Newly Released COVID-19 Privacy Bills Would Regulate Pandemic-Related Data
By Pollyanna Sanderson (Policy Counsel), Stacey Gray (Senior Policy Counsel) & Katelyn Ringrose (Christopher Wolf Diversity Law Fellow)
Yesterday afternoon, leading House and Senate Democrats introduced the Public Health Emergency Privacy Act. The Democratic-led bill, which was introduced by Senators Blumenthal and Warner, as well as Representatives Eshoo, Schakowsky and DelBene, follows the May 10th introduction of a similar COVID-19 data protection bill by leading Senate Republicans. Although the bills are similarly broad in scope and substantively robust, they contain a few important differences.
Both the Democratic-led and the Republican-led COVID-19 privacy bills introduced so far are motivated by an urgent need to build public trust in the use of personal data to address the current pandemic. For example, recent research shows a marked lack of trust among the American population when it comes to their digital privacy amid the COVID-19 pandemic.
Below, we summarize the Public Health Emergency Privacy Act’s (1) scope of covered data and entities; (2) legal requirements; and (3) a few key differences from its Republican counterpart.
BROAD SCOPE OF COVERED DATA
The Democratic-led Public Health Emergency Privacy Act would create new substantive obligations for a broad range of covered entities processing data to address COVID-19, both public and private, including non-profits and employers with respect to data collected about their employees.
The Act would apply to:
Any private/public sector entity except public health authorities and HIPAA-covered entities, and service providers, if they collect or process “emergency health data.”
“Emergency health data” is defined as data linked, reasonably linkable, or inferred to an individual that concerns the public COVID-19 health emergency, including: health-related data, geolocation, proximity data, demographic data, and contact information. Such data includes test results; an estimated likelihood of a COVID-19 positive status; and other genetic data, biological samples, and biometrics.
The Act would not, however, apply to manual contact tracing and case investigation by public health authorities or their “designated agents.”
LEGAL REQUIREMENTS
The Act contains a variety of blanket prohibitions (such as a prohibition on using COVID-19 data for commercial purposes), as well as a few affirmative obligations (such as reporting) on companies, non-profits, and other covered entities.
Covered entities would be prohibited from:
Collecting, processing, or disclosing emergency health data except to the extent that it is “necessary, proportionate, and limited” for a good faith public health purpose (data minimization);
Using emergency health data for: (1) commercial uses, including e-commerce or advertising; (2) offers of employment, finance, credit, insurance, housing, or education opportunities; or (3) discrimination in any place of public accommodation.
Covered entities would be required to:
Obtain affirmative express consent (and provide the opportunity to revoke such consent);
Provide individuals with a mechanism to correct inaccurate information;
Provide transparency about data practices in a privacy policy, and publish public reports every 90 days (for covered entities that collect data of over 100,000 individuals);
Practice “reasonable” security measures; and
Destroy data 60 days after the close of the public health emergency, as defined by the Secretary of HHS (or 30 days after an individual revokes consent).
The Act includes a broad research exemption for public health or scientific research associated with COVID-19 when such research is carried out by a public health authority, nonprofit organization, or an institute of higher education. Furthermore, the Act would not prohibit research, development, manufacturing, or the distribution of COVID-19 related drugs or vaccines.
The Act does not preempt state laws, and includes a private right of action with tiered remedies according to whether the violation is negligent ($100-$1,000), or reckless, willful or intentional ($500-$5,000).
COMPARISON TO SENATE REPUBLICANS’ COVID-19 PRIVACY BILL
Last week, Senator Roger Wicker, the Republican Chairman of the Senate Commerce Committee, introduced a similarly broad privacy bill with leading Senate Republicans, the COVID-19 Consumer Data Protection Act of 2020.
The two bills contain many similarities, including a requirement that covered entities obtain “affirmative express consent” to collect or process COVID-19 data, a requirement for recurring deletion, and a data minimization requirement that data should not be collected beyond what is necessary and proportionate to public health needs.
We observe a few key differences between the Republican-led bill and this week’s Democratic-led bill:
Broader Scope of Covered Entities: The Democratic-led bill would govern a broader scope of covered entities, applying to both private (commercial) and public (government) entities, including non-profits and common carriers, with a few limited exceptions. In contrast, Senator Wicker’s proposal would govern only commercial entities, and would exclude most COVID-19 data collected by employers about their employees.
Broader Scope of Data: The Democratic-led bill would cover a broader scope of data, including publicly available data. In contrast, Senator Wicker’s proposal contains exemptions for de-identified, aggregated, and “publicly available information,” defined as “information widely available to the general public,” including information from a telephone book or online directory, video, internet, or audio content, or the news media or a website that is available to the general public on an unrestricted basis.
Exemption for Research: The Democratic-led bill would seem to create a remarkably broad exemption for data processing for “public health or scientific research,” so long as it is conducted by non-profits, universities, or public health authorities. In contrast, Senator Wicker’s bill does not have an explicit research exemption.
Strong Anti-Discrimination Protections: The Democratic-led bill would prohibit uses of covered data for discriminatory purposes (in the context of employment, finance, credit, insurance, housing, or educational opportunities), and would prohibit discrimination in places of public accommodation (such as restaurants, educational institutions, hotels, or retail stores), on the basis of COVID-19 related data. Furthermore, the Act would require HHS, the FTC, and the US Commission on Civil Rights to produce recurring reports examining the civil rights impact of the collection, use, and disclosure of covered data. In comparison, Senator Wicker’s bill is much more limited, and would only require the FTC to cooperate with other government agencies when it obtains information that a covered entity may have processed or transferred covered data in violation of federal or state anti-discrimination laws.
Preservation of Existing State Laws: The Democratic-led bill would preserve existing state laws that create stronger privacy protections. In contrast, Senator Wicker’s bill would broadly preempt all differing state laws, regulations, rules, requirements, and standards that relate to the same data practices covered in the bill.
Individual Enforcement: The Democratic-led bill includes a private right of action for individuals to challenge violations in court, with tiered remedies according to whether the violation is negligent ($100-$1,000), or reckless, willful or intentional ($500-$5,000). In contrast, Senator Wicker’s proposal provides for exclusive enforcement by the Federal Trade Commission and State Attorneys General.
As noted, there are some significant differences between these two proposals. We expect additional bills to emerge as more legislators put forward ideas to address COVID data issues, including some that may be more narrowly tailored to specific use cases. And, as the HR Policy Association recently pointed out, hundreds of existing local labor and employment laws and regulations already apply to COVID-related activities.
In an op-ed this week calling for legislation, Commissioner Christine Wilson quoted the words of Samuel Johnson: “When a man knows he is to be hanged in a fortnight, it concentrates his mind wonderfully.” We hope the pressure to pass legislation during this crisis can bridge the political divides in Congress, but we also hope legislators appreciate the ongoing urgency of broad comprehensive data protection legislation.
FPF Charts DPAs’ Priorities and Focus Areas for the Next Decade
DPAs across the European Union (EU) are in a unique position to shape the future of digital services and how they impact individuals and societies both through their outstanding enforcement powers and through their policymaking. To address the complexities of digital services and individual rights in the new decade and beyond, several DPAs have published strategic and operational plans, and have set new data protection policy goals to meet these challenges head-on.
Co-authors Charlotte Kress, Rob van Eijk, and Gabriela Zanfir-Fortuna of FPF reviewed twelve publicly available strategic plans, roadmaps, and outlines to identify the top priorities and focus areas of DPAs during the coming decade and beyond. The authors also reviewed recently-released DPA guidance regarding COVID-19.
Their findings indicate that both the local DPAs and the EDPB are concentrating on guidelines for the consistent application of the GDPR, which aligns with ongoing harmonization efforts across the EU and the European Economic Area (EEA), aiming to:
clarify how (relatively) recent technologies and business practices should operate under the GDPR;
prepare for the implications and proliferation of newer technologies, such as artificial intelligence and automated decision-making; and
protect those most vulnerable to the risks of data use practices such as data profiling.
National DPAs identified key topic areas as focus points for enforcement actions arising from DPAs’ “own motion,” such as advertising & marketing, health, and banking & finance. In addition, DPAs’ strategies most commonly enumerated policy-related topics such as artificial intelligence and children & youth privacy.
The summary of findings is a vital resource for understanding how European data protection and privacy law, enforcement, and policy will take shape in the years to come. The inclusion of COVID-related strategies and priorities provides a holistic view of what has become the new, unexpected focus area of DPAs across the continent.
Machine learning-based technologies are playing a substantial role in the response to the COVID-19 pandemic. Experts are using machine learning to study the virus, test potential treatments, diagnose individuals, analyze the public health impacts, and more. Below, we describe some of the leading efforts and identify data protection and ethical issues related to machine learning and COVID-19, with a particular focus on apps directed to health care professionals that leverage audio-visual data, text analysis, chatbots, and sensors. Based on our analysis, we recommend that AI app developers:
“Machine Intelligence (MI) is rapidly becoming an important approach across biomedical discovery, clinical research, medical diagnostics/devices, and precision medicine. Such tools can uncover new possibilities for researchers, physicians, and patients, allowing them to make more informed decisions and achieve better outcomes. When deployed in healthcare settings, these approaches have the potential to enhance efficiency and effectiveness of the health research and care ecosystem, and ultimately improve quality of patient care.”
Now – with the development of the pandemic resulting from the spread of the coronavirus (COVID-19), medical providers, institutions, and commercial developers are all considering whether and how to apply machine learning to confront the threat of this current crisis.
AI, some of which is based on machine learning, is being incorporated into the first lines of defense in the pandemic. Leading epidemiologists insist that we can only succeed in projecting the spread of the virus, and thus take steps to combat this crisis, if we: 1) know who has the disease; 2) study the data to reliably predict who is likely to get it; and 3) use existing data to inform the resource and supply chain in the short and long terms. From triage at hospitals, to scanning faces to check temperatures, to seeking to track the spread using individual data, various organizations are using machine learning based algorithms of varying levels of complexity and sophistication.
In general, effective AI can either replicate what humans can do faster and more consistently (look at CCTV cameras, detect faces, read CT scans and identify ‘findings’ of pneumonia that radiologists can otherwise also find) or do things that humans can’t do (such as rapidly comb through thousands of chemical compounds to identify promising drug candidates). As the disease spreads, we see medical researchers around the world rushing to make sense of available data, facing the need to complete reliable analysis in a timeframe that is useful to others. In a recent paper, Artificial Intelligence Distinguishes COVID-19 from Community Acquired Pneumonia on Chest CT, a group of Chinese doctors took the data from the first months of the outbreak there to attempt a model that could provide automatic and accurate detection of COVID-19 using chest CTs. Their goal in the study was to develop a fully automatic framework to detect COVID-19 using only these regular chest scans and to evaluate its performance. Their study concluded that a deep learning model can accurately detect COVID-19 and differentiate it from other lung diseases. Others have pushed back against these claims, however, with concerns that the model was overfit to the COVID-19 data subjects, although it was still an impressive feat given the speed and circumstances, and is likely a useful tool to a more measured degree.
Researchers from Carnegie Mellon considered an early version of COVID Voice Detector, an app that would analyze a user’s voice to detect an infection. Although since put on hiatus, this proposed application demonstrated the variety of “out of the box” ways in which diagnosis is being approached. The app assigns a score to each voice sample based on similarities to voices of those diagnosed with COVID-19. If implemented, the app will depend on crowdsourcing, collecting training data via voice samples from both healthy and infected individuals. By analyzing the voice beyond what the human ear can hear, it would identify vocal biomarkers that will enable the healthcare community to gain insights on the symptoms and hopefully the onset of COVID-19. The app works by using artificial intelligence to analyze the voice and correlate it with the symptoms of COVID-19. An alert is then triggered describing early symptoms and ways to monitor at home using only a smartphone.
Machine learning can also help expedite the drug development process, provide insight into which current antivirals might provide benefits, forecast infection rates, and help screen patients faster. The Canadian start-up BlueDot first identified the emergence of COVID-19 by citing an increase in pneumonia cases in Wuhan, using an ML natural language processing program that monitored global health care reports and news outlets.
Many of these new and expedited applications are possible because of the compilations springing up of lists of datasets and use cases of machine learning applied to coronavirus. Consideration of these datasets and analyses points out the importance of incorporating review and involvement from scientists, such as biologists, chemists, and other appropriate specialists, so that the integration of data is done competently (asking the right questions, designed to solve the actual problems) and to ensure that outcomes do not contribute to the false information springing up around pandemic conversations (e.g., gargling hot water, which turns out not to be helpful).
Ethical implications abound as well. This emergency is creating real-life examples of commonly posed challenges to AI systems. Should AI help make life-or-death decisions in the coronavirus fight? Chinese researchers say they have developed an AI tool that can assist doctors in triaging Covid-19 patients. It analyses blood samples to predict comparable survival rates. But this raises complex questions about whether survivability/treatability should be a deciding factor in triage prioritization, and likewise about the age of the patient, a doctor’s intuition, or how to design a formula that incorporates and weights several such factors. It is possible that AI can assist in the steps of this process even if not used as the final determinant; that is, it can help identify quickly which markers (in blood, for example) correlate most with survival rates, seriousness of condition, and so on.
Similar ethical and practical considerations arise when considering whether AI can responsibly provide medical assistance at an individual level. What if people ask a digital assistant or go online to a chatbot from a provider, insurer, or other platform?
Hospitals, public health agencies, and commercial health companies are seeking accessible ways to screen patients, such as online symptom checkers, which could allow them to screen themselves for signs of COVID-19. The question is whether these AI-based access points can keep healthy people from inundating emergency rooms while still protecting those who need care. There is an important risk/benefit analysis in providing useful care to patients while not being overly exclusive or allowing the spread of harmful misinformation. Amazon announced that Alexa can now assist users in determining whether they might have contracted the virus by asking a series of questions related to travel history, symptoms, and possible exposure to COVID-19. Alexa also offers advice to users based on the Centers for Disease Control (CDC) recommendations. Other features include singing a 20-second song to help time how long people should wash their hands.
The emergence of AI/ML in medicine also creates regulatory challenges, such as which medical AI/ML-based products should be reviewed as medical devices or services, and what evidence should be required to permit marketing for AI/ML-based software as a medical device (SaMD). The U.S. Food and Drug Administration recently proposed a discussion paper to address some of these issues, and a Nature.com paper responded by arguing that evaluation should be focused on assessing whole systems rather than individual ML-based products.
Finally, AR (augmented reality) and VR (virtual reality) technologies are other AI-based systems that aim to provide services for COVID-19 patients and educate others. One example is USA Today’s “Flatten the Curve: A Week in Social Distancing” AR app. The app accesses the device camera and overlays an AR city onto a blank surface. The user addresses situations while moving through the city and must choose between two options to learn how to maximize effective social distancing.
Other AR/VR platforms provide for COVID-19 patients to engage in group therapy. XR Health recently announced a VR telehealth support group, virtually bringing together COVID-19-positive patients along with medical professionals. The team behind XR Health hopes the VR experience will improve on traditional teleconferencing to increase the therapeutic benefits of interaction, encouraging patients to share personal experiences and emotions.
Political and structural responses:
The White House announced the launch of the COVID-19 High Performance Computing Consortium with the goal to advance the pace of scientific discovery by funding research proposals with this aim.
Meanwhile, Stanford University is hosting COVID-19 and AI: A Virtual Conference to address this public health crisis by convening experts to advance the understanding of the virus and its impact on society, not just AI applications in diagnostics and treatment and forecasting of the spread of the virus, but also information and disinformation, and the broader impact of pandemics on economies, culture, government, and human behavior. C3.ai, an AI company based in California, recently founded a research consortium called the C3.ai Digital Transformation Institute, including leading academic institutions, Microsoft, and C3.ai, with the goal of tackling challenges posed by COVID-19 using AI. Strategies might include tracking the spread of the virus, predicting its evolution, repurposing and developing new drugs, and fighting future outbreaks.
As a further shared resource, there are numerous tracking resources on AI and COVID-19 on GitHub and on Google’s data science competition platform Kaggle, and the COVID-19 Open Research Dataset (CORD-19), created in collaboration between Microsoft, the Allen Institute for AI, the National Institutes of Health (NIH), and the White House Office of Science and Technology Policy (OSTP), contains news reports, research studies, available data sets, and more.
II. Analysis of COVID-19 Apps for Health Practitioners
Healthcare practitioners, from physicians to radiology technicians, are grappling with the practical difficulties of working in the high-stress, resource-constrained environment brought about by the COVID-19 pandemic. Calls by practitioners and concerned politicians focus on the need for low-tech solutions (e.g., face masks), conventional technologies (e.g., ventilators), and high-tech tools (e.g., AI-enabled rapid triage) to help these workers protect themselves and serve their patients. A range of existing high-tech tools, specifically those using artificial intelligence, are already part of the landscape of tools available to practitioners. What are some of those AI tools? And what forms of artificial intelligence power them?
We review below some of the apps and tools available to healthcare practitioners, some of which were already deployed prior to the pandemic, but are now described as having new capabilities based upon COVID-19 data use.
Voice Data
Suki is an “AI-powered voice assistant” used by physicians to record and auto-complete clinical notes, whether for patients suspected of COVID-19 disease or for ordinary clinic visits. Suki is described as powered by AI and machine learning, specifically natural language processing, which enables the system to “understand the context of the doctor’s practice and learn the doctor’s preferences. Suki determines intent and accurately selects from similar terms”. Because Suki data is highly sensitive, being derived from clinical interactions and health records, the data is described as “encrypted in-transit and at-rest with modern ciphers and maximum strength cryptography. Real time analysis is conducted to detect anomalies or suspicious software behavior, to protect against breaches”. Based upon information available on their website, Suki “is currently free to all Urgent Care, Hospitalists, Critical Care, pop up & triage clinics and locum physician assignments until May 31”.
Kara, a product for iPhones produced by Saykara, is another form of physician voice-enabled assistant that has recently been augmented with COVID-19 specific uses and availability. Described by some as “Alexa for doctors”, this voice-to-text app automates the process of updating medical records in real time, interfacing with multiple charting systems (e.g., EPIC). This “ambient” system “listens, interpreting conversations with patients, so you (physician) can enter a room, treat the patient and be done charting”. Within the context of the COVID-19 pandemic, Kara has recently been described as “test-piloting the solution” specifically designed to accommodate the charting of remote patient encounters (e.g., telehealth). Improving charting during telemedicine encounters may improve the quality and granularity of health data available for novel and normal medicine. Kara is also available for limited free use by contacting the company.
EPIC, the electronic health records giant, has a similar voice enabled virtual assistant with new information allowing for monitoring of COVID-19 patients specifically. EPIC has notably partnered with app developers to create symptom apps and to share its EHR data with a select group of organizations striving to improve AI and other data-driven COVID-19 responses.
Other Audio Data
Eko is an “AI powered stethoscope”. Eko’s cardiac products use deep neural networks to differentiate between normal and abnormal sounds produced by blood flow through the heart. Likewise, neural networks built upon extensive databases of labeled electrocardiogram (ECG, aka EKG) data detect abnormal heart rhythms. The otherwise conventional stethoscope has been embedded with learning systems to ingest and analyze heart and lung sounds, to ensure effective monitoring of cardiopulmonary function in patients using telemedicine functions. On the front lines, Eko offers practitioners directly treating patients a suite of products that allow for “wireless auscultation” of the heart and/or lungs. This gives practitioners wearing significant amounts of protective equipment the ability to listen to their patients at a distance.
Building audio-data-based AI tools is also bringing in startups, such as Cough for the Cure, which are developing tools to score individuals’ likelihood of suffering COVID-19 disease based upon the sounds of their cough. A similar tool is being developed by Coughvid. If developed, such a tool might help practitioners engage in more accurate triage of patients who present with cough as a symptom.
Video
Whether the use of thermal-scanning face cameras counts as use of video data could be debated. The Care.ai suite of “autonomous monitoring sensors for healthcare” uses computer vision tools, including facial recognition (and emotion and intention detection), to support an “always on” platform for monitoring patients’ status, practitioner-patient engagement, behaviors and events pertinent to regulatory compliance, and building administrative data records. This suite of sensor tools is now leveraging thermal scanning capability to “look for fevers, sweating, and discoloration”. The specific AI tools used to interpret thermal imaging, and how this does or does not integrate into the neural-network-driven data that is a normal part of the Care.ai suite of tools, are not obvious, however.
Image
The initial discussion of the power of AI for addressing COVID-19 diagnostics arose from the powerful uses of AI when analyzing radiological data in China. Deep learning techniques were used to analyze x-rays, Computed Tomography (CT), Magnetic Resonance Imaging (MRI), and Positron Emission Tomography (PET) scans, to identify lesions or speed image interpretation time. English-language reporting of similar efforts to develop neural network techniques, such as convolutional neural networks, for image recognition is appearing with increasing frequency in venues such as Radiology.
Development of deep learning to improve speed and accuracy in interpretation of diagnostic imaging, such as chest x-rays for patients with suspected pneumonia, is accelerating through innovations by companies such as behold.ai. Behold.ai used deep learning to develop its “red dot” algorithm, which creates heatmaps identifying areas of concern for superimposition onto chest x-rays. Behold.ai posits that its “red dot algorithm trained on over 30,000 CXRs with detailed annotations from certified radiologists” catalyzes interpretation, comprehension, and action based upon images.
BioMind AI, already identified as using deep learning for classification of lesions in the brain, uses neural network models to perform image segmentation, reconstruction of images, and automated reporting of recommendations based on interpretation of images.
Text
While deep learning for images helps speed diagnostics on the basis of imaging, laboratory tests continue to be a significant component of COVID-19 diagnostics. Surgisphere, developer of the QuartzClinical healthcare data analytics platform, has developed a “decision support tool” using a “machine learning model” that uses “three common laboratory tests to identify patients likely to have coronavirus infection”. This tool leverages increased data-sharing collaboration between healthcare systems to increase the sample size of COVID-19 patients.
JVion is a clinical AI platform built on the concept of modeling individual patients’ proximity to known risks, which are approximated with “The Eigen Sphere engine” or “an n-dimensional space upon which millions of patients are mapped against tens-of-thousands of Eigen Spheres. Each Eigen Sphere comprises patients who clinically and/or behaviorally demonstrate similarities”. The JVion COVID Community Vulnerability Map uses multiple forms of data, including de-identified patient records, Census information, population statistics, and socioeconomic data (e.g., access to employment), to create a community-level view for “identification of the populations at risk”. Unlike other AI tools that use neural networks or are built for diagnosis and treatment of individual patients, JVion’s suite of tools is built for reduction of patient and community risks based upon mathematical modeling incorporated into the background of other predictive modeling.
Using similar mapping technology built upon GIS data from multiple sources, such as Esri, HERE, Garmin, and USGS, together with county-level data, Definitive Healthcare built a mapping tool to identify the number of licensed and staffed hospital beds available. This healthcare data analytics company does not promise to use AI tools, but incorporates many of the sources of data already used by others who do make explicit claims to their uses of AI. Qventus provides similar bed capacity mapping resources to track the available hospital infrastructure capacity. Qventus also offers an analytics dashboard to assist in COVID-19 planning.
ChatBots
Microsoft Azure is the backbone of the new CDC COVID-19 chatbot, Clara. Using the customizability of Microsoft’s healthcare bot service, the CDC built this widely available chatbot for individuals to use when making decisions regarding their pursuit of additional healthcare services for diagnosis or treatment of COVID-19. Other health systems, such as Providence, are using Microsoft’s tools to build chatbots for individuals to understand their own risk and, if needed, to connect them to providers. Whether powered by Azure or other platforms, the quality of COVID-19 chatbots is reported to be uneven, possibly due to the fast pace of the data streams used to train them.
Another conversation-engine based application, developed by Curai, uses text data to help patients understand and explain their symptoms, and physicians to understand patients. Using NLP, deep learning, and knowledge base tools, Curai tools help patients and practitioners interact in both telemedicine and direct contact environments.
Sensors
Biofourmis, known from early discussions of COVID-19 monitoring in Hong Kong, re-tooled its Biovitals Sentinel platform and its Everion biosensor to help monitor patients under home quarantine. This suite of sensors, “including optical, temperature, electrodermal, accelerometer and barometer”, forms the major components of the Biovitals Sentinel dashboard platform.
The Oura ring is a biosensor that is being used in a limited study for tracking healthcare workers’ biometric data. In the ongoing study, Oura ring users are responding to symptom surveys to determine whether biometric data can help to “identify patterns that could predict onset, progression, and recovery in future cases of COVID-19.”
While not designed for monitoring of healthcare workers specifically, Scripps Research is conducting research to determine if any of the many wearable devices that monitor health data, such as heart rate, can be used to predict or monitor COVID-19 infections.
What should AI app developers do to respond to the COVID-19 pandemic?
Responding to the needs of healthcare practitioners during the COVID-19 pandemic is undeniably a whole-community effort. What can individuals who are working in the AI space do to help healthcare practitioners? What AI tools can others, such as the manufacturing community, use to help healthcare workers now?
Responding to calls from policy experts, and even from the White House, data scientists, machine learning experts and artificial intelligence experts are gathering as a community to derive new insights for guiding drug development, diagnostic apps, contact tracing, information production and tracking, and more. The COVID-19 pandemic is also prompting AI startups to pivot towards building products that meet patient and practitioner needs. Engaging with Kaggle competitions and other competitions, such as drug discovery competitions, and working with epidemiologists, physicians and other relevant domain experts is the most obvious way to help those at the sharp end of the pandemic.
However, there are more “ordinary” things that AI/ML experts can do right now while waiting for optimal partnership opportunities. In brief, these are:
Improve FAIRness of the data
Code check the apps
Validate the models of existing systems
Improve confidence in recommendations
AI/ML and other data experts know well that the quality of any system built is predicated on the quality of the data. In the context of COVID-19, where data in general is relatively limited and there are only a few trusted repositories, such as the CDC Collection, C3.ai’s data lake, WHO’s research database, CORD-19, Go.Data, the SAS GitHub repository or the Functional Genomics Platform, finding the material to build systems can be a serious challenge. While synthetic data may be useful in this space, more basic efforts to improve data should be revisited. As data experts and others, such as the National Academies, pointed out repeatedly in 2018 and 2019, the lack of quality, interoperable, FAIR and ethically reusable data holds back the performance of AI systems in health. Improving the quality of the metadata attached to COVID-relevant data sets is the task of organizations such as GO FAIR’s VODAN or CEDAR. Interfacing with these specific initiatives is one way to help, but improving the FAIRness of data sources generally, even those whose utility is not yet known, is also an area in which data experts can contribute.
The rush to build applications for COVID-19 response and preparedness may increase the number of products that are beautiful but ultimately not useful. Some performance problems may be due to developers skipping the quotidian task of code checking in order to launch their applications. Detecting those performance problems will require both openness of the code that powers the systems and open use of human and machine code analysis tools to find and debug problems. For those specifically curious to help evaluate the utility of some of the AI products described above, it is worth noting that there were no obvious pointers to code (e.g. on GitHub) or to supporting AI/ML research (e.g. via PubMed) for these products, with Curai being the exception.
Model validation is an ongoing task for performance tracking of any learning system. Validating any model is difficult, but validating models with small amounts of training or testing data of varying quality, changing numbers of relevant parameters and changing performance expectations is especially challenging. Validating the usefulness of a model’s output for its end users is another important validation task.
Across the globe, individuals and groups are grappling for actionable recommendations. One way that AI/ML experts are helping researchers improve confidence in their hypotheses is by participating in Kaggle competitions that use NLP to build literature reviews for research development. For resources aimed at front-line practitioners, the degree of confidence a practitioner should place in a recommendation produced by a learning system emerges only through use in a setting where recommendations lead to positive outcomes. However, aggregating the success rate of a particular app to understand how wide a confidence interval should be attached to a recommendation remains an ongoing challenge.
European Union’s Data-Based Policy Against the Pandemic, Explained
Benefitting from a mature and largely harmonized data protection legal framework, the European Union and its Member States are taking policymaking steps towards a pan-European approach to enlisting data and technology against the spread of COVID-19 and to support the gradual restarting of the economy. Here is an overview of the key recent events essential to understanding the EU’s data-based approach against the pandemic:
Early on, the European Data Protection Supervisor (EDPS), which is the supervisory authority for the EU institutions and bodies and also the consultative body on EU legislation that may impact data protection, issued Comments on the European Commission’s plan to obtain telecommunications data from telecommunications service providers to monitor the spread of COVID-19 (March 25), and also issued a public call for a pan-European approach against the pandemic (April 6).
Following a detailed Recommendation issued by the European Commission on April 8, the eHealth Network, a voluntary network providing a platform of Member States’ competent authorities dealing with digital health, published a week later a common EU Toolbox for Member States on contact tracing mobile applications.
The Presidents of the European Commission and the European Council (which brings together the heads of state or government of the EU Member States) published on April 15 an exit strategy, the Joint European Roadmap towards lifting COVID-19 containment measures, in which the first two of seven proposed measures are based on the collection and use of data.
The Commission also issued guidelines specifically on how these mobile applications should be designed and implemented to respect data protection requirements (April 16).
The European Parliament adopted, on April 17, a resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences, including specific recommendations and even ‘demands’ for certain safeguards around contact tracing applications, including a decentralized approach.
The European Data Protection Board (EDPB), the EU body bringing together the heads of all Data Protection Authorities (DPAs) in the EU, meaning the only authorities competent to enforce data protection law within Member States in both the public and private sectors, published its Guidelines on contact tracing apps and the use of telecommunications data to fight the effects of the pandemic, and its Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (April 23). These guidelines come after several other instances where the EDPB quickly provided its view on related pressing issues: a letter to the Commission responding to a consultation on the Commission’s data protection guidelines mentioned above, and a Statement on the processing of personal data in the context of the COVID-19 outbreak, with a focus on the employer-employee relationship.
This report looks more closely at each of these guidelines, opinions, recommendations and resolutions, to analyze the solutions they propose for processing personal data through contact tracing apps or for creating heat maps based on mobility data in support of lifting COVID-19 containment measures in the EU, and their data protection implications (see Table 1 for a list of the relevant documents in chronological order). This contribution looks solely at EU-level policy, which will trickle down to national level. The responses of national data protection authorities will be analyzed in a second part. It is important to keep in mind that the EDPB acts as the link between EU-level, agreed-upon data protection policy and national implementation.
1. Preamble: Scientists were here first
Before the calls and guidelines of policymakers at EU level favoring a pan-European approach, scientists and researchers across Europe (from several EU Member States, but also from Switzerland and the UK) were the first to rally around a pan-European technical solution for contact tracing apps, at the end of March, initially as part of a broader pan-European project (in the meantime, that broader project appears to be losing partners and support because of a lack of transparency, including about its original conveners, and because of differences among scientists on whether centralized or decentralized solutions are preferable).
A lot of attention is now paid to one protocol developed initially under that umbrella but which became independent: the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol. This protocol was developed by ‘over 25 scientists and academic researchers from across Europe’ and ‘it was also scrutinized and improved by the wider community’ after being published. The DP-3T project is ‘an open protocol for COVID-19 proximity tracing using Bluetooth Low Energy functionality on mobile devices that ensures personal data and computation stays entirely on an individual’s phone’ (a decentralized solution). The protocol is being implemented in a ‘soon-to-be-released, open-sourced app and server’. Its data protection and security claims are scrutinized and open to feedback on GitHub.
Apple and Google announced a joint program early on in this debate that supports the creation of infrastructure on their platforms suited for the decentralized approach to contact tracing, leaving a centralized approach with few technical options for implementation.
Officials from Switzerland (non-EU, but an ‘associated country’), Austria (EU) and Estonia (EU) have announced that they plan to implement the DP-3T protocol. But other Member States, like France (which even called on Apple and Google to modify their decentralized framework) and Italy (where the debate is still ongoing), are pushing for a different architecture for a national contact tracing app, based on centralization of information, mimicking the real-life contact tracing conducted by public health authorities, which relies on centralizing and identifying all the contacts a person who tested positive recalls having been in touch with. These decisions are currently being taken at national level, with the debate shifting every day.
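To make concrete what ‘personal data and computation stays entirely on an individual’s phone’ means in the DP-3T design described above, and how that differs from the centralized architecture some Member States favor, here is an added Python example written for this page; it is not DP-3T’s own code nor the project’s open-sourced app. It follows the published DP-3T construction in outline (a daily secret key advanced by hashing, short-lived ephemeral identifiers derived from that key, diagnosed users uploading only the key of their first contagious day, and matching done locally on each phone), but it uses HMAC-SHA256 in counter mode as the PRG, leaves out Bluetooth, the health-authority authorization of uploads and the protocol’s exact key and epoch parameters; all of these are assumptions of this example. The three phones, their encounters and the day numbers are constructed inputs. The retention pruning illustrates the kind of storage limit the Commission guidance in Section 5 asks for.

```python
"""Decentralised proximity tracing in the style of DP-3T (illustrative, simplified)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

EPOCHS_PER_DAY = 96   # 15-minute broadcast epochs per day (DP-3T default)
RETENTION_DAYS = 14   # keys and observations older than this are discarded on the phone
EPHID_LEN = 16        # bytes per ephemeral identifier


def derive_next_key(sk: bytes) -> bytes:
    """SK_{t+1} = H(SK_t): keys are derived forward; an earlier day's key cannot be recovered."""
    return hashlib.sha256(sk).digest()


def ephemeral_ids(sk_day: bytes) -> list[bytes]:
    """Expand one day key into that day's EphIDs.
    DP-3T computes PRF(SK_t, "broadcast key") and stretches it with a PRG; HMAC-SHA256 in
    counter mode stands in for the PRG here (an assumption of this example)."""
    prf_out = hmac.new(sk_day, b"broadcast key", hashlib.sha256).digest()
    return [hmac.new(prf_out, epoch.to_bytes(4, "big"), hashlib.sha256).digest()[:EPHID_LEN]
            for epoch in range(EPOCHS_PER_DAY)]


@dataclass
class Phone:
    name: str
    day_keys: dict = field(default_factory=dict)   # day index -> SK_day (never uploaded unless reported)
    observed: list = field(default_factory=list)   # (day, EphID) heard over BLE; never uploaded

    def __post_init__(self) -> None:
        self.day_keys[0] = secrets.token_bytes(32)  # random initial key generated on the device

    def key_for_day(self, day: int) -> bytes:
        for d in range(max(self.day_keys) + 1, day + 1):
            self.day_keys[d] = derive_next_key(self.day_keys[d - 1])
        return self.day_keys[day]

    def broadcast(self, day: int, epoch: int) -> bytes:
        return ephemeral_ids(self.key_for_day(day))[epoch]

    def hear(self, day: int, ephid: bytes) -> None:
        self.observed.append((day, ephid))

    def prune(self, today: int) -> None:
        """Retention limit: drop keys and observations older than RETENTION_DAYS."""
        self.key_for_day(today)
        self.day_keys = {d: k for d, k in self.day_keys.items() if today - d < RETENTION_DAYS}
        self.observed = [(d, e) for d, e in self.observed if today - d < RETENTION_DAYS]

    def report_positive(self, first_contagious_day: int) -> tuple[int, bytes]:
        """Upload only the key from which the contagious-period EphIDs derive, not a contact list."""
        return first_contagious_day, self.key_for_day(first_contagious_day)


class BackendServer:
    """Holds nothing but the (day, SK) pairs uploaded by diagnosed users."""

    def __init__(self) -> None:
        self.published = []

    def publish(self, report: tuple[int, bytes]) -> None:
        self.published.append(report)

    def download(self) -> list[tuple[int, bytes]]:
        return list(self.published)


def exposures(phone: Phone, server: BackendServer, today: int) -> int:
    """Runs on the phone: regenerate every EphID a reported key could have produced and
    intersect with what this phone heard. The server never sees the observations."""
    seen = set(phone.observed)
    hits = 0
    for start_day, sk in server.download():
        for day in range(start_day, today + 1):
            hits += sum(1 for ephid in ephemeral_ids(sk) if (day, ephid) in seen)
            sk = derive_next_key(sk)
    return hits


def run_demo() -> dict:
    """Constructed scenario: three phones, three encounters, one diagnosis."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    server = BackendServer()
    encounters = [(0, 5, alice, bob), (3, 10, alice, bob), (4, 20, bob, carol)]  # (day, epoch, A, B)
    for day, epoch, a, b in encounters:
        a.hear(day, b.broadcast(day, epoch))
        b.hear(day, a.broadcast(day, epoch))
    today = 15
    for p in (alice, bob, carol):
        p.prune(today)  # the day-0 encounter now falls outside the retention window
    server.publish(alice.report_positive(first_contagious_day=2))
    return {
        "bob_exposures": exposures(bob, server, today),      # heard alice on day 3 -> 1
        "carol_exposures": exposures(carol, server, today),  # never near alice -> 0
        "server_records": len(server.download()),            # one (day, key) pair, no contact graph
        "bob_observations_after_prune": len(bob.observed),   # day-0 observation discarded -> 2
    }
```

Note what the backend holds after `run_demo()`: a single (day, key) pair and nothing else. The observations that together would form a contact graph never leave the phones, which is the property the Parliament’s ‘all storage of data be decentralised’ demand and the Commission’s remark that the decentralised solution is more in line with the minimisation principle are pointing at. A centralized design would instead require every phone to upload the identifiers it heard so that the server could perform this intersection, which is exactly the aggregate view the eHealth Network’s Toolbox credits to the centralized option.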
2. The European Data Protection Supervisor: Early call for Digital Solidarity in the EU
The EDPS’ first call for a European approach relying on data to fight the pandemic came in the Comments the institution issued on March 25 in response to a consultation from the European Commission on a proposal to rely on telecommunications data, shared by service providers, to monitor the spread of COVID-19. The EDPS called for ‘an urgent establishment of a coordinated European approach to handle the emergency in the most efficient, effective and compliant way possible’, considering that fragmentation at national level may stand in the way of effectiveness. The EDPS also pointed out in the Comments that ‘data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics.’
As for the safeguards proposed for the use of telecommunications data, they focused on transparency about the data sets to be made available by telecommunications service providers and how they will be used; anonymization to the extent possible, and aggregation of data; contractual accountability for all third parties that will process the data; limitation of access rights to authorized experts in spatial epidemiology, data protection and data science; and strict retention limitation, so that ‘the data obtained from mobile operators would be deleted as soon as the current emergency comes to an end.’
On April 6, the European Data Protection Supervisor, Wojciech Wiewiórowski, doubled down on the European approach against the pandemic and issued a public message for EU Digital Solidarity. He recalled that ‘big data means big responsibility’ and pointed out that responsibility also means ‘we should not hesitate to act when it is necessary. There is also responsibility for not using the tools we have in our hands to fight the pandemic.’
Wiewiórowski called for a pan-European model of a COVID-19 mobile application, ‘coordinated at EU level.’ ‘Legality, transparency and proportionality are essential’, the Supervisor added.
There are four key safeguards the EDPS proposes so the data-based solutions to counter the effects of the pandemic are compliant with data protection law: the measures are temporary – ‘they are not here to stay after the crisis’; ‘Their purposes are limited – we know what we are doing’; ‘Access to the data is limited – we know who is doing what’; and ‘We know what we will do both with results of our operations and with raw data used in the process’ – which seems to refer to justifiable necessity of such measures.
3. The European Commission: Recommendation for a common approach to contact tracing apps and eHealth Network’s Toolbox
On April 8, the European Commission published a Recommendation on ‘a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data’. This Recommendation set up a process for developing a common approach within the EU to use digital means to address this crisis, referred to as a Toolbox.
3.1. The Recommendation: Build a common Toolbox, a fragmented approach will not be effective
In this early document, the Commission acknowledged that ‘digital technologies and data have a valuable role to play in combating the COVID-19 crisis, given that many people in Europe are connected to the internet via mobile devices.’ It also pointed out that ‘a fragmented and uncoordinated approach risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing serious harm to the single market and to fundamental rights and freedoms.’ Therefore, the Commission considers that a pan-European approach is necessary both for the economy, by preserving the single market, and for a coherent fundamental rights approach across the EU.
The Commission enumerated several factors that would render these applications effective, such as user penetration, public trust that the data will be protected by appropriate data protection and security measures, integration and data sharing with other systems and applications, cross-border and cross-regional interoperability with other systems. According to the Commission, interoperability between applications is recommended, as well as the possibility of national health authorities supervising infection transmission chains to be able to ‘exchange interoperable information about users that have tested positive with other Member States or regions in order to address cross-border transmission chains.’
In addition to a pan-European approach for mobile apps designed to fight the pandemic, the Recommendation also pushes for ‘a common scheme for using anonymized and aggregated data on mobility of populations’, specifically in order to:
Model and predict the evolution of the disease;
Monitor the effectiveness of decision-making by Member States’ authorities on measures such as social distancing and confinement;
Inform a coordinated strategy for exiting from the COVID-19 crisis.
According to the Commission, ‘respect for all fundamental rights, notably privacy as well as data protection, the prevention of surveillance and stigmatization’ should be ‘paramount throughout the process’. To this end, three key principles are laid out. The proposed Toolbox should:
Strictly apply the purpose limitation principle (‘ensure that the personal data are not used for any other purposes such as law enforcement or commercial purposes’);
Ensure regular review of the technical solutions proposed and ‘set appropriate sunset clauses’;
Ensure that ‘the processing is effectively terminated and the personal data concerned irreversibly destroyed’, unless their scientific value for research outweighs the impact on the rights concerned. Any such further processing should be done ‘on the advice of ethics boards and data protection authorities’.
Further recommendations are made for each of the two envisaged scenarios involving data – mobile apps and the use of aggregated telecommunications data. The Commission does not express any preference for a specific architecture of contact tracing apps (centralized v. decentralized). Importantly, this Recommendation highlights the key role DPAs play: ‘consultation with data protection authorities … is essential to ensure that personal data is processed lawfully and that the rights of the individuals concerned are respected.’
3.2. The Common Toolbox: adopted by the eHealth Network and pushed against tech solutionism
Version 1 of the Common EU Toolbox called for in this Recommendation was developed at incredible speed and was published a week later, on April 15. The Toolbox was adopted by the ‘eHealth Network’, a voluntary network that provides a platform for Member States’ competent authorities dealing with digital health. Enlisting the support of Member States for a pan-European approach to relying on data to fight the pandemic is essential, because the European Union does not have exclusive competence on health matters. Primary responsibility for health protection and, in particular, healthcare systems continues to lie with the Member States.
The document focuses solely on mobile apps for contact tracing. Unlike most recent policy documents in this area, it also contains an explanation of what contact tracing means during an epidemic or pandemic and details how it is usually carried out manually by public health authorities: ‘This is a time-consuming process where cases are interviewed in order to determine who they remember being in contact with from 48 hours before symptom onset and up to the point of self-isolation and diagnosis. (…) Such manual processes rely on the patient’s memory and obviously cannot trace individuals who have been in contact with the patient but who are unknown to him/her.’ Nonetheless, the eHealth Network is clear in its recommendation that mobile apps should be complemented by manual contact tracing, which will ‘continue to play an important role, in particular for those, such as elderly or disabled persons, who could be more vulnerable to infection but less likely to have a mobile phone or have access to these applications’.
The Toolbox was built by taking the position that both centralized and decentralized solutions can be relied on, without a preference being expressed for either, and with advantages and shortcomings of both being laid out in the document. For the decentralized option, the Toolbox notes that ‘this approach would considerably reduce the risks to privacy as close contacts would not be directly identifiable and this option would thereby enhance the attractiveness of the application’, but in this case public health authorities would not have ‘access to any anonymised and aggregated information on social distancing, on the effectiveness of the app or on the potential diffusion of the virus’ and ‘this information can be important to manage the exit of the crisis’. The centralized option described in the Toolbox presupposes that ‘users cannot be directly identified’ through the data stored in the backend server, which are ‘arbitrary identifiers generated by the app’. According to the eHealth Network, ‘the advantage is that the data stored in the server can be anonymised by aggregation and further used by public authorities as a source of important aggregated information on the intensity of contacts in the population, on the effectiveness of the app in tracing and alerting contacts and on the aggregated number of people that could potentially develop symptoms.’
The Toolbox concludes that ‘none of the above two options includes storing of unnecessary personal information’. However, it alerts developers that centralized solutions which do involve ‘directly-identifiable data on every person downloading the app’ that is held centrally by public health authorities, ‘would have major disadvantage, as noted by the EDPB in its response to consultation on Commission draft guidance on data protection and tracing apps.’
Compared to other guidelines, there is more detailed focus in this Toolbox on the epidemiological relevance of any technological solution proposed. As such, apps should be following national legislation and international guidance ‘that defines which contacts should be followed up and what the management of these contacts should be’ under the coordination of public health authorities.
The Toolbox sets out various relevant parameters to enable a coordinated development and use of ‘officially recognized contact tracing applications and the monitoring of their performances.’ It provides a detailed list of baseline requirements and functionalities that should be taken into account (see Annex I of the document), which have been ‘identified collectively by Member State authorities who are considering the launch of an app to support contact tracing.’ In eHealth Network’s view, the essential requirements for national apps are that they should be:
Voluntary;
Approved by the national health authority;
Privacy-preserving, with personal data securely encrypted;
Dismantled as soon as no longer necessary.
4. Joint Statement of the Presidents of the Commission and the Council: EU Exit Strategy Roadmap enlists data as key to lifting confinement
European Commission’s President, Ursula von der Leyen, and the President of the European Council, Charles Michel, co-signed a Joint European Roadmap towards lifting COVID-19 containment measures, on April 15, which sets out recommendations to Member States with the goal of preserving public health while gradually lifting containment measures to restart community life and the economy. This Roadmap contains principles that should guide the Member States and the EU in their exit strategy and a set of seven recommended measures. The first two of these seven measures rely on using data.
The first recommended measure is to ‘gather data and develop a robust system of reporting’. By this, the Roadmap means ‘gathering and sharing of data at national and subnational level by public health authorities in a harmonised way on the spread of the virus, the characteristics of infected and recovered persons and their potential direct contacts’. Recognizing that reporting only cases that are known to health authorities is not enough (they ‘may only represent the tip of the iceberg’), the document refers to both ‘social media and mobile network operators’ as being in the position to ‘offer a wealth of data on mobility, social interactions, as well as voluntary reports of mild disease cases (e.g. via participatory surveillance) and/or indirect early signals of disease spread (e.g. searches/posts on unusual symptoms).’
The Roadmap refers to anonymizing and aggregating such data before use, and proposes the Joint Research Centre and the European Centre for Disease Prevention and Control (ECDC) as the centralizing bodies for this data collection and for conducting modelling work. This is interesting, since it is the only instance in which social media data is brought into the discussion among the different EU-level policymaking sources. Telecommunications data, on the other hand, was enlisted early in the pandemic to offer an EU-wide window into how individuals are moving during lockdowns, following a push initiated by Thierry Breton, the Commissioner for the Internal Market (see also Section 2 of this report).
The second recommended measure is to ‘create a framework for contact tracing and warning with the use of mobile apps which respect data privacy’. According to the signatories of the Joint Statement, contact tracing apps are ‘particularly relevant in the phase of lifting containment measures’. Because they can ‘help interrupt infection chains and reduce the risk of further transmission’, contact tracing apps ‘should be an important element in the strategies put in place by Member States’, as long as they complement other measures, including increased testing capacity. In fact, the third recommended measure in the document is expanding testing capacity and harmonising testing methodologies. As for the mobile apps, the Exit Strategy recommends that they be voluntary and that ‘national health authorities should be involved in the design of the system.’
The safeguards proposed are a mix of technical safeguards – anonymization and aggregation of data, no tracking of users; and governance safeguards – transparency and expiration ‘as soon as the COVID-19 crisis is over’, with a recommendation to erase any remaining data at that time and have the apps being deactivated. According to the document, ‘confidence in these applications and their respect of privacy and data protection are paramount to their success and effectiveness.’ The document refers to the earlier Recommendation made by the Commission to set up the framework for a data protection centered contact tracing app and to guidance by the Commission on how such apps can be respectful of data protection law. However, the Roadmap omits to include the crucial role that Data Protection Authorities and their pan-EU body, the European Data Protection Board, will have in ensuring contact tracing apps, if deployed, are fully respectful of the rights and freedoms of individuals by complying with data protection law requirements.
Finally, the Presidents of the Commission and the Council state that a pan-EU reference app, or at least interoperability and sharing of results between contact tracing apps at EU level, ‘allows a more effective warning of people concerned and a more efficient public health policy follow-up’. Indeed, the lack of a pan-EU approach to deploying and relying on contact tracing apps would risk endangering the freedom of movement that is so central to the EU.
5. The European Commission: Data protection guidance on apps to support the fight against COVID-19
To complement the features recommended in the Toolbox for contact tracing apps by the eHealth Network, the Commission published separately, on April 16, data protection guidance for apps to support the fight against COVID-19. This abundance of data protection guidance may be confusing for app developers and for the public authorities wanting to implement apps, considering that both the EDPS and the EDPB have been very active in giving input, following their specific mandate. In fact, the Commission includes as the last point in its guidance the fact that DPAs ‘should be fully involved and consulted in the context of the development of the app and they should keep its deployment under review.’
One interesting nuance is that the Commission includes in the scope of its analysis several variations of mobile apps that could potentially be useful in the fight against the pandemic: apps that provide accurate information to individuals about the COVID-19 pandemic; that provide questionnaires for self-assessment and for guidance to individuals (symptom checker functionality); that provide contact tracing and warning functionality; and that provide a communication forum between patients and doctors in situation of self isolation or where further diagnosis and treatment advice is provided (increased use of telemedicine).
This guidance identifies and details ten elements that ensure ‘a trustful and accountable use of apps’:
National health authorities (or entities carrying out tasks in the public interest in the field of health) should be the data controller.
Ensuring that the individual remains in control (for example, different app functionalities – like information, symptom checker, contact tracing and warning functionalities, should not be bundled so that the individual can provide his/her consent specifically for each functionality).
As lawful grounds for processing: relying on consent for the installation of the apps and for placing information, such as random identifiers, on devices, in compliance with the ePrivacy Directive; for further processing, relying on a legal obligation for processing of the personal data by health authorities (Article 6(1)(c) and Article 9(2)(i) GDPR), as long as the law, even if pre-existent to the COVID-19 pandemic, provides for measures allowing for the monitoring of epidemics and meets further requirements set out in Article 6(3) GDPR; keeping in mind that there is a ‘prohibition’ of subjecting individuals to a decision based solely on automated processing which produces legal effect or similarly significantly affects the individual (Article 22 GDPR).
Data minimisation (for example, ‘if the purpose of the functionality is symptom checking or telemedicine, these purposes do not require access to the contact list of the person owning the device’; for contact tracing, the Commission recommends the use of Bluetooth Low Energy (BLE) communications data, or data generated by equivalent technology, to determine proximity, considering that ‘for the metering of proximity and close contacts BLE communications between devices appears more precise, and therefore more appropriate, than the use of geolocation data (GNSS/GPS, or cellular location data)’).
Limiting the disclosure of/access to data, with different recommended access permissions depending on the functionality of the app.
Providing for precise purposes of processing: the Commission also advises against the use of the data gathered under the above conditions for other purposes than the fight against COVID-19, recommending additional limitations even with regard to processing for scientific research and statistics, which ‘should be included in the original list of purposes and clearly communicated to users.’
Setting strict limits to data storage: timelines should be based on ‘medical relevance’, as well as ‘realistic durations for administrative steps that may need to be taken’; for example, proximity data collected by contact tracing apps should be deleted ‘after maximum one month (incubation period plus margin) or after the person was tested and the result is negative’; health authorities may retain it for longer periods ‘for surveillance reporting and research provided it is in an anonymised form.’
Ensuring data security: the Commission recommends that the data should be stored on the terminal device of the individual ‘in an encrypted form using state-of-the art cryptographic techniques’; in the case that the data is stored in a central server, the access, including the administrative access, should be logged.
Ensuring the accuracy of data: accuracy on whether a contact with an infected person (epidemiological distance and duration) has taken place is essential, to minimise the risk of having false positives.
Involving DPAs, which should be consulted in the context of the development of the app; further along, they should keep its deployment under review.
The Guidelines do not specifically recommend a centralized or decentralized approach to contact tracing apps, but they do highlight that ‘the decentralised solution is more in line with the minimisation principle’. This specification was included in the letter the EDPB sent to the Commission in response to a consultation on this draft guidance. The Commission also states that ‘health authorities should have access only to proximity data from the device of an infected person so that they are able to contact people at risk of infection.’ This would mean that proximity data ‘will be available to the health authorities only after the infected person (after having been tested) proactively shares these data with them.’
6. The European Parliament: A Resolution on EU coordinated action to combat the COVID-19 pandemic
The European Parliament adopted on April 17 a Resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences, in which it recalled that ‘solidarity among the Member States is not an option but a Treaty obligation and forms part of the European values’ and censured the lack of coordination and solidarity among Member States at the beginning of the pandemic. The Resolution is broad in scope and looks beyond an immediate exit strategy, tackling issues related to longer-term public health goals, solutions to overcome the economic and social consequences, and recommendations to protect democracy, the rule of law and fundamental rights. Under this latter heading, the Resolution includes specific references to relying on telecommunications data and on contact tracing applications in a way that is congruent with fundamental rights.
The Parliament took an unequivocal stance in favor of decentralized contact tracing apps, as opposed to centralized apps, and it pushed for transparency and demonstrable necessity of these apps. It used strong wording and noted that it ‘demands that all storage of data be decentralised, full transparency be given on (non-EU) commercial interests of developers of these applications, and that clear projections be demonstrated as regards how the use of contact tracing apps by a part of the population, in combination with specific other measures, will lead to a significantly lower number of infected people.’ In its Resolution, the Parliament also asked for the code of contact tracing apps to be made public and recommended that ‘sunset clauses are set and the principles of data protection by design and data minimisation are fully observed’.
While recommending a pan-European approach to the use of contact tracing apps, the Parliament also acknowledged that these initiatives seem to be primarily national at this point. Therefore, it called on both the Commission and the Member States ‘to publish the details of these schemes and allow for public scrutiny and full oversight by data protection authorities’. Unlike the Roadmap published by the Presidents of the Commission and the Council, the European Parliament not only acknowledged the key role DPAs play, but called for their full oversight and urged ‘national and EU authorities’ to fully comply with both data protection and privacy legislation, as well as ‘national DPA oversight and guidance’.
7. The European Data Protection Board: Ample guidance on enlisting data against the spread of the COVID-19 pandemic
In an extraordinary step, at the beginning of April the EDPB converted its monthly plenary meetings into weekly plenary meetings, to respond to the urgency of measures proposed across the EU to rely on personal data in the fight against the COVID-19 pandemic. On April 21, it adopted two sets of Guidelines which are essential to inform the responses at national level, one focused on the use of location data and contact tracing tools, and the other one on the processing of health data for research purposes in the context of the COVID-19 pandemic.
The Guidelines of the EDPB are very important from two points of view. First, they represent the agreed position of all national DPAs, which are the only administrative entities with competence to enforce the GDPR and the Law Enforcement Directive at national level, both against government bodies and against private organizations. Second, they are capable of ensuring a harmonized approach across the EU at a time when national governments prefer to act by themselves, thus contributing decisively to a pan-European approach to the data-based response to the COVID-19 pandemic.
7.1. Processing of health data for research purposes
Starting from the premise that ‘the GDPR is a broad piece of legislation and provides for several provisions that allow to handle the processing of personal data for the purpose of scientific research connected to the COVID-19 pandemic in compliance with the fundamental rights to privacy and personal data protection’, the EDPB published guidance to support compliant scientific research involving health data. Here are some of the key points:
What is ‘scientific research’? The EDPB noted that the special GDPR regime for processing of personal data for scientific research purposes applies to ‘a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice’ and the term scientific research ‘may not be stretched beyond its common meaning.’ The EDPB also clarified that when talking about processing of health data for the purpose of scientific research, there are two types of data uses:
‘Research on personal (health) data which consists in the use of data directly collected for the purpose of scientific studies (“primary use”).
Research on personal (health) data which consists of the further processing of data initially collected for another purpose (“secondary use”).’
Compatible purposes for secondary uses. The EDPB notes that this distinction is important in the context of identifying the lawful ground for processing. Even though not specifically explained in the guidance, this has to do with the fact that secondary uses of data are permissible without the need for an additional lawful ground, as long as they are compatible with the purpose for which the data was originally collected. However, the EDPB does not give specific guidance on compatibility of purposes in this context and only mentions that ‘this topic, due to its horizontal and complex nature, will be considered in more detail in the planned EDPB guidelines on the processing of health data for the purpose of scientific research.’ Nonetheless, the Board emphasizes that strong security measures are highly advisable ‘considering the sensitive nature of health data and the risks when re-using health data for the purpose of scientific research’.
Lawful grounds for processing. A general lawful ground from Article 6 GDPR has to be complemented by a permissible use for special categories of data under Article 9(2) GDPR. The EDPB explains that besides consent (as long as all conditions for valid consent are met, including the possibility for individuals to withdraw consent at any time), controllers can also possibly rely on necessity for the performance of a task in the public interest by a public authority – Article 6(1)(e) GDPR – or on the legitimate interests of the controller or a third party – Article 6(1)(f) GDPR – in combination with the enacted derogations under Article 9(2)(j) or Article 9(2)(i) GDPR. Under these two paragraphs of Article 9(2), either the EU or the national legislators at Member State level may enact specific laws ‘to provide a legal basis for the processing of health data for the purpose of scientific research’.
International data transfers. A section of the guidance is dedicated to international data transfers, considering the global nature of the COVID-19 pandemic and that ‘there will probably be a need for international cooperation that may also imply international transfers of health data for the purpose of scientific research outside of the EEA [European Economic Area].’ The EDPB gives the green light for health data to be transferred on the basis of derogations where an adequacy decision is not in place or where one of the other appropriate safeguards (such as Standard Contractual Clauses) is absent. In particular, data can be transferred on the basis of the express consent of the data subject, or on the basis of the transfer being necessary for important reasons of public interest. The EDPB remarks that not only public authorities, but also private entities playing a role in pursuing a public interest related to the COVID-19 pandemic, such as a university’s research institute cooperating on the development of a vaccine in the context of an international partnership, could, under the current pandemic context, rely upon those derogations. However, the EDPB highlights that such transfers must be ‘a temporary measure, due to the urgency of the medical situation globally’. It adds that while the COVID-19 crisis may justify the initial transfers of data, repetitive transfers as part of a long-lasting research project would need to be framed with appropriate safeguards in accordance with Article 46 GDPR (e.g. standard contractual clauses, certification mechanisms, contracts approved by DPAs, etc.).
7.2. Location data, ‘notoriously difficult to anonymize’
In the guidance on location data and contact tracing apps, the EDPB expresses its firm belief that ‘when processing of personal data is necessary for managing the COVID-19 pandemic, data protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures’. It also clearly calls for ‘a common European approach in response to the current crisis’, or to ‘at least put in place an interoperable framework’, considering that ‘the virus knows no borders’.
The EDPB recalls that ‘the general principles of effectiveness, necessity and proportionality must guide any measure adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19’. This is a call for any data-based solutions to be grounded in actual needs of authorities to manage the pandemic. ‘Such applications need to be a part of a comprehensive public health strategy to fight the pandemic, including, inter alia, testing and subsequent manual contact tracing for the purpose of doubt removal’.
When discussing the processing of location data, the EDPB points out that there are two principal sources of such data available for modelling the spread of the virus and the overall effectiveness of confinement measures: location data collected by electronic communication service providers (such as mobile telecommunication operators) in the course of the provision of their service and location data collected by information society service providers’ applications whose functionality requires the use of such data.
Accessing or collecting location data from both these sources falls under the provisions of the ePrivacy Directive. As such, location data collected from electronic communication providers may only be processed under the conditions of Articles 6 and 9 of the ePrivacy Directive. This means that the location data ‘can only be transmitted to authorities or other third parties if they have been anonymised by the provider or, for data indicating the geographic position of the terminal equipment of a user, which are not traffic data, with the prior consent of the users’. As for collecting location data and other information directly from the terminal equipment (device) of a user, Article 5(3) of the ePrivacy Directive is applicable. As such, ‘the storing of information on the user’s device or gaining access to the information already stored is allowed only if:
(i) the user has given consent;
(ii) the storage and/or access is strictly necessary for the information society service explicitly requested by the user.’
The EDPB stopped short of giving examples of what types of services in the context of COVID-19 could argue that access to location data is strictly necessary to provide the service.
The guidelines point out that derogations to these rules are possible only ‘when they constitute a necessary, appropriate and proportionate measure within a democratic society for certain objectives’, according to Article 15 of the ePrivacy Directive. However, these exceptions can only be adopted if they concern national security, defence, public security and the prosecution of criminal offenses. In addition, according to existing case-law of the CJEU interpreting Article 15, all these areas ‘constitute activities of the State or of State authorities unrelated to the fields of activity of individuals’ (Case C-275/06 Promusicae). This seems to indicate that exceptions can be applicable only if the controllers are public authorities and if Member States can justify they concern one of the areas enumerated, such as public security.
The EDPB established that after the location data has been accessed in compliance with Article 5(3) ePrivacy, it can be further processed only on the basis of additional consent or on the basis of a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) GDPR. Even though technically organizations could argue that further processing of location data for modelling purposes to combat the pandemic is compatible with the original purpose of accessing the data, the EDPB considers that further processing on the basis of a compatibility test according to Article 6(4) GDPR is not possible where original access is obtained under the conditions of the ePrivacy Directive, since it would undermine the data protection standard of the ePrivacy Directive, as explained in the earlier Guidelines on Connected Vehicles.
The EDPB advises that preference should always be given to the processing of anonymized data rather than personal data, but cautions that location data ‘are known to be notoriously difficult to anonymize’, since ‘mobility traces of individuals are inherently highly correlated and unique’ and ‘they can be vulnerable to re-identification attempts under certain circumstances.’ The EDPB further states that ‘data cannot be anonymized on their own, meaning that only datasets as a whole may or may not be made anonymous’. To highlight this point, it is further argued that ‘any intervention on a single data pattern (by means of encryption, or any other mathematical transformations) can at best be considered a pseudonymisation.’
The EDPB also proposes a test to evaluate the robustness of anonymization, which relies on three criteria:
‘(i) singling-out (isolating an individual in a larger group based on the data);
(ii) linkability (linking together two records concerning the same individual); and
(iii) inference (deducing, with significant probability, unknown information about an individual).’
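As an added illustration that is not part of the EDPB guidance or the original post, the following Python runs the three criteria over a small constructed pseudonymous mobility dataset (the pseudonyms, cell identifiers, timings and test results are all constructed), and also shows that hashing the identifier alone leaves the singling-out result unchanged, which is the point made above that a transformation of a single field is at best pseudonymisation.

```python
import hashlib
from collections import defaultdict
from itertools import combinations

# Constructed sample: (pseudonym, hour, cell) observations for one day.
# u1 and u2 deliberately share an identical trace; u4, u5 and u6 each have one
# rare point; u3 can be isolated only by combining two points.
RELEASE_A = [
    ("u1", 8, "cellA"), ("u1", 12, "cellB"), ("u1", 18, "cellC"),
    ("u2", 8, "cellA"), ("u2", 12, "cellB"), ("u2", 18, "cellC"),
    ("u3", 8, "cellA"), ("u3", 12, "cellD"), ("u3", 18, "cellE"),
    ("u4", 9, "cellF"), ("u4", 12, "cellD"), ("u4", 18, "cellE"),
    ("u5", 8, "cellA"), ("u5", 13, "cellG"), ("u5", 18, "cellC"),
    ("u6", 7, "cellH"), ("u6", 12, "cellB"), ("u6", 18, "cellE"),
]
# A later release of the same population under rotated pseudonyms (constructed).
RELEASE_B = [
    ("v1", 8, "cellA"), ("v1", 12, "cellD"), ("v1", 18, "cellE"),
    ("v2", 8, "cellA"), ("v2", 12, "cellB"), ("v2", 18, "cellC"),
    ("v3", 9, "cellF"), ("v3", 12, "cellD"), ("v3", 19, "cellE"),
]
# Constructed sensitive attribute held alongside release A.
TEST_RESULT = {"u1": "positive", "u2": "positive", "u3": "negative",
               "u4": "positive", "u5": "positive", "u6": "negative"}


def by_person(traces):
    """Collect the set of (hour, cell) points observed for each pseudonym."""
    points = defaultdict(set)
    for pid, hour, cell in traces:
        points[pid].add((hour, cell))
    return points


def singled_out(traces, p):
    """Criterion (i): pseudonyms that some p of their own points isolate, i.e.
    no other pseudonym in the dataset was seen at all p (hour, cell) points."""
    points = by_person(traces)
    isolated = set()
    for pid, pts in points.items():
        for subset in combinations(sorted(pts), min(p, len(pts))):
            matches = [q for q, qpts in points.items() if set(subset) <= qpts]
            if matches == [pid]:
                isolated.add(pid)
                break
    return isolated


def link_records(release_a, release_b, min_shared=2):
    """Criterion (ii): link a release-B pseudonym to a release-A pseudonym when
    they share at least min_shared points and the best match is unambiguous."""
    a_pts, b_pts = by_person(release_a), by_person(release_b)
    links = {}
    for bid, bpts in b_pts.items():
        scores = sorted(((len(bpts & apts), aid) for aid, apts in a_pts.items()),
                        reverse=True)
        (best_score, best_id), (second_score, _) = scores[0], scores[1]
        if best_score >= min_shared and best_score > second_score:
            links[bid] = best_id
    return links


def inference_risk(traces, sensitive, group_hour, threshold=0.9):
    """Criterion (iii): group people by the cell they were in at group_hour and
    flag groups where one sensitive value occurs with frequency >= threshold,
    so it can be inferred for anyone known to be in that group."""
    groups = defaultdict(list)
    for pid, hour, cell in traces:
        if hour == group_hour:
            groups[cell].append(sensitive[pid])
    flagged = {}
    for cell, values in groups.items():
        value = max(set(values), key=values.count)
        if values.count(value) / len(values) >= threshold:
            flagged[cell] = value
    return flagged


def pseudonymise(traces):
    """Replace each identifier with a truncated SHA-256 digest: a transformation
    of one field that leaves every trace pattern, and every risk above, intact."""
    return [(hashlib.sha256(pid.encode()).hexdigest()[:12], hour, cell)
            for pid, hour, cell in traces]


if __name__ == "__main__":
    for p in (1, 2, 3):
        print(f"{p} point(s) single out {len(singled_out(RELEASE_A, p))} of 6")
    print("linkable across releases:", link_records(RELEASE_A, RELEASE_B))
    print("inferable from 18:00 cell:", inference_risk(RELEASE_A, TEST_RESULT, 18))
    print("hashed ids, 2 points:", len(singled_out(pseudonymise(RELEASE_A), 2)))
```

The two users with identical traces are the only ones that survive all three checks, which is the dataset-level (rather than per-record) view of anonymity the EDPB describes.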
7.3. Contact tracing: the door was kept open for both centralized and decentralized apps
With regard to contact tracing apps, the EDPB points out from the outset that ‘the systematic and large scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy.’ This is why ‘it can only be legitimised by relying on a voluntary adoption by the users’. The EDPB continues with a series of recommendations:
Responsibility: As a first rule, the EDPB underscores that the controller of any contact tracing application should be clearly defined, to ensure accountability. Public health authorities are a natural choice, but ‘other controllers may also be envisaged’. In any case, regardless of the number and nature of actors involved in controlling the data processing through the app, their responsibilities ‘must be clearly established from the outset and be explained to users.’
Purpose limitation: the purposes of the app must be specific enough to exclude further processing for purposes unrelated to the management of COVID-19, like commercial or law enforcement purposes.
General lawful basis: the storage of and access to information already stored on devices are subject to Article 5(3) GDPR, which means that for all data that is not strictly necessary to provide the service requested by the user, consent will be required. For the further processing of data, the EDPB highlights that ‘the mere fact that the use of contact-tracing applications takes place on a voluntary basis does not mean that the processing of personal data will necessarily be based on consent.’ The Board advises that Article 6(1)(e) GDPR is the most relevant legal basis whenever public health authorities or other public authorities are the controllers (meaning the necessity to process data for the performance of a task in the public interest). If this lawful ground is relied on, additional Union or Member State laws that detail the tasks must be in place. The EDPB seems to suggest that new, dedicated legislation is needed, because it will have to provide for meaningful safeguards, including ‘a reference to the voluntary nature of the application’, a clear specification of purpose and explicit limitations concerning the further use of personal data, a clear identification of the controllers involved, and, potentially, ‘as soon as practicable, the criteria to determine when the application shall be dismantled and which entity shall be responsible and accountable for making that determination.’ Controllers could also rely on consent as a basis for processing, but in that case they need to ensure all conditions for valid consent are met, including the possibility for users to withdraw consent at any time.
Permissible use for sensitive data. Since personal data related to health may be collected by a contact tracing app, one of the permissible uses under Article 9(2) must also be in place, in addition to the general lawful ground for processing. ‘Processing of such data is allowed when such processing is necessary for reasons of public interest in the area of public health, meeting the conditions of art. 9(2)(i) GDPR or for healthcare purposes as described in Art. 9(2)(h) GDPR. Depending on the legal basis, it might also be based on explicit consent (Art. 9(2)(a) GDPR).’
Data retention should be dependent on true needs and medical relevance. ‘Personal data should be kept only for the duration of the COVID-19 crisis. Afterwards, as a general rule, all personal data should be erased or anonymized.’
Human supervision. Given that contact tracing apps cannot replace, but only support manual contact tracing, the EDPB underlines that ‘procedures and processes including respective algorithms implemented by the contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives.’
Fairness and accountability: ‘algorithms must be auditable and should be regularly reviewed by independent experts.’ To this end, ‘source code should be made publicly available for the widest possible scrutiny.’
Risk assessment: a data protection impact assessment must be carried out before implementing contact tracing apps, and the EDPB ‘strongly recommends’ its publication.
Data minimisation, data protection by design and by default: the application should not collect unrelated or unneeded information, ‘which may include civil status, communication identifiers, equipment director items, messages, call logs, location data, device identifiers, etc.’
Centralization v. Decentralization. The members of the EDPB did not agree on a recommendation that would harmonize approaches EU-wide in the centralization versus decentralization debate, a fact which may end up hampering the pan-European approach if Member States implement different architectures that are not interoperable. The EDPB merely stated that ‘both should be considered viable options, provided that adequate security measures are in place, each being accompanied by a set of advantages and disadvantages.’ It did add in a footnote that ‘in general, the decentralised solution is more in line with the minimisation principle’. However, the guidelines leave the door open to both types of architecture, while giving specific recommendations for servers to rely on pseudonymous identifiers and very short retention times.
Data security: state-of-the-art cryptographic techniques must be implemented to secure the data, together with mutual authentication between the application and the server and proper authorization for reporting infected users.
In its closing remarks, the EDPB showed that ‘data and digital technologies can be key components in the fight against COVID-19’, but it also warned against the ‘ratchet effect’: ‘It is our responsibility to ensure that every measure taken in these extraordinary circumstances are necessary, limited in time, of minimal extent and subject to periodic and genuine review as well as to scientific evaluation.’ The EDPB added that one should not have to choose between an efficient response to the current crisis and the protection of our fundamental rights. ‘We can achieve both, and moreover data protection principles can play a very important role in the fight against the virus’.
8. Conclusion
The EU took advantage of its mature data protection legal framework and acted rapidly to outline the possibility of a pan-European approach to supporting the fight against the pandemic with data, be it mobility data for heat maps and modelling, health data for research purposes or proximity data for contact tracing, while ensuring that fundamental rights and freedoms remain protected. The push for a pan-European approach, which was sparked by scientists working across borders to build a privacy-preserving protocol for a contact tracing app, seems to be successful, even if not entirely. Several Member States have already announced they will implement the same decentralized protocol for a contact tracing app (Estonia and Austria, but also Switzerland as a country associated with the EU), with others, like Germany and Italy, now considering a decentralized approach to contact tracing after having initially announced plans for a centralized approach.
Developments at national level, at least in the Member States of the EU, will ultimately be influenced by EU policy. Even if public health is primarily a regulatory area where national governments lead and the EU merely complements their policies, data protection is an area where the EU has been granted powers to lead the rulemaking (see Article 16 of the Treaty on the Functioning of the European Union). Be it a decentralized or centralized approach to contact tracing, or any of the other necessary uses of personal data for modelling or research in the context of the COVID-19 pandemic, they will all need to follow data protection rules and principles as provided by EU law.
Table 1. List of EU policy documents and guidance in relation to COVID-19 and data protection
FPF Submits Comments to NIH on the NIH-Wide Strategic Plan for Fiscal Years 2021-2025
Earlier this month, the Future of Privacy Forum (FPF) submitted comments to the National Institutes of Health (NIH) on the NIH-Wide Strategic Plan covering fiscal years 2021-2025. In the letter, Health Policy Counsel Rachele Hendricks-Sturrup and Artificial Intelligence Policy Counsel Sara Jordan propose the addition of a cross-cutting theme to NIH’s strategic plan as well as opportunities for collaboration between the two organizations.
Overall, FPF prompts the NIH to:
Consider “balancing health data privacy with data access and use” as an additional cross-cutting theme. By adding this additional cross-cutting theme, a balance might be achieved between the NIH’s drive to advance health and preserving the privacy of individuals who offer their data for the development of new medical procedures, products, pharmaceuticals, and devices.
Support research resources and infrastructure with ethical review models. In particular, the NIH should consider adopting or working with FPF to refine our ethical review tools, which could help the NIH identify, consider, and mitigate privacy risks raised by the terms of use and re-use of data held in the NIH repositories; and
Foster a culture of good scientific stewardship around consent to data use. Consent may be an appropriate mechanism for protecting the privacy and data rights of research participants in many cases, but not in all cases, especially given that health data is no longer exclusively generated or processed by health care providers and insurers.
Paper highlights de-identification standards, re-identification research, and emerging technical, contractual, and policy protections that can safeguard genetic data while supporting research.
Genomic data is arguably the most personal of all personally identifiable information (“PII”). Techniques to de-identify genomic data to limit privacy and security risks to individuals – while that data is used for research and statistical purposes – are at the center of discussions among stakeholders engaged in genetic research.
The Future of Privacy Forum (FPF) and Privacy Analytics have partnered to publish “A Practical Path Toward Genetic Privacy in the United States.” The white paper is intended to highlight the personal nature of genetic data, describe existing regulatory requirements, and discuss emerging developments regarding the de-identification and re-identification of genetic data while highlighting consensus practices organizations are taking to safeguard genomic information.
“Genetics has become increasingly valuable to cutting-edge medical research, with implications from public health to rare disease diagnostics,” said Katelyn Ringrose, FPF Policy Fellow. “Observing this evolution, FPF and Privacy Analytics collaborated to create a practical path forward; one which will protect the privacy of those individuals who contribute their genomes to fuel such incredible discoveries.”
The white paper explores and drives discussion around two prominent examples of privacy engineering solutions applicable to genetic privacy: differential privacy and secure (multi-party) computation. Although technical solutions like these show promise in protecting genetic data, companies should also follow emerging privacy and security-centric norms that are evolving in the space, including the use of:
Access Controls – Depending on the nature of the data and its identifiability, access controls can limit access to certain individuals and institutions.
Contractual Controls – Researchers and institutions can be required to enter into a data use agreement prior to being able to access data, in order to ensure that that data is accessed only for legitimate purposes and that identifiability remains low.
Security Protocols – Organizations sharing genetic data can create specific security protocols dictating how researchers utilize data in open access or controlled-access data repositories.
FPF hopes that this white paper will help guide stakeholders in the genetics arena, including those providing and utilizing genetic data to identify health risks, learn more about rare diseases, and create new treatments and precise diagnostics. We look forward to continuing to support cutting-edge research, while aiming to mitigate the risks associated with the use of genetic data.
For additional information about this publication or the Future of Privacy Forum’s health working group, please contact Rachele Hendricks-Sturrup and Katelyn Ringrose.
Privacy & Pandemics Virtual Workshop: The Role of Mobile Apps
The Future of Privacy Forum and the Israel Tech Policy Institute recently convened a briefing with experts from government, academia, and leading companies about the use of mobile apps related to the COVID-19 public health crisis, and how data protection and ethics can be managed when sensitive health and location data are collected. The briefing featured privacy experts from around the world, including:
Sarit Deshe, Head of Nationwide Information Projects Department, Ministry of Health Israel
Talia Agmon, Deputy Chief Legal Counsel, Ministry of Health Israel
Professor Michael Birnhack, Associate Dean for Research, The Buchmann Faculty of Law, Tel Aviv University
Hyunik Kim, Deputy Director, Planning & Management Division, and Head, International Cooperation for Personal Information Protection Commission (PIPC), Republic of Korea
Steve Penrod, Vice President of Product Development, TripleBlind (U.S.)
Bart Preneel, head of COSIC (Computer Security and Industrial Cryptography group) in the Department of Electrical Engineering at KU Leuven, Belgium
Leaders from the Future of Privacy Forum and the Israel Tech Policy Institute, including FPF CEO Jules Polonetsky, Managing Director of the Israel Tech Policy Institute Limor Shmerling Magazanik, FPF Director of Technology and Privacy Research Christy Harris, Policy Counsel Polly Sanderson, and FPF Managing Director for Europe Rob van Eijk.
Participants discussed the privacy implications and utility of storing data locally versus centrally; strategies for improving the accuracy of data; promotion of apps to ensure sufficient scale; and how to assess the usefulness of certain data types (such as Bluetooth data) for public health purposes. Insights from the discussion will inform FPF’s ongoing work with stakeholders to identify best practices and policy recommendations for decision-makers.
To complement the virtual workshop, FPF released a detailed comparison of specific objectives and methods employed by “contact tracing” apps and software development kits (SDKs) that have been developed in various countries and regions to help public and private entities mitigate the COVID-19 pandemic. Stakeholders interested in how leading apps are collecting and using data in response to the COVID-19 pandemic, and policymakers considering the use of one of these apps, will want to take a look at the chart.
Through a series of original Privacy & Pandemics publications and resources, FPF is exploring the challenges the COVID-19 pandemic poses to existing ethical, privacy, and data protection frameworks. This series is intended to help governments, researchers, companies, and other organizations navigate essential privacy questions regarding the collection and use of data in response to a global pandemic.
FPF Provides Senate Testimony on Strategies to Mitigate Privacy Risks of Using Data to Combat COVID-19
Future of Privacy Forum (FPF) Senior Counsel Stacey Gray today provided the Senate Committee on Commerce, Science, and Transportation with written testimony, including recommendations based on how experts in the U.S. and around the world are currently mitigating the risks of using data to combat the COVID-19 pandemic.
“The collection and use of data, including personal data, to respond to a public health crisis like a pandemic can be compatible with privacy and data protection principles,” said Gray. “In many cases, commercial data can be shared in a way that does not reveal any information about identified or identifiable individuals.”
Gray offered recommendations, based on recent FPF workshops with global experts, to mitigate the risks of processing location data and other consumer data for public health initiatives, including:
Follow the lead of public health experts. Rather than leading the way with data that is already available, technology companies should play a supporting role to epidemiologists, established research partners, and public health experts and rely on their expertise in determining what data is useful to achieving specific, clear public health goals.
Ensure transparency and lawfulness. In order to ensure public trust, including in the use of voluntary pandemic apps, companies should be as transparent as possible about data shared with government or public health officials.
Apply privacy enhancing technologies (PETs). Companies should take advantage of advances made by privacy engineers in recent years, and apply privacy enhancing technologies (PETs), such as differential privacy, in accordance with principles of data minimization and privacy by design.
Employ privacy risk assessments. Companies should use well-established privacy and data protection impact assessment frameworks to help identify risks and find ways to mitigate or eliminate them.
Follow core purpose limitation principles. Any personal data collection and use enlisted to fight the pandemic should be limited in time and limited to a specific, well-defined purpose identified in advance, with clear limitations on secondary uses.
Gray also explored the commercial sources and relative risks and benefits of precise location data generated by consumer devices, and highlighted the need for baseline federal consumer privacy legislation. In addition to providing legal protections for individuals, a federal privacy law would also provide much-needed legal clarity for US companies, enabling them to respond quickly and to understand what kind of data they may or may not share legally and ethically to support emergency public health initiatives.
Gray provided testimony to a full Commerce, Science, and Transportation Committee paper hearing, “Enlisting Big Data in the Fight Against Coronavirus.” Witness testimony was published by the committee on Thursday, April 9, 2020, at 10:00 a.m. Questions from committee members will be posted by the end of the day, and witnesses will have 96 business hours to respond.
FPF is exploring the challenges posed by the COVID-19 pandemic to existing ethical, privacy, and data protection frameworks through a series of original Privacy and Pandemics publications, workshops, and resources, accessible on the FPF website. The series is intended to help governments, researchers, companies, and other organizations navigate essential privacy questions regarding the response to the coronavirus pandemic. Resources include a chart that compares the specific objectives and methods of apps and software development kits (SDKs) that have been deployed to help public and private entities tackle the COVID-19 pandemic, and lessons learned from a workshop on corporate data-sharing for COVID-19 research.
ICYMI: FPF Experts Raise Concerns about Protecting Student Privacy During Rapid Switch to Online Learning
Experts from the Future of Privacy Forum, the nation’s leading think tank focused on advancing responsible consumer privacy practices, have spoken out in numerous articles and publications to raise awareness about privacy concerns stemming from the rapid adoption of general-use technologies to support online learning at K-12 and higher education institutions nationwide.
Vance said, “You obviously have all of the privacy concerns that carry over from the use of ed tech generally… Is this company using data in an inappropriate way? Is this a privacy-protected product? Does the school have a data governance policy? When is information going to be deleted? Who has access to that information? Do people just have what information they need to do their job and no more? Because every additional person who has access to information can increase the risk that that information is shared inappropriately or breached.”
As more schools and teachers move to quickly adapt existing general use apps and software for the virtual classroom, Vance warned in EdSurge, “We are likely to see more uncontrolled and unregulated use of technology by educators and others who suddenly have to move things online without clear guidance from the institution.”
In an interview with the Washington Post, Vance stated, “There is a very complex legal landscape around student privacy, and products made for consumers generally—for offices, for adults—are unlikely to comply with those laws.” She added to EdSurge that those products generally have not been set up in a privacy-protective way, noting that “many companies are set up to allow ease of access and broad information collection as default settings instead of thinking more completely about preventing harms or protecting privacy.”
FPF CEO Jules Polonetsky spoke to the New York Times about the expanded use of Zoom in the virtual classroom. From the article: “some of [Zoom’s] standard terms are not consistent with the Family Educational Rights and Privacy Act, or FERPA, ‘in addition to many of the 130+ state student privacy laws passed since 2014,’ [Polonetsky] added.”
Vance echoed Polonetsky’s concerns about Zoom in interviews with EdSurge and NPR, flagging the privacy and legal implications of the tool: “A standard Zoom account is ‘not at all’ compliant with FERPA, COPPA or state student privacy laws” according to Vance.
She recommended that “schools stick with platforms designed for education” and noted to NPR that this problem is not unique to Zoom, saying, “I don’t know that Zoom is any worse, and it may in many ways be better than a lot of the platforms out there, especially when it comes to security, accessibility and certainly when it comes to ease of use.” But, she says, Zoom could have anticipated these privacy issues: “And now Zoom has the very difficult task of attempting to regain trust.”
Vance also spoke with Inside Higher Ed about the potential for online learning to result in increased monitoring of students due to accountability reporting requirements. “Moving classes online will also raise questions about the extent to which school-issued devices with surveillance software pre-installed will monitor student activity at home, since officials are still supposed to ensure that students are receiving an education at home.” Vance asks: “How comfortable will we be with schools monitoring students and what they do at home, now that home is going to be school?”
Last Friday, FPF hosted a webinar with California IT in Education (CITE) and education law firm Fagen Friedman & Fulfrost (F3) entitled “Classrooms in the Cloud: Student Privacy & Safety During the COVID-19 Pandemic” that examined the tough privacy questions facing K-12 schools and higher education institutions during the rapid transition to online learning platforms. View the archived webinar here.
To learn more about the Future of Privacy Forum’s student privacy work, visit studentprivacycompass.org.
About FPF
The Future of Privacy Forum (FPF) is a Washington, DC-based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts and includes an advisory board comprised of leading figures from industry, academia, law, and advocacy groups. For more information, visit www.fpf.org.
Why Data Protection Law Is Uniquely Equipped to Let Us Fight a Pandemic with Personal Data
Data protection law is different from “privacy”. We, data protection lawyers, have been complacent recently and have failed to make this clear to the general public. Perhaps happy to finally see this field of law take the front stage of public debate through the GDPR, we have not stopped anyone from saying that the GDPR is a privacy law.
The truth is, the GDPR is a “data protection” law (it stands for the General “Data Protection” Regulation). And this makes a world of difference these days, when governments, individuals, companies, public health authorities are looking at the collection of personal data and digital tracking of people as a potential effective way to stop the spread of the COVID-19 pandemic.
The GDPR is the culmination of about half a century of legislative developments in Europe, which saw data protection evolve from a preoccupation of regional laws, to national laws, to EU laws, to a fundamental right in the EU Charter of Fundamental Rights: a fundamental right (Article 8) that is provided for distinctly from the fundamental right to respect for private and family life (Article 7). What a wondrous distinction!
The right to the protection of personal data has been conceived particularly to support societies in facing the reality of massive automation of systems fed with data about individuals. At the very beginning, the introduction of computerized databases in public administration pushed for the necessity of adopting detailed safeguards that would ensure the rights of individuals are not breached by the collection and use of their data.
In the following decades, waves of development added layers to those safeguards and shaped data protection law as we know it today, layers such as the need for a justification to collect and use personal data; fair information principles like purpose limitation and data minimization; transparency and fairness; control of data subjects over their own data through specific rights like access, correction and deletion; the need of having a dedicated, independent supervisory authority to explain and enforce data protection law; accountability of whomever is responsible for the collection and use of personal data.
The right to data protection is procedural in nature. It does have a flavor of substantive protection, which will certainly grow in importance and will likely be developed in the age of AI and Machine Learning – in particular I am thinking of fairness – but at its core the right to data protection remains procedural. Data protection sets up specific measures or safeguards that must be implemented to reach its goal, in relation to personal data being collected and used.
Importantly, the goal of data protection is to ensure that information relating to individuals is collected and used in such a way that all their other fundamental rights are protected. This includes freedom of speech, the right to private life/privacy, the right to life, the right to security, the right to non-discrimination and so on. Even though I have not seen this spelled out anywhere, I believe it has also been developed to support the rule of law.
This is why data protection is uniquely equipped to let us fight the pandemic using personal data. It has literally been conceived and developed to allow the use of personal data by automated systems in a way that guarantees the rule of law and the respect of all fundamental rights. This might be the golden hour for data protection.
That is, if its imperatives are being applied to any technological or digital responses to the COVID-19 pandemic relying on personal data:
The dataflow proposed must be clear, including all the categories of data that will be collected and used.
The purpose(s) must be clear, specific, granular, well-defined.
There must be a lawful ground for processing in place.
Building any solution that necessitates personal data must be done by taking into account from the outset data protection requirements (data protection by design).
The web of responsibility must be clear (who are the controllers and the processors?).
Personal data must not be shared, or given access to, beyond the defined web of responsibility (for example, through controller-processor agreements).
There must be transparency in an intelligible way for the individuals whose personal data are collected.
The necessity of collecting any of the personal data items must be assessed (can the project do without some of them and achieve the same purpose?).
All personal data must be accurate.
Individuals must have a way to obtain access to their own data and to ask for correction and, where justified, erasure (as well as to exercise the other rights they have).
The security of the data must be ensured.
The personal data collected must be retained only for as long as it is necessary to achieve the purpose (afterwards, it must be deleted; anonymization may be accepted as an alternative to deletion, but there is an ongoing debate about this).
Data Protection Impact Assessments (even informal ones) should be conducted; engaging with supervisory authorities to discuss the identified risks that cannot be mitigated could then be helpful (and may even be obligatory under certain circumstances).
Therefore, the data-based solutions proposed to diminish the effects of the COVID-19 pandemic are not being proposed and accepted in Europe in spite of the GDPR, as the media has been portraying it. It is almost as if data protection has been developing over the past half century to give us the right instruments to face this challenge while preserving our freedoms and our democracies. I hope we will be smart enough to use them properly.