
The Business Lawyer

Winter 2021-2022 | Volume 77, Issue 1

The COVID-19 Pandemic One Year On: Finding Balance Between Privacy and Public Health

David E Sella-Villa

Summary

  • As long as COVID-19 is part of daily life in the United States, choices balancing privacy and public health will need to be made.
  • Privacy and data protection jurisprudence has helped address the circumstances where an individual’s privacy interests may have been compromised. However, many people have been reluctant to share data in more collective efforts at fighting the COVID-19 pandemic.
  • Discussions of the limited successes of tracking apps and policies related to the administration of the COVID-19 vaccine show that privacy interests during the pandemic may have trumped public health concerns.
  • Time will tell if privacy concerns of certain policies outweighed the public health consequences. New data and technologies that helped approximate in-person interactions have created new data streams, yet the privacy impact from these new data remains to be seen.

I. Introduction

During the COVID-19 pandemic, stay-at-home orders and social distancing requirements limited the possibility of safe and lawful in-person interactions for over a year. Many people in the United States responded to these circumstances by resisting challenges to their sense of decisional privacy—“non-interference in one's decisions and actions.” Instead, they chose to relinquish some data privacy by sharing both new and existing types of data about themselves in efforts to enjoy the simulacrum of human contact.

Use of digital services that helped approximate in-person interactions increased dramatically. Video conferencing features in Zoom and dating apps, for example, collected new types of data about people and offered novel means by which information once exchanged primarily in person could be collected, processed, and stored. Privacy and data protection jurisprudence has helped address the circumstances where an individual’s privacy interests may have been compromised. An overview of the privacy litigation involving Zoom (Part II) provides an illustrative example of some of the privacy consequences of the pandemic.

Many people have been reluctant to share data in more collective efforts at fighting the COVID-19 pandemic. Attempts at adding a digital layer to activities traditionally perceived to be data-light met strong resistance (Parts III and IV). Decisional privacy and data privacy are compromised when some combination of infection, vaccination, location, and demographic data are aggregated, processed, and shared. Discussions of the limited successes of tracking apps and policies related to the administration of the COVID-19 vaccine show that privacy interests during the pandemic may have trumped public health concerns.

II. Zoom Litigation Update

Online meeting platforms have served as the venue for activities that previously took place in person. The Zoom platform was subject to several privacy lawsuits. Uninvited parties entered many private Zoom meetings and disrupted them by displaying graphic images—a practice known as “Zoombombing.” Zoom has since improved the security features of its platform, but liability for potential privacy violations is being determined in court.

Several cases and two class actions alleging Zoom’s privacy violations were consolidated into a proceeding styled In re Zoom Video Communications Inc. Privacy Litigation. These complaints allege that Zoom violated users’ privacy by “(1) sharing Plaintiffs’ personally identifiable information with third parties; (2) misstating Zoom’s security capabilities; and (3) failing to prevent security breaches known as ‘Zoombombing.’” The alleged causes of action include invasion of privacy, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and violations of several California consumer protection statutes.

By addressing its security issues, Zoom has limited incidents where uninvited parties have access to new data—the content of Zoom meetings intended to be private. Independent of the outcome of the Zoom Privacy litigation, many organizations have decided to incorporate remote work into their post-pandemic business models. This means that video communication technologies are likely to be a regular part of at least professional life, and in some cases education, healthcare, and religious experiences as well. Where technologies continue to replace in-person activities, new data will continue to be generated. The privacy impact of these new data streams remains to be seen.

III. Contact Tracing

Digital contact tracing aided some countries in managing the COVID-19 pandemic. Because of the prevalence of Apple and Android smartphones, the most readily available platforms for contact tracing apps have been the Apple and Google APIs. Google and Apple made their jointly created contact tracing API available only to public health authorities, as a platform upon which they could develop their own contact tracing apps.

