By: David Galpern, Rutgers Law School Class of 2023
As states continue to try and find innovative approaches to combat COVID-19, robust contact-tracing programs have become a focus of many state health departments. And to help undertake this monumental effort, many states are now turning to contact-tracing apps to assist them in locating and notifying people who may have been exposed to the virus. Large tech companies are lending their support as well; a number of states, including Virginia and Pennsylvania, have recently launched official COVID-19 contact tracing apps, using software jointly developed by both Google and Apple that uses Bluetooth signals from a user’s phone to track close encounters with COVID-positive people.
However, a critical limitation of these apps is that in order to be effective, they have to be widespread in use among the target population. And for many officials, that is proving to be a daunting task. Privacy concerns have severely limited many state and city health department efforts to institute comprehensive contact tracing, especially among immigrant groups fearful that the information they give could lead to potential ICE enforcement actions. In fact, here in New Jersey, contact tracers have only been successful in reaching out to 64% of reported cases, and only 53% of reported contacts. Contact tracing apps have faced similar difficulty, especially in the wake of sweeping data privacy legislation such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Norway made headlines when in June, the Norwegian Data Protection Authority temporarily suspending the use of its contact tracing application, citing its “highly invasive” intrusion on users’ privacy. And in South Carolina, lawmakers prohibited the state from using contact tracing apps due to privacy concerns, forcing the State health department to stop its roll-out of an app.
This conflict between the government’s need to efficiently locate and notify people who may have been exposed to the virus, and the public concerns for their personal privacy, has compelled many states to adopt legislation regulating what information these apps can collect and how they may use it. Here in New Jersey, Assemblyman Andrew Zwicker (D-Middlesex) introduced legislation (A4170/S2539) that would require any public health entity or third party entity contracted to conduct contact tracing to adhere to certain data privacy practices. These include ensuring the data is de-identified and deleted no more than 90 days after receipt, restricting the use of this data for only contact tracing or research purposes (as well as other purposes related to the State’s COVID-19 response), and attestations that the personal data will not be re-identified. The bill also institutes civil penalties for violations of its provisions. This bill passed the full Assembly by a vote of 55-18 on July 30th, 2020, and now must be voted on in the Senate Health, Human Services and Senior Citizens Committee before it can move to the Senate floor.
Unprecedented crises like COVID-19 require everyone, from public health officials, to government leaders, to giants of tech, to work together and come up with innovative solutions to address problems they may have never seen before. But as state and local leaders begin to turn to technology as a way to enhance their efforts in combatting the virus, solutions to substantial data privacy issues must be addressed to prevent future misuse of personal information and ensure residents feel safe in using the apps. Just as importantly, as we as a nation begin to move beyond this crisis, conversations need to continue about the correct way to protect sensitive health information as we further evolve into a society dominated by technology.