Privacy / Surveillance / Data Protection

  • This section includes privacy and data protection of medical information.
  • Literature on workplace surveillance is included in the Labour Law section.
Abuanzeh, Amal Abdallah, ‘Cyberspace and Criminal Protection of Privacy in the Jordanian Legislation Under the Corona Pandemic: Comparative Study’ (2021) 48(12) Journal of Hunan University (Natural Sciences 1996–2019
Abstract: The importance of the study is to demonstrate the criminal protection of personal data for individuals in general and patients in particular, and it aimed to demonstrate the adequacy of Jordanian legislation and comparing to provide legal protection of the individuals’ personal data, especially patients, in light of the Corona pandemic. The study also aims to illustrate the balance between two rights; the right of privacy for individuals’ data, especially patients infected with the Corona virus and the right of authorized parties to access this data in order to limit the spread of this virus. In order to achieve the study objectives, it discussed the nature of the concepts of privacy and personal data, and indicated the legislative treatments of the patients’ data, whether it was through the general criminal law, or through laws related to informatics, through medical charters, or even through the legislation related to the pandemic and to explain how these concepts contributed to the criminal protection of patients’ data. The study combined the analytical and comparative approach, and it concluded that the current legislation is not sufficient to protect a right worthy of legal protection, which is the right of privacy in personal data. The privacy of personal data has been exposed to many violations in the light of cyberspace, which requires legislators to hurry to issue special laws that surround personal data with a fence of criminal protection.

Ada Lovelace Institute, ‘No Green Lights, No Red Lines: Public Perspectives on COVID-19 Technologies’ (July 2020)
Abstract: How to contain the COVID-19 virus swiftly and effectively, with minimum impact on health, economies, societies and individuals, is the defining question of 2020. As lockdown eases after the first wave, we are at a moment when Government and policymakers can consider how to balance risk and shape freedoms at a local, or even individual, level. Novel and intrusive technologies are likely to play a part in that, but – as we have seen with contact tracing – it will be a challenge to navigate the risks and trade-offs. In this report, we articulate lessons from public engagement to assist Government and policymakers navigating difficult dilemmas when deploying data-driven technologies to manage the pandemic, and when judging what risks are acceptable to incur for the sake of greater public health.

Allman, Kate, ‘Privacy Concerns over Mobile Tracing App’ (2020) 66 LSJ: Law Society of NSW Journal 22
Abstract: Legal bodies have sounded alarm bells over the federal government’s plan to release a mobile-tracing app that would help track the contacts and movement of people infected with COVID-19.

Allman, Kate, ‘Technology: NSW Allows Witnessing Documents via Video Call - but Are There Privacy Risks?’ (2020) 67 LSJ: Law Society of NSW Journal 14
Abstract: As office spaces have been forced shut by COVID-19, many law firms have shifted the bulk of their legal work online in the space of a few weeks. Some have been left wondering whether this rapid transition could introduce previously not-contemplated privacy and security risks for lawyers and their clients.

de Almendra Freitas, Cinthia Obladen, Danielle Anne Pamplona and Dânton Hilário Zanetti de Oliveira, ‘Duty to Protect and Responsibility to Respect: Data Privacy Violations in Pandemic Times’ (2022) 26(8) The International Journal of Human Rights 1313–1332
Abstract: How far can State and businesses ‘play’ with personal data, claiming to protect the right to health in pandemic times? This question leads to the discussion of the possible damage caused by profiling and contact tracing techniques regarding personality rights in relations between ICT companies and States’. By analysing the way European and Inter-American bodies are tackling data protection rules currently in force, the text analyses the consent as a problematic issue, considering both the opt-in and opt-out model are not enough to protect those rights, especially in pandemic times. Although contact tracing might be used in favour of Public Health policies, it may also result in the violation of human rights. Applying the inductive method, this paper proposes a reflection about online behavioural tracking and profiling practices, explaining the efects of personal data mass gathering and the complex relations between businesses activities and human rights. The main conclusion is that all individuals have the same right to privacy, equality and freedom of choice. Thus, States should provide clear and objective rules to be followed by ICT companies, in accordance with international rules, ensuring individual’s protection and holding data processors accountable for personal data processing.

Amit, Moran et al, ‘Mass-Surveillance Technologies to Fight Coronavirus Spread: The Case of Israel’ (2020) 26(8) Nature Medicine 1167–1169
Abstract: As the COVID-19 pandemic escalates, teams around the world are now advocating for a new approach to monitoring transmission: tapping into cellphone location data to track infection spread and warn people who may have been exposed. Here we present data collected in Israel through this approach so far and discuss the privacy concerns, alternatives and different ‘flavors’ of cellphone surveillance. We also propose safeguards needed to minimize the risk for civil rights.

Amram, Denise, ‘The Role of the GDPR in Designing the European Strategy on Artificial Intelligence: Law-Making Potentialities of a Recurrent Synecdoche’ [2020] Opinio Juris in Comparatione (pre-print)
Abstract: Starting from an analysis of the EU Reg. n. 2016/679 on General Data Protection Regulation (GDPR), the Author deals with the opportunity to translate the current strategies on Artificial Intelligence into a possible general risk-based framework that combines hard and soft law instruments with the practical needs emerging in different sectors where AI technologies find application (i.e. healthcare, industrial innovation and robotics, workplace, etc.). This analysis allows the Author to provide a notion of ‘AI Controller’, whose main roles, responsibilities, and obligations are listed in a ‘General AI Regulation’ proposal, illustrated in the last paragraphs.

Angiolini, Chiara, ‘Case Law Survey on Data Protection’ (2021) 1(1–3) Legal Policy and Pandemics: The Journal of the Global Pandemic Network 197–224
Abstract: The article aims at analyzing the data protection case law collected within the COVID-19 Litigation project until November 2021. In particular, the survey focuses on litigation concerning cases where the processing of personal data is directly aimed at addressing the ongoing pandemic. The article firstly provides a very brief overview of the cases, focusing on the purposes of processing (Section 2). Then, the decisions are described in relation to the legal issues they address: the grounds for the processing of public interest and consent (Section 3), the different aspects of personal data processing that have been considered by the Court (Section 4), data transfers outside external borders (Section 5), andthe remedies that courts have granted in individual cases, building a classification of those remedies (Section 6). In the course of the analysis, as well as in Section 7, case law trends are critically considered, also looking at future litigation and possible lines of research to be further developed.

Angiolini, Chiara et al, ‘Remote Teaching During the Emergency and Beyond: Four Open Privacy and Data Protection Issues of “Platformised” Education’ (2020) 1(1) Opinio Juris in Comparatione 45–72
Abstract: Due to the spread of Covid-19 in the first months of 2020, almost all Universities across Europe had to close their buildings and migrate online. This rapid shift towards the provision of education online has been characterized by the externalization to and use of third-party service providers, such as Zoom, for ensuring the continuity of learning. The ‘platformisation’ of education, however, raises several concerns, especially from a privacy and data protection perspective. The aim of this paper is to map the possible data protection risks emerging from the platformisation of education by focusing on the most pressing points of friction with the European data privacy regime: 1) allocation of roles and responsibilities of the actors involved; 2) transparency of the processing and possibility to effectively exercise data subjects’ rights; 3) extra-EU data transfers after Schrems II; 4) challenges of e-proctoring systems. The paper argues that the implementation of the right to privacy and data protection in remote teaching is not merely an issue of compliance, but a substantial measure that Universities shall ensure to guarantee the fundamental rights of our students and colleagues. The paper concludes with recommendations for ensuring a safer and fairer remote teaching experience, also discussing long-term strategies beyond the emergency and beyond the mere compliance with the General Data Protection Regulation.

Anwar, Oves et al, ‘The COVID-19 Law and Policy Challenge: Cyber Surveillance and Big Data - Pakistan’s Legal Framework and the Need for Safeguards’ (2020) 2020 RSIL Law Review 35–61
Abstract: The outbreak of the novel coronavirus has led to the adoption and implementation of new technologies to achieve public health outcomes. While useful, the mass surveillance and collection of data has resulted in heightened concerns regarding the sanctity of data rights and privacy. This paper considers the legislation which provides cover for these measures and the potential legal issues raised by their use. It recommends striking a balance between the benefits of surveillance for the protection of individual’s health with their right to privacy.

Appleton, Susan Frelich and Laura A Rosenbury, ‘Reflections on “Personal Responsibility” after COVID and Dobbs: Doubling Down on Privacy’ (2023) 72 Washington University Journal of Law and Policy 129–166
Abstract: This essay uses lenses of gender, race, marriage, and work to trace understandings of ‘personal responsibility’ in laws, policies, and conversations about public support in the United States over three time periods: (I) the pre-COVID era, from the beginning of the American ‘welfare state’ through the start of the Trump administration; (II) the pandemic years; and (III) the present post-pandemic period. We sought to explore the possibility that COVID and the assistance programs it inspired might have reshaped the notion of personal responsibility and unsettled assumptions about privacy and dependency. In fact, a mixed picture emerges. On the one hand, the Supreme Court has rejected longstanding constitutional protection for abortion, and campaigns for ‘parental rights’ have gained traction in several states. On the other hand, innovative forms of public support for families have appeared at state and local levels. In developing these conclusions, we highlight familiar challenges to the public/private divide while also exposing new cracks in doctrine that purports to distinguish intentional discrimination from disparate impact and to protect negative but not positive rights.

Apum, Apilang et al, ‘First 100 Days of COVID-19 Firefighting: Hits and Misses of the Policy in India’ in Aleksandar Stojanović, Luisa Scarcella and Christina R Mosalagae (eds), The First 100 Days of Covid-19: Law and Political Economy of the Global Policy Response (Springer Nature, 2023) 87–119
Abstract: This chapter on India’s first 100 days of response to the COVID-19 epidemic sheds light on the immediate response of the State towards combating the pandemic. It provides a succinct review of the constitutional approach and the measures implemented to handle the pandemic. It also covers the adopted economic policies, surveillance methods, and compliance measures. This chapter came to the conclusion that India could have handled the initial days of the pandemic more effectively by giving adequate notice to the populace and by taking local states into consideration before announcement of the stringent lockdown.

Aragão, Alexandra, ‘Mobile Apps for the Epidemiological Surveillance of COVID-19: A European Perspective on Reliable Digital Technology’ in Ewoud et al Hondius (ed), Coronavirus and the Law in Europe (Intersentia, 2020)
Abstract: The COVID-19 pandemic in 2020 posed unprecedented challenges to healthcare systems, to economic stability, to the normal way of life and social values. A challenge of such magnitude requires a proportionate response. Mobile applications that produce anonymous and aggregated mobility data to assist health authorities and other competent public authorities in their efforts to contain the spread of the virus, seem to be the answer that we were looking for. The benefits of using new communication technologies of geolocation to reach one of the most important social purposes, such as health protection, are indisputable. What is still to be discussed is the security of the production, access and use of the information produced, processed, stored, and transmitted. The Recommendation (EU) 2020/518 of the European Commission is fundamental to develop trustworthy digital technology.

Archbold, Lisa et al, ‘Children’s Privacy in Lockdown: Intersections between Privacy, Participation and Protection Rights in a Pandemic’ 3(1) Law, Technology and Humans 18–34
Abstract: Children and young people throughout the world have felt the effects of Coronavirus Disease 2019 and the decisions made in response to the public health crisis, acutely. Questions have been raised about adequately protecting children’s privacy, as schooling, play and socialising went almost exclusively online. However, due to the historical lack of children’s rights being embedded throughout decision-making processes (including important participation rights), the effects of the increased surveillance as a result of the pandemic have not been thoroughly considered. This article pursues three objectives. First, it seeks to develop the literature on the enabling aspects of privacy for children in relation to education and play. Second, it seeks to expand the discussion on the exploitative risks endemic in not protecting children’s privacy, including not only violent harms, but commercial exploitation. Third, it suggests some policy responses that will more effectively embed a children’s rights framework beyond the ‘parental control’ provisions that dominate child-specific data protection frameworks.

de Azevedo, Leonardo Neri Candido and Angus Young, ‘Zoom: Data Protection in Light of COVID-19’ (2020) 26(6) Computer and Telecommunications Law Review 151–152
Abstract: Considers how the coronavirus pandemic has expanded the use of Zoom communications software by individuals and businesses, and the cybersecurity implications. Reviews the data protection shortcomings associated with its use, including hacking and the unauthorised sending of information to Facebook, and discusses the company’s data protection obligations, the need for consent to data sharing, and the implications of Zoom being based in Brazil.

Aziz, Jamal, Ayesha Malik and Noor Fatima Iftikhar, ‘The COVID-19 Law and Policy Challenge: Public Health vs. Individual Privacy in the Age of Cyber Surveillance’ (2020) 2020 RSIL Law Review 10–34
Abstract: Cyber-surveillance is increasingly being used by desperate governments seeking to curb the rising figures of those infected with coronavirus. States are investing in and rolling out smartphone apps to track citizens’ rnovements, trace locations and map outbreaks in a bid to tackle COVID-19. While not without its benefits, the proliferation of cyber surveillance raises important concerns regarding health rights and privacy of ordinary citizens This paper explores these concerns and the legality of these measures as well as the issues with their particular application in the Pakistani context.

Baek, Buhm-Suk, ‘Beyond Privacy: South Korea’s Digital Technology-led Policy on COVID-19 and Its Impact on Human Rights’ in Sabrina Germain and Adrienne Yong (eds), Beyond the Virus: Multidisciplinary and International Perspectives on Inequalities Raised by COVID-19 (Bristol University Press, forthcoming 2024)

Baker, Alison et al, ‘Online Privacy: What’s at Risk?’ (2020) 22 Internet Law Bulletin 30–31
Abstract: The necessity for remote working during the COVID-19 pandemic has meant that understanding privacy law obligations is more important than ever. There has been increased activity from cybercriminals looking to take advantage of and exploit privacy gaps in business identified during the crisis. With the foreseeable future likely focusing on a hybrid model of office work and work from home, businesses need to put in place appropriate cyber risk mitigation strategies to protect the personal information they hold.

Bandaranayake, Ramathi et al, ‘Health-Related Information and COVID-19: A Study of Sri Lanka and Thailand’ (SSRN Scholarly Paper ID 3877617, 13 May 2021)
Abstract: Effective pandemic response necessitates the collection of vast quantities of personally identifiable information. As part of disease surveillance, responders need to be able to identify those who have contracted the disease, trace contacts who may have been exposed, and find out where clusters may be emerging. They also need to be able to ask those who may have been exposed to quarantine, and likely follow up to check if the quarantine is being observed, as well as if those under quarantine have developed symptoms. Information collection for contact tracing and quarantine monitoring can be undertaken in a variety of ways, including testing, case reporting, and interviewing infected persons to find out their travel history and whom they may have recently come into contact with, and then following up with those contacts. However, advances in digital technologies have given rise to newer methods. The COVID-19 pandemic has seen a proliferation of contact tracing applications around the world. Similarly, other forms of data can be harnessed, such as location and GPS data, as well as the use of call records to identify close contacts and monitor quarantines. However, there are numerous challenges in information collection during a pandemic. Especially in a novel pandemic, as knowledge about the nature of the disease and how it spreads is still emerging, responders have to come up with response procedures quickly and often learn on the job. One of the challenges of dealing with infectious diseases, including COVID-19, is combatting the stigma associated with having contracted the disease. While it is necessary for health officials to be aware of who is infected and exposed, the social stigma associated with the disease can incentivise the unwell to hide their symptoms, posing a challenge for health officials. The use of digital technologies has also given rise to concerns about cybersecurity and the protection of personally identifiable information. In this research report, we present our study of information collection methods that were deployed in Sri Lanka and Thailand in the year 2020 during the COVID-19 pandemic. We map out methods, procedures, and technologies that were used, explore lessons learned, and propose policy recommendations for future pandemics.

Banner, Natalie F, ‘The Human Side of Health Data’ (2020) 26(7) Nature Medicine 995
Abstract: Reuse of patient data for research purposes could be very fruitful. However, too seldom are those whom the data are from—the patients—involved in how their data should be used.

Barry, Stephen, ‘Data Protection Guidance on the “Return to Work Safely Protocol”’ (2020) 25(6) Health & Safety Review 25–26
Abstract: Analyses the implications of Data Protection Commission (DPC) guidance on employers’ obligations as data controllers as they implement the Irish Government’s Return to Work Safely Protocol following the COVID-19 pandemic. Examines the DPC’s recommendations on: contact tracing logs; return to work forms; temperature testing; and the legal basis for data processing.

Baruga, Edward, ‘An Assessment of Digital Rights and Freedoms Amidst the COVID-19 Pandemic and the 2021 General Elections. A Case Study of Uganda’ (SSRN Scholarly Paper ID 3897261, 1 March 2021)
Abstract: The digital world is one of the fastest developing sections of the technological based being observed with these ever developing sectors mainly focusing on the periods of the COVID-19 pandemic and the 2021 General Elections in Uganda. In this era of fast assess whether digital rights and freedoms are being respected in areas such as these, mainly focusing on the COVID-19 pandemic and the 2021 General Elections. compositions world-wide, with a recent breakthrough in the quantum computing world the digital space is still on arise thus a need to assess whether digital rights are Internet of Things, so with all this at the back of the mind there is great need to internet speeds sponsored by 5G connectivity, quantum technology, Big Data and the more so in a country like Uganda where such technology is still or yet to develop.

Bassan, Sharon, ‘Data Privacy Considerations for Telehealth Consumers amid COVID-19’ (2020) 7(1) Journal of Law and the Biosciences Article lsaa075
Abstract: The COVID-19 emergency poses particularly high infection risks in a clinical setting, where patients and health care providers are placed in the same room. Due to these risks, patients are encouraged to avoid clinics and instead use Telemedicine for safer consultations and diagnoses. In March, the Office for Civil Rights (OCR) at the U.S. Department for Health and Human Services (HHS) issued a notice titled Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (the ‘Notification’). The Notification relaxes the enforcement of privacy and security safeguards established by the Health Insurance Portability and Accountability Act (HIPAA) until further notice, in order to facilitate the transition to telehealth services for the broader purpose of promoting public health during the pandemic. Specifically, covered healthcare providers can use telehealth to provide all services that, in their professional judgment, they believe can be provided through telehealth. If providers make good faith efforts to provide the most timely and accessible care possible, they will not be subject to penalties for breaching the HIPAA Privacy, Security, and Breach Notification Rules. This paper examines the implications of the Notification on patients’ health information privacy. It recommends that patients should undertake a careful reading of provider privacy policies to make sure their protected health information (PHI) is not at risk before switching to telehealth consultation. Acknowledging the limitations of patient self-protection from bad privacy practices when in need for medical treatment during pandemic, the paper proposes that consumers’ data privacy should be protected through one of two alternative regulatory interventions: the FTC’s authority under §5, or HIPAA’s business associates agreements.

Bassan, Sharon, ‘A Proportionality-Based Framework for Government Regulation of Digital Tracing Apps in Times of Emergency’ (2022) 126 Dickinson Law Review 361–427
Abstract: Times of emergency present an inherent conflict between the public interest and the preservation of individual rights. Such times require granting emergency powers to the government on behalf of the public interest and relaxing safeguards against government actions that infringe rights. The lack of theoretical framework to assess governmental decisions in times of emergency leads to a polarized and politicized discourse about potential policies, and often, to public distrust and lack of compliance. Such a discourse was evident regarding Digital Tracing Apps (‘DTAs’), which are apps installed on cellular phones to alert users that they were exposed to people who tested positive for COVID-19. DTAs collect the most sensitive types of information, such as health-related and location or proximity information, which violates the right to privacy and the right to be free of surveillance. This sensitive information is normally legally protected. But in emergencies there are no legal restrictions limiting the collection of such data. The common privacy-law approach supports DTA implementation under the condition that the technology preserves the privacy of users. But this Article suggests that the privacy approach focuses on micro considerations and under-addresses the implications of DTA-based policy. Instead, this Article suggests rethinking DTA implementation during COVID-19 through the doctrine of proportionality. Often used by European Union courts in areas where decisions entail meaningful implications to individual rights, the doctrine offers a clear and workable normative evaluation of tradeoffs in a more nuanced, explicable, and transparent way. Highlighting macro considerations, the doctrine of proportionality suggests that 1) DTA-based policy is less proportionate compared to traditional contact-tracing methods; 2) policies created while relying on smartphones are inequitable and biased; and 3) the sharing of sensitive personal information with private companies will have irreversible social surveillance implications. Additionally, the proportionality method not only provides a flexible methodological tool to evaluate government decisions in times of emergency but also offers an opportunity to examine how governments achieve and justify the acceptance and assimilation of new technological policy measures, which may take societies in new directions. Part I establishes the framework of governance during COVID-19, the use of emergency powers, and the conflict between the public interest and individual rights. Part II explores the value of using the doctrine of proportionality as a method for policymaking during emergencies. Part III applies the doctrine of proportionality to the case study of DTA-based policy, exploring the parameters of its suitability, necessity, and proportionality stricto sensu. Proportionality stricto sensu assesses the desirability and relative proportionality of three policies that have been used to promote the public interest in different ways: a general shelter-at-home policy, a traditional-contact-tracing policy, and a DTA-based policy. Part IV discusses the policy implications of using a DTA-based policy.

Bean, Daniel and Nadeem Hekmat, ‘Key Privacy Law Considerations for Employers (Including Vaccination Status)’ (2022) 19(4) Privacy Law Bulletin 58–61
Abstract: Company directors, business owners and government agencies all have significant privacy obligations towards their customers or clients under the ‘Privacy Act 1988’ (Cth) (the Act). The Act also contains obligations in relation to their employees, which if not carefully understood, can result in employment contracts that make it difficult for employers to implement and enforce new workplace policies because they may contravene the relevant obligations under the Act relating to employees. Recently, employees have been concerned about the privacy of information relating to their vaccination status, which in certain instances must be provided to their employers. Questions have been raised about the lawfulness of these scenarios. Can the employers ask for this information? What are the privacy principles relating to employers asking for information that employees may consider to be unnecessary or just too private? This article will respond to these questions and more generally explore how relevant Australian privacy principles (APPs) apply to the employment scenario. This article will also outline how the Australian privacy law framework was applied during the numerous state government directions requiring and storing information relating to vaccination status.

Becker, Regina et al, ‘COVID-19 Research: Navigating the European General Data Protection Regulation’ (SSRN Scholarly Paper No ID 3593579, 5 May 2020)
Abstract: Researchers must collaborate globally in order to rapidly respond to the COVID-19 pandemic. In Europe, the General Data Protection Regulation (GDPR) regulates the processing of personal data, including health data of value to researchers. Even during a pandemic, research still requires 1) a legal basis for the processing, 2) an additional justification for the processing of sensitive data and 3) a basis for any transfer outside Europe. The GDPR does provide legal grounds and derogations that can support research addressing a pandemic, if these measures are proportionate to the aim pursued and accompanied by suitable safeguards. During a pandemic, a public interest basis may be more promising for research than a consent basis, given the high standards set out in the GDPR. However, the GDPR leaves many aspects of the public interest basis to determination by individual Member States, who have not fully or uniformly made use of all options. The consequence is an inconsistent legal patchwork displaying insufficient clarity and impeding joint approaches. The COVID-19 experience provides lessons for national legislatures. Responsiveness to pandemics requires clear and harmonized laws, which consider the related practical challenges and support collaborative global research in the public interest.

