Data privacy laws collide with contact tracing efforts; privacy is prevailing

NEW YORK (Thomson Reuters Regulatory Intelligence) -

Photo caption: The startup screen of the Swisscovid contact tracing application of Switzerland, which uses Bluetooth and a design called Decentralised Privacy-Preserving Proximity Tracing (DP-3T) to ease the lockdown caused by the coronavirus disease (COVID-19) outbreak, is seen in this illustration taken June 24, 2020.

Data privacy and personal information protection have become top priorities of lawmakers, regulatory bodies, businesses, and individuals in recent years. Now, however, experts fear that the widespread rollout of “contact-tracing” applications to fight the COVID-19 pandemic could derail decades of progress in privacy laws. Yet the new laws might have the opposite effect over the longer term by raising overall awareness of data privacy.

As firms prepare for employees to return to offices, senior managers and compliance and legal departments are grappling with a complex legal landscape. Actions intended to protect employees may also violate various privacy regulations. Furthermore, overarching questions about the efficacy of such new apps in containing the pandemic indicate that data privacy regulations are not about to fall by the wayside.

Below is an overview of the challenges associated with data privacy, the implications for efforts to fight the pandemic, and guidance for legal and compliance professionals.


When it comes to privacy, the list of laws, rules, and regulations is extensive and dates back several decades. Specific to health and employment regulations, the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the rules of the U.S. Department of Labor's Occupational Safety and Health Administration (OSHA) are the most significant. OSHA has recently published several resources related to the COVID-19 pandemic and workplace-related issues.

The Americans with Disabilities Act (ADA) and state-specific versions of the law generally prohibit employers from disclosing confidential medical information regarding an employee, which includes the employee's identity.

The Equal Employment Opportunity Commission (EEOC) announced in guidance on April 22 that employers will be allowed to test employees for COVID-19 before entering a worksite without running afoul of the ADA. But the EEOC stated that employers must maintain all information about employee illness as a confidential medical record in compliance with the ADA.

Newer data privacy laws, such as the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and New York's Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), have been at the forefront of priorities for legal and compliance departments at virtually all businesses in the past couple of years.

Despite the absence of an overarching federal data privacy regulation in the U.S., several states besides California have forged ahead, creating a complex patchwork of regulations.

On the heels of that push, several states, with the help of technology giants Google and Apple, were also quick to roll out technology to track and control the spread of the coronavirus. The apps were described as voluntary and anonymous, based on Bluetooth tracking technology. Critics have voiced concerns that they could set back years of regulatory efforts with a flood of privacy-compromising data.


Low participation rates, privacy concerns, and technology glitches have plagued the rollout of similar tracing apps around the world.

South Carolina was among the states that quickly rolled out contact-tracing apps, but privacy concerns halted tracking efforts by its health department. A coronavirus pandemic spending bill adopted by the state forbade public health officials from using contact-tracing apps on cellular devices.

Other states have taken a “wait-and-see” approach as some have struggled with poor adoption rates and technology glitches.

Norway was an early adopter, when it rolled out its coronavirus contact-tracing app in April. However, in June, the Norwegian Data Protection Authority ordered the Norwegian Institute of Public Health to suspend the app’s use and delete all data collected by the technology. The Data Protection Authority said the app presented a disproportionate risk to privacy given low download rates, estimated at less than 15 percent of individuals over the age of 16.

Norway’s move came after Lithuania halted its use of a similar app for suspected violations of EU privacy rules.

The conflict between the Norwegian agencies was viewed as a watershed event by many privacy experts and advocates, as privacy prevailed over public health concerns. Additionally, it bolstered the view that contact-tracing apps are ineffective unless public participation rates exceed 50 percent.

When Singapore rolled out a similar initiative called "TraceTogether," only one-fifth of the population agreed to download it, too few to be effective.


Corporations also have moved cautiously, and are assessing their options and obligations to their employees surrounding workplace safety.

Debates have emerged on mandatory testing (for COVID-19 and antibodies), temperature monitoring, attestations, vaccinations (when available), and contact-tracing for employees. Privacy and employment attorneys agree that the issues raise “very complex” legal questions covering many rules, regulations, and laws.

Cynthia Cole, special counsel in the Palo Alto technology practice at the law firm Baker Botts, said “contact-tracing apps have been portrayed as anonymized, deletable, and non-violating of existing privacy laws. However, the jury is still out on that.”

Cole told Regulatory Intelligence there are significant and multi-faceted concerns in moving forward with this technology. “It could lead to bias in its application and involuntary surveillance, and questions as to who holds the data remain — the government or a private company — and whether the data and the process itself are auditable. There must also be some system for deleting the data, but it is not clear how that would be enforced,” she said.

Despite the emergency nature of the pandemic, Cole said, “privacy laws such as CCPA and the SHIELD Act still apply.”

“Employers should have a full understanding of what information is being collected, the reason for collecting it, where it’s being stored, who has access to it, and how it will be used,” Cole said.


As companies plan and contemplate reopening offices, there is a long list of well-intentioned considerations to ensure a safe and healthy workplace. Some considerations are simple and raise few concerns from a privacy or legal standpoint. Others are not as clear cut and could open companies to potential litigation and/or violations of regulations or laws.

The lawyers at Baker Botts and many other firms have published recommendations and best practices to consider when reopening offices. Areas for consideration include: the use of health declarations and questionnaires, thermal screening or temperature-taking, and manual and technological contact-tracing.

Several regulators and law enforcement agencies, including the FBI, have reported an increase in cyber attacks amid the pandemic. Therefore, firms should be mindful not to lower any technology requirements or safeguards, particularly those protecting personal privacy.

Employers must be mindful of laws prohibiting discrimination based on race, color, national origin, and other protected classifications. They should administer testing consistently and avoid discriminatory use.

Companies must clarify the purpose for collecting data from those being tested and tailor the collection to that purpose.

There should be strict prohibitions on the use of any personal data gathered for any other purpose than COVID-19-related health and safety purposes. The data collected should be carefully protected with a plan of disposal when it is no longer needed to fight the pandemic.

Contact-tracing of employees should not be obligatory. Any use of third-party tracing apps should be voluntary, with the risks adequately disclosed. Many apps have not been entirely vetted for compliance with applicable privacy laws. According to Baker Botts, the liability and exposure terms in the agreements to use third-party apps are extremely important, as many contain virtually no protection for the end-user or the company.

Other data privacy concerns include transparency about the purpose of collecting information, the retention period, safeguarding the data, restricting access to the data, and employing anonymization techniques.

Returning to work in a safe office will require planning across many parts of an organization. However, contact-tracing is only one of many options. It is perhaps one of the least effective, and it carries the highest potential for data privacy liability as well.

Skeptics who thought data privacy might be shunned or set back as a result of the public health crisis are thus far being proven wrong. The heightened awareness and caution surrounding data privacy indicate that the regulations are here to stay, and new data privacy laws will likely gain momentum in the future.

(Todd Ehret, Regulatory Intelligence. Julie DiMauro of Regulatory Intelligence contributed to this article.)

This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on July 13. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters