Privacy In The Time of COVID-19: Engendering Customer Trust When Governments Ask For Smartphone And Other Data To Track Virus Activity
With the advent of COVID-19, countries around the world are facing a novel challenge that affects them in unprecedented ways economically, socially, and otherwise. From a public health perspective, now perhaps more than ever before, authorities are interested in understanding more about the movement patterns of those within their borders, including where certain individuals have traveled to, who they have met with, and where they are located now. Matching this data with at-risk or potential carriers could provide a very valuable tool in the fight against COVID-19.
1. Governments want access to smartphone and other data to combat COVID-19
Governments across the world are already using, or are seeking to use, data to identify potential carriers of COVID-19 and vulnerable populations, and to track the movements of individuals within their borders as well as access to certain goods and services.
Current tracking examples at the time of writing include:
• U.S. – The CDC and the White House are in talks with large tech companies to give them access to at least smartphone location data. Exactly what data may be shared is not clear at this time.
• South Korea – Publishing movements of individuals before they were diagnosed with COVID-19.
• Singapore – Hosted website that provides gender, age and occupation of COVID-19 patients and recent travel locations.
• Japan – Certain data regarding locations visited by COVID-19 patients released, including which gyms, restaurants, and hospitals they visited.
• Germany – Europe’s largest telecommunications company has handed over data to a company assisting the German government. This data may be anonymous and aggregated.
• Italy – Mobile carriers have at least offered extensive aggregated data to be used to track movements of individuals.
2. Types of data governments will access or are accessing for this purpose
The types of data that governments will access or are accessing are not known in all cases. In the case of South Korea, it has been reported that at least GPS data from phones, as well as credit card records, surveillance video and in-person interviews, were used. Other countries will take their own approaches based on what they deem appropriate and on their own laws. Given the types of data available, we can expect that countries could access at least:
• GPS location data
• Data from apps and services that allow them to determine if or when specific populations or individuals have been physically near other populations or individuals, as well as data that allows for discerning who has been communicating with whom to determine potential future movement patterns.
• Purchase data to assess where goods and services are being consumed, and thus inform supply chain considerations.
• Data from apps and services to ascertain concentrations of potentially at-risk populations.
3. Customer trust will become more important than ever before
Companies that collect data from their customers depend on customers trusting their policies, procedures and commitments regarding the collection, use, storage, and transfer of customer data. Beyond specific statutory requirements, which will vary on a jurisdictional basis, all companies are effectively asking their customers to trust them with their data when customers provide it through any mechanism, whether that may be allowing another company to transfer it, providing it to the company via an interactive web form, or using apps or services that collect data in the background while running.
4. Recommended steps to engender customer trust
• Customers want to know and understand what data is being collected about them. Many jurisdictions already have laws that require these types of disclosures in different forms. In this sensitive environment, ensuring that these disclosures are accurate, updated and easy to understand is more important than ever.
• Consider whether anonymized or aggregated data could serve the purpose of the requested data transfer. Customers are likely to be much more sensitive to data transfers that identify them as individuals. Companies should consider if data that cannot be used to identify individuals will suffice for the requested purpose.
• Inform your customers as to your data sharing arrangements as the situation develops. Customers prefer to hear from companies they trust directly. Beyond a privacy policy, consider releasing a statement regarding your data sharing practices as the situation develops and where it is permissible to do so.
• Explain to customers how your data sharing arrangements are assisting in the fight against COVID-19. Where possible consider informing your customers how sharing their data with governmental authorities is assisting with the fight against the virus.
• Continue to provide updates regarding your sharing practices relevant to COVID-19. Sharing the types of data outlined above with governmental authorities may not be common practice in your jurisdiction, and customers may have the expectation that your sharing practices will be limited to that which is necessary and relevant to fight the current COVID-19 crisis. Consider providing periodic updates regarding your practices in this area and how and when decisions will be made to return to normal, pre-existing practices.
We will continue to monitor developments with this situation as it evolves. If you have any questions as to how this could affect your situation, please contact the team at Mintz.