Bennett Moses, Lyria et al, ‘COVIDSafe App - Submission to the Parliamentary Joint Committee on Human Rights’ (SSRN Scholarly Paper No ID 3595109, 7 May 2020)
Abstract: This submission to the Parliamentary Joint Committee on Human Rights sets out how the Australian government’s scheme around the COVIDSafe app can better align with the human right to privacy. We recognise the app pursues a legitimate objective and that the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Cth) and exposure draft of Privacy Amendment (Public Health Contact Information) Bill 2020 provide important protections. Nevertheless, we make a series of recommendations that would improve the transparency of the scheme and better protect the privacy of those downloading and using the app.

Berman, Emily, Leah Fowler and Jessica L Roberts, ‘COVID-19 Surveillance’ (SSRN Scholarly Paper No ID 3666300, 3 August 2020)
Abstract: Any successful pandemic response involves tracking the spread of disease. In this regard, contact tracing is nothing new. What differentiates COVID-19 surveillance is its unprecedented use of technology. The potential for continuous and near-universal digital contact tracing has raised concerns about privacy and civil liberties more readily associated with national security surveillance, chilling the uptake of disease-tracking technologies in the United States. Yet public health surveillance and national security surveillance are two distinct paradigms with different values and governing norms. Ideally, public health surveillance is cooperative, minimizes data collection, and limits subsequent use. National security surveillance, by contrast, operates coercively, maximizes data collection, and imposes relatively few limits on the use of lawfully collected data. At first blush, digital contact tracing resembles national security surveillance because both depend heavily on technology. Yet despite these superficial similarities, COVID-19 surveillance is a public health initiative. This Article asks the important and novel question: Can we use technological tools similar to those found in national security surveillance while cultivating the trust necessary for successful public health surveillance? We respond with a cautiously optimistic yes and offer our recommendations.

Bigg, Carolyn et al, ‘Facial Recognition Technology: Supporting a Sustainable Lockdown Exit Strategy?’ [2020] (June) Computers and Law 23–32
Abstract: Considers the key aspects of data protection law concerning the adoption of facial recognition technology (FRT) as part of measures to help businesses restart following the COVID-19 pandemic lockdown, focusing in particular on examples in Ireland, Denmark and China. Discusses the more established use cases for FRT and the key considerations on whether its use is lawful.

Birnhack, Michael, ‘Who Controls COVID-Related Medical Data? Copyright and Personal Data’ (2021) International Review of Intellectual Property and Competition Law (forthcoming)
Abstract: Who controls big medical data of relating to COVID-19 vaccines? The January 2021 Real-World Epidemiological Evidence Collaboration Agreement between Pfizer and the Israeli Ministry of Health highlights the interrelationship between two modes of protecting data: data protection law and copyright law. The former provides legal protection to data subjects and limits the data controller, but generally speaking, allows the data to be processed for the benefit of public health; the latter awards the databases’ controller with rights regarding the dataset, a control which may hinder others’ access to highly important data. This editorial unpacks this relationship. Under the Agreement, the Ministry shares ‘aggregate project data’ with Pfizer, meaning ‘any de-identified data.’ ‘Project data’ are owned by the MoH or Israeli Health Maintenance Organizations. The data are about millions of people from a variety of sources and are used as they are collected. Combining copyright law and the obligations imposed by data protection law, pushes the parties to protect data under both copyright law and additional layers of protection, such as trade secret law. This result means that other parties may have access to outcomes but not to raw data. To facilitate broad access to crucial data during a global health crisis, we need to address both bodies of law in an integrated manner.

Blasimme, Alessandro and Effy Vayena, ‘What’s next for COVID-19 Apps? Governance and Oversight’ (2020) 370(6518) Science 760–762
Abstract: Many governments have seen digital health technologies as a promising tool to address coronavirus disease 2019 (COVID-19), particularly digital contact tracing (DCT) apps such as Bluetooth-based exposure notification apps that trace proximity to other devices ( 1 ) and GPS-based apps that collect geolocation data. But deploying these systems is fraught with challenges, and most national DCT apps have not yet had the expected rate of uptake. This can be attributed to a number of uncertainties regarding general awareness of DCT apps, privacy risks, and the actual effectiveness of DCT, as well as public attitudes toward a potentially pervasive form of digital surveillance. DCT thus appears to face a typical social control dilemma. On one hand, pending widespread uptake, assessing DCT effectiveness is extremely difficult; on the other hand, until DCT effectiveness is proven, its widespread use at a population scale is hard to justify. Recognizing that technological uptake is an open-ended process reliant upon social learning and the piecemeal creation of public trust, we suggest that policy-makers set up mechanisms to test effectiveness, oversee the use of DCT apps, monitor public attitudes, and adapt technological design to socially perceived risks and expectations.

Bloomberg, Scott, ‘The Development and Future of Privacy Law in Maine’ (SSRN Scholarly Paper No ID 3647386, 9 July 2020)
Abstract: In the United States, privacy law has traditionally developed in concert with intrusions created by newfangled technologies. This pattern has held true in Maine. Beginning in the late 1960s, the state has experienced three eras of privacy reform that track the technological advances of the mid-century, the internet era, and the new era of social media and big data. This Article details these three eras of reform and advances several proposals for responding to the challenges posed by the era that we are living through today. Indeed, at the beginning of the 2020s, there is much work on the horizon to ensure that Maine’s privacy laws keep up with new technological and social developments. The coronavirus pandemic looms large over all facets of society and privacy law is no exception. The pandemic had made us even more reliant on online services that collect, use, and share previously unfathomable quantities of data, leaving residents’ personal information vulnerable to misuse. Increased attention to racial injustice and over-policing in the wake of George Floyd’s tragic murder have likewise highlighted privacy issues with which Maine must continue to grapple. Finally, Northeastern University recently opened the Roux Institute in Portland, offering various graduate-level degrees pertaining to the practical application of artificial intelligence and machine learning in the digital and life sciences. This development offers exciting educational and economic opportunities for the state, but also indicates that regulating AI and machine-learning technologies will be important to preserving Mainers’ privacy rights in the near future. All of these recent challenges, moreover, have emerged against the backdrop of the existing privacy threats posed by social media, big data, mass surveillance, and more. This Article is thus well-timed to inform those who will be tasked with shaping Maine privacy law in the coming years and decades. In Part I of the Article, I detail the three eras of reform highlighted above. In Part II, I propose that Maine enact a general consumer privacy law endowing Mainers with certain rights to their personal information, vesting consumer privacy rulemaking authority in a state agency, regulating automated decision-making technologies, and more. After proposing the general consumer privacy law, I identify four privacy threats that warrant additional attention from the legislature: facial recognition technology; biometric information; smart-home devices; and data brokers. Part III briefly concludes the Article.

Boeing, Philipp and Yihan Wang, ‘Decoding China’s COVID-19 “Virus Exceptionalism”: Community-Based Digital Contact Tracing in Wuhan’ (ZEW - Centre for European Economic Research Discussion Paper No 21–028, 1 March 2021)
Abstract: During the COVID-19 pandemic, comprehensive, accurate, and timely digital contact tracing serves as a decisive measure in curbing viral transmission. Such a strategy integrates corporate innovation, government decision-making, citizen participation, and community coordination with big data analytics. This article explores how key stakeholders in an open innovation ecosystem interact within the digital context to overcome challenges to public health and socio-economic welfare imposed by the pandemic. To enhance the digital contact tracing effectiveness, communities are deployed to moderate the interactions between government, enterprises and citizens. As an example, we study the community-based digital contact tracing in Wuhan, a representative case of China’s ‘virus exceptionalism’ in COVID-19 mitigation. We discuss the effectiveness of this strategy and raise critical ethical concerns regarding decision-making in R&D management.

Booher, Kimberly Dempsey and Martin Robins, ‘American Privacy Law at the Dawn of a New Decade (and the CCPA and COVID-19): Overview and Practitioner Critique’ (SSRN Scholarly Paper No ID 3658495, 22 July 2020)
Abstract: This article has been prepared by experienced practitioners in the privacy area, who are interested in not only the ‘how’ of privacy law, but also the ‘why’, namely whether existing authority serves a valid social purpose and whether it does so efficiently relative to the cost that it imposes. The article was prompted by the effectiveness of the California Consumer Privacy Act. It also includes substantial discussion of the major privacy considerations associated with actual and potential responses to the COVID-19 situation, and how such considerations must be weighed against the public health considerations. The discussion encompasses all aspects of US privacy law from breach notice obligations to limitations on tracking internet use of children and the CCPA and similar law and informal guidance. It touches upon the EU’s GDPR.Two of the unique attributes of the piece are the presentation of various informal sources of authority such as Federal Trade Commission consent orders and handbooks and the extensive granular author critique from both a theoretical and practical point of view of the various authorities, as well as a separate discussion of the optimal manner for policy-makers to give effect to privacy considerations in connection with mandated COVID-19 responses.

Bosua, Rachelle, Damian Clifford and Megan Richardson, ‘Contact-Tracing Technologies and the Problem of Trust: Framing a Right of Social Dialogue for an Impact Assessment Process in Pandemic Times’ (2023) 5(2) Law, Technology and Humans 193–204
Abstract: While technologies offer potentially powerful tools to help address complex social challenges, experience shows that they may fail to meet expectations and may also raise challenges of their own, including for privacy and other data rights. To what extent can these difficulties be ascribed to a lack of public trust undermining the technologies’ effectiveness and disputing their legitimacy? The Australian and Dutch pandemic contact-tracing apps considered in this article suggest part of an answer to this question. As our case studies show, the greater efforts made by the Dutch Government to address a range of rights and provide for wide consultation in the CoronaMelder app’s various impact assessments paid off in terms of a better-designed app that was more broadly conversant with human rights than its Australian COVIDSafe counterpart, and was also more trusted—even if these benefits were still marginal compared to manual contact-tracking, especially in already marginalised communities. We argue that the Dutch experience should now be taken further to frame a right of social dialogue allowing data rights subjects to participate fully in the impact assessment process. We hope (and expect) this would result in better decision-making and improved public trust in ‘truly trustworthy’ technologies developed and deployed in response to a pandemic. However, ultimately, our more basic argument is that rights, premised on dignity and liberty, are of value and should be respected, including—indeed especially—in pandemic times.

Botero Arcila, Beatriz, ‘A Human Centric Framework to Evaluate the Risks Raised by Contact-Tracing Applications’ (ICT4Peace, 22 April 2020)
Abstract: Digital technologies and data-gathering and analytics are gaining prominence in the strategies adopted by governments all over the world as they address many of the challenges associated with the COVID-19 pandemic. Contact-tracing applications, in particular, promise to help contain the spread of the virus and allow societies to slowly relax social distancing measures. However, digital solutions pose a variety of risks to the security of individuals, and the enjoyment of human rights. This document proposes a framework to analyze how technical design and governance interplay in contact-tracing applications and how this interplay balances the safety needs of individuals and society at large. The document focuses on the two most prominent models at the time of writing, the Google-Apple protocol, announced on April 10, 2020, and the Decentralized PrivacyPreserving Proximity Tracing protocol (DP3T), proposed by a group of technologists, legal experts, engineers and epidemiologists. It also considers the EU toolbox for the use of mobile applications for contact tracing. This document evaluates the two above mentioned protocols, and what is known about their governance and design at the time of writing. The document should be useful for policy-makers and members of civil society currently looking to evaluate these two different contact-tracing applications as a means to ease the lockdown imposed on most of the world to flatten the curve of infection of COVID-19. Similarly, understanding on how the enjoyment of a variety of human rights interacts vis-à-vis the voluntary adoption of these applications, should offer guidance for policymakers, civil society and developers to decide whether to promote these options, and how these applications should be deployed, and when they should be dismantled.

Bradford, Laura, Mateo Aboy and Kathleen Liddell, ‘COVID-19 Contact Tracing Apps: A Stress Test for Privacy, the GDPR, and Data Protection Regimes’ (2020) 7(1) Journal of Law and the Biosciences Article lsaa034
Abstract: Digital surveillance has played a key role in containing the COVID-19 outbreak in China, Singapore, Israel, and South Korea. Google and Apple recently announced the intention to build interfaces to allow Bluetooth contact tracking using Android and iPhone devices. In this article, we look at the compatibility of the proposed Apple/Google Bluetooth exposure notification system with Western privacy and data protection regimes and principles, including the General Data Protection Regulation (GDPR). Somewhat counter-intuitively, the GDPR’s expansive scope is not a hindrance, but rather an advantage in conditions of uncertainty such as a pandemic. Its principle-based approach offers a functional blueprint for system design that is compatible with fundamental rights. By contrast, narrower, sector-specific rules such as the US Health Insurance Portability and Accountability Act (HIPAA), and even the new California Consumer Privacy Act (CCPA), leave gaps that may prove difficult to bridge in the middle of an emergency.

Brown, Elizabeth, ‘Supercharged Sexism: The Triple Threat of Workplace Monitoring for Women’ (SSRN Scholarly Paper No ID 3680861, 1 August 2020)
Abstract: As biometric monitoring becomes increasingly common in workplace wellness programs, there are three reasons to believe that women will suffer disproportionately from the data collection associated with it. First, many forms of biometric monitoring are subject to gender bias, among other potential biases, because of assumptions inherent in the design and algorithms interpreting the collected data. Second, the expansion of femtech in particular creates a gender-imbalanced data source that may feed into existing workplace biases against women unless more effective safeguards emerge. Finally, many femtech platforms encourage the kind of information sharing that may reduce women’s reasonable expectations of privacy, especially with regard to fertility data, thus increasing the risk of health data privacy invasion. This triple threat to female workers may be offset somewhat by the benefits of health data collection at work and may be remedied at least in part by both legislative and non-legislative means. The current trend toward greater health data collection in the wake of COVID-19 should provoke a reexamination of how employers collect and analyze women’s health data in order to reduce the impact of these new gender bias drivers.

Budd, Jobie et al, ‘Digital Technologies in the Public-Health Response to COVID-19’ (2020) 26(8) Nature Medicine 1183–1192
Abstract: Digital technologies are being harnessed to support the public-health response to COVID-19 worldwide, including population surveillance, case identification, contact tracing and evaluation of interventions on the basis of mobility data and communication with the public. These rapid responses leverage billions of mobile phones, large online datasets, connected devices, relatively low-cost computing resources and advances in machine learning and natural language processing. This Review aims to capture the breadth of digital innovations for the public-health response to COVID-19 worldwide and their limitations, and barriers to their implementation, including legal, ethical and privacy barriers, as well as organizational and workforce barriers. The future of public health is likely to become increasingly digital, and we review the need for the alignment of international strategies for the regulation, evaluation and use of digital technologies to strengthen pandemic management, and future preparedness for COVID-19 and other infectious diseases.

Burdon, Mark and Brydon Wang, ‘Implementing COVID Safe: The Role of Trustworthiness and Information Privacy Law’ 3(1) Law, Technology and Humans 35–50
Abstract: Governments worldwide view contact tracing as a key tool to mitigate COVID-19 community transmission. Contact tracing investigations are time consuming and labour intensive. Mobile phone location tracking has been a new data-driven option to potentially obviate investigative inefficiencies. However, using mobile phone apps for contact tracing purposes gives rise to complex privacy issues. Governmental presentation and implementation of contact tracing apps, therefore, requires careful and sensitive delivery of a coherent policy position to establish citizen trust, which is an essential component of uptake and use. This article critically examines the Australian Government’s initial implementation of the COVIDSafe app. We outline a series of implementation misalignments that juxtapose an underpinning regulatory rationality predicated on the implementation of information privacy law protections with rhetorical campaigns to reinforce different justifications for the app’s use. We then examine these implementation misalignments from Mayer and colleagues’ lens of trustworthiness (1995) and its three core domains: ability, integrity and benevolence. The three domains are used to examine how the Australian Government’s implementation strategy provided a confused understanding of processes that enhance trustworthiness in the adoption of new technologies. In conclusion, we provide a better understanding about securing trustworthiness in new technologies through the establishment of a value consensus that requires alignment of regulatory rationales and rhetorical campaigning.

Butler, Alan and Enid Zhou, ‘Disease and Data in Society: How the Pandemic Expanded Data Collection and Surveillance Systems’ (2021) 70(5) American University Law Review 1577–1628
Abstract: The COVID-19 pandemic is a global tragedy of historic proportions, and its impacts on our families, communities, and social structures will be felt for many years to come. From the significant to the mundane, COVID-19 has changed many aspects of daily life. One of the less obvious but more long-lasting changes is the expansion of data collection and surveillance systems adopted both in response to, and as a result of, the pandemic. As the United States brings the pandemic under control and shifts back to some form of normalcy, it is important to critically evaluate the data collection and surveillance systems that have become more widespread during the pandemic. Academics, historians, and journalists alike are contributing to a growing body of work that is examining the privacy impact of the technological and social changes caused by the pandemic. This Article contributes to the existing literature on privacy during the pandemic by highlighting important trends and recommending policy responses. This Article focuses in particular on two categories of surveillance and personal data collection systems that have been deployed and adapted because of the pandemic by non-government actors. The first category includes systems that collect and monitor health and health-related data in response to the spread of COVID-19. The second category includes systems of surveillance and data collection that have expanded as a result of the shift to remote work, school, and life. The main focus of this Article is on consumer, healthcare, workplace, and educational surveillance systems rather than the types of surveillance systems typically associated with law enforcement investigations. This Article aims to provide recommendations on how to protect privacy while responding to the pandemic and what lawmakers should do once the pandemic abates.

Cahane, Amir, ‘Israel’s SIGINT Oversight Ecosystem: COVID-19 Secret Location Tracking as a Test Case’ (2021) 19(2) The University of New Hampshire Law Review 451–490
Abstract: By mid-March 2020, Israel had experienced the first wave of the COVID-19 pandemic. Within a fortnight, confirmed coronavirus cases surged from half a dozen to 178 cases. In response to the challenge of identifying potential carriers, the government tasked the Israeli Security Agency (the ISA, or Shin Bet) with tracing the routes of confirmed coronavirus patients via cellphone location tracking and identifying individuals with whom the patients had been in close contact. Israel’s ISA communications metadata collection measures have been shrouded in veil of secrecy. The debate – in parliament and in court – regarding the use of the country’s secret service counterterrorism mass surveillance measures to contain the spread of the pandemic is a rare opportunity to assess whether the institutional oversight mechanisms on SIGINT collection activities are sufficient and effective. The paper will (1) describe the existing SIGINT oversight regime in Israel; (2) describe the SIGINT oversight ecosystem’s response to COVID-19 location tracking in Israel; and, (3) in light of existing literature, provide an analysis of that response.

Calvo, Rafael A, Sebastian Deterding and Richard M Ryan, ‘Health Surveillance during Covid-19 Pandemic’ (2020) 369 BMJ (advance article, published 6 April 2020)
Abstract: US government and state agencies are talking to companies such as Google, Facebook, and controversial startup Clearview AI about using location data mining or facial recognition to trace infected people and to monitor and enforce isolation. Around the globe, governments are rapidly following in implementing digital contact tracing of people with covid-19.

Calzada, Igor, ‘Europe Needs a Revolution in the Administration’ (SSRN Scholarly Paper No ID 3619407, 4 June 2020)
Abstract: In the current global digital realm, localised privacy policies that protect the data and digital rights of citizens will inevitably emerge as timely in the aftermath of the social disruption caused by Covid-19. The European Union’s General Data Protection Regulation (GDPR) provides a thorough framework for organisations to adhere to, with hefty fines that can run into hundreds of thousands of euros for those who do not comply with the rules.

Castets-Renard, Céline and Eleonore Fournier-Tombs, ‘COVID-19 and Accountable Artificial Intelligence in a Global Context’ in Colleen M Flood et al (eds), Vulnerable: The Law, Policy and Ethics of COVID-19 (University of Ottawa Press, 2020) 571
Abstract: This chapter identifies two of the key elements in accountable artificial intelligence infrastructure globally—ethical modelling and responsible data. The chapter takes a global perspective and highlights issues of particular relevance to countries that were already in humanitarian crises, such as food insecurity and conflict, explaining how these play into the way that epidemiological models should be constructed. Furthermore, it examines vulnerability from the perspective of aid recipients and migrants, to evoke the type of guidelines and laws that should be taken into account for data protection and privacy.

Cederblom, Michael L, ‘Welcome to the Digital Age: Reinventing Contact Tracing and the Public Health Service Act for a Modern Pandemic Response’ (2022) 31(1) Annals of Health Law and Life Sciences 101–139
Abstract: The United States’ patchwork public health system produced inefficient, insufficient, and fractured contact tracing during the COVID-19 pandemic. Unless the pure federalist approach to public health crisis response is remedied, the U.S. will remain uniquely vulnerable to future outbreaks of infectious diseases. The U.S. federal government should be empowered to become the central coordinator for state digital contact tracing programs, as modeled by South Korea during the COVID-19 pandemic. There are potential privacy concerns with such methods, however, the model provided by South Korea can be adapted to import the efficacy of their program while removing the threats to civil liberties. By amending the Public Health Service Act, the U.S. can turn the CDC into a regional manager for digital contact tracing, preempting stringent privacy laws during times of crises that restrict a state’s ability to act, while ensuring adequate digital privacy protections. This article proposes an amendment that would adapt the South Korean model to improve future U.S. pandemic responses and contact tracing during infectious disease outbreaks.

Celeste, Edoardo, Sorcha Montgomery and Arthit Suriyawongkul, ‘Digital Technology and Privacy Attitudes in Times of COVID-19: Formal Legality versus Legal Reality in Ireland’ (2022) 73(2) Northern Ireland Legal Quarterly 283–309
Abstract: The adoption of digital technologies to counteract the spread of COVID-19 has resulted in a major exposure of our rights to privacy and data protection. An empirical study conducted in Ireland by the Science Foundation Ireland-funded project PRIVATT demonstrates that privacy attitudes have shifted, resulting in a greater willingness to share personal data in order to combat the pandemic, while, at the same time, upholding a persistent mistrust in the public and private institutions overseeing this global health crisis. This article interprets these findings from a socio-legal perspective, arguing that people tend to overlook the inalienable nature of the essence of their rights to privacy and data protection, the compression of which is not admissible under EU law. Moreover, the widespread mistrust of public and private actors evidences a divergence between the formal legality of the technological solutions adopted and the legal reality that brings about the Irish public’s perception of government measures as potentially infringing their fundamental rights. These considerations will prompt recommendations in pursuit of enhancing transparency, involvement in decision-making processes and data protection literacy amongst the population.

Chaplin, David, ‘Covid-19: Stress Testing Data and Justice’ [2020] (June) Computers and Law 3
Abstract: Discusses the debate surrounding the data protection risks arising from the use of centralised COVID-19 contact tracing applications software, particularly where these may start to include facial recognition.