Several features of these platforms that emphasized individual decisional privacy and data privacy over public health goals meant that contact-tracing apps have proven not to be an effective tool for U.S. public health authorities. Individuals had to choose to download the contact tracing app, rather than having it pushed to their devices. Individuals who downloaded the app then would have to choose to enter their COVID-19 status, thereby preserving individuals’ decisional privacy about whether to share their COVID-19 status with public health authorities. The API allows use of Bluetooth beacons alone, and not in combination with other location data, thereby preserving greater data privacy by limiting the amount and type of location data collected about individual app users. This and other potentially relevant data is stored on users’ devices, not in a centralized location, where it might be more easily correlated with other data relevant to stopping the spread of COVID-19. Only then could public health authorities use the app to alert individuals that they have potentially been exposed to someone who may have been infected with the coronavirus.

Due to their emphasis on decisional privacy and data privacy, “the [U.S.] COVID-19 apps in operation today are underpowered and undersubscribed.” In short, contact tracing apps in the United States did not have a negative impact on people’s privacy because they were designed to prioritize decisional privacy. Though private entities may have been able to require employees or customers to use contact tracing apps (even ones with more effective, data-intensive options), public sentiment would likely be against it.

IV. Vaccines, Data, and Privacy

According to public health officials, if a large enough percentage of the U.S. population receives a COVID-19 vaccine then “herd immunity” will stop the spread of the virus. The vaccination program generates a tremendous amount of new data in the form of digital records of every vaccination. To date, no level of government in the United States has required every resident in its jurisdiction to receive a COVID-19 vaccine. The lack of a government-enforced vaccine mandate prioritizes decisional privacy. In preserving decisional privacy, efforts at achieving herd immunity use personal data from other sources to target populations with lower vaccination rates.

In the absence of vaccine mandates from governments, privacy considerations play an important role not only in administering vaccines but also in communicating vaccine status to help communities reopen without COVID-19-related limitations. Current activities relating to vaccine administration, vaccine mandates, and vaccine passports all raise interrelated decisional privacy and data privacy issues. From one perspective, an individual’s vaccination status constitutes personal healthcare information. But information about vaccine status is also relevant to public health authorities working to end a pandemic. Considering the strong protections for healthcare information under U.S. law, the COVID-19 vaccination program must operate with careful attention to data privacy issues.

State, federal, and tribal programs have made COVID-19 vaccines widely available across the United States. Vaccination rates, though, vary greatly across sensitive demographic criteria such as race and income levels. Persons of color have suffered higher mortality rates from exposure to the coronavirus than white Americans. Efforts to address these disparities involve consideration of at least two types of sensitive personal information—ethnicity and medical information. From a privacy best practices perspective this may constitute a new instance of data processing and therefore would necessitate a reexamination of the privacy risk for the individuals potentially affected.

The case of Stanford Medical Center highlights how a proposed vaccine distribution system could have exacerbated the disparate racial and social impact of COVID-19. The Stanford Medical Center proposed a vaccine distribution formula that prioritized age as a risk factor. The result was a proposed distribution schedule that deprioritized vaccinations for front-line healthcare workers, often the group that has the highest percentage of medical professionals who happen to be people of color.

Private employers and educational institutions have issued vaccine mandates. Decisional privacy is less of a legal issue in these established relationships because individuals lose some privacy protections to receive the benefits of employment or a formal education. In many contexts employees and students must submit themselves to drug testing as a condition of their employment or education, thereby limiting the number of otherwise legal substances they might consume. Employees and students might choose to limit their communications because technology use policies grant employers and schools access to electronic communications that would be considered private in other contexts. In the same vein, nothing under federal law prevents “an employer from requiring all employees physically entering the workplace to be vaccinated for COVID-19.” If an employer imposes such a vaccine mandate the Equal Employment Opportunity Commission cautions that information about an employee’s COVID-19 vaccination is confidential medical information under the Americans with Disabilities Act. This information “must be kept confidential and stored separately from the employee’s personnel files.”

