The Business Lawyer
American Bar Association
image
An Early Evaluation of the Privacy Impacts of the COVID-19 Pandemic
DOI 10.928/ac.2021.03.31 , Volume: 76 , Issue: 1
Sella-Villa: An Early Evaluation of the Privacy Impacts of the COVID-19 Pandemic

I. Introduction

At the time of this writing in mid-2020, the COVID-19 pandemic has gripped the world and frustrated health experts. In the interest of “flattening the curve” of new cases, state and local government officials have implemented a variety of legal measures including stay-at-home orders,1 social distancing requirements,2 and mandates to wear masks in public.3 These legal responses to the pandemic have created both new sources of data about people and new avenues for accessing existing data that may have been difficult to access before the pandemic.

This survey will address four common scenarios related to these data streams that these policies have fostered. The impact of these data streams on people’s privacy is just starting to be understood. The term “privacy” in this survey refers to an individual’s ability to control disclosure of her personally identifiable information. This survey explores some early answers to the question of how the COVID-19 pandemic has impacted people’s privacy in the U.S. context.

II. Increased Use of Video Conferencing Software: The Case of Zoom

During the COVID-19 pandemic millions have abruptly discontinued face-to-face activities such as schooling, employment, and social meetings and replaced them with substitutes conducted exclusively from home. This has been made possible in part because of the explosive growth in the use of video conferencing software, most notably Zoom.4 The use of Zoom has produced both new data—information about people’s use and habits during video conferences—and a new means to access an array of other data about Zoom users—information about users’ devices and the very information exchanged among users that would have otherwise been delivered in person. Access to these data streams, by both Zoom and others, has already impacted people’s privacy in at least two ways.

First, the Zoom platform has suffered hacks and data breaches. Although Zoom presented itself as a secure platform,5 Zoom’s security features came under widespread scrutiny, including from the New York State Attorney General.6 Uninvited participants have allegedly accessed numerous videoconferences, viewing these meetings7 or “Zoombombing” the proceedings by displaying graphic images through screen sharing features.8 Zoom’s alleged failure to provide a platform that protects people’s privacy has spurred the filing of several class actions based on theories of negligence, breach of implied contract, and invasion of privacy, as well as violations of the California Consumer Privacy Act and unfair competition laws.9

Second, the exponential growth in usership gave Zoom access to new, valuable data. Class sessions, professional meetings, and social gatherings that in the past would have happened in person are taking place almost exclusively on Zoom. Zoom, therefore, has impacted people’s privacy by having direct access to information that would have been incredibly challenging for any single digital platform to gather before the pandemic.10 Realizing its value, Zoom allegedly mines its expanding data trove and sells it to advertisers and intermediaries.11 Additional class action filings have focused on Zoom’s data sales, alleging negligence, breach of implied contract, unjust enrichment, and violations of state consumer protection laws and the California Consumer Privacy Act.12

III. Contact Tracing Apps

Public health officials have long used contact tracing to limit the spread of communicable diseases by notifying the potentially exposed and directing appropriate resources strategically.13 Contact tracing apps seek to improve this process by combining location data with information about who has contracted the COVID-19 virus.14 The privacy implications have the potential to be significant if enough people use contact tracing apps.15

Many features of contact tracing apps can affect privacy, but three key factors stand out: which organization deploys the app, the type of location data that is collected, and how the app gathers data. Public health authorities deploying contact tracing apps must abide by laws and data management practices that aim to strike a balance between important public health interests and individual privacy.16 For employees required to use such apps as a condition of returning to work,17 some laws limit employers’ collection and use of employees’ health information.18 But employers may have fewer limitations on collecting location data.19 Other parties who have access to contact tracing data would generally have the fewest restrictions on using individuals’ health or location data.20

Relative location data systems created via Bluetooth arguably impact privacy less than a geolocation-based system.21 A relative location system only operates when devices come within range of each other while a geolocation system needs to monitor a device’s location regularly.22 A similar range of privacy consequences can be found in how the apps gather data. An app with direct user inputs and specific opt-ins impacts an individual’s privacy less than apps that automatically collect an array of data without specific user consents.23 A contact tracing app that automatically collects user data, uses a geolocation system, and shares that information with government agencies not involved in public health will have the greatest impact on individual privacy.