Charbonneau, Étienne and Carey Doberstein, ‘An Empirical Assessment of the Intrusiveness and Reasonableness of Emerging Work Surveillance Technologies in the Public Sector’ (2020) 80(5) Public Administration Review 780–791
Abstract:As public sector work environments continue to embrace the digital governance revolution, questions of work surveillance practices and its relationship to performance management continue to evolve, but even more dramatically in the contemporary period of many public servants being forced to shift to remote work from home in response to the COVID-19 pandemic. This article presents the results of three surveys, two of them population-based survey experiments, all conducted during the onset of the COVID-19 pandemic in Canada that compare public servant (n = 346) and citizen (n = 1,008 phone; n = 2,001 web) attitudes to various cutting-edge—though no doubt controversial among some—digital surveillance tools that can be used in the public sector to monitor employee work patterns, often targeted toward remote working conditions. The findings represent data that can help governments and public service associations navigate difficult questions of reasonable privacy intrusions in an increasing digitally connected workforce. Evidence for Practice New work surveillance technologies are available to use within the public sector and will present acceptability challenges to public managers as they contemplate the introduction of these technologies. Multimodal survey data from Canada reveals that public servants and citizens find these emerging work surveillance technologies to be quite intrusive and unreasonable but show relatively more tolerance for digital surveillance over physical surveillance practices. Understanding surveillance anxieties among targeted employees will be key to finding a balance between employee privacy rights and employer desires to manage employees in a remote or digital environment.

Chawla, Ajay, ‘Coronavirus (COVID-19): “Zoom” Application Boon or Bane’ (SSRN Scholarly Paper No ID 3606716, 20 May 2020)
Abstract: Advances in communication technologies offer new opportunities for the conduct of qualitative research. Among these, Zoom—an innovative videoconferencing platform—has a number of unique features that enhance its potential appeal to qualitative and mixed-methods researchers. Zoom has become nearly synonymous with office meetings and socializing as people around the world have adapted to life at home amid the coronavirus outbreak. That has put the roughly 9-year-old company in the spotlight more than ever before - for both the good and the bad, as an onslaught of security issues have come to light.As the coronavirus pandemic forced millions of people to stay home over the past month, Zoom suddenly became the video meeting service of choice: Daily meeting participants on the platform surged from 10 million in December to 200 million in March.Many Cybersecurity research companies research says that it found security flaws in videoconferencing platform Zoom that would have allowed a potential hacker to join a video meeting uninvited and listen in, potentially accessing any files or information shared during the meeting. While Zoom has addressed the issue, the report raises deeper concerns about the safety of videoconferencing apps that require access to microphones and cameras.

Chen, Qi, ‘Building a Panopticon Through Nodal Governance: Mass Surveillance and Plural Policing in China’s COVID-19 Lockdown’ (2024) 13(2) International Journal for Crime, Justice and Social Democracy 1–19
Abstract: At one time monitoring over 900 million people, China’s health code system is arguably the most controversial invention of the pandemic. This study explores how the system emerged and its implications for security governance in urban communities. By analysing 9,533 social media posts published during three key weeks, the study revealed that early pandemic responses in China were heavily shaped by private nodes, such as estate management companies, private security guards and homeowners. Homeowners’ demands for extra security clashed with migrants’ and tenants’ demands for mobility. The health code system was presented as a ‘solution’ to these conflicts. The findings of this study highlight the limitations of consumer-driven pluralisation in policing. Such pluralisation offered limited opportunities for democratisation. Instead, the radical pursuit of ‘club goods’ by consumer-denizens reinforced existing inequalities. Entrenched inequalities tempted marginalised social groups to accept ‘indiscriminate’ surveillance, which paved the way for a neo-panopticon. The study also warns against the alliance of state nodes and big-tech companies. Through collaboration, these powerful players can replace political dynamics in the community with data-driven modulation, thus destroying the foundation of nodal governance.

Churches, Genna and Monika Zalnieriute, ‘The Instrumentality of Metadata Access Regime For Suppressing Political Protests In Australia’ (UNSW Law Research Paper No 20–50, 2020)
Abstract: Australians, just like many other people around the world, are taking to the streets to oppose racial and environmental injustice, despite the COVID-19 risk of mass gatherings. Australian politicians have expressed strong disdain, and even threats, at protesters. Government’s desire to silence critics is not new, however today’s tracking technologies and Australia’s lax federal metadata laws give the government unprecedented tools to take action against protesters. Accessing metadata requires no warrant or reporting and enables government to draw links and amass schemes of connections between people who were organising, attending, intending or speaking at the protests. These tools, coupled with new COVID-19 powers to surveil citizens, have seriously impaired the right to protest anonymously in Australia. In this post we are not disputing the need for restrictions on mass gatherings or social distancing — to the opposite, we think they are crucial to stop the spread of virus. Instead, we are exposing the instrumentality of metadata, including location data, for the government to clamp down on peaceful protests. We propose one small step towards securing the right t protest anonymously during a time when Australians need it most: reforming the laws so that our metadata can only be accessed with a judicial warrant and further protected with detailed public reporting requirements.

Clifford, Damian, Megan Richardson and Normann Witzleb, ‘Artificial Intelligence and Sensitive Inferences: New Challenges for Data Protection Laws’ in Mark et al Findlay (ed), Regulatory Insights on Artificial Intelligence (Edward Elgar, 2022) 19

Cofone, Ignacio, ‘Ethical Surveillance in Vaccine Passports’ (2022) 45(4) Fordham International Law Journal 621–638
Abstract: This Essay explores the interrelated privacy and equality risks of deploying surveillance technology used in COVID-19 vaccine passports. The type of vaccine passport that governments implement has significant human rights ramifications. This Essay discusses how different vaccine passport designs can curb or exacerbate risks, providing a roadmap to guide policymakers in their app selection to mitigate unintended consequences. Vaccine passports should work on a decentralized system and use the least invasive data possible. Further, vaccine passports should be based solely on government vaccine data, should be implemented only in places where vaccines are widely available for free, should track location only when they are scanned, and should provide a non-digital option. Governments should have clear sunset clauses for the app and collected data.

Cohen, I Glenn, Lawrence O Gostin and Daniel J Weitzner, ‘Digital Smartphone Tracking for COVID-19: Public Health and Civil Liberties in Tension’ (2020) 323(23) Journal of the American Medical Association (JAMA) 2371–2372
Abstract: This Viewpoint compares manual and digital strategies for coronavirus disease 2019 (COVID-19) contact tracing, describes how countries in Asia and Europe have used smartphone tracking, and discusses privacy and discrimination concerns and strategies for balancing public health and civil liberties in the

Colcelli, Valentina, ‘The Pandemic Crisis as Test Case to Verify the European Union’s Personal Data Protection System Ability to Support Scientific Research’ in Dara Hallinan, Ronald Leenes and Paul De Hert (eds), Data Protection and Privacy, Volume 14: Enforcing Rights in a Changing World (Bloomsbury, 2021)

Collaco, Aafreen Mitchelle, ‘Contact Tracing Applications and Informational Privacy amidst the Pandemic in India’ (2022) 36(3) International Review of Law, Computers & Technology 368–381
Abstract: Various technological interventions introduced during the COVID-19 pandemic outbreak have resulted in numerous challenges, including the protection of informational privacy. Contact tracing applications are one such method adopted by governments worldwide to contain the pandemic. Their key features involve the collection and use of sensitive personal data, such as an individual’s personal information, health record, and location, raising concerns among regulators. Regulators must ensure that these technologies align with informational privacy protection. The current legal regime in India is not sophisticated enough to delve into issues that concern contact tracing technology. In India, the introduction of the Aarogya Setu Application (contact tracing application) gained attention when the Ministry of Home Affairs (MHA) made downloading it mandatory for individuals. Eventually, doing so was made voluntary. Considering these current trends, this paper aims to examine developments in data privacy issues specifically regarding surveillance technologies and tracing applications in India. It highlights and analyzes them considering private players which announced their partnership in creating a robust contact tracing application. The study also adopts a comparative examination of existing contact tracing applications and their privacy policy along with the Indian version and explores how one deploys jurisprudence for informational privacy as perceived in India.

Comandé, Giovanni, Denise Amram and Gianclaudio Malgieri, ‘The Democracy of Emergency at the Time of the Coronavirus: The Virtues of Privacy’ (2020) 1(1) Opinio Juris in Comparatione 1–7
Abstract: The emergency of the Coronavirus imposes a cultural debate on the balancing of rights, freedoms and social responsibilities, finalized to the protection of individual and collective health. So much and rightly has been written in these days about strategic errors of the past, and authoritarian and social control risks exploiting the fear of contagion to further compress individual freedoms. A lot has been said about the futility of privacy as well.But is there a democratic way that respects fundamental rights in an emergency? Is there a model that can turn respect for democratic freedoms into a tool for effective common struggle in an emergency?

Ćorić, Lucija and Anto Čartolovni, ‘Ethical, Legal and Policy Challenges in COVID-19 Contact Tracing Apps: A European Perspective’ in Assya Pascalev and Gergely Tari (eds), Ethical Issues of the SARS-CoV-2 Outbreak in East-Central Europe and Beyond (Trivent Publishing, 2024) 98-112
Abstract: In an effort to combat the global pandemic caused by COVID-19, countries around the world swiftly developed contact tracing mobile applications with the aim of fastening and objectivizing manual contact tracing of people infected with SARSCoV-2 virus. The apps encountered worldwide scepticism regarding their ethics, especially considering the privacy issue. The idea was supported by several joint documents in theory, but only a few Member States implemented it in practice, with some of them differing even from the commonly agreed technical points. This reveals a lack of solidarity and political weakness, pointing to deeper political issues within the EU.

‘COVID Passports Do Not Violate the Rights to Privacy and Data Protection’ (2022) 71(9) GRUR International: Journal of European & International IP Law 886–895
Abstract: A measure adopted by the Regional Minister of Health, which prescribes that documentation proving vaccination, testing or recovery from COVID-19 be displayed in order to gain access to certain premises, may limit the fundamental rights to equality, privacy and data protection as enshrined in the Spanish Constitution. As such, it requires prior ratification by the competent Regional High Court to be effective. Such a measure is appropriate and in accordance with the requirements of health protection, insofar as it aims at protecting the health and life of people, it concerns premises where entry is voluntary, where no essential activities take place, and where the risk of infection is high. Such a measure does not discriminate between vaccinated people and those who are not, as long as it gives an alternative to vaccination to enter the premises.

Curran, Charles, ‘Personal Data and Vaccination Hesitancy: COVID-19’s Lessons for Public Health Federalism’ (2024) 73(2) Catholic University Law Review 155–212
Abstract: During the COVID-19 vaccination campaign, the federal government adopted a more centralized approach to the collection of public health data. Although the states previously had controlled the storage of vaccination information, the federal government’s Operation Warp Speed plan required the reporting of recipients’ personal information on the grounds that it was needed to monitor the safety of novel vaccines and ensure correct administration of their multi-dose regimens. Over the course of the pandemic response, this more centralized federal approach to data collection added a new dimension to pre-existing vaccination hesitancy. Requirements that recipients furnish individual information deterred vaccination among undocumented immigrants already fearful about the Trump Administration’s data-driven immigration enforcement policies—even as undocumented essential workers faced enhanced risks of COVID-19 exposure. Disputes with some states over the federal government’s proposed terms of governance for individual vaccination information compounded delays in the reporting of necessary public health information. Moreover, as the pandemic response evolved, the Biden Administration was obliged to counter apprehension among the broader public that federally-stored information might be used to enforce vaccination mandates or adoption of digital ‘vaccination passports.’ Notwithstanding calls for greater federal authority to directly gather data in future epidemics, I argue that the goal of achieving broad public vaccination uptake will be better served by preserving and improving a federalist approach that generally leaves the states to control the collection and storage of individually identifiable vaccination information. I contend that the lessons of COVID-19 suggest that more robust governance and technological controls for federal access to state public health data—coupled with improved transparency about the limits of federal data use—can both ameliorate public hesitancy and improve inter-governmental exchange.

Damjanović, Biljana, Danilo Ćupić and Sanja Grbović, ‘Individual Privacy and Data Protection Rights. The Legal and Economic Consequences of the Violation During the Covid-19 Pandemic’ (2023) 2(4) Journal of Research, Innovation and Technologies 247–259 [full text pre-published version available on SSRN]
Abstract: The basic constitutional freedoms and rights of a person and citizen are in principle unlimited: the full scope of their exercise is the rule, and the restriction determined by law can only be an exception based on explicit constitutional authority and the legitimate aim of the restriction determined by the Constitution. That being so, the restrictions - in addition to being based on constitutional authority and pursuing constitutional objectives - should be commensurate with the needs to achieve these objectives. This means that restrictive legal rules must be suitable for achieving the legitimate aim pursued, must not be stricter than necessary and must be balanced between the constitutionally guaranteed subjective right of the individual and the interests of society. In this paper, the authors point out the economic and legal consequences of the violation of individual privacy and data protection rights caused by the public disclosure of personal data of people who, at a certain time, were obliged to self-isolate due to suspicion of Covid-19 virus infection.

Dash, Lipsa and Sambhabi Patnaik, ‘Artificial Intelligence in Covid-19: Application and Legal Conundrums’ in Sachi Nandan Mohanty et al (eds), Applications of Artificial Intelligence in COVID-19 (Springer, 2021) 581–595
Abstract: The current healthcare system needs strong support from new technology support systems like Artificial Intelligence (AI), Internet of Things (IoT), machine learning devices to help diagnose, analyze, assist, and prevent new diseases that are spreading in our world. The current international crisis that the world is suffering and witnessing is a virus contaminating and the spread which initiated as an epidemic but later declared by WHO to be a pandemic Covid-19. Corona virus has triggered a global challenge and has crossed boundaries in dismantling mental and physical health of people. AI technologies have seen to be introduced to help management of patients real time monitoring of its outbreaks and helping update the patients data, improve treatment outcome by prioritizing patients, diagnosis and recording of minute fluctuations in patients, assisting medical practitioners and giving productive solutions. The researchers will show the paradigm shift in the number of patents filed every year in the field of AI specific to healthcare sector from diagnosis to recovery of patients. The chapter includes how all the above applications lead to legal conundrums and the imminent need of bringing amendments to existing legislations or drafting new policies and encouraging government to bring up initiatives for innovations and research and development on the same. The Constitution of India has incorporated provisions which guarantees everyone the ‘right for the highest attainable standard of physical and mental health’. With the growth in usage of AI-induced systems in the healthcare sector, it has invited some unwanted issues. Protection of sensitive personal information and the impact assessment is however a major concern and is dealt by different International and national legislations and bills. AIs will soon lead the national security of India and economy. An analysis on the existing data, application of AI in healthcare and the legal implications shows the expected outcome in a few years. The consequence mainly technical and legal is discussed by the researchers.

Daskal, Jennifer, ‘Good Health and Good Privacy Go Hand-in-Hand’ (2020) 11(1) Journal of National Security Law & Policy 131–156
Abstract: Without a vaccine, writes Jennifer Daskal, the United States and other countries are struggling with different tools to stem COVID-19. A critically important one is health surveillance. Previous crises, such as 9/11, also led to restrictions—but often secret—on civil liberties. A pandemic’s surveillance response has a different goal: to educate and inform. Health surveillance provides officials and the public with valuable information on rising hotspots, when to test after exposure, and monitoring compliance with quarantine orders. Daskal adds to this topical debate by outlining various types of surveillance schemes and associated technology—public or private, universal or targeted, mandated or consent-based—as well as the U.S. legal and policy considerations that each system will face. Professor Daskal argues that, despite the challenges, good health and good privacy can and should go hand in hand.

Dempsey, Jennifer Schrack and Alyson A Foster, ‘Batten Down the Hatches: Handling Business Data in a Pandemic (and Everyday)’ (2021) 64(5) Advocate 22–27
Abstract: The article offers an overview of laws governing data collection and management and factors to consider in developing a data preservation and security strategy in a pandemic. Topics discussed include the increase in data security challenges during the COVID-19 pandemic, importance of the Idaho Consumer Protection Act and the Idaho Code data breach notification requirements to litigators, and significance of identifying the categories of information in developing a data strategy.

Devetzis, Dimitrios, ‘The Janus’s Two Faces in the Case of Tracing Apps: Safety v Privacy’ in Vasiliki Karagkouni (ed), The Impact of the Covid-19 Pandemic on Human Rights: Collective Research Project (Logos Verlag Berlin, 2024) 47 [OPEN ACCESS E-BOOK]

Du, Li, Vera Lúcia Raposo and Meng Wang, ‘COVID-19 Contact Tracing Apps: A Technologic Tower of Babel and the Gap for International Pandemic Control’ (2020) 8(11) JMIR mHealth and uHealth e23194
Abstract: As the world struggles with the new COVID-19 pandemic, contact tracing apps of various types have been adopted in many jurisdictions for combating the spread of the SARS-CoV-2 virus. However, even if they are successful in containing the virus within national borders, these apps are becoming ineffective as international travel is gradually resumed. The problem rests in the plurality of apps and their inability to operate in a synchronized manner, as well as the absence of an international entity with the power to coordinate and analyze the information collected by the disparate apps. The risk of creating a useless Tower of Babel of COVID-19 contact tracing apps is very real, endangering global health. This paper analyzes legal barriers for realizing the interoperability of contact tracing apps and emphasizes the need for developing coordinated solutions to promote safe international travel and global pandemic control.

Duarte, Francisco de Abreu and Francesca Palmiotto Ettorre (eds), Sovereignty, Technology and Governance after COVID-19: Legal Challenges in a Post-Pandemic Europe (Bloomsbury, 2022)
link to book page on publisher website
Chapters on privacy / data protection:
  • Francesca Palmiotto, ‘Tracing Transparency: Public Governance of Algorithms and the Experience of Contact Tracing Apps’ chap 6
  • Mariavittoria Catanzariti, ‘Data Under Threat for the “Health”’ of Nations chap 7
  • Natalia Menéndez, ‘“Brave New (Normal) World”: Can the Covid19 Emergency serve as an excuse to increase the Surveillance State with Facial Recognition Technology?’ chap 8
  • Tommaso Fia, ‘Data Governance to Tackle Covid19: Some lessons we should learn from the Pandemic’ chap 9
  • Francesco Godano and Galileo Sartor, ‘Contact Tracing and Techno-Surveillance Clusters in Asia and Europe’ chap 10
  • Nicolas Petit, ‘Covid19, Tracing Apps, and Big Tech: “Can't Buy me Love”’ chap 11
  • Maria Magierska, ‘What role for the Data Protection Authorities during the Covid19 Pandemic?’ chap 12

Dubov, Alex and Steven Shoptaw, ‘The Value and Ethics of Using Technology to Contain the COVID-19 Epidemic’ (2020) 20(7) The American Journal of Bioethics W7–W11
Abstract: As the world grapples with COVID-19, experts are calling for better identification and isolation of new cases. In this paper, we argue that these tasks can be scaled up with the use of technology. Digital contact tracing can accelerate identifying newly diagnosed patients, instantly informing past contacts about their risk of infection, and supporting social distancing efforts. Geolocation data can be used to enforce quarantine measures. Social media data can be used to predict outbreak clusters and trace the spread of misinformation online. These technology tools have played a role in turning the tide of the epidemic and easing lockdown measures in China, South Korea, and Singapore. There is a growing interest in the US in digital contact-tracing tools that may help rein in contagion and relax lockdown measures. This paper provides an overview of the ways in which technology can support non-pharmaceutical interventions during the COVID-19 epidemic and outlines the ethical challenges associated with these approaches.

Dzurakova, Daniela and Olga Gkotsopoulou, ‘Data Protection Law and the EU Digital COVID Certificate Framework’ in Dara Hallinan, Ronald Leenes and Paul De Hert (eds), Data Protection and Privacy, Volume 14: Enforcing Rights in a Changing World (Bloomsbury, 2021)

‘EDPB Adopts Statements on Schrems, PSD2 and Responds to MEP on Contact Tracing’ [2020] (August) Computers and Law 37–38
Abstract: Summarises the outcomes of the European Data Protection Board (EDPB)’s 34th plenary session during which it adopted: a statement on Schrems v Facebook Ireland Ltd (C-498/16) (ECJ); guidelines on the relationship between Directive 2007/64 (PSD2) and Regulation 2016/679 (GDPR); and a letter in response to MEP Duris Nicholsonova’s questions on contact tracing, interoperability of applications software and data protection impact assessments.

‘EDPB: ‘“Even in These Exceptional Times, the Protection of Personal Data Must Be Upheld in All Emergency Measures”’ [2020] (August) Computers and Law 7–8
Abstract: Highlights a statement by the European Data Protection Board (EDPB) clarifying the interpretation of data subjects’ rights under Regulation 2016/679 art.23 in relation to the emergency situation surrounding COVID-19 in response to concerns raised following the Hungarian Government’s Decree 179/2020 of 4 May 2020, which suspended Regulation 2016/679 (GDPR) in relation to dealing with the pandemic.

Egan, Mo, ‘Remote Justice: Information Rights as a Tool of Empowerment’ (2022) 36(2) International Review of Law, Computers & Technology 202–222
Abstract: The coronavirus pandemic has resulted in a compulsory retreat from public spaces. While, for some, this displacement has brought about engagement with digital technologies in new and interesting ways, for others, digital technologies have proved to be the site of technology-facilitated abuse (TFA). Consequently, there are renewed calls for regulation of TFA, with a great deal of this discussion focussing on the design and enforcement of criminal law. However, the scope of behaviour perpetrated with, or through, digital technologies is much broader and demands a range of responses that offer access to justice. This paper argues information rights offer significant potential to enable victims/survivors to gain control over personal information, feel empowered, and improve their mental health and wellbeing. First, it defines information rights and how they are accessed from an EU perspective. Second, it addresses the relationship between legal rights and empowerment in this context. It reflects on if, and how, information rights have been used within the UK specifically, to provide reflections on harnessing their potential. And lastly, explores the viability of advocacy in this area.

Eliot, Lance, ‘Contact Tracing Apps: The Latest Efforts in the US’ [2020] (June) Computers and Law 53–57
Abstract: Examines the approach of US state and federal governments to addressing problems associated with COVID-19-related digital contact tracing applications software. Outlines the precepts underlying the Exposure Notification Privacy Act released by the US Congress. Discusses the unanswered concerns that remain regarding the governance of such applications and the risks associated with the use of contact tracers.

Etteldorf, Christina, ‘EU Member State Data Protection Authorities Deal with Covid-19: An Overview’ (2020) 6(2) European Data Protection Law Review 265–280
Extract from Introduction: Governments, health ministries and medical research institutes are looking for technical solutions to track the spread of the virus and thus contain it. However, this also raises questions about the compatibility of these measures with (European) data protection law.

