Data Privacy

Ellie Soskin, MJLST Staffer

As COVID-19 cases continue to surge, states have ramped up containment efforts in the form of mask mandates, business closures, and other public health interventions. Contact tracing is a vital part of those efforts: health officials identify those who have been in close contact with individuals diagnosed with COVID-19 and alert them of their potential exposure to the virus, while withholding identifying information. But traditional contact tracing for a true global pandemic requires a lot of resources. Accordingly, a number of regions have looked to smartphone-based exposure notification technology as an innovative way to both supplement and automate containment efforts.

Minnesota is one of the latest states to adopt this approach: on November 23rd, the state released “COVIDaware” a phone application designed to notify individuals if they’ve been exposed to someone diagnosed with COVID-19. Minnesota’s application utilizes a notification technology developed jointly by Apple and Google, joining sixteen other states and the District of Columbia, with more expected to roll out in the coming weeks. The nature of the technology raises a number of complex concerns over data protection and privacy. Additionally, these apps are more effective the more people use them and lingering questions remain as to compliance and the feasibility of mandating use.

The joint Apple/Google notification software used in Minnesota is designed with an emphasis on privacy. The software uses anonymous identifying numbers (“keys”) that change rapidly, does not solicit identifying information, does not provide access to GPS data, and only stores data locally on each user’s phone, rather than in a server. The keys are exchanged via localized Bluetooth connection operating in the background. It can also be turned off and relies wholly on self-reports. For Minnesota, accurate reports come in the form of state-issued verification codes provided with positive test results. The COVIDaware app checks daily to see if any keys contacted within the last 14 days have recorded positive test results. Minnesota policymakers, likely aware of the intense privacy concerns triggered by contact tracing apps, have emphasized the minimal data collection required by COVIDaware.

The data privacy regulatory scheme in the United States is incredibly complex, as there is no single unified federal data protection policy. Instead, the sphere is dominated by individual states. Federal law enters into the picture primarily via the Health Insurance Portability and Accountability Act (“HIPAA”), which does not apply to patients voluntarily giving health information to third parties. In response to concerns over contact tracing app data, multiple data privacy bills were introduced to Congress, but even the bipartisan “Exposure Notification Privacy Act” remains unpassed.

Given the decentralized nature of the internet, applications tend to be designed to comply with all 50 states’ policies. However, in this case, state-created contact tracing applications are designed for local use, so from a practical perspective states may only have to worry about compliance with neighboring states’ data privacy acts. The Minnesota Government Data Practices Act passed in 1974 is the only substantive Minnesota state statute affecting data collection and neighboring states’ (Wisconsin, Iowa, North Dakota, and South Dakota) laws have similarly limited or dated schemes. In this specific case, the privacy-focused Apple/Google API that forms the backbone of COVIDaware and the design of the app itself, described briefly above, likely keep it complaint. In fact, some states have expressed frustration at the degree of individual privacy afforded by the Apple/Google API, saying it can stymie coordinated public health efforts.

Of course, one solution to even minimal data privacy concerns is simply not to use the application. But the efficacy of contact tracing apps depends entirely on whether people actually download and use them. Some countries have opted for degrees of mandatory use: China has mandated adoption of its contact tracing app for every citizen, utilizing unprecedented government surveillance to flag individuals potentially exposed, and India has made employers responsible for ensuring every employee download its government-developed contact tracing app. While a similar employer-based approach is not legally impossible in the United States, any such mandate would be legally complex, and anyone following the controversy over mask mandates should instinctively recognize that a mandated government tracking app is a hard sell (to put it lightly).

But mandates may not even be necessary. Experts have emphasized that universal compliance isn’t necessary for an app to be effective: every user helps. Germany and Ireland have not mandated use, but have download rates of 20% and 37% respectively. Some have proposed small, community-focused launches of tracking apps, similar to successful start-ups. With proper marketing and transparency, states need not even enter the sticky legal mess that is mandating compliance.

Virtually every policy response to COVID in the United States has been met with heated controversy and tracking apps are no different. As these apps are in their infancy, legal challenges have yet to emerge, but the area in general is something of a minefield. The limited and voluntary nature of Minnesota’s COVIDaware app likely places it out of the realm of significant legal challenges and significant data privacy concerns, at least for the moment. The general conversation around contact tracing apps is a much larger one, however, and has helped put data privacy and end user control into the global conversation.