As of mid-2020, deployment and use rates of contact tracing apps in the United States have been relatively low.24 Accordingly, the privacy impacts of contact tracing apps are most likely to be felt among smaller groups with a higher app-usage rate, like among the employees of an organization.

IV. Organizations Collecting Symptom-Related Information from People Entering Establishments

In conjunction with governments promulgating public health policies,25 other institutions are taking measures to help stop the virus’ spread.26 Employers, schools, and organizations open to the public have begun reading patrons’ and employees’ temperatures and asking them questions about symptoms associated with COVID-19.27 This data can help them bar physical entry to people who exhibit relevant symptoms and may help slow the virus’ spread.28

Disease symptom data is not a new type of information for HIPAA-covered entities or public health organizations,29 but many other organizations are gathering this information for the first time. Businesses are striving to balance the potential liabilities resulting from a COVID-19 infected workforce30 with the privacy implications of gathering (and potentially sharing)31 employees’ and patrons’ health information daily.32 But limiting the spread of the virus arguably creates a condition that exempts employers from following the prohibition in the Americans with Disabilities Act on collecting employee health information.33

Nevertheless, employers must ensure that the manners of collecting, using, and sharing this health information do not discriminate against protected classes.34 Data management best practices can help strike the necessary balance between business needs and privacy. By focusing on data security measures like limiting who has access to employee symptom data and retaining such data for only a limited time,35 employers can potentially reduce the spread of COVID-19 in the workplace while protecting employee privacy interests. Careful handling of sensitive information will allow employers to slow the spread of the virus while at the same time complying with anti-discrimination laws and avoiding other privacy causes of action like defamation36 and data breach laws.37

V. Novel Uses of Existing Technologies Applied to the Pandemic

Existing technologies have been redeployed in attempts to deal with the COVID-19 pandemic. This brief discussion highlights some new data sources as well as new ways of using existing data sources.

Facial recognition technologies have been seen as an alternative to high-traffic points of physical contact, such as fingerprint readers.38 There are some indications that these technologies can be used to identify those who may violate pandemic-related public health regulations,39 but the widespread use of face coverings may impact facial recognition’s efficacy.40 The use of facial recognition technologies in the COVID-19 context, therefore, has the potential to impact privacy, particularly in states that protect biometric information.41

Researchers have developed algorithms utilizing artificial intelligence systems (“AIs”) to aid in the diagnosis42 and treatment43 of COVID-19. These algorithms process vast amounts of health information. While HIPAA privacy protections generally apply to the health information used in this research, similar protections do not extend to other instances of pandemic-related data mining. For example, researchers have run social media postings through location-identifying algorithms to find instances of people breaking quarantine rules.44 Other AIs have been able to predict outbreaks of the virus by analyzing social media posts.45 Both strategies ostensibly aim to aid public health officials by using what could be considered public information. These are further examples of responses to the pandemic finding new avenues to existing data.

But because of social distancing orders, social media information has become more important in many people’s lives. To maintain their mental health under quarantine, people divulge on social media what they may have shared only in person before the pandemic.46 Accordingly, the balance between privacy and public health may need to take greater account of privacy in the wake of COVID-19.

VI. Conclusion

At the time of this writing, the privacy impacts of the COVID-19 pandemic are just starting to be observed. It may take quite a while to fully grasp the extent of COVID-19’s impact on privacy in the United States. What can be said, though, is that these early responses to the pandemic have created both new sources of data about people and new avenues to existing data that may have been difficult to access before the pandemic. Future analyses of the privacy impacts of the COVID-19 pandemic could benefit by considering this distinction.