Falletti, Elena, ‘Privacy Protection, Big Data Gathering and Public Health Issues: COVID-19 Tracking App Use in Italy’ (SSRN Scholarly Paper ID 3758800, 2 January 2021)
Abstract: The COVID-19 global outbreak showed that big data gathering is an issue of international and national public health. According to comparative experience carried out especially in Taiwan, Hong Kong and South Korea contagion containment action should take place through the coordinated use of tests and tracking of infected contacts. From the end of March 2020, the Italian authorities started to prepare preparations for non-pharmaceutical interventions in order to be able to reactivate economic life and prevent the spread of COVID-19 in the country.From this perspective, the massive collection of personal data related to COVID-19 could present a possible opportunity for the elaboration of predictive models, especially after an open discussion involving experts and public opinion about the effectiveness of the enforcement of AI models. The main challenge here was to persuade people to download and use the app, showing trust in public policies and strategies planned by the Italian Government against the COVID-19 outbreak.In order to collect massive personal data according to the relevant constitutional and legal provisions, the Italian Government promoted a Law-decree No. 28/2020 regarding urgent measures for the introduction of a national COVID-19 alert system. It was called ‘Immuni’. This regulation disciplines the collection and management of big data through a black box. Regarding privacy protection, this law establishes some guarantees for users, and for this purpose any person, on a voluntary basis, can download a special software application, respecting the transparency principle and providing the proper information regarding the legal framework of this data collection.According to the Italian government, privacy protection, individual consent, and local data management were considered preferable to mandatory traceability and centralised management of the same data. However, first empirical analysis underlined that Italian people did not seem confident in the Immuni app since only 10 million people (over 60 million people of Italian population) downloaded it. Some questions about its public dissemination among citizens could emerge.

Fathauer, Cameron M, ‘Protecting Liberty in Times of Calamity: The Long and Short Term Benefits of Data Minimization During National Emergencies Like COVID-19’ (SSRN Scholarly Paper ID 3915021, 3 May 2020)
Abstract: Overall, data minimization provides more benefits to the United States in both the short and the long term because it directs governmental resources to areas that curb the spread and effects of COVID-19; it honors our democratic, republican principles of government; and it protects individual liberties reinstated by judicial precedent and guaranteed by the United States Constitution. While it may appear, in the short term, broader data information would aid in the fight against COVID-19, it would need to reach the level of surveillance as seen in communist, dictatorial regimes in order to be effective, which is something the Constitution and the American people will not allow. Thus, in the short term, it is far wiser and more prudent to direct financial energy toward those areas that do in fact aid in the fight against COVID-19, which, in the long term, upholds American democracy and liberty. When the COVID-19 chapter of history closes, those governments that did not give in to the reactionary, totalitarian temptations will be made clear. If there only be one, let it be America.

Fazlioglu, Müge, ‘Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing’ (International Association of Privacy Professionals, iapp Report, May 2020) 1–38
Abstract: Introduction: Considering the rapid and massive changes underway, the IAPP and EY launched a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. The initial phase of the project included a survey of privacy professionals, taking a deeper look at how organizations, in general, and privacy programs, in particular, are handling the privacy and data protection issues that have emerged alongside COVID-19, such as privacy and security issues related to working from home, monitoring the health of employees, and sharing data with governments, researchers and public health authorities. It also looks at the unique economic impact of the crisis on the privacy profession. A total of 933 respondents completed the survey, and responses were collected between April 8 and 20.

Fazlioglu, Müge, ‘Privacy Risks to Individuals in the Wake of COVID-19’ (International Association of Privacy Professionals, iapp White Paper, June 2020) 1–38
Abstract: Introduction: Considering the rapid and massive changes underway, the IAPP and EY launched a research initiative to gain more insight into the unique ways privacy and data protection practices have been affected by the pandemic. The initial phase of the project included a survey of privacy professionals, taking a deeper look at how organizations, in general, and privacy programs, in particular, are handling the privacy and data protection issues that have emerged alongside COVID-19, such as privacy and security issues related to working from home, monitoring the health of employees, and sharing data with governments, researchers and public health authorities. It also looks at the unique economic impact of the crisis on the privacy profession. A total of 933 respondents completed the survey, and responses were collected between April 8 and 20.

Findlay, Mark, ‘Regulating Personal Data Usage in COVID-19 Control Conditions’ in Mark et al Findlay (ed), Regulatory Insights on Artificial Intelligence (Edward Elgar, 2022) 101

Findlay, Mark and Nydia Remolina, ‘Regulating Personal Data Usage in COVID-19 Control Conditions’ (SMU Centre for AI & Data Governance Research Paper No 2020/04, 22 May 2020)
Abstract: As the COVID-19 health pandemic ebbs and flows world-wide, governments and private companies across the globe are utilising AI-assisted surveillance, reporting, mapping and tracing technologies with the intention of slowing the spread of the virus. These technologies have capacity to amass and share personal data for community control and citizen safety motivations that empower state agencies and inveigle citizen co-operation which could only be imagined outside times of real and present personal danger. While not cavilling with the short-term necessity for these technologies and the data they control, process and share in the health regulation mission (provided that the technology can be shown to be fit for purpose), the paper argues that this technological infrastructure for surveillance can have serious ethical and regulatory implications in the medium and long term when reflected against human dignity, civil liberties, transparency, data aggregation, explainability and other governance fundamentals. The paper commences with the case for regulation recognising crisis exigencies, after which it reiterates personal data challenges, then surveys policy and regulatory options to equitably address these challenges.

Findlay, Mark et al, ‘Ethics, AI, Mass Data and Pandemic Challenges: Responsible Data Use and Infrastructure Application for Surveillance and Pre-Emptive Tracing Post-Crisis’ (Singapore Management University, SMU Centre for AI & Data Governance, Research Paper No 2020/02, May 2020)
Abstract: As the COVID-19 health pandemic rages governments and private companies across the globe are utilising AI-assisted surveillance, reporting, mapping and tracing technologies with the intention of slowing the spread of the virus. These technologies have the capacity to amass personal data and share for community control and citizen safety motivations that empower state agencies and inveigle citizen co-operation which could only be imagined outside such times of real and present danger. While not cavilling with the short-term necessity for these technologies and the data they control, process and share in the health regulation mission, this paper argues that this infrastructure application for surveillance has serious ethical and regulatory implications in the medium and long term in relation to individual dignity, civil liberties, transparency, data aggregation, explainability and other governance challenges. To conduct this analysis, the paper presents the Singapore and China case studies, and offers a comparative description based on the many more initiatives implemented worldwide in order to understand the purpose, goal and risk of these infrastructures. The analysis looks at data protection and citizen integrity and reflects on other surveillance methods outside the health context, such as initiatives implemented in the financial sector, where similar challenges have arisen.

Finnegan, Matthew, ‘Zoom Hit by Investor Lawsuit as Security, Privacy Concerns Mount.’ [2020] Computerworld (Online Only) 4
Abstract: The article discusses video conferencing app Zoom. Topics include the challenges facing Zoom continue to mount, as the company now faces an investor lawsuit and more organizations ban the use of the video meeting app due to privacy and security concerns; company also upped efforts to improve its security and privacy practices by hiring Facebook’s former CSO as a consultant; and Zoom seen a surge in use as self isolation in response to the pandemic ramps up the demand for video software.

Ford, Jolyon, ‘COVID-19, International Human Rights Law and the State-Corporate Complex’ (2021) 39(1) The Australian Year Book of International Law Online 195–213
Abstract: Data-driven technologies (such as mobile phone-based tracing apps) have been at the forefront of public health responses to the COVID-19 pandemic. However, we have also seen high-level expressions of concern about how state actions ostensibly in pursuit of public health goals have in fact greatly accelerated existing human rights concerns about newer technologies, especially increased state and corporate surveillance. This article explores issues at the nexus of COVID-19 public health responses, civil-political rights under international human rights law, and the responsible governance of data-driven technologies. In particular, it offers a framework to evaluate the human rights compatibility of tech-assisted COVID-related state measures. The articles also explore analogies between COVID-related measures and post-2001 counter-terrorism actions taken by states in the name of public security. It cautions against exceptional measures becoming hardwired in ways that may unreasonably impact on pre-COVID freedoms. The article argues that the blurring of state and corporate surveillance and data-gathering and the often symbiotic relationship between tech firms and governments (the ‘state-corporate complex’) complicate efforts to assert clear frames of responsibility.

Francis, Leslie, ‘Health Information Beyond Pandemic Emergencies: Privacy for Social Justice’ 70(5) American University Law Review 1629–1680
Abstract: The COVID-19 pandemic has forcefully revealed the critical importance of timely information to identify emerging infections, discern patterns of disease, and stop disease spread. Information about individuals both as patients, and as ordinary people in the world is necessary for each of these tasks. Yet the implications for information use and efforts to achieve social justice are significant. This Article first surveys information needs as revealed by the pandemic. It then articulates different normative approaches to privacy and confidentiality to develop two implications for privacy and justice: that information gleaned in clinical care and information possessed by public health should be far more integrated, and that sectoral regulatory structures are deleterious. These implications suggest a third: that notice and choice models are misguided as a method for protecting individuals from discrimination and injustice. Individualistic notice and choice are particularly problematic from the perspective of risks of discrimination and social inequality. The Article concludes by suggesting that U.S. law should move away from the notice and choice model as the primary method for protecting privacy.

Franks, Mary Anne, ‘Protecting Privacy and Security in Online Instruction: A Guide for Students and Faculty’ (SSRN Scholarly Paper No ID 3668553, 6 April 2020)
Abstract: COVID-19 forced educational institutions all over the globe to shift abruptly to online instruction. Online instruction presents many challenges to both faculty and students accustomed to in-person learning. Among those challenges are serious equity concerns, including wide variation among students and faculty in terms of technological literacy, access to reliable Internet service and related ‘digital divide’ issues, time zones, caretaking responsibilities, and personal situations that may make remote learning difficult or impossible (e.g. unsafe home conditions). Another serious category of concern are privacy and security issues, which are the subject of this memo. The privacy and security issues raised by this memo are not exhaustive. This memo is only a preliminary and necessarily incomplete set of concerns and recommendations.

Fulford, Nicola and Hannah Jackson, ‘Returning to Work: COVID-19 and the Data Protection Perspective’ (2020) 109(May) Privacy Laws & Business United Kingdom Newsletter 1–5
Abstract: Examines what procedures employers should follow after the coronavirus ban is lifted and employees return to the workplace, to provide a safe working environment while protecting employees’ personal data and privacy.

Gable, Lance, Natalie Ram and Jeffrey L Ram, ‘Legal and Ethical Implications of Wastewater Monitoring of SARS-CoV-2 for COVID-19 Surveillance’ (2020) 7(1) Journal of Law and the Biosciences Article lsaa039
Abstract: Scientists have observed that molecular markers for COVID-19 can be detected in wastewater of infected communities both during an outbreak and, in some cases, before the first case is confirmed. The Centers for Disease Control and Prevention and other government entities are considering whether to add community surveillance through wastewater monitoring to assist in tracking disease prevalence and guiding public health responses to the COVID-19 pandemic. This scientific breakthrough may lead to many useful potential applications for tracking disease, intensifying testing, initiating social distancing or quarantines, and even lifting restrictions once a cessation of infection is detected and confirmed. Yet, new technologies developed in response to a public health crisis may raise difficult legal and ethical questions about how such technologies may impact both the public health and civil liberties of the population. This paper describes recent scientific evidence regarding COVID-19 detection in wastewater, identifying public health benefits that may result from this breakthrough, as well as the limitations of existing data. The paper then assesses the legal and ethical implications of implementing policy based on positive sewage signals. It concludes that the first step to implementing legal and ethical wastewater monitoring is to develop scientific understanding. Even if reliability and efficacy are established, limits on sample and data collection, use, and sharing must also be considered to prevent undermining privacy and autonomy in order to implement these public health strategies consistent with legal and ethical considerations.

Galloway, Kate, ‘The COVID Cyborg: Protecting Data Status’ (2020) 45(3) Alternative Law Journal 162–167
Abstract: This article examines the increasing tendency towards governance of people through their representation via data. In its most contemporary iteration, the COVID-19 pandemic has seen the release of contact tracing apps – in Australia, COVIDSafe. While public discourse about the apps has focused principally on the important issue of data privacy, there are other possible effects whereby participation in such schemes might become a prerequisite to accessing services or basic rights – either from government or from corporations. The pathway to acceptability of applying our data in this way is already paved, through fitness monitors and other technologies by which we represent ourselves. This article sets out the foundation of such technologies and their application, before outlining their effect on the recognised boundaries of governance and the conception of the holder of rights and the substance of those rights.

Gates, Samantha, ‘Pandemics, Privacy and Pressing Constitutional Limits: The Commonwealth’s Use of the Nationhood Power to Facilitate COVIDsafe’ (2023) 50(2) University of Western Australia Law Review 194–223
Abstract: The advent of COVID-19 saw the Commonwealth Government launch the voluntary contact tracing app – COVIDSafe. Accompanying the launch of the app, the Commonwealth inserted Part VIIIA into the Privacy Act 1988 (Cth) (‘Privacy Act’). Part VIIIA put in place a scheme of privacy protection for users of COVIDSafe to increase public trust in the app, and therefore its uptake. What is remarkable about Part VIIIA is its constitutional basis. While the constitutional validity of the Privacy Act is sourced in the external affairs power, the Commonwealth instead relied on the amorphous nationhood power to support Part VIIIA. The aim of this article is to examine Part VIIIA and determine whether it can truly be said to be a law with respect to the nationhood power. This will carry implications for future uses of the nationhood power by the Commonwealth in the realm of privacy protection.

Gawu, Delali A and Richard Obeng Mensah, ‘COVID-19 Contact Tracing and Privacy Rights in Ghana: A Critical Analysis of the Establishment of Emergency Communications System Instrument, 2020 (EI 63)’ (2021) 65(S2) Journal of African Law 361–373
Abstract: In December 2019, the world woke up to the news of a novel coronavirus (COVID-19). Since then, governments across the globe have deployed various measures to contain the spread of the disease. The government of Ghana, among other measures, issued the Establishment of Emergency Communications System Instrument, 2020 (EI 63) to establish an emergency communications system to aid contact tracing during public health emergencies. This executive instrument has been criticized for illegally ‘legalizing’ the breach of the privacy rights of electronic communications network subscribers in Ghana. This article critically analyses EI 63 in relation to the right to privacy of communication enshrined in Ghana’s 1992 Constitution. It argues against the constitutionality of EI 63, calls for its revocation and replacement with an act of Parliament enacted with due regard for Ghana’s legislative framework on the protection of the right to privacy of communication.

Gerke, Sara et al, ‘Regulatory, Safety, and Privacy Concerns of Home Monitoring Technologies during COVID-19’ (2020) 26(8) Nature Medicine 1176–1182
Abstract: There has been increasing interest in the use of home monitoring technologies during the COVID-19 pandemic to decrease interpersonal contacts and the resultant risks of exposure for people to the coronavirus SARS-CoV-2. This Perspective explores how the accelerated development of these technologies also raises major concerns pertaining to safety and privacy. We make recommendations for needed interventions to ensure safety and review best practices and US regulatory requirements for privacy and security. We discuss, among other topics, Emergency Use Authorizations for medical devices and privacy laws of the USA and Europe.

Germanò, Marco André et al, ‘Digital Surveillance Trends and Chinese Influence in Light of the COVID-19 Pandemic’ (2023) Asian Journal of Comparative Law (advance article, published online 23 January 2023)
Abstract: Countries across the world expanded digital surveillance strategies in response to the COVID-19 pandemic. As the pandemic occurred contemporaneously with a global trend toward greater digital repression, commentators advanced the notion that China would use the health crisis to promote a technology-enabled form of authoritarian governance abroad. This article surveys the evidence for these claims by first examining the literature on the increase of digital surveillance associated with China and then presenting three case studies from developing countries with varying responses to the COVID-19 pandemic. The selected countries – Brazil, South Africa and Vietnam – used surveillance technology as part of their pandemic response and have either been influenced by Chinese approaches or adopted Chinese technology in recent years. Examining these case studies allows us to better understand claims regarding China’s role in the general spread of digital surveillance and the interplay between Chinese state objectives and local political environments. Crucially, we illustrate how China’s engagement in digital governance abroad is heavily contingent on domestic environments. Against a backdrop of China’s growing influence in global digital governance, the effects observed in these case studies of Chinese surveillance models and technology proliferating through pandemic management are diffuse and contextualised by local factors.

Gesley, Jenny, ‘Regulating Electronic Means to Fight the Spread of COVID-19’ (Law Library of Congress Legal Report, June 2020)
Abstract: Note: This page includes a comparative summary, and links to the full report and a COVID-19 Contact Tracing Apps world map. Extract from Introduction: This report surveys the regulation of electronic means to fight the spread of COVID-19 in 23 jurisdictions around the globe: Argentina, Australia, Brazil, China, England, France, Iceland, India, Iran, Israel, Italy, Japan, Mexico, Norway, Portugal, the Russian Federation, South Africa, South Korea, Spain, Taiwan, Turkey, the United Arab Emirates, and the European Union (EU).

Ghose, Anindya et al, ‘Trading Privacy for the Greater Social Good: How Did America React During COVID-19?’ (SSRN Scholarly Paper No ID 3624069, Social Science Research Network, 10 June 2020)
Abstract: Digital contact tracing and analysis of social distancing from smartphone location data are two prime examples of non-therapeutic interventions used in many countries to mitigate the impact of the COVID-19 pandemic. While many understand the importance of trading personal privacy for the public good, others have been alarmed at the potential for surveillance via measures enabled through location tracking on smartphones. In our research, we analyzed massive yet atomic individual-level location data containing over 22 billion records from ten ‘Blue’ (Democratic) and ten ‘Red’ (Republican) cities in the U.S., based on which we present, herein, some of the first evidence of how Americans responded to the increasing concerns that government authorities, the private sector, and public health experts might use individual-level location data to track the COVID-19 spread. First, we found a significant decreasing trend of mobile-app location-sharing opt out. Whereas areas with more Democrats were more privacy-concerned than areas with more Republicans before the advent of the COVID-19 pandemic, there was a significant decrease in the overall opt-out rates after COVID-19, and this effect was more salient among Democratic than Republican cities. Second, people who practiced social distancing (i.e., those who traveled less and interacted with fewer close contacts during the pandemic) were also less likely to opt out, whereas the converse was true for people who practiced less social-distancing. This relationship also was more salient among Democratic than Republican cities. Third, high-income populations and males, compared with low-income populations and females, were more privacy-conscientious and more likely to opt out of location tracking. Overall, our findings demonstrate that during COVID-19, people in both Blue and Red cities generally reacted in a consistent manner in trading their personal privacy for the greater social good but diverged in the extent of that trade-off along the lines of political affiliation, social-distancing compliance, and demographics.

Ghose, Anindya and D Daniel Sokol, ‘Unlocking Platform Technology to Combat Health PandemicsYale Journal on Regulation, 2020 (Online 18 March 2020)
Abstract: Effective use of data from digital platforms and related technological ecosystems could be key to mitigating the spread of the COVID-19 pandemic. Data from smartphones, GPS, and wearable fitness trackers can combine with sophisticated algorithms to trace networks of contact with COVID-19 patients. This practice has already been used to successfully slow the spread of the pandemic in Korea and Taiwan warrants immediate, broader consideration. Regarding consumer concerns about data privacy, given the unusual and dire circumstances, government authorities need a set of consent exceptions that allows non-health data to be harnessed for the public health. A swift, thoughtful collaboration between the technology sector and the government could result in regulatory policy changes that have proven potential to save lives.

Gibellino, Elisa and Federica Cristani, ‘First 100 Days of Italian COVID-19 Policy: A New Image for Democracy, Security, Education, and the Economy in Italy’ in Aleksandar Stojanović, Luisa Scarcella and Christina R Mosalagae (eds), The First 100 Days of Covid-19: Law and Political Economy of the Global Policy Response (Springer Nature, 2023) 121–144
Abstract: Italy was the first in Europe which suffered from the outbreak of the Covid-19 pandemic, with around 90,000 estimated victims only in the first 100 days. This Chapter offers on overview of the development of the Italian state of emergency in the first months of the pandemic through the lenses of a variety of themes: policy, democracy, economy, security and education. After the first 100 days of the pandemic, we see (a) new face(s) of Italy, with manifold challenges, ranging from more concerns on the privacy side when it comes to surveillance and security, and new forms of intervention of the state in the national economy. Additionally, major concerns have come along for democracy and constitutionalism, as the Chapter will illustrate in detail.

Gil, Elad, ‘Digital Contact Tracing Has Failed: Can It Be Fixed with Better Legal Design?’ (2021) 25(1) Virginia Journal of Law and Technology 1–37
Abstract: Can big-data-driven technology help contain the spread of infectious diseases? Based on the COVID-19 experience, the answer seems to be ‘no.’ Despite a global effort by governments, developers, and research institutions to harness technology in the fight, digital contact tracing has failed almost everywhere. But a closer analysis, informed by comparative data, reveals that this failure was not inevitable. The crisis required local and national governments to evaluate the societal harms and benefits of the technology in conditions of uncertainty, but the legal frameworks governing that effort were ill-suited for health emergencies. Thus, a series of factors that originated from or were accelerated by overhyped anxiety over the erosion of the right to privacy prevented the technology from living up to its potential.This essay argues that better legal and institutional design can facilitate a more rational and efficient process for dealing with privacy tradeoffs during pandemics. It then outlines a new framework for health emergency law and explains its advantages over the classic constitutional and legal frameworks applied by most democratic states during the coronavirus crisis.

Goldenfein, Jake, Ben Green and Salome Viljoen, ‘Privacy Versus Health Is a False Trade-OffJacobin 17 April 2020
Abstract: As tech firms team up with governments to fight the coronavirus pandemic, we’re being asked to accept a trade-off between our digital privacy and our health. It’s a false choice: we can achieve the public health benefits of data without accepting abusive and illicit surveillance.

Goodyear, Michael, ‘The Dark Side of Videoconferencing: The Privacy Tribulations of Zoom and the Fragmented State of U.S. Data Privacy Law’ (2020) 10(3) Houston Law Review 76–89
Abstract: COVID-19 has forced the world to increasingly rely on online services to continue daily life. Chief among these, for school, business, and fun, are videoconferencing services. Zoom has led the way, being used by millions, yet it has come to light that Zoom’s data privacy practices are far from ideal. The tracking of users and the sale of personal data has enormous consequences for users’ data privacy. Yet U.S. law provides poor protections for such risky behavior. U.S. data privacy law is fragmented on both the federal and state level, with federal law focusing on industry-specific protections and states each going their own ways. While this splintered framework does provide some protection for Americans against poor data privacy practices by Zoom and others, it is an unequal framework that provides different protections to different groups of Americans. Instead, Zoom’s privacy tribulations should be a call for Congress to follow the precedent of Europe and enact comprehensive data privacy legislation to equally protect Americans at the federal level from the improper use and sale of consumers’ data privacy.

‘Government and DPC Guidance on Covid-19 Data’ (2020) 25(6) Health & Safety Review 2–3
Abstract: Highlights guidance for businesses by both the Irish Department of Business, Enterprise and Innovation and the Data Protection Commission (DPC) on the Irish Government’s Return to Work Safely protocol and COVID-19-related data protection. Includes a table summarising the legal basis for data processing under Regulation 2016/679 (GDPR) regs 6 and 9.

