Long recognized by public health officials as a means to track and curb the spread of communicable diseases, “contact tracing” has now entered the lexicon of HR departments, corporate boards, and legislative bodies, thanks to Covid-19. As businesses start to reopen, contact tracing apps are among the options under consideration for safer workplaces and communities.
Understandably, many national governments have embraced the technology. The MIT Technology Review has compiled a “Covid Tracing Tracker” of nearly 30 countries that have backed a tracing app. France, for example, has deployed an app known as “StopCovid”—which France’s data protection authority has approved, in part because its use would not be mandatory and the data collected would be pseudonymized.
The use of contact tracing apps is not limited to government authorities, however, and U.S. lawmakers are taking note.
Legislative Restrictions Proposed
On the federal level, for example, S. 3663 seeks to prevent businesses from employing any tracking measures without prior notice and affirmative express consent. The bill would apply to any entity subject to the Federal Trade Commission Act, as well as to common carriers and nonprofits.
Similar measures have been introduced at the state level.
In Minnesota, HF 4665 would prohibit employers from requiring employees to install contact tracing apps on their phones, or from otherwise requiring employees to provide location information for the purposes of determining whether they may be at risk of contracting a communicable disease.
New York’s SB 8327 would similarly prohibit the mandatory installation of contact tracing apps, but it also creates a private right of action—including class actions—for anyone aggrieved by a violation. (It’s not often that one sees a private right of action sponsored by a Republican.)
Kansas appears to be on the verge of enacting contact tracing legislation. HB 2016 has already passed both the House and Senate and was presented to Governor Laura Kelly on June 5.
Section 16 of the enrolled bill is titled the “COVID-19 Contact Tracing Privacy Act.” It generally permits contact tracing by Kansas government officials, but it prohibits “the use of any service or means that uses cellphone location data to identify or track, directly or indirectly, the movement of persons.” (Emphasis added.)
Unfortunately, the bill does not define “cellphone location data,” so it’s unclear whether it would exclude Bluetooth-based tracking or if the use of any “proximity tracking” technology would be regarded as “indirectly” tracking the movement of persons.
In any event, to the extent a “third party” (again, undefined in the bill) wishes to voluntarily disclose contact tracing data to state officials, it would be permitted to do so only with the consent of the affected individual.
If signed by the governor, the COVID-19 Contact Tracing Privacy Act will expire on May 1, 2021.
Business Best Practices
Employers evaluating the use of contact tracing apps can take a few cues from these legislative proposals, as well as from guidance in Europe.
For starters, mandatory use appears to be roundly denounced and informed consent widely embraced. Still, employee consent is disfavored—especially in the context of the General Data Protection Regulation (GDPR)—so unless use of an app is required by statute or local ordinance, employers may wish to clarify that its use would be entirely voluntary and without negative repercussions should an employee choose not to participate.
“Necessity and proportionality are the cornerstones of any tracing strategy,” according to Rob Corbet, Head of the Technology Practice at Arthur Cox in Dublin. “For most organizations, employees can be adequately protected through voluntary measures, so it tends to be only in areas of demonstrable high risk—hospitals, nursing homes, meat processing factories—where an employer can show that a mandatory scheme is necessary and proportionate.”
Employers should also consider economies of scale. Given the size of your organization, what level of usage would be necessary? And would such usage reliably address the problem?
“Would a contact tracing app be the right tool?” asks Rosa Barcelo, co-chair of the global Data Privacy & Cybersecurity Practice at Squire Patton Boggs in Brussels.
When combined with other measures—such as social distancing, mask wearing, and disinfecting—contact tracing may have less impact, or may not be needed at all. Regardless of the method employed, however, Barcelo cautions that a data protection impact assessment may be required.
Corbet also warns that countries, especially in the EU, differ significantly in their views as to what level of contact tracing can be supported by domestic health, employment, and privacy laws. Multinational corporations should not assume that an app can be deployed in the same manner across the EU.
End in Sight?
For employers prudent enough to hit the pause button, it’s best to follow the lead of Kansas by also including a “stop” button. Just as HB 2016 includes an expiration date, any pandemic-specific measure incorporated into business operations should also feature an end date, with an allowance for renewal if warranted.
As Rob Corbet advises: “Data points collected for seemingly innocent purposes can be redeployed for other non-obvious and potentially harmful purposes down the line.” That’s why purpose limitation, data minimization, and storage limitation are core data protection principles to be considered in any collection efforts.