Apple and Google’s COVID-19 Tracking Tool: Proactive on Privacy
Apple and Google, two tech giants announced their joint effort to use Bluetooth technology and application programming interfaces (APIs) to both trace individuals known to have coronavirus and notify others when in close proximity with them. Currently unnamed, this new process will combine the former rival operating systems and rely on voluntary cooperation from users and governmental health authorities.
To assess the privacy and data security law implications of Apple and Google’s process, along with that of any other data collection system, the following issues must be analyzed:
What information is being collected? (i.e. health information, PII, minor children, location, biometric)
What is the purpose of the collection?
Who is the information being collected from? (the individual, a business)
How is it being collected? (i.e. voluntary disclosure, purchase)
Was there consent from the data’s owner to collect the data?
Was there a notice provided about the data’s collection, storage, and use?
Does the data’s owner have control over the data? (i.e. right to have it deleted or stop the sale of the data)
Will the data be aggregated or anonymized?
Who will the data be given to?
Who will act or what actions/decisions will be taken on the conclusions derived from the data?
Based on currently known information about the intended privacy protections, Google and Apple’s process appears CCPA compliant and proactive on privacy law concerns.
Beginning in May, here is how the implementation will work (chronologically):
Development of software compatible with Android (Google) and iOS (Apple)
COVID-19 positive individual voluntarily elects to enter his/her health status into the software app (which will later be developed into a broader platform)
App collects a participant’s contacts within the last 14-days and uploads that information into a server
Phone will run checks to determine if its user has encountered any other Android or iOS user that recently reported a positive COVID-19 test
If so, the Phone will then notify its user of the potential exposure to an infected individual.
All protected health information is collected on a voluntary basis from the individual.
To protect the privacy of its users, Google and Apple give the following assurances:
Allowing individuals to opt out of the technology and notifying users when the system is in use;
Not collecting or disclosing any user’s personal identifying information (including the identity of COVID-19 positive individuals) or location to other users, Google, or Apple; and
Pledging the tool will only be used for contact tracing by public health authorities for COVID-19 pandemic management.
Apple and Google promise to implement additional privacy controls, which seem to track the 5 requirements under the California Consumer Privacy Act. These controls include assigning a random and rotating identifier to a user’s phone in lieu of any personally identifiable information; users that test positive will not be identified to other users, Google, or Apple; and the ability to entirely disable broadcast system when no longer needed or desired by the user.
Interestingly, Google and Apple’s proposed activities may also trigger HIPAA compliance, as Google and Apple could be considered as acting as “Covered Entities.” “Covered Entities” under 45 C.F.R. §160.100 et seq. include Health Care Clearing Houses (HCCH), which are defined, in part, as a
public or private entity … that … (2) Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.
Entities such as telephone companies and ISPs that simply provide connectivity are not health care. But, if an entity has direct contact with individuals and creates or receives protected health information may be classified as a HCCH and therefore, must comply with all the provisions of HIPAA, including the Privacy and Security Rules (certain exceptions for HCCHs acting as “business associates” under HIPAA). Accordingly, Google and Apple may be required to adhere to provisions of the HIPAA Security and Privacy Rules, which may be already implemented given existing security and privacy policies.
Knowing that every privacy law “watchdog” is scrutinizing their actions, Google and Apple seemingly took a proactive approach to ensuring privacy law compliance.