Greenleaf, Graham, ‘Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance’ (2021) 169 Privacy Laws & Business International Report: International Report 1, 3–5

Greenleaf, Graham and Katharine Kemp, ‘Australia’s “COVIDSafe App”: An Experiment in Surveillance, Trust and Law’ (2021) International Data Privacy Law Article ipab009
pre-published paper available on SSRN
Abstract: The joint Australian governments’ coronavirus contact tracing app, marketed as ‘COVIDSafe’, was released on 26 April 2020 for public download by the federal government, together with an emergency Determination under the Biosecurity Act to govern its operation, a Privacy Impact Assessment (PIA) with the Health Department’s response to that PIA, and (not least) the App itself and its privacy policy. It is a package intended to create sufficient public confidence to result in downloads of the app by a sufficient percentage of the Australian mobile-phone-owning population, for it to have a significant effect on the tracing of persons infected with the COVID19 virus. In the first few days since its launch nearly 3 million Australian’s have downloaded the app.When Parliament resumes, probably on May 12, it is expected that the government will introduce legislation to replace the non-disallowable Determination. This article analyses the steps that Australian governments need to take if public trust is to be justified, and aims to make a constructive contribution to the development of better legislation and greater transparency.We conclude that the conditions necessary to justify sufficient public trust in government for the Australian public to opt in voluntarily to the installation and use of the COVIDSafe app, and to not opt out, are lacking. Many of the main deficiencies we identify in this article are remediable: five deficiencies in transparency; and nine categories of improvements to the current Determination by the proposed COVIDSafe Act. However, the question of whether an individual Australian would be well advised to install and run the app remains a decision which depends on individual circumstances. Note: The Act referred to above, the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) (‘the COVIDSafe Act’) was assented to on 15 May 2020. The authors’ analysis of that Act is G. Greenleaf & K. Kemp ‘Australia’s COVIDSafe experiment, Phase III: Legislation for trust in contact tracing’ at https://ssrn.com/abstract=3601730.

Greenleaf, Graham and Katharine Kemp, ‘Australia’s COVIDSafe Experiment, Phase III: Legislation for Trust in Contact Tracing’ (University of New South Wales Law Research Series, 15 May 2020)
Abstract: The joint Australian governments’ coronavirus contact tracing app, marketed as ‘COVIDSafe’, was released on 26 April 2020 for public download by the federal government, together with an emergency Determination under the Biosecurity Act to govern its operation. In a brief federal Parliamentary sitting from 12-14 May, the Parliament enacted the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) (‘the COVIDSafe Act’) on 14 May 2020.The COVIDSafe app is more toward the centralised than decentralised end of the spectrum in the design of such apps, but its use is voluntary, and the government claims that will continue to be the case.The Act aims to create sufficient public confidence in the privacy protections surrounding the COVIDSafe app to result in downloads and use by a sufficient percentage of the Australian mobile-phone-owning population, for it to have a significant effect on the tracing of persons infected with the COVID19 virus. In the first two and a half weeks since its launch over 5.5 million Australian’s have downloaded the app, about 25% of those possible, and 20% of the population. Public trust must become more widespread, before success in uptake is likely to follow.Now that the Bill has been enacted, the purpose of this article is to provide a reasonably comprehensive explanation of the provisions of the COVIDSafe Act and important aspects of their Australian context. Significant deficiencies in both the extent of transparency around the introduction of the COVIDSafe app, and the privacy-protective provisions of the Act, are identified and improvements suggested. These extensive suggestions are made because debate over the app and the Act is not over, and opportunities to obtain improvements may arise, particularly through the operation of the two Parliamentary committees examining Australia’s COVID-19 response, and the human rights implications of the Act.Many other countries are developing contact tracing apps. Australia’s experiment is further advanced than most that are attempting to build a system based on voluntary uptake, protected by legislation. The results of its experiment will be of interest to many.

Grugorovych, Chystokletov Leontii et al, ‘Human Rights Protection Conditions of Covid-19, Legal Principals and Administrative Barriers in Ukraine’ (2020) 17(7) PalArch’s Journal of Archaeology of Egypt / Egyptology 11198–11210

Gstrein, Oskar Josef, ‘The EU Digital COVID Certificate: A Preliminary Data Protection Impact Assessment’ (2021) 12(Special Issue 2) European Journal of Risk Regulation 370–381
Abstract: On 20 May 2021 the European Commission, Council and Parliament announced a breakthrough in the trialogue negotiations to establish the EU Digital Covid Certificate. Originally, this standardisation effort was labelled as ‘Digital Green Certificate’ and -‘[i]n view of the urgency’ - presented without a data protection impact assessment. It should allow citizens and residents of Member States to prove that they are either vaccinated against COVID-19, have recently tested negative, or are currently immune against the virus. This article considers the proposal from a privacy perspective, taking into account the opinion of EU data protection authorities, ongoing negotiations in the EU institutions and relevant developments on the national and international level. While the European Parliament and others tried to improve the original Commission proposal, questions around the appropriateness and effectivity of the framework remain. The technological and organisational implementation is essentially left to Member States, who already have started to develop their own tracing and identification systems.

Guardiola, Jose and Rica Donna, ‘The Patient Data Protection from the Using of Big Data During the COVID-19 Pandemic in Indonesia’ (Proceedings of the 1st International Conference on Law and Human Rights 2020 (ICLHR 2020),2021) 453–461
Abstract: Big Data is a technology that accommodates large and complex databases to be analyzed by a computing system to construct a more concise information. Indonesia is not the only country that utilizes big data to compile databases from public, for instance, during COVID-19 Pandemic Indonesia has adopted and implemented an application named Peduli Lindungi as one of the effort of The Ministry of Communication and Information Technology of Indonesia together with The Ministry of State Owned Enterprises in assisting The Ministry of Health overcoming the COVID-19 pandemic in Indonesia. However, it will create a significant problem if there is patient’s information/ datum leakage to the public. This is crucial for COVID-19 patients, as they may experience great injury both materially and immaterially. The publication of their data and identities through social media and news that had happened at the beginning of COVID-19’s entry to Indonesia, was an important affair for the Government to handle and prevent. Therefore, realizing that there is an urgency to tighten security towards personal information, it is decisive to have a legal protection as human rights provided by the government. This paper used A normative juridical approach in this legal writing. The analytical approach adopted is descriptive analytical based on International treaties and National Personal Data Security Regulations. The result of the study can be inferred that Big data is the answer key, a perfect technology, to assist the elimination of this catastrophe that is happening all over the world, as it is used for the advancement of data management in the world during COVID-19 Pandemic so that fair inspections and states needs can be fulfilled. There is, however, a risk for data leakage that causes public damages, and yet, Indonesia still does not have regulations specifying personal data. This makes the information processing through big data a matter of concern as the security is not guaranteed. Therefore, the government needs to be prompt and responsive in harmonizing the existing laws and regulations to ensure the right to personal data privacy guaranteed by the government, especially during the COVID-19 Pandemic.

Guerra, AI et al, ‘General Data Protection Regulation (GDPR): Legal, Ethic and Other Issues, Especially in Covid-19 Time’ (2021) 13(2) Revista de Direito, Estado e Telecomunicacoes / Law, State and Telecommunications Review 28–41
Abstract: This paper intends to present an academic analysis about the legal, ethic and other issues raised by the General Data Protection Regulation, especially in Covid-19 time. In this context, we present the main legal aspects of networked privacy, online privacy literacy, transparency, data integrity and others. Besides, we present the employee’s rights in the context of the Covid-19 pandemic, such as the right to erase data, temperature monitoring, the employee’s consent, the legitimation of the processing of personal data and body temperature control. We also give a word about data protection and teleworking. Our purpose is to contribute for the evolution of law, regarding the challenges and all the changes in our daily-life, provoked by the Covid-19 pandemic.

Guimarães, Maria Raquel and Maria Regina Redinha, ‘Through the Keyhole: Privacy in COVID-19 Times – A Portuguese Approach’ in Ewoud et al Hondius (ed), Coronavirus and the Law in Europe (Intersentia, 2020)
Abstract: Time has shown that in periods of crisis the pressure on privacy and on personality rights in general has always increased. The coronavirus pandemic has not been an exception and several problems have emerged during this crisis. Compulsory confinement at home has led to the need for a new division of home ‘territories’ and devices, such as computers and televisions, with the ensuing compression of space, not only physical but also emotional and mental. The impact of these unique events on people’s privacy has not yet been the object of a thorough study. In this paper, the authors intend to discuss some of the issues that confinement has given rise to from a privacy perspective, among family members and housemates, co-workers and employers.

Guinchard, Audrey, ‘Our Digital Footprint under Covid-19: Should We Fear the UK Digital Contact Tracing App?’ in Carla Ferstman and Andrew Fagan (eds), Covid-19, Law and Human Rights: Essex Dialogues (School of Law and Human Rights Centre, University of Essex, 2020) 269–276
Abstract: With the objective of controlling the spread of the coronavirus, the UK has decided to create and, since 5 May 2020, is live testing a digital contact tracing app, under the direction of NHS X, a branch of NHS Digital, and with the help of the private sector. Given the lack of details as to what the app will exactly do or not do, there are fears that the project will increase government surveillance beyond the pandemic. While I share these concerns, I argue that we need to simultaneously tackle one of the most significant, yet overlooked, contributors to the problem of government surveillance: our inflated digital footprint, stemming from our use of digital technology, and the basis of ‘surveillance capitalism’, a business model left largely unchallenged, which results in surveillance, and stems from the non-compliance with data protection laws. A systematic enforcement of the General Data Protection Regulation (GDPR) on the private sector would disrupt the current dynamics of surveillance which are hidden in plain sight.

Gunawan, Johanna et al, ‘The COVID-19 Pandemic and the Technology Trust Gap’ (2021) 51(5) Seton Hall Law Review 1505–1533
Abstract: Industry and government tried to use information technologies to respond to the COVID-19 pandemic, but using the internet as a tool for disease surveillance, public health messaging, and testing logistics turned out to be a disappointment. Why weren’t these efforts more effective? This Essay argues that industry and government efforts to leverage technology were doomed to fail because tech platforms have failed over the past few decades to make their tools trustworthy, and lawmakers have done little to hold these companies accountable. People cannot trust the interfaces they interact with, the devices they use, and the systems that power tech companies’ services. This Essay explores these pre-existing privacy ills that contributed to these problems, including manipulative user interfaces, consent regimes that burden people with all the risks of using technology, and devices that collect far more data than they should. A pandemic response is only as good as its adoption, but pre-existing privacy and technology concerns make it difficult for people seeking lifelines to have confidence in the technologies designed to protect them. We argue that a good way to help close the technology trust gap is through relational duties of loyalty and care, better frameworks regulating the design of information technologies, and substantive rules limiting data collection and use instead of procedural ‘consent and control’ rules. We conclude that the pandemic could prove to be an opportunity to leverage motivated lawmakers to improve our privacy frameworks and make information technologies worthy of our trust.

Haganta, Raphael, ‘Legal Protection of Personal Data as Privacy Rights of E-Commerce Consumers Amid the Covid-19 Pandemic’ (2020) 4(2) Lex Scientia Law Review 77–90
Abstract: The use of e-commerce in the midst of the COVID-19 pandemic shows an increase. This is due to the publication of several regulations that limit everyone’s activities outside the home, affecting conventional trading activities online by utilizing e-commerce. Although providing benefits during the pandemic, e-commerce has a vulnerability to personal data protection. Through this paper, the authors use normative legal research methods, intending to know the concept of personal data as a right of privacy and the construction of Indonesia’s positive laws in legal protection of the personal data of e-commerce consumers.The use of e-commerce in the midst of the COVID-19 pandemic shows an increase. This is due to the publication of several regulations that limit everyone’s activities outside the home, affecting conventional trading activities online by utilizing e-commerce. Although providing benefits during the pandemic, e-commerce has a vulnerability to personal data protection. Through this paper, the authors use normative legal research methods, intending to know the concept of personal data as a right of privacy and the construction of Indonesia’s positive laws in legal protection of the personal data of e-commerce consumers.

Hardy, Jodi, ‘COVID-19 Tracing and Personal Privacy’ (2020) 20(4) Without Prejudice 52–53
Abstract: The National Department of Health has instituted a COVID-19 tracing database to help trace people who might have come into contact with a Person of Interest – one who has (or might have) contracted COVID-19. The move will affect all providers of electronic communication services.

Hassan, Md Tasnimul, ‘Decoding Aarogya Setu: Data Protection and the Right to Privacy’ (SSRN Scholarly Paper No ID 3671189, 29 July 2020)
Abstract: After the efficacy of tactics deployed by several countries to enable ‘contact tracing’ of individuals infected with the contagious corona virus (COVID-19), India came up with a mobile application called Aarogya Setu, which literally means ‘bridge to health’ in Sanskrit. The App was launched on April 2 this year, and was downloaded by more than five crore users within 13 days, albeit there are several similar applications developed and deployed by local authorities. Once you install the app, it uses the phone’s Bluetooth or Wi-Fi and location data, to inform the users if they have been near a COVID-19 host, by scanning a server database owned by the government. However, without rapid testing and treatment facilities, such application, becomes a nuisance providing the threat of data breach or systematic surveillance. Thus, the app’s method for tracking the infected has been under lens for being invasive and violating data privacy norms.

Hastings, Colin et al, ‘Intersections of Treatment, Surveillance, and Criminal Law Responses to HIV and COVID-19’ (2021) American Journal of Public Health (advance article, published 10 June 2021)
Abstract: Public health institutions are playing an increasingly central role in everyday life as part of the response to the COVID-19 pandemic (e.g., through stay-at-home orders, contact tracing, and the enforcement of disease control measures by law enforcement). In light of this, we consider how COVID-19 disparities and disease control practices intersect with the response to the more longstanding epidemic of HIV infection in Canada and the United States.

Hendl, Tereza, Ryoa Chung and Verina Wild, ‘Pandemic Surveillance and Racialized Subpopulations: Mitigating Vulnerabilities in COVID-19 Apps’ (2020) 17(4) Journal of Bioethical Inquiry 829–834
Abstract: Debates about effective responses to the COVID-19 pandemic have emphasized the paramount importance of digital tracing technology in suppressing the disease. So far, discussions about the ethics of this technology have focused on privacy concerns, efficacy, and uptake. However, important issues regarding power imbalances and vulnerability also warrant attention. As demonstrated in other forms of digital surveillance, vulnerable subpopulations pay a higher price for surveillance measures. There is reason to worry that some types of COVID-19 technology might lead to the employment of disproportionate profiling, policing, and criminalization of marginalized groups. It is, thus, of crucial importance to interrogate vulnerability in COVID-19 apps and ensure that the development, implementation, and data use of this surveillance technology avoids exacerbating vulnerability and the risk of harm to surveilled subpopulations, while maintaining the benefits of data collection across the whole population. This paper outlines the major challenges and a set of values that should be taken into account when implementing disease surveillance technology in the pandemic response.

Hu, Margaret, Pandemic Surveillance (Edward Elgar, 2022)
Link to book page on publisher website
Book summary: As the COVID-19 pandemic surged in 2020, questions of data privacy, cybersecurity, and the ethics of surveillance technologies centred an international conversation on the benefits and disadvantages of the appropriate uses and expansion of cyber surveillance and data tracking. This timely book examines and answers these important concerns.

Huang, Jie (Jeanne), ‘COVID-19 and Applicable Law to Transnational Personal Data: Trends and Dynamics’ (Sydney Law School Research Paper No 20/23, 2020)
Abstract: The recent COVID-19 outbreak has pushed the tension of protecting personal data in a transnational context to an apex. Using a real case where the personal data of an international traveller was illegally released by Chinese media, the paper identifies that three trends have emerged at the each stage of conflict-of-laws analysis for lex causae: (1) the EU, the US, and China characterize the right to personal data differently, (2) the spread-out unilateral applicable law approach comes from the fact that all three jurisdictions either consider the law for personal data protection as a mandatory law or adopt connecting factors leading to the law of the forum, and (3) the EU and China strongly advocate de-Americanisation of substantive data protection laws. The trends and their dynamics provide valuable implications for developing the choice of laws for transnational personal data. First, this finding informs parties that jurisdiction is a predominant issue in data breach cases because courts and regulators would apply the forum law. Second, currently there is no international treaty or model law on choice-of-law issues for transnational personal data. International harmonization efforts will be a long and difficult journey considering how the trends demonstrate not only the states’ irreconcilable interests, but also how states may consider these interests as their fundamental values that they do not want to trade off. Therefore, for states and international organisations, a feasible priority is to achieve regional coordination or interoperation among states with similar values on personal data protection.

Huang, Jie (Jeanne), ‘Preventing COVID-19 and Protecting Personal Information in China’ (2020) 17(3) Privacy Law Bulletin 34–36
Abstract: The recent COVID-19 outbreak has pushed the tension of protecting personal information in a transnational context to an apex. Using a real case where the personal information of an international traveller is illegally released by Chinese media, the article analyses Chinese law for personal information protection in the context of the COVID-19 pandemic.

Huret, Gwendoline, ‘Three Ways to Ensure What Links COVID-19 to New Regulations?: Privacy during a Pandemic’ (2020) 36(4) IQ : The RIM Quarterly 16–20
Abstract: 2020 has been an interesting and challenging year, and in my conversations with executives in data management across global companies, two recurring concerns are commonly mentioned. The first is unsurprisingly the impact of Coronavirus on their company and their role.

‘ICO Guidance for Employers on COVID-19 Workplace Testing’ [2020] (June) Computers and Law 17–18
Abstract: Outlines Information Commissioner’s Office (ICO) guidance for employers wanting to test their employees for COVID-19 or ask them for their test results, on how to ensure they are complying with Regulation 2016/679 (GDPR) and the Data Protection Act 2018.

Ienca, Marcello and Effy Vayena, ‘On the Responsible Use of Digital Data to Tackle the COVID-19 Pandemic’ (2020) 26(4) Nature Medicine 463–464
Abstract: Large-scale collection of data could help curb the COVID-19 pandemic, but it should not neglect privacy and public trust. Best practices should be identified to maintain responsible data-collection and data-processing standards at a global scale.

Ing, Ong Ee and Loo Wee Ling, ‘Gauging the Acceptance of Contact-Tracing Technology: An Empirical Study of Singapore Residents’ Concerns and Trust in Information Sharing’ in Mark et al Findlay (ed), Regulatory Insights on Artificial Intelligence (Edward Elgar, 2022) 70

International Data Privacy Law (2021) 11(1) Symposium Issue on Data Protection and Social Emergency in Latin America
This Special Issue includes the following articles:

Jalabneh, Rawan et al, ‘Use of Mobile Phone Apps for Contact Tracing to Control the COVID-19 Pandemic: A Literature Review’ (SSRN Scholarly Paper No ID 3641961, 1 July 2020)
Abstract: Background: Contact tracing is a widely adopted surveillance system that is used to identify, evaluate, and handle people who have been exposed to novel infectious diseases. The mobile phone apps using a digital technological system, called ‘proximity tracking,’ is used as a surveillance system to control the COVID-19 pandemic.Objective: The aim of this review is to examine the use of mobile phone apps for contact tracing to control the COVID-19 pandemic worldwide.Method: A search of different electronic databases, such as PubMed, PubMed Central, Google Scholar, and Google, was carried out using search items ‘mobile app,’ ‘tracing’, and ‘COVID-19’. The search was conducted between 18 to 31 May 2020.Findings: The search revealed that a total of 15 countries in the world developed and actively using 17 mobile apps for contact tracing to control the COVID-19 pandemic during the selected time frame. China and Malaysia were only using two apps. Out of 17 apps, three were protected by the country’s data protection laws. The results indicate that the mobile apps were used to monitor self-isolated individuals, identify individuals not wearing masks, whether they had close contact with an infected person, provides exact time and place of the encounter, and possible risk of infection.Conclusion: Contact tracing is found to be an essential public health approach to fight the spread of COVID-19 pandemic and other novel infectious diseases. However, caution is warranted to generalize the usability of apps, especially in the LMICs, and to address the concerns regarding data anonymizing, data privacy and usage, and data rights.

Jalali, Mohammad, Adam Landman and William Gordon, ‘Telemedicine, Privacy, and Information Security in the Age of COVID-19’ (SSRN Scholarly Paper No ID 3646320, 8 July 2020)
Abstract: COVID-19 has highlighted the shortcomings of healthcare systems globally as countries struggle to meet the high demand for patient care. The spread of COVID-19 has resulted in unprecedented circumstances that necessitate a shift towards adopting infrastructure to enable care to be provided virtually. This shift is critical to minimize insufficiencies and maximize the quality of care in healthcare systems. While COVID-19 has dramatically accelerated the adoption of technology into care delivery, ongoing work is needed to ensure that our technology infrastructure provides an environment for safe and effective care delivery.Telemedicine usage has substantially increased over the past decade (1), and many hospital systems have robust telemedicine programs. Yet traditional in-person visits remain the cornerstone of clinical care, despite the fact that a significant amount of these visits, including follow-ups, treatment for minor illnesses, and chronic disease management could be substituted by virtual communication. Telemedicine has previously been identified as particularly important during disasters, due to the inaccessibility of traditional care services. This is especially salient for the COVID-19 pandemic where in-person healthcare visits pose a high risk to exposure (2). Additionally, responses to COVID-19, specifically social isolation and the intensified burden on essential workers, are eliciting detrimental psychological effects on large populations, while simultaneously making mental health resources highly inaccessible (3). Overall, with the increased strain and demand on traditional medical resources, telemedicine has emerged as an essential component of clinical care delivery during the COVID-19 pandemic (4) with many healthcare organizations reporting substantial increases in telemedicine use during COVID-19. For example, NYU saw an increase in non-urgent care virtual visits from a pre-COVID-19 average of 95 daily to 4,209 post COVID-19 expansion (4,330% increase) (5).However, as we continue the shift to telemedicine, new issues unravel that need to be addressed, particularly in regard to technology infrastructure. In the US, the Department of Health and Human Services recently lifted many of the restrictions on communication apps, reducing barriers that previously prevented the use of telemedicine services for individuals. That being said, the substantial information security and privacy concerns surrounding telemedicine cannot be overlooked. For example, Zoom, currently one of the most popular video conferencing platforms, has had a 10-fold increase in usage over just a few months including increasing use in healthcare, leading to several important privacy considerations—outsiders joining video conferences, or inadequate encryption of communications (6), leading to the possibility of eavesdropping.State and federal agencies have warned of increased risk of cyberattacks towards healthcare and public health sector and organizations doing research on COVID-19 (7). Ransomware attacks—a type of cybersecurity threat that involves encrypting data and demanding payment in return for unencrypting the data—have continued unabated during the pandemic, with many targeting hospitals specifically. Recent ransomware attacks have included the Illinois Public Health District website and a medical testing facility in the UK (7). Successful cyberattacks negatively impact hospital operations, delay access to clinical services, and lead to significant economic loss (8, 9), all of which would be particularly devastating to organizations already under unprecedented economic and clinical strain during this pandemic.Therefore, while global healthcare systems should allocate significant resources towards improving telemedicine capabilities, improvements must ensure that the technology delivers care that is both safe and effective. Balancing the significant privacy and information security concerns with the enormous potential benefits of virtual care during this pandemic will remain a vital component to our continuously evolving response to COVID-19. Now more than ever, health care workers and organizations need to follow best practices to reduce cyber incidents.

Jankowska-Augustyn, Marlena, Mirosław Pawełczyk and Ewelina Badura, ‘Enabling Society 5.0 through COVID-19 Digital Transformation, New Data Ecosystems, and Sustainability. Post-Pandemic Legal Reflections’ (2023) 44(1) Prawo i Więź 163–194
Abstract: The COVID-19 pandemic has accelerated the adoption of new technologies and raised societies’ technological development. Legal regulations play an important role in the implementation of the latest technologies. The contact tracking applications that have been deployed almost all over the world do not, in most cases, provide an adequate level of personal data protection. An essential aspect of competition law regarding data protection is ensuring data security (trade secrets, personal information). Although entrepreneurs’ use of cloud data stores is well-established, we have never witnessed adoption on such a large scale as during this pandemic. This was influenced by, among other factors, the need to provide remote access to enterprise resources despite limitations on the movement of people. Furthermore, because many companies faced an immediate need to enable remote working and collaboration, many solutions were adopted without the usual due diligence that should apply to such a business decision. Therefore, questions arise as to whether the legal frameworks for the functioning of such data ecosystems ensure their security. Moreover, since technological innovations are of key importance for sustainable development, it is worth reviewing the framing assumptions (concerning sustainable development) of active sustainability initiatives and the possibilities of still achieving their goals despite the major setback of the pandemic. Furthermore, the rapid and forced changes resulting from the coronavirus pandemic cannot remain in place without adverse impact on the data protection landscape. During the pandemic, legal regulations regarding personal data protection, environmental protection, and competition law began to be questioned. The author shows that the legal regulations in force in these areas are no longer sufficient and require adaptation to the rapidly changing reality.

Jia, Peng and Shujuan Yang, ‘China Needs a National Intelligent Syndromic Surveillance System’ (2020) 26(7) Nature Medicine 990

Joh, Elizabeth E, ‘COVID-19 Sewage Testing as a Police Surveillance Infrastructure’ (2021) 2(2) Journal on Emerging Technologies 232–240
Abstract: Sewage has become a COVID-19 tool. American colleges and universities have struggled to cope with the COVID-19 epidemic as students returned to campus in 2020. Most colleges are unable to provide widespread testing and contact tracing. Testing all students, faculty, and staff on a campus is prohibitively expensive. As a result, many colleges and universities have turned to a different approach. Those infected with COVID-19 shed viral particles in their waste. Evidence of these viral particles can be tested by sampling wastewater. Testing sewage offers a reliable method for identifying outbreaks and is cheaper and easier to administer than a mass testing and contact tracing program. The reliance on wastewater testing during a pandemic makes sense at a time when no national program on mass testing and contact tracing exists. And as COVID-19 is likely to affect the population well into 2021, state and local governments have considered or started sewage testing. But emergency measures have a tendency to stick around after the crises that prompted them diminish. COVID-19’s public health crisis will end. But the incentives to monitor wastewater will continue. This essay argues that sewage testing will outlive the pandemic and become a part of a general policing surveillance infrastructure. We risk adopting this surveillance method without taking care to assess the legal and policy questions raised by its use. Wastewater can provide early clues not just for COVID-19 outbreaks, but also for the presence (and assumed use) of opioids, methamphetamines, and other illegal drugs. Sewage testing at the University of California, San Diego, recently led to an alert that an infected person was ‘someone who used a restroom [at a specified residence hall] from 6 a.m. and 9:30 a.m. on Sept. 2.’ Now replace ‘methamphetamine’ for ‘COVID-19.’ Systematically looking for evidence of criminal activity in sewage ‘may be a goldmine for law enforcement authorities.’9 COVID-19 is the current object of wastewater surveillance. However, the use of sewage testing now—by public universities, counties, and other government entities—can be readily repurposed from the detection of COVID-19 to other substances of interest to law enforcement agencies.

Kamphorst, Bart A, Marcel F Verweij and Josephine AW van Zeben, ‘On the Voluntariness of Public Health Apps: A European Case Study on Digital Contact Tracing’ (2023) 15(1) Law, Innovation and Technology 107–123
Abstract: As evidenced during the COVID-19 pandemic, there is a growing reliance on smartphone apps such as digital contact tracing apps and vaccination passports to respond to and mitigate public health threats. In light of the European Commission’s guidance, Member States typically offer such apps on a voluntary, ‘opt-in’ basis. In this paper, we question the extent to which the individual choice to use these apps – and similar future technologies – is indeed a voluntary one. By explicating ethical and legal considerations governing the choice situations surrounding the use of smartphone apps, specifically those related to the negative consequences that declining the use of these apps may have (e.g. loss of opportunities, social exclusion, stigma), we argue that the projected downsides of refusal may in effect limit the liberty to decline for certain subpopulations. To mitigate these concerns, we recommend three categories of approaches that may be employed by governments to safeguard voluntariness.

Kang, Jagvinder Singh, ‘NHSX Covid-19 Tracing App: “Nothing to Fear but Fear Itself!”’ [2020] (June) Computers and Law 40–44
Abstract: Discusses issues that have been raised regarding the proposed national roll-out of the NHSX COVID-19 contact tracing applications software, including: whether it is really necessary; whether it is going to be privacy intrusive; how much personal data it aims to collect; whether it will adopt a centralised or decentralised approach; and the pre-conditions that have been set by the Government’s Joint Committee on Human Rights prior to its roll-out.

Karagianni, Anastasia and Vagelis Papakonstantinou, ‘Surveillance in Schools Across Europe: A New Phenomenon in Light of the COVID-19 Pandemic? The Cases of Greece and France’ (2022) 11(2) European Journal of Educational Research 1219–1229
Abstract: Surveillance technology is more and more used in educational environments, which results in mass privacy violations of kids and, thus, the processing of huge amount of children’s data in the name of safety. Methodology used is doctrinal, since the focus of this research was given in the implementation of the legal doctrine of data protection law in the educational environments. More than that, the cases of Greece and France regarding the use of surveillance technologies in schools are carefully studied in this article. Privacy risks that both children and educators are exposed to are underlined. In these terms, this research paper focuses on the proper implementation of the European data protection framework and the role of Data Protection Authorities as control mechanisms, so that human rights risks from the perspective of privacy and data protection to be revealed, and the purposes of the use of such technologies to be evaluated. This study is limited in the legal examination of the European General Data Protection Regulation, and its implementation in the legal orders of Greece and France, and practice pertaining to the case studies of Greece and France respectively.

Kakooza, Anthony Conrad, ‘Data Collection and Management in the Covid-19 Era: A Legal Analysis of Ugandan Legislation’ (2021) 10(1) The Uganda Living Law Journal 1–20
Abstract: This article is an inquiry into the significance of database management viewed through the lens of COVID-19 infected persons. The article attempts at assessing the nature of the treatment given to data that was captured from cross-border migrants into Uganda during the pandemic in the course of the government’s attempts at controlling the further spread of the disease. The control measures instituted by many countries over the spread of COVID-19 were mainly premised on generating and utilizing data on migrations of persons from one place to another. The article highlights shortfalls in previous studies undertaken in the area of data collection and management and goes on to scrutinize the legislative structure in Uganda related to data collection and management. It then sums u p with recommendations on improving the legislative shortfalls.

Kemp, Katharine and Graham Greenleaf, ‘COVID Digital Surveillance: Common Legislative Protections for Proximity Apps, Attendance Tracking, and Status Certificates (Presentation Slides)’ (UN Special Rapporteur on the Right to Privacy Session: ‘COVID-19 and Privacy in Asia, Australasia and Europe’ Presentation, 23 June 2021)
Abstract: This presentation to the UN Special Rapporteur’s conference on the Right to Privacy Session: ‘COVID-19 and Privacy in Asia, Australasia and Europe’ was given on 23 June 2021. Katharine Kemp presented this first part, and Graham Greenleaf presented a second part.
Three forms of COVID data surveillance are considered:
(1) Proximity Tracking – Typically via Bluetooth signal; Tracks proximity to another person (device), not location.
(2) Attendance Tracking – Typically via QR Codes; Tracks attendance and time at required venues; Sporadic location tracking, not continuous.
(3) COVID Status Certification – . Can be electronic (app) and/or paper; Records vaccination history and/or COVID test history; Aka immunity / vaccine passports / certificates or ‘Green Certificates’.

The data collected by each of the 3 forms of surveillance may be either:
• Distributed on user devices – for example: Apple/Google Bluetooth proximity app; QR Codes at venues that only update ‘digital diaries’; COVID status data that is static until user chooses to update (also paper copies).
• Stored centrally – for example: Australia’s COVIDSafe Bluetooth proximity app; All Australian State/Territory QR Code systems; COVID status apps that always update from central database.

This part focuses on privacy risks of these three types of COVID surveillance, with illustrations from their use in Australia.
Our argument (in the second part) is that legislative protections based on common principles are needed for all types of COVID surveillance, including those that are compulsory, and involve centralised storage of personal data. Australia is an example of a country where compulsion or centralisation cannot effectively be challenged in court as a breach of fundamental rights.

Kim, Youngrim, ‘Tracking Bodies in Question: Telecom Companies, Mobile Data, and Surveillance Platforms in South Korea’s Epidemic Governance’ (2022) 25(12) Information, Communication & Society 1717–1734
Abstract: In the 2020 COVID-19 pandemic, many countries across the world have developed new health surveillance technologies using digital tools and communication data to monitor and manage confirmed and suspected carriers of the virus. This article demonstrates the growing centrality of mobile network operators in managing global health crises through a case study of South Korea’s epidemic governance. In South Korea, KT, one of the country’s three telecommunications companies, has been actively developing and investing in health surveillance platforms since 2015, promoting that its big-data-based surveillance and ICT infrastructures may prevent the spread of infectious diseases. Conducting a situational analysis of archival materials, I document the process through which such mobile network operators emerge as essential producers of the data infrastructures that shape the understanding and management of public health emergencies. The article also addresses the sociocultural implications of such private technology corporations’ capturing of emergency power. In the end, I argue that Korea’s public health surveillance systems are increasingly constructed within the capitalist logic of the telecom industry, mainly via ‘platformization’ – a shift that offers telecom firms to transform from network to platform operators by extracting and aggregating subscribers’ data. The case analyzed here demonstrates how granting such extraordinary authority to ICT companies during national emergencies becomes routinized, and even instrumentalized for economic purposes.

Kitchin, Rob, ‘Civil Liberties or Public Health, or Civil Liberties and Public Health? Using Surveillance Technologies to Tackle the Spread of COVID-19’ [2020] Space and Polity (advance article, published 3 June 2020)
Abstract: To help tackle the spread of COVID-19 a range of surveillance technologies – smartphone apps, facial recognition and thermal cameras, biometric wearables, smart helmets, drones, and predictive analytics – have been rapidly developed and deployed. Used for contact tracing, quarantine enforcement, travel permission, social distancing/movement monitoring, and symptom tracking, their rushed rollout has been justified by the argument that they are vital to suppressing the virus, and civil liberties have to be sacrificed for public health. I challenge these contentions, questioning the technical and practical efficacy of surveillance technologies, and examining their implications for civil liberties, governmentality, surveillance capitalism, and public health.

Kolfschooten, Hannah van and Anniek de Ruijter, ‘COVID-19 and Privacy in the European Union: A Legal Perspective on Contact Tracing’ (2020) 41(3) Contemporary Security Policy 478–491
Abstract: When disease becomes a threat to security, the balance between the need to fight the disease and obligation to protect the rights of individuals often changes. The COVID-19 crisis shows that the need for surveillance poses challenges to the right of privacy. We focus on the European Union (EU), which has a strong data protection regime yet requires its member states to exchange personal data gathered through contact tracing. While public authorities may limit the right to privacy in case of public health threats, the EU provides little guidance when such limitations are proportionate. To define standards, we analyze existing EU case law regarding national security measures. We conclude that on the proportionality of contact tracing in the EU it is difficult to reconcile public health measures and individual rights, but guidance can be taken from understandings of proportionality in the context of security, particularly in the current COVID-19 emergency.

Kubenov, Gizat et al, ‘Protection of Privacy in Information Technologies in the Context of COVID-19: A Comparative Legal Analysis of the Republic of Kazakhstan and the European Union’ [2023] 2023/1 Rivista Di Studi Sulla Sostenibilita 63–89
Abstract: Today, the world community faces the arduous and responsible task of preventing the spread of the coronavirus disease COVID-19, which objectively requires the adoption of a complex of anti-epidemic (organizational, medical, administrative, and other) measures to prevent the spread of COVID-19 and to contain and eliminate this epidemic. At the same time, to a large extent, such measures are embodied in various forms of restrictions on the realization of civil, political, and other rights, freedoms, and legitimate interests of a person and a citizen, as well as to a certain extent there are encroachments on the inviolability of a person’s private life. The purpose of the scientific article is to study the state mechanisms of Kazakhstan and the European Union on legal support and security of personal data on the Internet, particularly during the COVID-19 pandemic, and to determine possible ways for their development and improvement. The research used dialectical, historical-legal, formal-logical, comparative-legal, and special-legal research methods, and systemic-structural research methods, as well as the method of systemic analysis. The theoretical significance of the study lies in the fact that it develops new scientific provisions, proposals, and recommendations that deepen the theoretical and practical foundations in the field of legal regulation of personal da-ta protection in information technologies during the pandemic in the European Un-ion in general and in the Republic of Kazakhstan in particular.

Lavi, Michal, ‘Crises, Creep, and the Surveillance State’ (2022) 53(2) Seton Hall Law Review 491–467
Abstract: COVID-19 started in December 2019 in China and spread rapidly and globally. This virus led to a public health emergency of international concern as a threat to the public’s health and safety. The speed of virus infections depended on various aspects of individual’s social network position. Individuals with more friends, or those who were more central in the network, caught the virus sooner. In the beginning of the outbreak, governments thought that tracking human networks and collecting information on the movements of individuals would allow governments to utilize the information for mitigating the spread of the virus. They believed that mass surveillance would help health authorities identify the contacts an infected person had, and warn such contacts, thus reducing the likelihood for them to infect others. By gaining such data, governments believed they could focus their efforts to block the spread of the virus and even predict where the next cluster of infections would emerge. In general, information and data-driven models have the potential to promote health. Data is knowledge; however, knowledge is power that can grant governments control over citizens, leading to a slippery slope that could creep beyond health considerations and undermine the infrastructure of civil rights. The result could be constant surveillance instead of privacy, self-censorship instead of freedom of expression, suspicion instead of trust, and the rise of the surveillance state instead of democracy. This Article outlines a taxonomy of surveillance data-driven practices that were used to combat the virus. It describes the potential benefits of such models while addressing the dangers created by such mass surveillance. Additionally, this Article demonstrates that surveillance practices can compromise privacy, infringe on free expression and equality without safeguards or due process, and lead to abuse of power. Finally, it establishes how such practices can erode democracy and creep beyond combating a virus. This Article argues that even in times of crisis, we can have both health and human rights. It warns against surveillance creep and advocates for a privacy by design approach in such models, including anonymization of personal information. This Article further proposes safeguards including transparency, impact assessments of data protections and algorithms, fiduciary duties, oversight, and due process. Finally, this Article addresses practices of long-term invasive surveillance that should be ruled out altogether and rejected at all costs. COVID-19 is a test case that demonstrates the consequences of mass surveillance without warrants or adequate regulatory prerequisites, and the misuse of personal data. Thus, this Article warns that the creep of mass surveillance can lead to the rise of the surveillance state.

Lavorgna, Anita et al, ‘To App or Not to App? Understanding Public Resistance to COVID-19 Digital Contact Tracing and Its Criminological Relevance’ (2021) 3(2) Law, Technology and Humans 28–45
Abstract: In the context of the COVID-19 pandemic, digital contact tracing has been developed and promoted in many countries as a valuable tool to help the fight against the virus, allowing health authorities to react quickly and limit contagion. Very often, however, these tracing apps have faced public resistance, making their use relatively sparse and ineffective. Our study relies on an interdisciplinary approach that brings together criminological and computational expertise to consider the key social dynamics underlying people’s resistance to using the NHS contact-tracing app in England and Wales. The present study analyses a large Twitter dataset to investigate interactions between relevant user accounts and identify the main narrative frames (lack of trust and negative liberties) and mechanisms (polluted information, conspiratorial thinking and reactance) to explain resistance towards use of the NHS contact-tracing app. Our study builds on concepts of User eXperience (UX) and algorithm aversion and demonstrates the relevance of these elements to the key criminological problem of resistance to official technologies.

Lawrence, Meghan K, Tinker Stays Home: Student Freedom of Expression in Virtual Learning Platforms’ (2021) 101(6) Boston University Law Review 2249–2288
Abstract: Following the COVID-19 outbreak of March 2020, states imposed mandatory ‘lockdowns,’ forcing schools throughout the country to move to virtual learning platforms. With this unprecedented shift came many unforeseen challenges for school officials, including assessing what First Amendment rights students retain in virtual learning platforms. Falling into an unusual gray area where students are technically ‘in school’ because they are attending school-run classes, and yet off campus as they are doing so from the privacy of their homes, school officials have little guidance from the currently established student speech categories to make these determinations. While this issue originally arose out of the unique circumstances surrounding the COVID-19 pandemic, schools will likely continue to face this problem in the future, whether by the uncertain prospect of further school closings as new COVID-19 variants emerge or by schools and students continuing to take advantage of the convenience and safety provided by online platforms. This Note focuses on the intersection of existing student First Amendment rights both on and off campus and the constitutional protections afforded to speech and expression within the home. Ultimately, this Note concludes that there is no one-size-fits-all test that can be applied to all aspects of the virtual learning platform. While schools arguably must have some authority to limit student expression within virtual learning platforms, that authority must be balanced with students’ First Amendment rights. The two central problems posed by virtual learning platforms, virtual backgrounds and physical backgrounds, require a unique solution to balance protection of students’ rights and respect for a school’s authority. This Note argues that schools should wield far more authority over students’ virtual backgrounds and less authority over their physical backgrounds. To control physical backgrounds, school officials must presume students are entitled to First Amendment protection over student expression subject to only few exceptions in specific categories of speech. Virtual backgrounds, on the other hand, do not exist outside of the virtual class, and thus do not implicate the same First Amendment and privacy concerns. This bifurcated solution thus accounts for the nature of virtual learning environments and balances school authority with not only students’ First Amendment rights but also students’ privacy rights, students’ autonomy, and the authority of students’ parents to control their homelife.

Lawson-Tancred, Hugh, Henry CW Price and Alessandro Provetti, ‘COVID-19 Contact Tracing: Eight Privacy Questions Explored A Reply to de Montjoye et al’ (SSRN Scholarly Paper No ID 3607089, 20 May 2020)
Abstract: We respond to a recent work by de Motjoye et el. on privacy issues with COVID-19 tracking. Our discussion is structured around three ‘toy’ protocols for the design of an app which can maximise the utility of contact tracing information while minimising the more general risk to privacy. On this basis, the paper proceeds to introduce eight questions against which they should be assessed. The questions raised and the protocols proposed effectively amount to the creation of a game with different categories of players able to make different moves. It is therefore possible to analyse the model in terms of optimal game design.

Leonard, Peter, ‘Novel Coronavirus Spawns Novel Law-Making in Australia’ [2020] (June) Computers and Law 46–48
Abstract: Discusses the lessons that can be learnt from Australia’s approach to drafting the Privacy Amendment (Public Health Contact Information) Bill 2020 to regulate its COVID-19 tracing applications software and aims to nurture its citizens’ digital trust.

Li, Tiffany C, ‘Post-Pandemic Privacy Law’ (2021) 70(5) American University Law Review 1681-1728
Abstract: COVID-19, the global pandemic that began in 2019, altered how we live our lives in just about every way imaginable. Some of those changes were obvious—for example, those who were fortunate enough to be able to work from home began working online—while other changes were more subtle. The latter category included unprecedented levels of data collection by governments and organizations purporting to collect information that would help stop the pandemic’s spread. Given the deadly nature of COVID-19, few would question any public health efforts, no matter their impact on privacy. However, the lack of attention to privacy issues during the pandemic can and will have long-ranging effects that will lead to greater losses of privacy in the future, post-pandemic world. This Article analyzes privacy issues in this pandemic and offers a novel framework for crafting legislation during and after this pandemic to protect privacy. The Article takes a unique socio-legal approach in contextualizing privacy-related issues arising from this time of public health crisis, examining the impact of the coronavirus itself as well as contemporaneous social issues in America that have shaped the way we must think about privacy moving forward (primarily focusing on political unrest related to the 2020 election and growing tensions involving racism and discrimination). Ultimately, the Article proposes a framework that post-pandemic privacy law should follow and provides tangible legal and policy solutions, including a federal privacy law, updates to existing legislation to reflect specific privacy considerations, and focus on privacy as an integral part of foreign policy. Finally, the Article evaluates select privacy-related legislation that the U.S. Congress has proposed to date in light of the Article’s proposed framework and recommendations.

Lim, Woojin, ‘Assessing the Implications of Digital Contact Tracing for COVID-19 for Human Rights and the Rule of Law in South Africa’ (2020) 20(2) African Human Rights Law Journal 540–557
Abstract: The article argues that the establishment of centralised and aggregated databases and applications enabling mass digital surveillance, despite their public health merits in the containment of the COVID-19 pandemic, is likely to lead to the erosion of South Africa’s constitutional human rights, including rights to equality, privacy, human dignity, as well as freedom of speech, association and movement, and security of the person. While derogation clauses have been invoked, thereby limiting International Covenant on Civil and Political Rights clauses and enabling the mass collection of location data only for contact tracing purposes under the Disaster Management Act, a sustained breach of these rights may pose an impending threat to the human rights framework in South Africa. Any proposed digital contact tracing technologies in their design, development and adoption must pass the firm legal muster and adhere to human rights prescripts relating to user-centric transparency and confidentiality, personal information, data privacy and protection that have recently been enacted through the latest development on Protection of Personal Information Act.

Lin, Hsin-Hsuan and Yi-En Tso, ‘Evaluation on the Legality of Smart Technology Tracking to Prevent the Spread of Covid-19’ (SSRN Scholarly Paper No 4477389, 15 June 2023)
Abstract: This paper aims to evaluate smart technology monitoring measures adopted by governments in response to the Covid-19 epidemic from a legal aspect. Internationally, preemptive measures during an epidemic are generally based on monitoring means. These may include behavioral patterns in electronic fences such as isolation and quarantine, big data epidemic investigation, epidemic prevention tracking technology and contact tracing applications. This type of data surveillance outlines a three-pointed, linear pattern of ‘digital footprint-profiling-surveillance’, and an evaluation of its legitimacy triggers the question of whether public power measures are able to balance collective security against information privacy during a state of emergency. The study addresses three major aspects designed for the discourse: (1) the use of smart technology for epidemic monitoring and prevention, (2) the legal constraints of smart technology in epidemic prevention, and (3) balancing the use of smart technology in epidemic prevention with the right to personal data protection. This paper selects South Korea, Taiwan and Norway for case study, as representative of strict controls, moderate controls, and absence of controls respectively. By drawing upon experience from other legal systems in a comparative analysis, the author hopes to show that controlling the spread of a virus and personal data protection are not a zero-sum dilemma. Finally, ideas for a mechanism to oversee and evaluate the use of smart technology in COVID-19 prevention and elimination will be presented.