Notes

1 E.g., Governor Gretchen Whitmer, Executive Order No. 2020-42 (COVID-19), State of Mich. (Apr. 9, 2020), https://www.michigan.gov/whitmer/0,9309,7-387-90499_90705-525182–,00.html.
2 E.g., Cnty. of Los Angeles, Order of the Health Officer, Safer at Home Order for Control of COVID-19 (Apr. 10, 2020), https://covid19.lacounty.gov/wp-content/uploads/HOO_Safer-at-Home-Order-for-Control-of-COVID_04102020.pdf.
3 Id.
4 Theron Mohamed, Zoom Expects to Boost Revenue by 200% and Profits by 300% This Year, Bus. Insider (June 3, 2020), https://markets.businessinsider.com/news/stocks/zoom-expects-200-revenue300-profit-growth-5-charts-2020-6-1029277092#zoom-expects-nearly-200-revenue-growth1.
5 Micah Lee & Yael Grauer, Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing, Intercept (Mar. 31, 2020), https://theintercept.com/2020/03/31/zoom-meeting-encryption/.
6 State of N.Y., Office of the Att’y Gen., Letter Agreement Between Zoom and the NYAG (May 7, 2020), https://ag.ny.gov/sites/default/files/nyag_zoom_letter_agreement_final_counter-signed.pdf.
7 Class Action Complaint at para. 75, Simins v. Zoom Video Commc’ns, Inc., No. 5:20-cv-2893 (N.D. Cal. Apr. 27, 2020), https://www.classaction.org/media/simins-v-zoom-video-communicationsinc.pdf [hereinafter Simins]; Drew Harwell, Thousands of Zoom Video Calls Left Exposed on Open Web, Wash. Post (Apr. 3, 2020, 3:43 PM), https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/.
8 E.g., Class Action Complaint at para. 3, Saint Paulus Lutheran Church v. Zoom Video Commc’ns, Inc., No. 5:20-cv-03252-SVK (N.D. Cal. May 13, 2020), https://www.classaction.org/media/saint-paulus-lutheran-church-et-al-v-zoom-video-communications-inc.pdf.
9 See, e.g., id.; Simins, supra note 7.
10 For example, Zoom may have access to registration information showing who attended a meeting, or to the results of polls conducted in a meeting. See Generating Meeting Reports for Registration and Polling, Zoom Help Ctr., https://support.zoom.us/hc/en-us/articles/216378603-Generating-Meeting-Reports-for-Registration-and-Polling (last visited Sept. 25, 2020). Zoom at one time included a feature called “attention tracking,” which notified the meeting host when a meeting participant clicked into a non-Zoom window on his computer for more than thirty seconds. See Zoom Can Track Who’s Not Paying Attention in Your Video Call. Here’s How, HuffPost (Mar. 25, 2020), https://www.huffpost.com/entry/zoom-tracks-not-paying-attention-video-call_l_5e7b96b5c5b6b7d80959ea96. Zoom has since deleted that feature. Attendee Attention Tracking, Zoom Help Ctr., https://support.zoom.us/hc/en-us/articles/115000538083-Attendee-attention-tracking (last visited Sept. 25, 2020).
11 Class Action Complaint at paras. 4, 6, Taylor v. Zoom Video Commc’ns, Inc., No. 3:20-cv-02170 (N.D. Cal. Mar. 31, 2020), https://pdfserver.amlaw.com/legalradar/33254248_complaint.pdf.
12 See id.; Complaint, Cullen v. Zoom Video Commc’ns, Inc., No. 5:20-cv-02155-SVK (N.D. Cal. Mar. 30, 2020), https://cdn.arstechnica.net/wp-content/uploads/2020/03/Zoom-Class-Action-Lawsuit.pdf; accord First Amended Complaint, Hurvitz v. Facebook, No. 3:20-cv-03258-JD (C.D. Cal. May 12, 2020), https://pdfserver.amlaw.com/legalradar/34295189_complaint.pdf.
13 See, e.g., Lawrence O. Gostin et al., The Law and the Public’s Health: A Study of Infectious Disease Law in the United States, 99 Colum. L. Rev. 59, 71 (1999).
14 See Mark Zastrow, Coronavirus Contact-Tracing Apps: Can They Slow the Spread of COVID-19?, Nature (May 19, 2020), https://www.nature.com/articles/d41586-020-01514-2.
