Privacy in the Age of Contact Tracing: An Analysis of Contact Tracing Apps in Different Statutory and Disease Frameworks

University of Pennsylvania Journal of Law and Innovation, Vol. 5, 2021

58 Pages Posted: 16 Jun 2021 Last revised: 3 Jul 2022

See all articles by Christopher S. Yoo

Christopher S. Yoo

University of Pennsylvania Carey Law School; University of Pennsylvania - Annenberg School for Communication; University of Pennsylvania - School of Engineering and Applied Science

Apratim Vidyarthi

University of Pennsylvania Carey Law School

Date Written: April 8, 2021

Abstract

The Covid-19 pandemic is a historic pandemic that has affected the lives of virtually everyone on the globe. One approach to slowing the spread of the disease is to use contact tracing, facilitated by our internet-connected smartphones. Different nations and states have partnered to develop a variety of contact tracing apps that use different technologies and architectures.

This paper investigates how five contact tracing apps—Germany’s Corona-Warn-App, Israel’s HaMagen, North Dakota’s Care19 Diary and Alert apps, and India’s Aarogya Setu—fare in privacy-oriented statutory frameworks to understand the design choices and public health implications shaped by these statutes. The three statutes—the Health Insurance Portability and Accountability Act, the California Consumer Privacy Act, and the European Union’s General Data Protection Regulation—provide different incentives to app developers across eight categories of design choices: notice and consent, consent requirements for medical data disclosed to third parties, location identifying technologies, data profiles and data collection, minimizing data categories collected, data sale and sharing with non-research third parties, third party and researcher access to data, and affirmative user rights. Each framework balances incentives to app developers with the need for governments to cater to pressing emergencies like public health needs. Some of the incentives in each framework end up favoring less privacy-protective design choices, whereas other provisions make it harder for public health authorities to flexibly respond to crises.

Finally, this paper investigates how these frameworks would fare with different disease variables, by applying the analysis above to three different diseases that could require contact tracing: SARS, Ebola, and HIV. Our conclusion is that the disease variables themselves will affect whether the balance tilts towards public health or privacy, and that the statutes give varying levels of flexibility to cater to more pressing emergencies.

Keywords: Contact Tracing, Privacy, Covid-19, Health Technology

Suggested Citation

Yoo, Christopher S. and Vidyarthi, Apratim, Privacy in the Age of Contact Tracing: An Analysis of Contact Tracing Apps in Different Statutory and Disease Frameworks (April 8, 2021). University of Pennsylvania Journal of Law and Innovation, Vol. 5, 2021, Available at SSRN: https://ssrn.com/abstract=3861268

Christopher S. Yoo

University of Pennsylvania Carey Law School ( email )

3501 Sansom St.
Philadelphia, PA 19104-6204
United States
(215) 746-8772 (Phone)

HOME PAGE: http://www.law.upenn.edu/faculty/csyoo/

University of Pennsylvania - Annenberg School for Communication ( email )

3620 Walnut St.
Philadelphia, PA 19104-6220
United States
(215) 746-8772 (Phone)

University of Pennsylvania - School of Engineering and Applied Science ( email )

3330 Walnut St.
Philadelphia, PA 19104-6309
United States
(215) 746-8772 (Phone)

Apratim Vidyarthi (Contact Author)

University of Pennsylvania Carey Law School ( email )

New York City, NY
United States

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
161
Abstract Views
1,456
Rank
373,736
PlumX Metrics