Lintvedt, Mona Naomi, ‘COVID-19 Tracing Apps as a Legal Problem: An Investigation of the Norwegian “Smittestopp” App’ (University of Oslo Faculty of Law Research Paper No 2021–18, 16 June 2021)
Abstract: In their efforts to curb the COVID-19 pandemic, many countries have introduced contact tracing apps installed on mobile phones with the aim of breaking chains of infection. This raises ethical and legal questions, as these apps have the potential to be used for surveillance of the population. There is pressure to set privacy and data protection aside to allow extensive collection and processing of personal data, while their benefits remain uncertain. The two versions of the Norwegian COVID-19 tracing app are used as a case study to explore how law and legal norms are made and implemented – or not – in the context of a public emergency. In Norway, the legal question of contact tracing apps has largely been limited to a question of compliance with the GDPR and has excluded a meaningful conversation about the use of apps as pandemic response tools and their impact on rights and freedoms. The normative argument of the article is that to combine a robust form of privacy and data protection with the use of digital tools in a crisis, we need to carefully scrutinize the effects technology choices have on human rights and the rule of law.

Liu, Ching-Yi, Wei-Ping Li and Yun-Pu Tu, ‘Privacy Perils of Open Data and Data Sharing: A Case Study of Taiwan’s Open Data Policy and Practices’ (2021) 30(3) Washington International Law Journal 545–597
Abstract: Governments and private sector players have hopped on the open data train in the past few years. Both the governments and civil society in Taiwan are exploring the opportunities provided by the data stored in the public and private sectors. While they have been enjoying the benefits of the sharing and flowing of data among various databases, the government and some players in the private sectors have also posed tremendous privacy challenges by inappropriately gathering and processing personal data. The amended Personal Data Protection Act was originally enacted as a regulatory mechanism to protect personal data and create economic benefits via enhancing the uses of public and private sector data. In reality, the Act has instead resulted in harm to Taiwan’s data privacy situation in this big data era. This article begins with an overview of Taiwan’s open data policy history and its current practices. Next, the article analyzes cases in which the data-sharing practices between different sectors have given rise to privacy controversies, with a particular focus on 2020, when Taiwan used data surveillance in response to the COVID-19 pandemic. Finally, this article flags problems related to an open data system, including the protection of sensitive data, de-identification, the right to consent and opt-out, and the ambiguity of ‘public interest,’ and concludes by proposing a feasible architecture for the implementation of a more sensible open data system with privacy-enhancing characteristics.

Lodders, Adam and Jeannie Marie Paterson, ‘Scrutinising COVIDSafe: Frameworks for Evaluating Digital Contact Tracing Technologies’ (2020) 45(3) Alternative Law Journal 153–161
Abstract: Digital technologies are being used to combat the coronavirus disease 2019 (COVID-19) pandemic through a variety of methods, including monitoring compliance with quarantine and contact tracing. These uses of technology are said to promote public health outcomes but risk undermining rights to privacy. In this article we focus on the use of digital technologies for contact tracing, such as the COVIDSafe app used in Australia. We explore the kind of framework that might be used for evaluating the design, deployment and governance of such technologies to ensure they operate in a manner that is proportionate to the ends to be achieved. We conclude that, in addition to issues of privacy, any use of contact tracing technology should address important considerations of efficacy, equity and accountability.

Lucivero, Federica et al, ‘COVID-19 and Contact Tracing Apps: Ethical Challenges for a Social Experiment on a Global Scale’ (2020) 17(4) Journal of Bioethical Inquiry 835–839
Abstract: Mobile applications are increasingly regarded as important tools for an integrated strategy of infection containment in post-lockdown societies around the globe. This paper discusses a number of questions that should be addressed when assessing the ethical challenges of mobile applications for digital contact-tracing of COVID-19: Which safeguards should be designed in the technology? Who should access data? What is a legitimate role for ‘Big Tech’ companies in the development and implementation of these systems? How should cultural and behavioural issues be accounted for in the design of these apps? Should use of these apps be compulsory? What does transparency and ethical oversight mean in this context? We demonstrate that responses to these questions are complex and contingent and argue that if digital contract-tracing is used, then it should be clear that this is on a trial basis and its use should be subject to independent monitoring and evaluation.

Lucivero, Federica et al, ‘COVID-19 and Contact Tracing Apps: Technological Fix or Social Experiment?’ (SSRN Scholarly Paper No ID 3590788, Social Science Research Network, 10 April 2020)
Abstract: Mobile applications are increasingly regarded as important tools for an integrated strategy of post-lockdown policy response around the globe. This paper explores how the use of smartphone applications for digital contact tracing is currently being framed by media, experts and policy-makers and discusses a number of questions raised by the debate on digital surveillance at the time of Covid-19: How can personal data be adequately collected and protected? Who should access data? What is a legitimate role for Big Tech companies in the development and implementation of these systems? How is the cultural and moral context taken into account in the design of these apps? Should use of these apps be compulsory? What does transparency and ethical oversight mean in this context? As we show that responses to these questions are complex and uncertain, we argue that rather than technological fixes to the current emergency these apps should be introduced in society as societal experimental trials whose effectiveness and consequences need to be closely and independently monitored the same level of precaution and safeguards that social experimentation require.

Majumder, Amita and Karan Jawanda, ‘Contact Tracing Apps of Covid-19 vis-a-vis Privacy Issues: A Study’ (2021) 24 Supremo Amicus Journal (unpaginated)
Abstract: Surveillance is not a new concept for the Government agencies of any country but during COVID-19 pandemic it gives an extra wing to government agencies to do digital surveillance. Digital Surveillance has been done with the help of interfaces to allow bluetooth or location tracking or contact tracking methods using Android or iPhone communication devices. During the COVID19 outbreak the government agencies of China, Singapore, India, Israel etc. are using contact tracing apps for COVID-19 patient and helping the society against the COVID19 virus. This technology is helpful for tracing the contact of certain geo-location area and breaks the chain of strain of virus. But it raises many question before all of usWhat about the right to privacy of the Individuals who are downloading these apps?, how their data has been stored?, where it has been stored?, is our data in encrypted form?, is our data protected? What are the methods to destroy our data after this pandemic is over? Etc. This paper shall deal with the problem and issues relating to privacy because of contact tracing apps for COVID-19, the need for data protection, comparative analysis of different apps being used by different countries with respect to privacy and data protection. The paper shall also outline the legal provisions relating to surveillance and interception of data under Indian Telegraph Act and Information Technology Act 2000 along with rules. Findings and suggestions regarding the issue shall also be discussed.

Malhotra, Shefali and Shivangi Rai, ‘To What Effect? COVID-19 Mobile Apps, Public Health and the Need for Sound Policy’ (SSRN Scholarly Paper No 4263424, 28 October 2022)
Abstract: In the early days of the COVID-19 pandemic, a multitude of mobile apps were deployed to complement manual contact tracing, quarantine and isolation efforts by central, state and local authorities in India. This was the first time that digital tools were used to augment disease surveillance efforts on a large scale. At the time of deployment and even today, these mobile apps remain experimental tools with no conclusive evidence of their effectiveness, but with known risks to privacy and data security. The public discourse examining these mobile apps has also raised several privacy and data security concerns. We add to this literature through an examination of COVID-19 mobile apps deployed by state governments and local authorities, using public health perspectives on infectious disease surveillance. We develop a framework of analysis that factors state capacity concerns, public engagement, processes and methods that facilitate continuous effectiveness evaluation, and privacy and ethical concerns. We then examine COVID-19 mobile apps against this framework of analysis. Our analysis highlights several instances of duplication due to lack of coordination amongst various stakeholders engaged in COVID-19 disease surveillance; absence of any oversight and public engagement in the development and deployment processes; mixed evidence on the integration of COVID-19 mobile apps with public health protocols, a prerequisite for conducting any effectiveness evaluation; and, weak data protection. Our findings underscore the need for a systems level approach to deploying digital disease surveillance tools, particularly the need for integrating effectiveness evaluations in the implementation process.

Maras, Marie-Helen and Wendy O’Brien, ‘Discrimination, Stigmatization, and Surveillance: COVID-19 and Social Sorting’ (2023) 32(1) Information & Communications Technology Law 122–148
Abstract: The unprecedented global public health crisis posed by the COVID-19 pandemic has caused mass upheaval of social, educational, financial, health, and justice systems around the world. Technological and other responses at the national, regional, and international level, designed to contain the spread of COVID-19, have also significantly interrupted the way that we live, work, and interact. This article explores the implications of these response efforts, and their impact on human rights, existing inequalities, and entrenched forms of discrimination. In particular, the article explores the implications of using mass surveillance and registration measures to detect, surveil, and control populations and their movements within and across borders as part of public health responses. The use of digital health credentials in automated social sorting processes and other mass surveillance and registration measures in response to the COVID-19 pandemic sets an alarming precedent for future responses to global public health crises.

Marcus, David, ‘Digital Resilience in the Age of a Global Pandemic: How Can Privacy Assist in Risk Mitigation?’ (2020) 17(1/2) Privacy Law Bulletin 2–5
Abstract: The global Coronavirus disease 2019 (COVID-19) pandemic is creating unprecedented disruption to all industries globally through its direct and indirect impact on health and wellbeing, the needs of citizens, the way we work, and the needs of our clients. It is estimated that over the course of a year, the pandemic could impact the Australian economy alone by a reduction of AUD34.2 billion or an approximately 1.3% decrease in Gross Domestic Product (GDP). The challenges we face in addressing the risks of the pandemic are well-documented. Perhaps less documented however are the role of privacy frameworks in assisting with such statutory and day-to-day risk mitigation efforts, as well as the fact that we cannot avoid compliance with the ‘Privacy Act 1988’ (Cth) and other similar privacy frameworks including the ‘General Data Protection Regulation’ (GDPR).

Marks, Mason, ‘Emergent Medical Data: Health Information Inferred by Artificial Intelligence’ [2021] U.C. Irvine Law Review (forthcoming)
Abstract: Artificial intelligence can infer health data from people’s behavior even when their behavior has no apparent connection to their health. AI can monitor one’s location to track the spread of infectious disease, scrutinize retail purchases to identify pregnant customers, and analyze social media to predict who might attempt suicide. These feats are possible because in modern societies, people continuously interact with internet-enabled software and devices. Smartphones, wearables, and online platforms monitor people’s actions and produce digital traces, the electronic remnants of their behavior. In their raw form, digital traces might not be very interesting or useful; one’s location, retail purchases, and internet browsing habits are relatively mundane data points. However, AI can enhance their value by transforming them into something more useful—emergent medical data. EMD is health information inferred by artificial intelligence from otherwise trivial digital traces. This Article describes how EMD-based profiling is increasingly promoted as a solution to public health crises such as the COVID-19 pandemic, gun violence, and the opioid crisis. However, there is little evidence to show that EMD-based profiling works. Even worse, it can cause significant harm, and current privacy and data protection laws contain loopholes that allow public and private entities to mine EMD without people’s knowledge or consent. After describing the risks and benefits of EMD mining and profiling. The Article proposes six different ways of conceptualizing these practices. It concludes with preliminary recommendations for effective regulation. Potential options include banning or restricting the collection of digital traces, regulating EMD mining algorithms, and restricting how EMD can be used once it is produced.

McGregor, Lorna, ‘Regulating Digital and AI Technologies:: Lessons from the Digitisation of Contact Tracing during the COVID-19 Pandemic’ (2022) 3(1) Yearbook of International Disaster Law Online 35–70
Extract from Introduction: Using the example of the digitisation of contact tracing during the COVID-19 pandemic, I discuss the challenges that arise from seeking to use digital technologies, particularly where they involve AI dimensions, as part of states’ due diligence obligations while addressing risk in the absence of any, or incomplete, regulation dedicated to the governance of these technologies. As quickly became apparent, contact tracing via an app is a qualitatively different exercise to simply digitising a human function.

Mello, Michelle M and C Jason Wang, ‘Ethics and Governance for Digital Disease Surveillance’ (2020) 368(6494) Science 951–954
Abstract: Digital epidemiology—the use of data generated outside the public health system for disease surveillance—has been in use for more than a quarter century [see supplementary materials (SM)]. But several countries have taken digital epidemiology to the next level in responding to COVID-19. Focusing on core public health functions of case detection, contact tracing, and isolation and quarantine, we explore ethical concerns raised by digital technologies and new data sources in public health surveillance during epidemics. For example, some have voiced concern that trust and participation in such approaches may be unevenly distributed across society; others have raised privacy concerns. Yet counterbalancing such concerns is the argument that ‘sometimes it is unethical not to use available data’; some trade-offs may be not only ethically justifiable but ethically obligatory. The question is not whether to use new data sources—such as cellphones, wearables, video surveillance, social media, internet searches and news, and crowd-sourced symptom self-reports—but how.

Miao, Michelle, ‘Coded Social Control: China’s Normalization of Biometric Surveillance in the Post-COVID-19 Era’ (2023) Washington Journal of Law, Technology & Arts (forthcoming)
Abstract: This article investigates the longevity of health QR codes, a digital instrument of pandemic surveillance, in post-COVID China. From 2020 to 2022, China widely used this tri-color tool to combat the COVID-19 pandemic. A commonly held assumption is that health QR codes have become obsolete in post-pandemic China. This study challenges such an assumption. It reveals their persistence and integration - through mobile apps and online platforms - beyond the COVID-19 public health emergency. A prolonged, expanded, and normalized use of tools that were originally intended for contact tracing and pandemic surveillance raises critical legal and ethical concerns. Moreover, their functional transformation from epidemiological risk assessment tools to instruments of behavior modification and social governance heralds the emergence of a Data Leviathan. This transformation is underpinned by a duality of underlying political and commercial forces. These include 1) a structural enabler: a powerful alliance between political authorities and tech giants and 2) an ideological legitimizer: a commitment to collective security over individual autonomy. In contrast to the rights-centric approach embraced by Western democracies to regulate AI-driven biometric surveillance, China adopts a state-industry dominance model of governance.

de Miguel Beriain, Íñigo and Jon Rueda, ‘Digital Covid Certificates as Immunity Passports: An Analysis of Their Main Ethical, Legal, and Social Issues’ [2022] Journal of Bioethical Inquiry (advance article, published online 19 September 2022)
Abstract: Digital COVID certificates are a novel public health policy to tackle the COVID-19 pandemic. These immunity certificates aim to incentivize vaccination and to deny international travel or access to essential spaces to those who are unable to prove that they are not infectious. In this article, we start by describing immunity certificates and highlighting their differences from vaccination certificates. Then, we focus on the ethical, legal, and social issues involved in their use, namely autonomy and consent, data protection, equity, and international mobility from a global fairness perspective. The main conclusion of our analysis is that digital COVID certificates are only acceptable if they meet certain conditions: that they should not process personal data beyond what is strictly necessary for the aimed goals, that equal access to them should be guaranteed, and that they should not restrict people’s autonomy to access places where contagion is unlikely. We conclude that, if such conditions are guaranteed, digital COVID certificates could contribute to mitigating some of the most severe socioeconomic consequences of the pandemic.

Miller, Nigel and Ben Nolan, ‘The NHSX App: What Are the Privacy Concerns?’ [2020] (June) Computers and Law 34–38
Abstract: Reviews how the contact tracing application software that is being developed by NHSX works and explores the steps that should be taken to address the privacy and data protection concerns that have been raised concerning its use. Questions whether there needs to be a specific NHSX regulator or legislation to ensure its necessary safeguards.

Milo, Dario et al, ‘The Effect of COVID-19 on Cybersecurity and Cyber Breaches’ (2020) 20(6) Without Prejudice 19–20
Abstract: With more employees working from home during the COVID-19 pandemic, the risk of cybercrime has escalated, and the need to have proper systems and procedures in place has become even more important.

Molitorisz, Sacha, James Meese and Jennifer Hagedorn, ‘From Shadow Profiles to Contact Tracing: Qualitative Research into Consent and Privacy’ (2021) 3(2) Law, Technology and Humans 46–60
Abstract: For many privacy scholars, consent is on life support, if not dead. In July 2020, we held six focus groups in Australia to test this claim by gauging attitudes to consent and privacy, with a spotlight on smartphones. These focus groups included discussion of four case studies: ‘shadow profiles’, eavesdropping by companies on smartphone users, non-consensual government surveillance of its citizens and contact tracing apps developed to combat COVID-19. Our participants expressed concerns about these practices and said they valued individual consent and saw it as a key element of privacy protection. However, they saw the limits of individual consent, saying that the law and the design of digital services also have key roles to play. Building on these findings, we argue for a blend of good law, good design and an appreciation that individual consent is still valued and must be fixed rather than discarded - ideally in ways that are also collective. In other words, consent is dead; long live consent.

Molldrem, Stephen, Mustafa I Hussain and Alexander McClelland, ‘Alternatives to Sharing COVID-19 Data with Law Enforcement: Recommendations for Stakeholders’ [2020] Health Policy (advance article, published 7 November 2020)
Abstract: During the COVID-19 pandemic, in some jurisdictions, police have become involved in enforcing coronavirus-related measures. Relatedly, several North American jurisdictions have established COVID-19 data sharing protocols with law enforcement. Research across a range of fields has demonstrated that involving police in matters of public health disproportionately impacts the most vulnerable and does more harm than good. This is reflected in the consensus against COVID-19 criminalization that has emerged among civil society organizations focused on HIV, human rights, and harm reduction. The European Data Protection Board has also released guidelines against re-uses of COVID-19 data for law enforcement purposes. This article offers an overview of the harms of criminalizing illnesses and strategies for health stakeholders to seek alternatives to sharing COVID-19 data with police agencies while facilitating interoperability with healthcare first responders. It also presents case studies from two North American jurisdictions – Ontario and Minnesota – that have established routine COVID-19 data sharing with police. We recommended seven alternatives, including designating COVID-19 data as sensitive and implementing segmented interoperability with first responder agencies. These guidelines can help ensure that health information technology platforms do not become vehicles for the criminalization of COVID-19, and that health data stay within the health system.

De Montalvo Jääskeläinen, Federico, ‘Ethical and Legal Requirements for Biomedical Research Involving Health Data in the Context of the Covid-19 Pandemic: Is Informed Consent Still Playing the Leading Role?’ [2021] (Special Issue 2) BioLaw Journal – Rivista di BioDiritto 157–167
Abstract: The current pandemic could have accelerated a change of the traditional paradigm about the secondary use of health data. The traditional one has been based on the faculty of the individuals about accepting or not that use of their health data through the main role of informed consent. The new paradigm considers the current value of that secondary use for the improvement of the health of community and its individuals, through the possibilities offered by Big Data and AI. Therefore, the need of a balance between individual rights and the common good is indispensable. Pseudonymization could be the way to find this balance.

de Montjoye, Yves-Alexandre, ‘Evaluating COVID-19 Contact Tracing Apps? Here Are 8 Privacy Questions We Think You Should Ask’, Imperial College, Computational Privacy Group (2 April 2020)
Abstract: While governments are ramping up their efforts to slow down the spread of COVID-19, contact tracing apps are being developed to record interactions and warn users if one of their contacts is later diagnosed positive. These apps could help avoid long-term confinement, but also record fine-grained location or close-proximity data. In this blog post, we propose 8 questions one should ask to understand how protective of privacy an app is.

Morley, Jessica et al, ‘Ethical Guidelines for COVID-19 Tracing Apps’ (2020) 582(7810) Nature 29–31

Morris, Narelle and Anna Bunn, ‘When Trust Fails Purpose: Legislative Lessons From Police Access to the SafeWA Covid 19 Contact Tracing Data’ (2023) 50(2) University of Western Australia Law Review 162–192
Abstract: In response to the ongoing COVID-19 pandemic, Western Australia (WA) introduced in November 2020 a mandatory contact tracing registration system and rolled out an online mobile application (the SafeWA app) which allowed users to easily check-in to venues at which they were required to register their attendance. The WA public was assured that their check-in data, including data logged through the SafeWA app, would only be used for contact tracing purposes. Despite this, it later came to light that WA Police had sought and gained access to data collected by the SafeWA app in connection with criminal investigations. Following that revelation, and to address its potential to undermine public confidence in the SafeWA app (and the contact tracing system in general), the WA Government introduced the Protection of Information (Entry Registration Information Relating to COVID-19 and Other Infectious Diseases) Act 2021 (WA). That Act, which came into force in June 2021, provides that entry registration information can be used only for contact tracing and some other specified purposes and cannot be used for general criminal investigations or law enforcement. This article examines the legislative basis of WA’s mandatory contact tracing registration system and highlights some of the implications for law-making, parliamentary oversight and the rule of law which result from the use of subsidiary legislation to effect significant controls over the public.

Morrison, David and Patrick Quirk, ‘An Australian Conundrum: Genomic Technology, Data, and the COVIDSafe App’ (2020) 33(1) Pace International Law Review 43
Abstract: This paper examines the difficulties that have arisen in Australia in the use of its contact-tracing app. We examine the privacy implications around the use of the app, the wider economic imperative, and the balancing of those concerns against the health threat of the COVID-19 pandemic. We posit that default options are superior in times of emergency and rather than begging for the adoption of lifesaving technology, we suggest that the evidence gathered by behavioral economists provides an apposite and powerful alternative worthy of consideration.

Moulds, Sarah et al, ‘Stopping the Spread? Enhancing Legal Frameworks for the Protection of Personal Information in the Context of COVID-19 Contact Tracing’ (2021) 37(3) Law in Context. A Socio-legal Journal (advance article, published online 24 January 2022)
Abstract: Personal privacy versus public safety is a rights trade-off that has been brought into sharp focus by the COVID-19 pandemic, with flow-on implications for the success of contract tracing regimes implemented across Australia. These contact tracing regimes depend upon the supply of accurate information by individuals, which in turn depends upon the trust that is placed in health authorities and other government officials to handle personal information with care. A range of different laws govern the collection and use of personal information by health authorities at the federal level and in each Australian state or territory. Understanding these rules might help us to work out ways to ensure that everyone in our community feels like they can tell the truth when it matters most. Using a case study from South Australia, this article reviews existing legislative, regulatory and policy frameworks that currently apply to the col-lection and use of personal information in health care and highlights the tension between creating incentives to share personal information and policing compliance with COVID-19 laws and ensuring robust legal protection for sensitive personal information. Relevant lessons from the South Australian experience are then extrapolated for consideration by other Australian jurisdictions, with a view to identifying what safeguards and protections could be included in current legal frameworks governing the use, sharing and disclosure of personal information in health care settings to help resolve the current tension between protecting individual privacy and promoting public health.

Mühlhoff, Rainer, ‘We Need to Think Data Protection Beyond Privacy: Turbo-Digitalization after COVID-19 and the Biopolitical Shift of Digital Capitalism’ (SSRN Scholarly Paper No ID 3596506, 30 March 2020)
Abstract: Turbo-Digitization after Covid-19 will advance algorithmic social selection and the biopolitical shift of digital capitalism. In order to mitigate these risks, we must address the social implications of anonymous mass data.