Consistent with privacy best practices, the separate storage of employees’ COVID-19 information calls for a reexamination of the privacy risks for at least two reasons. For many employers, this may be a new type of data. Employers who do not typically collect medical information will have to set up data governance separate from employees’ personnel files to collect and store vaccination information. Some vaccine data repositories run by states have extensive policies and safeguards, such as de-identification and privacy audits, to help protect people’s privacy interests. Employers who fail to institute similar policies and safeguards may adversely impact their employees’ privacy interests.

Additionally, vaccination rates have not been equal across protected classes under the federal employment laws. The EEOC cautions that a vaccine mandate from an employer may have a discriminatory disparate impact. Personnel files often contain information about employees’ age, race, color, religion, sex, or national origin. But because vaccine information must be kept confidential and stored separately from personnel files, an employer may not be able to correlate the two data sets to determine if in fact a vaccine mandate is having a disparate impact. These circumstances essentially pit privacy protection against discrimination avoidance. Employers with vaccine mandates can make reasonable accommodations or offer incentives aimed at limiting the potential discriminatory impact of the vaccine mandate, but the potential privacy impact of the proliferation of new data sets remains.

From a privacy perspective vaccine mandates are effectively a single exchange of data. An employee, for example, delivers proof of vaccination once and the employer makes a record of that event. Privacy protections apply to that single data record. Vaccine passports, though, are not limited to a single exchange of data. They require people to demonstrate their vaccination status to entities with whom they do not have established relationships. Privacy protections, therefore, need to cover any records created from each of these data exchanges.

The easiest way to protect privacy while proving vaccine status is to have no record of the data exchange. The entity that administers each vaccine provides recipients with a physical COVID-19 Vaccination Record Card (“Vaccine Card”). Just as a person might present her ID to a bouncer at a bar who visually inspects but does not retain it, so might she present her Vaccine Card and a form of identification for visual inspection by someone at the entrance to an establishment requiring vaccination. The establishment keeps no record of this data exchange. In this way the physical Vaccine Card serves as a vaccine passport.

This approach to vaccine passports has several drawbacks. Vaccine Cards are too large for most wallets and medical experts advise against laminating them. Additionally, official Vaccine Cards can be difficult to replace. For these reasons, people are reluctant to carry their Vaccine Cards around with them. Physical Vaccine Cards are easy to forge. Establishments, therefore, have reason not to trust them. Digital vaccine passports address many of these concerns, but also have the potential to create a new data set—records of where someone presented a digital vaccine passport. This proliferation of data means that digital vaccine passports have potentially significant privacy implications.

New York’s Excelsior Pass program serves as a useful example. Built on IBM’s Digital Health Pass technology, Excelsior Pass’s privacy-protecting features include decentralized data storage and data minimization. When scanned at an establishment, “the Excelsior Pass Scanner app collects analytics about the type of Pass and the result of the scan. No personal information from Passes is collected or stored.”

Policy makers have weighed these privacy concerns against the social and public health need to end the COVID-19 pandemic. Some states, like New York, believe that their vaccine passport programs will produce public health benefits that outweigh the privacy impacts. New York’s program has taken particular steps to address data privacy risks. Other states like Montana and Arkansas find the privacy costs of vaccine passports too great to bear, even considering the continued social and public health impact of the pandemic.

V. Conclusion

As long as COVID-19 is part of daily life in the United States, choices balancing privacy and public health will need to be made. Only time and history will judge if the privacy impact of certain policies outweighed the public health consequences. New data related to the virus, its treatment, and policy outcomes will continue to be generated. Additionally, technologies that helped approximate in-person interactions have created new data streams. The privacy impact from this new data remains to be seen.

The views and opinions expressed in this survey are those of the author in his individual capacity, and do not reflect the opinions, policies, or positions of any of his employers or affiliated organizations or agencies.