15 Cf. Natalia Drozdiak et al., Contact-Tracing Apps Fail to Deliver on Tech Boosters’ Promises, Bloomberg L. News (June 30, 2020, 12:01 AM), https://news.bloomberglaw.com/health-law-and-business/contact-tracing-apps-fail-to-deliver-on-tech-boosters-promises (noting that low app-use rates in several countries have limited their efficacy).
16 Compare Tex. Health & Safety Code Ann. §§ 81.001–81.015 (West 2019) (regulating the prevention and treatment of communicable diseases), with Tex. Health & Safety Code Ann. § 182.103 (West 2019) (requiring privacy protections for medical records).
17 E.g., Kif Leswing, Companies Could Require Employees to Install Coronavirus-Tracing Apps Like This One from PwC Before Coming Back to Work, CNBC (May 6, 2020, 8:24 AM), https://www.cnbc.com/2020/05/06/pwc-is-building-coronavirus-contact-tracing-software-for-companies.html.
18 See infra note 32.
20 Cf. Press Release, N.Y. Att’y Gen., Attorney General James Urges Apple and Google to Take Steps to Protect Consumers Using Coronavirus Contact Tracing Apps ( June 15, 2020), https://ag.ny. gov/press-release/2020/attorney-general-james-urges-apple-and-google-take-steps-protect-consumers-using.
21 DAniel Kahn Gillmor, Am. Civil Liberties Union, Principles for Technology-Assisted Contact-tracing 3 (Apr. 16, 2020), https://www.aclu.org/report/aclu-white-paper-principles-technology-assisted-contact-tracing.
22 Id. at 1–3.
23 See Chance Miller, Here’s How Apple and Google’s Exposure Notification API Works While Securing Privacy, 9to5Mac ( June 19, 2020, 10:20 AM), https://9to5mac.com/2020/06/19/apple-and-google-exposure-notification-api/.
24 See Zac Hall, Which U.S. States Are Using Apple’s Exposure Notification API for COVID-19 Contact Tracing?, 9to5Mac (June 30, 2020, 12:00 AM), https://9to5mac.com/2020/06/05/covid-19-exposure-notification-api-states/ (the version of June 5, 2020, 12:00 AM is on file with the author).
25 See supra notes 2–3.
26 E.g., What You Need to Know: Student Life, W. Va. Univ., https://www.wvu.edu/return-to-campus/what-you-need-to-know/student-life-2 (last visited Sept. 25, 2020).
27 See Utah Dep’t of Health, COVID-19 Business Manual 37 (May 2020), https://coronavirus-download.utah.gov/business/COVID-19_Business_Packet_FIN.pdf.
28 See Va. Dep’t of Health, VDH Interim Guidance for Daily COVID-19 Screening of Patrons (June 17, 2020), https://www.vdh.virginia.gov/content/uploads/sites/182/2020/06/Visitor-Screening.pdf.
29 E. g., U.S. Dep’t of Health&Human Servs., Officefor Civil Rights, COVID-19 and HIPAA: Disclosures to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities (May 2020), https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf.
30 See Complaint, Palmer v. Amazon.com, Inc., No. 1:20-cv-02468 (E.D.N.Y. June 3, 2020), https://www.plainsite.org/dockets/4a4zhtrzf/new-york-eastern-district-court/palmer-et-al-v-amazoncom-inc-et-al/; Complaint, Benjamin v. JBS S.A., No. 200500370 (Pa. Ct. Common. Pleas May, 7, 2020), https://www.spilmanlaw.com/Spilman/media/PDF/Estate-of-Benjamin-v-JBS.pdf; Massey v. McDonald’s Corp., No. 20 CH 4247 (Ill. Cir. Ct. June 24, 2020) (order) (on file with author).
31 Cf. Interim Guidance for Businesses and Employers Responding to Coronavirus Disease 2019 (COVID-19), May 2020, Ctrs. Disease Control & Prevention (May 5, 2020), https://www.cdc.gov/coronavirus/2019-ncov/community/guidance-business-response.html (directing employers to “[i]nform employees of their possible exposure to COVID-19 in the workplace but maintain confidentiality”).
32 What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws, EEOC (June 17, 2020), https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws (see part B.2).
33 Id. (see part G.1).
34 Id. (see part E).
