Can the universal right to personal data privacy be upheld through the COVID-19 pandemic?- Part 1

This commentary was originally written for a course at Yale-NUS College on human rights.

Zwitter and Gstrein introduce the perspective of governments and lawmakers during the COVID-19 pandemic: “Right now, the temptation is very strong to do whatever is necessary” (Sevastopulo et al. 2020 qtd. in Zwitter and Gstrein). After a year of grappling with the pandemic, this is an accurate, if slightly vague, description of the global mindset. Society must do whatever is necessary to reduce infection, improve quality of healthcare, and keep the global economy from collapsing. Yet this begs the question: how do we deem what resources or privileges are necessary? For instance, are pre-existing rights like data privacy or freedom of movement still necessary despite COVID-19? And if these freedoms are overshadowed by the right to healthcare, it is worth investigating the extent to which they can be protected by human rights institutions and national policymaking. These questions are particularly au courant given the rise of location tracing apps, which allow governments to trace local infections. Thus I investigate: Can the universal right to personal data privacy be upheld in context of the COVID-19 pandemic? I argue: the basic provision of location and healthcare data trumps personal autonomy due to the severity of the health concerns posed by COVID-19. Nonetheless, governments and public health institutions must account for privacy and ethical concerns by restricting data use to healthcare purposes, creating robust mechanisms against data breaches/misuse, and customising apps to country needs.

To discuss the conflict between rights, it is worth examining the theoretical background of the rights to public health and personal data privacy individually. The gravity of good health has been documented across human rights literature, including the UDHR, CEDAW, ICESCR and ICERD. Most prominently in 1948, Article 25 of the Universal Declaration of Human Rights (UDHR) outlines the importance of a universal minimum standard of health: “Everyone has the right to a standard of living adequate for the health and well-being of himself and of his family, including food, clothing, housing and medical care and necessary social services” (UDHR). The United Nations reinforced this in 1966, via Article 12 of the International Covenant on Economic, Social and Cultural Rights (ICESCR), via the right to “ [enjoy] of the highest attainable standard of physical and mental health”, including “prevention, treatment and control of epidemic, endemic, occupational and other diseases” (ICESCR). This specification is relevant to the pandemic, as it clarifies the state’s responsibility to protect citizens from contracting COVID-19 via vaccination/isolating positive patients/imposing social distancing, and to provide existing patients with healthcare to regain their “highest attainable standard of physical and mental health”. And despite the gaps in treating COVID-19 (high mortality rates, vaccine shortages, inability to stem global spread of infection), the pandemic is inextricably linked to the universal right to health. On the other hand, the right to personal data privacy is a little murky. The concept of digital privacy and its rights can be broadly subsumed under Article 12 of the UDHR, which asserts that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation” (UDHR). While it doesn’t refer directly to digital rights (owing to the lack of “digital” in 1948), the concept of contact tracing apps can be linked to an “arbitrary interference with privacy.” Data rights have been better documented in recent national and state regulations like Europe’s General Data Protection Regulation (GDPR), California Consumer Protection Act (CCPA) and Singapore’s Personal Data Protection Act (PDPA) etc. These address issues on electronic and non-electronic personal data (including location and medical data) usage by businesses and governments, and potential breaches and misuse. Thus, we obtain a concrete overview of the historical backgrounds of both rights.

While these rights could have remained mutually exclusive, COVID-19 directly juxtaposes them. The very success of healthcare depends upon a government’s ability to track and break the chain of infection, thereby challenging an individual’s right to withhold geographical or medical information. Yet many states have enacted methods of contact tracing and enforced movement controls. This forms our first argument: the basic provision of healthcare and location information overrides an individual’s personal autonomy. But how is this justifiable? This state perspective can be explained via both a theoretical lens (dealing with rights legislation) and a practical lens (involving real-life legal cases in the United States). The theoretical lens demands a deeper analysis of human rights literature and the effects of COVID-19. Specifically, the spread of infection does not merely threaten the universal minimum standard of health in Article 25 of the UDHR. Rather, it is inherently linked to a host of other basic human rights including the rights to life (Article 3 UDHR, Article 6 ICCPR), liberty of movement (Article 12 ICCPR), safe working conditions (ICESCR Article 7), and an adequate standard of living including food, clothing and housing (Article 11 ICESCR). While these rights are all technically deemed “universal”, Zwitter and Gstrein point out a catch: the concept of non-derogation (Zwitter and Gstrein). As they note, Article 4 of the ICCPR allows states to take measures to derogate any “obligations” in situations which officially threaten the life of the nation EXCEPT the rights to life, recognition, freedom of thought/speech/religion and freedoms from torture/ punishment /slavery/ unlawful imprisonment (ibid). These rights remain inviolable regardless of the emergency (ibid). In this case, COVID-19 is a global pandemic, and a situation which threatens the life of the nation. So we understand that in context of a public health crisis like COVID-19, international human rights documentation would permit states to temporarily derogate rights to data privacy and personal autonomy in favour of the right to life (ibid). Thus, we are able to largely justify the broad existence of contact tracing efforts from the theoretical perspective.

