TraceTogether App on an I Phone. TraceTogether App on an I Phone. (Stock photo)

The original version of this report was published on the weekly briefing What’s Next

As countries grapple with the global threat of COVID-19, some are leveraging user location data and tracking apps to model potential contamination paths. China has tapped into its facial recognition tools to track the virus and has deployed drones that tell people to wear masks. Singapore has launched an app called TraceTogether which uses Bluetooth to determine who could be at risk of infection. And the United Kingdom is reportedly in talks with telecom providers on how to best use location data to stem the crisis.

But the coronavirus turning the world upside down does not mean companies can throw out the General Data Protection Regulation and the California Consumer Privacy Act, as well as other privacy protections. Here’s how law experts and companies can comply with existing legal standards and new norms set by the pandemic.

Sandra Jeskie, Duane Morris’ team lead for the technology, media and telecom industry group, said in an email that businesses under GDPR or CCPA still have to comply with the laws unless the information they are sharing is anonymized or de-identified.

If companies find a new application for users’ personal information, they might have to send out an updated notice. “That notice usually comes in the form [of] a privacy policy and with regard to CCPA, notice must be provided at or before collection of personal information,” she said. “So, to the extent a business previously collected personal information for a specific purpose, as reflected in its privacy policy at the time the information was collected, it cannot use that information for a different purpose without notice to the individual.”


➤➤ Sign up for the What’s Next newsletter here to keep up with the latest news from the intersection of law and technology. 


The GDPR actually has guidance on how personal data can be used in an epidemic or health crisis, said Rohan Massey, who leads Ropes & Gray’s privacy and cybersecurity practice. “That’s a legal basis for processing personal information,” Massey said. “Under the laws we’re seeing drafted and the actions we’re seeing taken, there are certainly mechanisms within the GDPR to facilitate some tracking of personal information. But an epidemic does not give carte blanche to collect and share everything.”

Rohan, who is based in London, said it’s more likely that UK telecoms could potentially share statistically de-identified or pseudonymous information, which mitigates some of the risks of processing that data, but still requires it to be treated as personal data.

He said the bigger challenge is when authorities are asking people to check in with apps at certain times to study the spread of contagion via exact location and correlate with contact or proximity.

“As with a lot of data, there are potentials for huge upsides in being able to track individuals. But there’s also the potential for the dystopian use of such information,” he said.