35 But see Access to Employee Exposure and Medical Records, 29 C.F.R. § 1910.1020 (2019) (requiring that exposure records be maintained for thirty years).
36 See Ethan Krasnoo, Insight: Sorting Out Defamation and Covid-19 Transmission Accusations, Bloomberg L. ( June 23, 2020, 4:01 AM), https://news.bloomberglaw.com/us-law-week/insight-sorting-out-defamation-and-covid-19-transmission-accusations.
37 Cf. Class Action Complaint, Julius v. Deloitte Consulting LLP, No. 3:20-cv-542 (S.D. Ill. June 8, 2020), https://classactionsreporter.com/wp-content/uploads/Deloitte-Public-Access-to-PII-Complaint.pdf (regarding the breach of a new data system handling PII data related to unemployment filings).
38 Lindsey O’Donnell, Covid-19 Spurs Facial Recognition Tracking, Privacy Fears, Threat Post (Mar. 20, 2020, 9:54 AM), https://threatpost.com/covid-19-spurs-facial-recognition-tracking-privacy-fears/153953/.
39 See Max Dible, Hawai’i to Institute Facial Recognition at Airports, Big Island Now ( June 11, 2020, 7:30 AM HST), https://bigislandnow.com/2020/06/11/hawaii-to-institute-facial-recognition-at-airports/.
40 NIST Launches Studies into Masks’ Effect on Face Recognition Software, NIST (July 27, 2020), https://www.nist.gov/news-events/news/2020/07/nist-launches-studies-masks-effect-face-recognition-software(“Algorithm accuracy with masked faces declined substantially across the board.”).
41 See Y. Douglas Yang, The California Data Privacy Implications of Using Facial Recognition in the Wake of the COVID-19 Pandemic, N.at’ L. REV. (May 14, 2020), https://www.natlawreview.com/article/california-data-privacy-implications-using-facial-recognition-wake-covid-19-pandemic.
42 See Claire Jarvis, AI Learns from Lung CT Scans to Diagnose COVID-19, Scientist ( June 10, 2020), https://www.the-scientist.com/news-opinion/ai-learns-from-lung-ct-scans-to-diagnose-covid-19-67625.
43 See AI Accelerating Drug Discovery to Fight COVID-19, Nat’l Sci. Found. (Apr. 28, 2020), https://www.nsf.gov/discoveries/disc_summ.jsp?cntn_id=300481&org=NSF&from=news.
44 See Alfred Ng, Governments Could Track COVID-19 Lockdowns Through Social Media Posts, CNET (Mar. 25, 2020, 5:00 AM), https://www.cnet.com/health/governments-could-track-covid-19-lockdowns-through-social-media-posts/.
45 See Kathleen Holder, “Sick Posts” on Social Media Help Early Tracking of COVID-19, UC Davis (Apr. 16, 2020), https://www.ucdavis.edu/coronavirus/news/sick-posts-social-media-help-early-tracking-covid-19/.
46 See Coping with Stress, Ctrs. Disease Control & Prevention ( July 1, 2020), https://www.cdc.gov/coronavirus/2019-ncov/daily-life-coping/managing-stress-anxiety.html (“While social distancing measures are in place, consider connecting online, through social media, or by phone or mail.”); Alexandra Samet, 2020 US Social Media Usage: How the Coronavirus Is Changing Consumer Behavior, Bus. Insider (June 9, 2020, 12:58 PM), https://www.businessinsider.com/2020-us-social-media-usage-report (“[B]etween 46% and 51% of US adults were using social media more since the outbreak began.”); Sandro Galea et al., The Mental Health Consequences of COVID-19 and Physical Distancing: The Need for Prevention and Early Intervention, 180 Jama Internal Med. 817, 817 (Apr. 10, 2020), https://jamanetwork.com/journals/jamainternalmedicine/fullarticle/2764404 (“Social media can also be used to encourage groups to connect and direct individuals to trusted resources for mental health support.”).
https://test.researchpad.co/tools/openurl?pubtype=article&doi=10.928/ac.2021.03.31&title=An Early Evaluation of the Privacy Impacts of the COVID-19 Pandemic&author=David Sella-Villa,&keyword=&subject=Report,