Privacy in the Age of Contact Tracing: An Analysis of Contact Tracing Apps in Different Statutory and Disease Frameworks
University of Pennsylvania Journal of Law and Innovation, Vol. 5, 2021
58 Pages Posted: 16 Jun 2021 Last revised: 3 Jul 2022
Date Written: April 8, 2021
The Covid-19 pandemic is a historic pandemic that has affected the lives of virtually everyone on the globe. One approach to slowing the spread of the disease is to use contact tracing, facilitated by our internet-connected smartphones. Different nations and states have partnered to develop a variety of contact tracing apps that use different technologies and architectures.
This paper investigates how five contact tracing apps—Germany’s Corona-Warn-App, Israel’s HaMagen, North Dakota’s Care19 Diary and Alert apps, and India’s Aarogya Setu—fare in privacy-oriented statutory frameworks to understand the design choices and public health implications shaped by these statutes. The three statutes—the Health Insurance Portability and Accountability Act, the California Consumer Privacy Act, and the European Union’s General Data Protection Regulation—provide different incentives to app developers across eight categories of design choices: notice and consent, consent requirements for medical data disclosed to third parties, location identifying technologies, data profiles and data collection, minimizing data categories collected, data sale and sharing with non-research third parties, third party and researcher access to data, and affirmative user rights. Each framework balances incentives to app developers with the need for governments to cater to pressing emergencies like public health needs. Some of the incentives in each framework end up favoring less privacy-protective design choices, whereas other provisions make it harder for public health authorities to flexibly respond to crises.
Finally, this paper investigates how these frameworks would fare with different disease variables, by applying the analysis above to three different diseases that could require contact tracing: SARS, Ebola, and HIV. Our conclusion is that the disease variables themselves will affect whether the balance tilts towards public health or privacy, and that the statutes give varying levels of flexibility to cater to more pressing emergencies.
Keywords: Contact Tracing, Privacy, Covid-19, Health Technology
Suggested Citation: Suggested Citation