The town of Westport, Connecticut, is the latest administration to face the challenge of balancing privacy concerns while combating the COVID-19 pandemic. By April 17, 2020, there were 183 confirmed cases of COVID-19 in Westport. For the sake of public health, Westport announced its intent to collaborate with the company Draganfly to use drone technology to monitor social distancing. Draganfly's drones are allegedly able to detect fevers, heart and respiratory rates, and people sneezing and coughing. The drones would aid in the fight against COVID-19 by alerting officials of any locations where crowds were not properly social distancing, using biometric readings to analyze population patterns.
It was a short-lived plan. Westport announced the pilot program in a press release on Tuesday, April 21, 2020. Just two days later on Thursday, April 23, 2020, Westport announced that it would no longer be implementing Draganfly's drone program. The program had drawn harsh condemnation and criticism, including a public protest. The American Civil Liberties Union (ACLU) criticized the drone program, saying that there was no indication as to "who is operating the drones, what data they will collect, or how, or if that data will be stored, shared, or sold." The ACLU also described the drone program as an example of "privacy-invading companies using COVID-19 as a chance to market their products and create future business opportunities." Simply put, the overreach and collection of data with no accountability was incredibly concerning because of the potential for individuals to be personally harassed or targeted. Even though Draganfly claimed it would not use facial recognition technology and Westport said the drones would only be used at public spaces such as beaches, parks, or shopping centers, public opinion regarding the lack of oversight grounded the program.
During the COVID-19 pandemic, we have seen examples of agencies trying to strike the balance between privacy and public health. Certain federal agencies have relaxed privacy standards and their enforcement. For example, the Office for Civil Rights of the U.S. Department of Health and Human Services (OCR) released a bulletin specifying that, during public health emergencies, it would be exercising its discretion regarding enforcement of the HIPAA Privacy, Security and Breach Notification Rules. Although HIPAA's privacy protections remain in effect to protect the privacy of certain health information, the OCR stated that it would not impose penalties for noncompliance with regulatory requirements in connection with the good faith provision of telehealth during the COVID-19 pandemic. Since some third-party audio or video communication might not currently be in strict compliance with HIPAA—e.g., Zoom—the OCR nonetheless determined that the importance of providing accessible healthcare outweighs privacy enforcement.
Ultimately, the issue is that the law and regulations are slow to keep up with advances in technology. This is especially true during times of crisis, where attempts to implement and utilize technology outpace legislation. For COVID-19, this has included the possibility of tech behemoths collecting personal health information in order to track the disease, such as combining travel and location data from smartphones for contact tracing.
Even before COVID-19, the good intentions of law enforcement possibly outran the risk to civil liberties and privacy when hundreds of agencies partnered with Clearview AI to use the company's facial recognition technology and proprietary algorithms to enable the company to search private pictures of individuals on platforms like Facebook to match those pictures with individuals suspected of criminal activity. After the programs became known, some states prohibited law enforcement from using Clearview AI and the company has now agreed to stop sharing its technology with private entities.
Like slowing or preventing infections, all of us can get behind supporting law enforcement in keeping communities safe and holding bad actors accountable. But at what price? And how do we strike a balance between advancement and benefits, while keeping privacy and security in focus? While technology may be implemented with good faith intentions, privacy experts caution the hasty reactionary responses taken during times of crisis. These rushed actions risk the erosion of individual privacy rights and have unintended consequences, which could last even after the COVID-19 pandemic has passed. Although legally permissible, particularly when there are relaxed legal standards, companies should thoughtfully implement such technology and onboard users with a measured approach to privacy.
As Taft's Privacy and Data Security Insights always stresses, it is imperative that companies review and continually take the lead with privacy and reassess their information security and data handling processes. This is especially important during the current COVID-19 pandemic, when the public is scrutinizing whether customer data is adequately protected with the disclosure of health information. Companies should have candid internal conversations about how best to implement legally permissible solutions that protect privacy rights. As companies navigate business challenges resulting from COVID-19, they should consider the following guidelines and principles for their services and products.
- Know the rules. Review and keep current on privacy laws, in order to ensure that data practices are up-to-date and in compliance with applicable law.
- Balance "Can" versus "Should." In the absence of brightline law, companies and cities are best served by seeking out best practices and implementing them, even when not required by law. Often we counsel clients that something may very well be legal, but how does it feel or look to the public? Should we really be doing that? What does this look like?
- Best practices provide a solid foundation. Utilize best practices when handling customer information, while understanding what and how information can be disclosed. This includes providing customers notice of the data use, obtaining consent for such use, and using the minimal amount of information necessary to fulfill the purpose of the collection or processing.
- Build privacy in. A company's services or products should incorporate privacy as a core feature. Rights of privacy should be proactively integrated, rather than reactively inserted, into the services or products.
- No privacy without security. End-to-end security should be incorporated into the company's services or products, ensuring that proper physical and technical safeguards are implemented through the collection, storage, and processing of handled data.
- Use your noggin. And let customers use theirs. Privacy rights and the decisions affecting customer's privacy rights with respect to services or products should not be left to automation or technology. Instead, there should be transparency in allowing customers to exercise judgment on whether to waive any rights.
- Trust, but verify. Oversight and governance should be incorporated into the services or products. Part of this principle includes visibility and transparency for customers, meaning that the company's objectives are clearly stated and upheld. Customers should be able to know what kind of oversight is governing the services or products.
Again, the law will never be fast or robust enough to provide bright-line guidance. Business leaders, community leaders and citizens, alike, will have to take ownership of privacy in their day-to-day existence, and empower themselves to make choices in line with the law and their respective values.
Should you have any questions or issues as you navigate the issues caused by COVID-19, Taft's Privacy and Data Security Practice and COVID-19 Task Force are ready to assist in answering any questions or developing strategies for your business.
Originally published May 8, 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.