Contact Tracing: Balancing Privacy Concerns While Halting the Spread of COVID-19

With the rapid spread of COVID-19, countries around the world are implementing contact-tracing practices, which involve identifying people who may have COVID-19 and notifying those individuals’ contacts for them to get tested and/or quarantined. Although contact tracing is an effective tool to interrupt further transmission of a virus, it raises privacy concerns. Some of these privacy concerns include whether the government authority or private sector partner (e.g., a mobile application service provider) is: (1) providing adequate notice to data subjects regarding the personal data collected, what it is used for, and who it is shared with; (2) obtaining the data subjects’ consent before collecting the personal data; (3) limiting the amount of personal data collected; (4) using the personal data only for its intended purpose; (5) deleting the personal data when it is no longer needed; and (6) providing data subjects certain rights, such as the right to access, correct and delete their personal data. These privacy measures are particularly important in the modern era because contact-tracing mobile applications have the capacity to collect massive amounts of personal data relating to a person’s daily life, including their precise geolocation data, the persons they interact with, and the places they frequently visit, which may include places of worship and political organizations.

In April 2020, the Australian government appears to have addressed these privacy concerns with the launch of its contact-tracing mobile application program, called COVIDSafe. The application, which is voluntary to download and use, works by alerting people if they may have been exposed to the virus based on contacts with others, and informing them if they need to get tested and/or quarantined. To encourage individuals to voluntarily download COVIDSafe, the Australian government tried to ease individuals’ privacy concerns in an April 26, 2020 press release by emphasizing the use of encryption to safeguard the data and the limited access to the personal data: 

All information collected by the app is securely encrypted and stored in the app on the user’s phone. . . . Unless and until a person is diagnosed with COVID-19, no contact information collected in the app is disclosed or able to be accessed. Then, once the person agrees and uploads the data, only the relevant state or territory public health officials will have access to information. The only information they are allowed to access is that of close contacts.

Australia is also transparent about COVIDSafe’s data collection practices, and provides disclosures in its privacy policy regarding the personal data collected, what it is used for, whether it is disclosed to others, and that the personal data will not be retained longer than necessary for contact tracing. Critically, COVIDSafe further offers individuals important data privacy rights, such as the right to access, correct and delete their personal data.

While Australia has taken significant measures to address privacy concerns through its contact-tracing program, other countries have been willing to circumvent privacy issues to aggressively stop the transmission of COVID-19. For example, the Chinese government pulled and processed location data from citizens’ phones without providing notice or obtaining consent. South Korea also used location data tracking to effectively halt the spread of COVID-19. While factors like its single payer healthcare system, population size, mass testing, and pre-existing mask culture likely contributed to curbing the virus, South Korea’s comprehensive contact tracing seems to have played a major role as well. Without providing its residents an ability to opt-out, South Korea collected cell phone GPS data, CCTV footage, and credit card usage data to track its residents and notify individuals who had come into contact with someone who had tested positive for COVID-19. Despite privacy concerns, South Korea’s contact tracing practices have been effective. Since April 2020, Korea has recorded fewer than 100 new daily coronavirus cases. 

In the United States, Virginia was the first state to roll out a contact-tracing app, called COVIDWISE, in August 2020. To balance the need to protect individuals’ privacy through government intrusion and to combat the further spread of COVID-19, COVIDWISE generates a unique “key” for each phone every ten to twenty minutes. If two people have downloaded the app and come within six feet of each other for longer than fifteen minutes (what the Centers for Disease Control and Prevention guidelines deem to be enough exposure to risk transmission), then the phones automatically exchange these keys. The keys are stored in the phone for fourteen days and can identify if the phone owner has encountered an infected person, without revealing the infected person’s identity. The key features of Virginia’s COVIDWISE are the anonymity of the keys and the lack of central storage. The keys are stored on the individual users’ phones and automatically delete after fourteen days.

However, the Virginia app has several drawbacks. First, it is voluntary, not mandatory, to download. The app can only alert a user if he or she has met an infected person who has opted to download the app. Second, while the app will work across state lines, it was developed for the state of Virginia and only Virginia Health Department- verified users will be able to upload a positive COVID-19 result. Across state lines, different users may have different applications that do not connect to Virginia’s COVIDWISE, which limits its efficacy to Virginia residents physically in Virginia.

Efficacy of any contact tracing technology requires mass adoption. Absent a government mandate or endorsement of a single contact tracing application, mass adoption of a tracing solution among United States citizens may prove difficult unless the government can convince the public to participate through an effective public relations campaign. The United States has the additional challenge of 50 potential contact-tracing systems, rather than just one in Australia. Ultimately, it will be up to each state to determine whether it is willing to circumvent privacy issues to aggressively tackle COVID-19 or adopt a less effective contact-tracing program that respects privacy rights.