact with. 

Screenshot by Alfred Ng / CNET

Asia

The epicenter of the coronavirus outbreak is Wuhan, China, a city about 570 miles north of Hong Kong. 

Hong Kong, which experts say has contained the virus' spread, has fewer than 170 cases and four deaths, thanks to its drastic measures to track and quarantine those with the disease. Those measures include using location data to track people's movement during its quarantine, and checking in to make sure people are staying place if quarantined. 

Authorities obtained consent from people under quarantine before tracking them, according to Hong Kong's privacy commissioner. It's unclear how that consent was obtained. 

On Feb. 12, the agency said health crises were exempt from its privacy laws. Protecting lives during an outbreak like the coronavirus is more important than privacy, it said.

"The right to life refers not only to the right of life of the data subject, but also to the right to life of others in society," the Hong Kong data commissioner's office said. "This right is particularly important in epidemics." 

Singapore has taken similar measures, on Friday launching an app called TraceTogether that's designed to build a record of people exposed to a potentially infected person. The app tracks, identifies and keeps a log of those who've been within two meters of each other for at least 30 minutes by using a phone's Bluetooth technology to connect with other devices that have the app installed and Bluetooth enabled. 

"Contact tracing is a key part of our strategy here to limit local spread, and in the contact tracing process, time matters," Janil Puthucheary, minister-in-charge of Singapore's Government Technology Agency, which developed the app, said at a press conference. "The faster the contact tracing process can be initiated and can identify the people at risk, the faster we'll be able to intervene and post quarantines if necessary and limit the spread locally."

The app is voluntary to download, but the country's government has been encouraging citizens to use it as part of a public health effort. Officials said that the data is encrypted locally and the government will only get data from people who give consent. But if you don't give consent, you could be prosecuted under Singapore's Infectious Disease Act.

The government said that it would end the app once the coronavirus outbreak is over, and people will be instructed on how to delete the data stored on their phones

"The engineering that our GovTech team has spent thousands of man-hours on is fairly elegant in the sense that it preserves a fair degree of privacy," Puthucheary said. 

Europe

Man wearing a face mask in Milan, Italy.

In Italy, telecom company Vodafone has been offering location data sets to analyze quarantine efforts.

Marco Piraccini/Mondadori Portfolio via Getty Images

On Thursday, the death toll in Italy rose to 3,405, overtaking China. Ten days earlier, the Italian government changed broad policies, including data policies, to help deal with the coronavirus outbreak. Most of the changes addressed resources for its National Health Service.

Tucked away under "Other Provisions" in the changes, the government noted alterations to how it handles personal data in a national emergency, which Italy declared on Jan. 31. Because of the national emergency, the notice read, restrictions on processing personal data would be lifted until at least July 30. 

Lifting restrictions make it easier to share data, including biometrics and health information, with the government and health workers. Stil, the new provisions aren't open-ended. They are specifically restricted to data that will help manage the COVID-19 health crisis, according to a translation of the notice. 

Vodafone , a major phone provider in Europe, said it is producing an aggregated and anonymized heat map for Italy's Lombardy region, which it said would help health officials understand how the population is moving around. 

"It may become increasingly important for governments to understand people's movements to contain the spread of the virus, especially inside and to/from areas under quarantine," the company said in a statement. "Wherever technically possible, and legally permissible, Vodafone will be willing to assist governments in developing insights based on large anonymised data sets."

A Wired Italy article stated that Facebook  has been providing an anonymized data set of people's movement to the University of Pavia. The data shows the flow of movement from the northern to southern regions in the country on March 7, according to the report. Facebook didn't respond to a request for comment. 

Italy is a part of the European Union, which has its own view on how data privacy should be handled during the pandemic. The EU's General Data Protection Regulation typically requires consent for processing personal data, but it also allows for public health officials to gather that information without permission during epidemics. 

Watch this: Coronavirus and COVID-19: Everything you need to know

On Monday, the European Data Protection Board noted that additional rules still apply to phone location data. The board said that public officials should make sure that location data can be anonymized and collected in a way that doesn't tie it to a specific individual. 

"Data protection rules [such as GDPR ] do not hinder measures taken in the fight against the coronavirus pandemic," said Andrea Jelinek, the board's chair. "However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects." 

Countries managing GDPR compliance have responded differently to the coronavirus outbreak. In Germany, the country's federal commissioner for data protection, Ulrich Kelber, said that "the health of the citizens is now the focus" and the goal is to ensure that privacy laws aren't hindering health measures. 

Ireland's data protection commission said that the coronavirus outbreak presented "unprecedented challenges" and that it would require a "proportionate regulatory approach." The commission also noted possible delays in responding to GDPR requests during the pandemic. 

On Thursday, coronavirus deaths in the UK rose to 144, with 3,269 people testing positive for the disease. The country's Information Commissioner's Office said on March 12 that it would be taking the coronavirus outbreak into account when looking at data privacy violations.

The ICO has told organizations in the UK, which is no longer part of the EU, that it wouldn't penalize them for delays in responding to data requests during the outbreak. 

The Guardian reported that the UK government has been in talks with a mobile company to use phone location data to track its quarantine measures. 

The US 

The US doesn't have a federal privacy law. But several states have passed their own laws regulating how tech companies can use people's data. Already, the coronavirus pandemic has impacted California's Consumer Privacy Act, which went into effect on Jan. 1. 

California's attorney general's office said it would start enforcing the law by July 1, but a group of 34 trade organizations have asked the office to postpone it until Jan. 2, 2021. An adviser to Attorney General Xavier Becerra said that the office was committed to keeping the original deadline. 

The US government hasn't publicly undertaken measures to use phone location data to track the spread of coronavirus. But it's discussed the concept with tech companies that are capable of doing so. 

In an earlier statement to CNET, Google said it was "exploring ways that aggregated anonymized location information could help in the fight against COVID-19." 

On Wednesday, Facebook CEO Mark Zuckerberg said he hasn't spoken with the US government about providing location data. A Facebook spokeswoman on Thursday said that the company has been briefing the Centers for Disease Control and Prevention on how it creates de-identified data maps to help researchers track diseases, but hasn't provided any data to the government. 

"There is no agreement to share people's location data with governments," Facebook said in a statement. "We have not received requests for location data from the US government." 

The Trump administration has been in discussions with major tech companies on how it can use their data to track the coronavirus outbreak, similar to measures that China and South Korea have taken. 

The discussions so far have been about aggregated data, like determining how many people are in an area at certain times, a person familiar with the discussions told CNET. Google already collects and publishes data like this to show how crowded areas are. 

The discussions haven't involved data about specific individuals. 

Still, the person familiar with discussions said the consensus among tech companies is that requests for data could get more specific if the pandemic gets worse in the US. 

"In the absence of a federal privacy law," said Tene, of the International Association of Privacy Professionals, "there's great uncertainty and disarray around the scope of and guardrails around legitimate uses of personal information."

Coronavirus: Scenes from an eerily empty San Francisco

See all photos
The information contained in this article is for educational and informational purposes only and is not intended as health or medical advice. Always consult a physician or other qualified health provider regarding any questions you may have about a medical condition or health objectives.