Are Countries Willing To Bend The Privacy Rules To Track COVID-19

Written by: Richard Sheinis, Esq.

Many countries are using geolocation data from phones to track COVID-19.  Singapore, the United Kingdom and Israel have developed their own apps for tracking people’s movements.  In Europe, mobile phone companies such as Vodafone, have agreed to share location data. The European Data Protection Board has appointed a group of experts to develop guidelines for how geolocation data can be used during the COVID-19 crisis.  In the U.S., the $2 trillion stimulus Bill includes $500 million for the CDC to start a new surveillance and data collection system to monitor the spread of COVID-19.

Some states are getting in on the act.  The Kansas Department of Health and Environment is using a social distancing dashboard recently launched by Unacast, a location data and analytics firm, that uses phone GPS data to show the spread of COVID-19.  Google is lending a hand by using anonymized GPS data collected from mobile devices that opted into location tracking services.  This data is then used to show trends of how busy certain types of locations may be.  Google publishes Community Mobility Reports that show movement trend differences at country, state, county or regional levels.

The $64,000 question is whether all of this tracking complies with privacy laws of the various countries and jurisdictions, or if the COVID-19 crisis is allowing privacy laws to be bent, if not broken.  Since each country has their own privacy laws, the use of geolocation data must be evaluated based upon the applicable laws.  For instance, the European Data Protection Board has stated that Articles 6 and 9 of the EU General Protection Regulation already allow for the sharing of data in the interest of public health.

Almost every privacy law allows for the sharing of personal information if it has been deidentified or anonymized.  However, we are left to representations of companies sharing the data, that it has been anonymized prior to sharing.  Are these statements trustworthy or are they simply platitudes?  One organization, Privacy International, is tracking these measures so that at some point, we can evaluate if privacy laws were followed or discarded.

In the end, the analysis will likely be similar to the analysis of COVID-19 itself.  Have countries respected their own privacy laws, or should privacy laws be revised to allow for the sharing of personal information when faced with a global crisis?  Lastly, will this sharing of geolocation data, whether anonymized or not, become the new normal, or will we return to the strict views of privacy that were prevalent prior the COVID-19 crisis?