This theoretical argument can also be seen in practice by legislation like the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA) in the US. Here it is important to note that my research question addresses both personal location and medical data like temperatures or symptoms, as diverse contact tracing efforts across the world often require different types of information. The HIPAA was created by President Clinton in 1996, in order to protect citizens’ private healthcare information (PHI) while interacting with public health institutions, government and insurance agencies (HHS, “Summary of the HIPAA Security Rule”). While enacted with good intention, HIPAA proved to be a hurdle in the midst of COVID-19 in 2020; it prevented state and local health departments from providing updated infection data and analytics for government use, due to lack of permission from individual patients (Shatzkes et al, “HHS Further Relaxes HIPAA Regulations Governing Use and Disclosure of Protected Health Information During the COVID-19 Public Health Emergency”). It also prevented practitioners from providing consultations via telehealth apps, as video chats may violate the HIPAA Privacy Rule requirements (ibid). This became a classic illustration of the aforementioned conflict between individual data privacy rights and the right to quality medical care which requires data analytics and telehealth apps. In April 2020, however, the US Department of Health and Human Services (HHS) announced two discretionary measures which would relax the Privacy Rule in the interest of public health (ibid). This included waivers on sanctions/penalties for healthcare providers who did not obtain the patient’s permission before discussing conditions with family; good faith disclosures of PHI without patient consent for public health activities; and good faith usage of videos for telehealth services related to COVID-19 (ibid). While the exemption isn’t permanent, it serves another critical role in this debate. It highlights the counterargument for prioritising privacy over good medical care, and notes the logistical issues that a government might face while entertaining this request. And so, we grasp the true impact of withholding information on a range of complex healthcare procedures for COVID-19: from governments being unable to locate the close contacts of patients, to researchers being unable to advance vaccine research in laboratories. Hence, our first argument is supported by both the theoretical and state perspectives.

A last viewpoint to consider would be that of the citizen: the average Joe who has to decide between providing information to government agencies for crisis management and retaining their privacy. This is partially captured in the class action lawsuit Stasi v. Inmediata Health Group. Corp which addressed CCPA in March 2020 (Mork et al, “The California Consumer Privacy Act (“CCPA”) – 2020 Year in Review”). The CCPA is the US’ first concrete set of data privacy laws which came into force in January 2020; it regulates how global businesses can use the personal information of California residents, and enables the citizens themselves to opt out of information provision (ibid). In this case, Inmediata Health Group is a company providing health records and billing technology to hospitals (ibid). It accidentally disclosed the personal health information (PHI) of 1.5 million users on the internet (Bryan, “Denied! Federal Court Allows Claims to Proceed Concerning Wide Scale Data Breach”). Even though this was not all COVID-19 related data, the plaintiffs’ argument was a close representation of our counterargument: citizens may not wish to disclose private health records in the fear of data breaches or unauthorized usage (ibid). According to research from analytics firm Protenus, American health data breaches rose by 42% in 2020 from 2019 (Protenus, “Health Data Breaches Skyrocket During COVID-19 Pandemic”). This makes the threat of medical data leaks a valid concern from the citizen’s point of view. MacDonald from the Centre for International Governance Innovation adds to this, “The use of mobile phone network data [..] creates very granular, real-time targeting opportunities, which is dangerous for a number of reasons — as an illustration, in Israel, the government has said it will use location data to impose quarantine as a “requirement” that the government will enforce “without compromise” (Macdonald, “The Digital Response to the Outbreak of COVID-19”). While the initial ruling in Stasi v. Inmediata Health Group. Corp asserted that the CCPA did not cover medical information, it acknowledged the violation of other privacy acts. More importantly, this case uncovered a discrepancy in data privacy laws as the CCPA was not in line with the broader national HIPAA law. The gap was corrected in October 2020, aligning the CCPA with HIPAA (including aforementioned exemptions in light of COVID-19) (Reilly, “California Harmonizes CCPA, HIPAA But Providers Still Face Obligations”). Hence, healthcare information across the US is uniformly subjected to the same regulations and exemptions under COVID-19; thereby acknowledging the importance of preventing data breaches while providing the government with maximum potential data (ibid).

This commentary is continued in the following post- Can the universal right to personal data privacy be upheld through the COVID-19 pandemic?- Part 2