Mukerjee, Diksha, Sang Doma Sherpa and Shilpa Suresh, ‘Understanding the Covid-19 Pandemic through Foucault’ 9(3) International Journal of Social Science and Humanities Research 509–516
Abstract: Due to the severity of the pandemic, countries across the world had to accept a lot of sophisticated new technological solutions to keep the pandemic under its grip, which included embracing digital surveillance tools as quick fixes and as policy responses to the crisis. However, the use of ICTs have made it much harder to distinguish between what is considered public and private. Thus, the use of such technologies have raised serious concerns related to mass digital surveillance practices, the outsourcing of expertise or sensitive personal data to private companies, and the potential infringement of citizens’ fundamental rights. States of emergencies, like the coronavirus crisis, tend to warrant an extension of discretionary governmental powers. This can become problematic when they are used as a rationale, or as a pretext to suspend and undermine democratic principles and rights. This paper seeks to investigate the heightened correlation between the emergence of sensory power and surveillance as a means to regulate/control disease, ushering in an era of normalized surveillance, and the slippery slope that it presents.

Nabben, Kelsie, ‘Trustless Approaches to Digital Infrastructure in the Crisis of COVID-19 Australia’s Newest COVID App. Home-Grown Surveillance Technologies and What to Do About It’ (SSRN Scholarly Paper No ID 3579220, 14 April 2020)
Abstract: This week, the Australian Government proposed a mobile phone-based tracking application to address the spread of coronavirus. The COVID-19 pandemic has demonstrated an acceleration of government-led surveillance technology around with the world. At present, the significant uptick in digital tools as a policy response to address the public health crisis are not being matched by suitable policy clauses or technology design to serve the interests of Australian citizens. This article presents the global contact-tracing phone app responses to COVID-19, outlines the key privacy concerns and presents alternative policy pathways and technical approaches towards privacy preservation and trustless (trust minimising) digital infrastructure to improve Australia’s digital-political response to COVID-19.

Nabben, Kelsie, Marta Poblet and Jan Carlo Barca, ‘What Is Known from a Network?: Digital Contact Tracing, Privacy, and Pandemics in the Digital Age’ (Mercatus Center at George Mason University, COVID-19 Response Working Paper, October 2020)
Abstract: COVID-19 is an unprecedented crisis that has sparked unprecedented responses from governments around the world. These responses pose a threat to democratic stability and civil liberties. Digital contact tracing is just one example of a technology-based crisis response measure that has been rapidly deployed but could have far-reaching negative consequences for society. This paper explores the risks and consequences of collecting, collating, and storing digital data on people’s networks of contacts as a crisis response measure. We aim to inform a discussion on the tradeoffs between the value of creating the data for public health outcomes and the risks to public trust in government and democratic stability. We ask, ‘What are the privacy risks of digital contact tracing, and what consequences does this have for national security and democratic stability?’ We analyze the considerations that governments are taking in designing and deploying digital responses to the crisis in the case of digital contact tracing, and we explore what information can be derived from the data on populations and how this information could be misused in ways that harm democratic principles. We argue that government collection of digital contact tracing data poses a serious threat to civil liberties owing to the potential for the data to become a geopolitical target for hacking and interference in democratic stability through information warfare. We then propose a number of technical considerations and policy settings that are transparent, temporary, and proportionate to limit data vulnerabilities and provide a framework to better safeguard civil liberties and democracy in the digital age.

Naudé, Wim, ‘Artificial Intelligence Against Covid-19: An Early Review’ (SSRN Scholarly Paper No ID 3568314, 6 April 2020)
Abstract: Artificial Intelligence (AI) is a potentially powerful tool in the fight against the COVID- 19 pandemic. Since the outbreak of the pandemic, there has been a scramble to use AI. This article provides an early, and necessarily selective review, discussing the contribution of AI to the fight against COVID-19, as well as the current constraints on these contributions. Six areas where AI can contribute to the fight against COVID-19 are discussed, namely i) early warnings and alerts, ii) tracking and prediction, iii) data dashboards, iv) diagnosis and prognosis, v) treatments and cures, and vi) social control. It is concluded that AI has not yet been impactful against COVID-19. Its use is hampered by a lack of data, and by too much data. Overcoming these constraints will require a careful balance between data privacy and public health, and rigorous human-AI interaction. It is unlikely that these will be addressed in time to be of much help during the present pandemic. In the meantime, extensive gathering of diagnostic data on who is infectious will be essential to save lives, train AI, and limit economic damages.

Nesterova, Irena, ‘The Global Flood of COVID-19 Contact Tracing Apps: Sailing with Human Rights and Data Protection Standards against the Wind of Mass Surveillance’ (2021) 92 SHS Web of Conferences Article 01035
Abstract:
Research background: Countries all around the world are rapidly introducing contact tracing apps and other surveillance technologies to tackle the spread of COVID-19 raising serious concerns about human rights and democratic principles.
Purpose of the article: The article aims to analyse how human rights and data protection law regulate the COVID-19 contact tracing apps and reveal the biggest challenges that countries face in applying the essential requirements.
Methods: The article will analyse the legal framework and compare many guidance documents issued by the international organisations, including the Council of Europe, the OECD and many EU institutions on the data protection requirements for contact tracing tools and the main challenges the governments face in different countries.
Findings & Value added: The article will reveal that the existing human rights and data protection standards already impose significant requirements for contact tracing apps requiring to comply with such principles as legality, necessity, proportionality, transparency, purpose limitation, temporariness. Although countries tend to deviate from some of these standards a choice between effective response to crises and fundamental rights should not be made. The article argues that the global flood of digital surveillance technologies requires new regulatory framework and governance mechanisms to enable impact assessment, oversight and monitoring of these technologies both during and after the crises not only to ensure that they are lawful and ethical, but also to limit the dependency of governments on large technology companies as well as to prevent mass surveillance becoming the new normal on a global scale.

Newlands, Gemma et al, ‘Innovation under Pressure: Implications for Data Privacy during the Covid-19 Pandemic’ (2020) 7(2) Big Data & Society Advance article, published online 1 December 2020
Abstract: The global Covid-19 pandemic has resulted in social and economic disruption unprecedented in the modern era. Many countries have introduced severe measures to contain the virus, including travel restrictions, public event bans, non-essential business closures and remote work policies. While digital technologies help governments and organizations to enforce protection measures, such as contact tracing, their rushed deployment and adoption also raises profound concerns about surveillance, privacy and data protection. This article presents two critical cases on digital surveillance technologies implemented during the Covid-19 pandemic and delineates the privacy implications thereof. We explain the contextual nature of privacy trade-offs during a pandemic and explore how regulatory and technical responses are needed to protect privacy in such circumstances. By providing a multi-disciplinary conversation on the value of privacy and data protection during a global pandemic, this article reflects on the implications digital solutions have for the future and raises the question of whether there is a way to have expedited privacy assessments that could anticipate and help mitigate adverse privacy implications these may have on society.

Ng, Yee-Fui and Stephen Gray, ‘Wars, Pandemics and Emergencies: What Can History Tell Us about Executive Power and Surveillance in Times of Crisis?’ (2021) 44(1) UNSW Law Journal 227–266
Abstract: In the fight against coronavirus, the Australian government has enacted a series of measures that represent an expansion of executive powers. These include the use of smartphone contact-tracing technology, mandatory isolation arrangements, and the closure of businesses. Critics have expressed concerns about the long-term implications of these measures upon individual rights. This article will analyse the validity of such concerns in the context of other historical uses of executive power in Australia in times of crisis: during the Spanish Flu pandemic of 1918, the First and Second World Wars, and the ‘War on Terror’ post-September 2001. Drawing its conclusions from these historical precedents, the article argues that clear legislative safeguards are a minimum necessary step both to prevent police and governmental abuse of privacy, and to foster and maintain trust in the government’s ability to manage their ‘emergency’ powers in a manner consistent with human rights.

Ni Loideain, Nora, ‘Regulating Health Research and Respecting Data Protection: A Global Dialogue’ (2020) 10(2) International Data Privacy Law 115
Abstract: The global COVID-19 pandemic has focused minds sharply on the valuable role to be played by data collection and analysis for advancing health research, especially how it may help in informing and developing policy responses.Modern health research requires vast collections of data. Ensuring open access and wide sharing of these huge data sets that contain highly sensitive personal in-formation within the international scientific community is also essential to the development of medical treatments and research breakthroughs. The importance of all of these factors drastically increases in times of emergency when rapid responses are urgently needed from the scientific community (such as the development of a vaccine). However, as the European Commission and academic commentators point out, any such measures must also be lawful and proportionate, comply with data protection law, and respect the fundamental rights of those who have shared their health data.

Nicol, Dianne et al, ‘Australian Perspectives on the Ethical and Regulatory Considerations for Responsible Data Sharing in Response to the COVID-19 Pandemic’ (2020) 27(4) Journal of Law and Medicine 829
Abstract: As the rush to understand and find solutions to the coronavirus disease 2019 pandemic continues, it is timely to re-examine the legal, social and ethical drivers for sharing health-related data from individuals around the globe. International collaboration and data sharing will be essential to the research effort. This raises the question of whether the urgent imperative to find therapies and vaccines may justify some temporary rebalancing of existing ethical and regulatory standards. The Global Alliance for Genomic Health is playing a leading role in collecting information about national approaches to these challenging questions. In this section, we examine some of the initiatives being taken in Australia against this global backdrop.

Nijsingh, Niels, Anne van Bergen and Verina Wild, ‘Applying a Precautionary Approach to Mobile Contact Tracing for COVID-19: The Value of Reversibility’ (2020) 17(4) Journal of Bioethical Inquiry 823–827
Abstract: The COVID-19 pandemic presents unprecedented challenges to public health decision-making. Specifically, the lack of evidence and the urgency with which a response is called for, raise the ethical challenge of assessing how much (and what kind of) evidence is required for the justification of interventions in response to the various threats we face. Here we discuss the intervention of introducing technology that aims to trace and alert contacts of infected persons—contact tracing (CT) technology. Determining whether such an intervention is proportional is complicated by complex trade-offs and feedback loops. We suggest that the resulting uncertainties necessitate a precautionary approach. On the one hand, precautionary reasons support CT technology as a means to contribute to the prevention of harms caused by alternative interventions, or COVID-19 itself. On the other hand, however, both the extent to which such technology itself present risks of serious harm, as well as its effectiveness, remain unclear. We therefore argue that a precautionary approach should put reversibility of CT technology at the forefront. We outline several practical implications.

Novita, Thasya and Elfia Farida, ‘Legal Protection of Rights to Personal Data in Digital-Based Health Services for Indonesians (E-Health during the Covid-19 Pandemic)’ (Proceedings of the 1st International Workshop on Law, Economics and Governance, IWLEG 2022, 27 July 2022, Semarang, Indonesia, 2023) [unpaginated]
Abstract: The implementation of e-health in Indonesia is one form of e-government implementation, which is effective for realizing good governance. The use of information technology in the implementation of e-health raises legal issues regarding the protection of patient’s personal data. This research examines how the legal protection of the right to personal data of patients in the implementation of e-health. This research used a doctrinal approach, and the collected data was analysed qualitatively. The results of this research indicate that the patient’s personal data has been protected by law through the ITE Law, Health Law, Hospital Law, and the medical code of ethics as well as the ICCPR. Patients as protected parties have the right to demand accountability from health service providers in the event that a violation of the right to personal data. Confidentiality of patient health information has a close affiliation with patient rights and medical ethics. The existence of the principle of non-maleficence in health practice provides an opportunity for health workers to provide limited information about the medical condition of COVID-19 patients to outside parties who have an interest.

Ogbuefi, Nnubia, ‘Contact Tracing and Its Approach to Privacy Under Europe and Canada’s Privacy Laws’ (SSRN Scholarly Paper No 4248282, 18 January 2021)
Abstract: 2020 can be described as COVID-19, given that the entire year was spent battling and trying to contain the spread of this new strain of the SARS virus, a situation declared as a pandemic by the World Health Organization. News about the discovery and effectiveness of the COVID vaccine emerged this month, bringing some hope to the end of the pandemic. Before the vaccine discovery, control measures such as prevention, testing, and tracing were adopted to control the spread of the virus. This paper discusses privacy and data protection concerns surrounding contact tracing and the impact of the adoption of immunity certificates on marginalized and vulnerable communities.

Oliva, Jennifer D, ‘Public Health Surveillance in the Context of COVID-19’ (2021) 18(1) Indiana Health Law Review 107–122
Extract: Today, we are talking about public health surveillance in the context of COVID-19. My presentation will focus on contact tracing, so let me give you a roadmap for today’s discussion. I am going to start out by providing some background on traditional contact tracing, including its genesis, efficacy, and benefits. I will also highlight some of the significant challenges with contact tracing and disease surveillance with a focus on COVID-19 and the current state of track-and-trace in the United States. I will then explain the various digital track and trace technologies that have been developed or are under development to supplement traditional contact tracing to make the process more effective. I will also point out the strengths and weaknesses that attend to the current technologies that are available in the United States and abroad. I will then provide a survey of health data privacy laws. One of the themes that I want to emphasize today is that we do not have a federal-level general data protection law in the United States. Therefore, once we start talking about the collection of sensitive health care data outside the traditional health care system, we start to run into huge gaps in the law. I will touch on the California Consumer Privacy Act as well as the recent bills that have been introduced in Congress to protect health data captured by contact tracing applications. I will also give an overview of one of the most misunderstood laws in the United States—the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’).

Oliva, Jennifer D, ‘Surveillance, Privacy, and App Tracking’ in Scott Burris et al (eds), Assessing Legal Responses to COVID-19 (Public Health Law Watch, 2020) 40–46
Abstract: Over the last several months, global innovators have developed a heterogenous array of ‘smart’ technology protocols and applications aimed at tracking, tracing, and containing the spread of the novel coronavirus, SARS-CoV-2, which causes the disease COVID-19. The United States, which has left it to the states to acquire or build their own automated track and trace platforms, currently lags behind other countries. However, technology companies Apple and Google have announced co-production of a digital tracing platform for their phones. As this Chapter details, the United States lacks a comprehensive federal health data privacy law that protects the privacy of sensitive information collected and stored by digital contact tracking applications. The Chapter also explains how digital COVID-19 surveillance applications work, assesses their effectiveness from a public health perspective, and enumerates the legal and ethical issues they implicate. It concludes with proposals aimed at maximizing the public health benefits of COVID-19 surveillance technology while minimizing its inherent and conceivable threats to privacy, civil liberties, and vulnerable populations.

Ong, Ee-Ing and Wee Ling Loo, ‘Gauging the Acceptance of Contact Tracing Technology: An Empirical Study of Singapore Residents’ Concerns and Trust in Information Sharing’ (SSRN Scholarly Paper ID 3817972, 2 April 2021)
Abstract: In response to the COVID-19 pandemic, governments began implementing various forms of contact tracing technology. Singapore’s implementation of its contact tracing technology, TraceTogether, however, was met with significant concern by its population, with regard to privacy and data security. This concern did not fit with the general perception that Singaporeans have a high level of trust in its government. We explore this disconnect, using responses to our survey (conducted pre-COVID-19) in which we asked participants about their level of concern with the government and business collecting certain categories of personal data. The results show that respondents had less concern with the government as compared to a business collecting most forms of personal data. Nonetheless, they still had a moderately high level of concern about sharing such data with the government. We further found that income, education and perceived self-exposure to AI are associated with higher levels of concern with the government collecting personal data relevant to contact tracing, namely health history, location and social network friends’ information. This has implications for Singapore residents’ trust in government collecting data and hence the success of such projects, not just for contact tracing purposes but for other government-related data collection undertakings.

Ong, Nathan and Thomas Lim, ‘TraceTogether and the Doctrine of Legitimate Expectation’ [2021] Singapore Comparative Law Review 42–56
Abstract: On 4 January 2021, the Minister of State for Home Affairs Mr. Desmond Tan stated in Parliament that the police were able to obtain any data under Singapore’s jurisdiction for the purposes of criminal investigations, including data obtained from the mobile application ‘TraceTogether’,’ developed by Singapore’s Ministry of Health and Government Technology Agency (GovTech) for contact-tracing purposes in relation to the spread of the Covid-19 virus. These powers are derived from the Criminal Procedure Code (s. 20 CPC). This contradicted a privacy statement on the TraceTogether website and an assurance from the minister responsible that the data would only be used ‘for contact tracing purposes’. Following public outcry, the Singapore government announced that it would pass a law to formalise assurances made earlier that data from the Covid-19 TraceTogether contact-tracing programmes, if needed, could only be used in investigations pertaining to serious crimes. We will discuss the doctrine of legitimate expectation in the context of an action brought on the grounds of ministerial statements in the public law of Singapore and England, as elucidated by the controversy regarding the use of TraceTogether data for the purposes of criminal investigations. This will be done in two parts. Firstly, through an exploration of a hypothetical judicial review of a case based on issues surfaced by the TraceTogether controversy, we will compare the outcomes in the two jurisdictions. Secondly, we will trace how both jurisdictions have reasoned the existence of the doctrine. This will allow us to identify the public law principles influencing the conceptual basis of the doctrine, and how that leads to the results in our hypothetical case.

Ouyang, Weimin, ‘Research on the Legal Regulation of Personal Information Protection and Utilization in the Prevention and Control of COVID-19 Epidemic’ in 2020 6th International Conference on Social Science and Higher Education (ICSSHE 2020) (2020) 748–752
Abstract: In the prevention and control of COVID-19 epidemic in China, big data technology provides crucial scientific and technological support. Big data technology, on the one hand, played a huge role in the key issues of the prevention and control of COVID-19 epidemic that quickly identify potential infections, on the other hand, because China’s laws and regulations are not sound on the protection and utilization of personal information, there are legal obstacles in the collection, utilization and sharing of personal information. It is not conducive to making full use of personal information in prevention and control of COVID-19 epidemic. To this end, this paper combed the relevant laws and regulations on the protection and utilization of personal information in China, especially the laws and regulations on the protection and utilization of personal information under the situation of epidemic prevention and control, studied the complex legal relationship between them, and proposed promulgating the Personal Information Protection Law, as a long-term mechanism, to construct China’s legal standard system for the protection and utilization of personal information, and proposed that the National People’s Congress of China should issue an emergency bill according to the work needs, giving the government the power to deal with emergencies.

Park, Sangchul, Gina Jeehyun Choi and Haksoo Ko, ‘Information Technology–Based Tracing Strategy in Response to COVID-19 in South Korea: Privacy Controversies’ (2020) 323(21) Journal of the American Medical Association (JAMA) 2129–2130
Abstract: Introduction: Amid the global coronavirus disease 2019 (COVID-19) outbreak, South Korea was one of the next countries after China to be affected by the disease. Confirmed cases in Korea were first reported on January 20, 2020, and spiked from February 20 to 29, 2020. Instead of deploying aggressive measures such as immigration control, lockdown, or roadblocks, South Korea mounted a trace, test, and treat strategy. This was made possible by the preparations that the country had made after the Middle East respiratory syndrome (MERS) outbreak of 2015. South Korea extensively utilized the country’s advanced information technology (IT) system for tracing individuals suspected to be infected or who had been in contact with an infected person. Such measures helped flatten the curve of newly confirmed cases and deaths around mid-March. As of April 21, 2020, there had been 10 683 confirmed cases of COVID-19 in South Korea, with a total of 2233 patients who are in isolation because of hospitalization or quarantine, and a total of 237 deaths. However, important concerns have been raised over privacy involving the tracing strategy.

Parker, Michael J et al, ‘Ethics of Instantaneous Contact Tracing Using Mobile Phone Apps in the Control of the COVID-19 Pandemic’ (2020) 46(7) Journal of Medical Ethics 427–431
Abstract: In this paper we discuss ethical implications of the use of mobile phone apps in the control of the COVID-19 pandemic. Contact tracing is a well-established feature of public health practice during infectious disease outbreaks and epidemics. However, the high proportion of pre-symptomatic transmission in COVID-19 means that standard contact tracing methods are too slow to stop the progression of infection through the population. To address this problem, many countries around the world have deployed or are developing mobile phone apps capable of supporting instantaneous contact tracing. Informed by the on-going mapping of ‘proximity events’ these apps are intended both to inform public health policy and to provide alerts to individuals who have been in contact with a person with the infection. The proposed use of mobile phone data for ‘intelligent physical distancing’ in such contexts raises a number of important ethical questions. In our paper, we outline some ethical considerations that need to be addressed in any deployment of this kind of approach as part of a multidimensional public health response. We also, briefly, explore the implications for its use in future infectious disease outbreaks.

Paseri, Ludovica, ‘COVID-19 Pandemic and GDPR: When Scientific Research Becomes a Component of Public Deliberation’ in Dara Hallinan, Ronald Leenes and Paul De Hert (eds), Data Protection and Privacy, Volume 14: Enforcing Rights in a Changing World (Bloomsbury, 2021)

Pesapane, Filippo et al, ‘Legal and Regulatory Framework for AI Solutions in Healthcare in EU, US, China, and Russia: New Scenarios after a Pandemic’ (2021) 1(4) Radiation 261–276
Abstract: The COVID-19 crisis has exposed some of the most pressing challenges affecting healthcare and highlighted the benefits that robust integration of digital and AI technologies in the healthcare setting may bring. Although medical solutions based on AI are growing rapidly, regulatory issues and policy initiatives including ownership and control of data, data sharing, privacy protection, telemedicine, and accountability need to be carefully and continually addressed as AI research requires robust and ethical guidelines, demanding an update of the legal and regulatory framework all over the world. Several recently proposed regulatory frameworks provide a solid foundation but do not address a number of issues that may prevent algorithms from being fully trusted. A global effort is needed for an open, mature conversation about the best possible way to guard against and mitigate possible harms to realize the potential of AI across health systems in a respectful and ethical way. This conversation must include national and international policymakers, physicians, digital health and machine learning leaders from industry and academia. If this is done properly and in a timely fashion, the potential of AI in healthcare will be realized.

Ponce, Aida, ‘COVID-19 Contact-Tracing Apps: How to Prevent Privacy from Becoming the Next Victim’ (ETUI Research Paper - Policy Brief No 5/2020, 2020)
Abstract: Contact-tracing apps to combat the COVID-19 pandemic have increasingly been mentioned as useful tools to accompany and contribute to a return to normality despite the many ethical and legal questions they raise. The pressure exerted by business circles and lobbies to restart and ‘save the economy’ has been intense. What started as a public health crisis morphed into an economic crisis and we are now faced with a ‘trick-or-treat’ choice: accept to ‘pay the price’ and use invasive tracing apps, and by so doing facilitate a gradual reopening of business, or fight for privacy and delay the return to normality.

Porcedda, Maria-Grazia, ‘On the Compatibility of Pandemic Data-Driven Measures with the Right to Data Protection: A Review of “under-the-Radar” Measures Adopted in Ireland to Contain COVID-19’ (2022) 73(2) Northern Ireland Legal Quarterly 310–340
Abstract: This article reviews the compatibility of ‘under-the-radar’ data-driven measures adopted in Ireland to contain the COVID-19 pandemic with data protection law. Since data protection law implements and gives substance to the right to the protection of personal data enshrined in article 8 of the Charter of Fundamental Rights of the European Union, the article reviews the compatibility of data-driven measures with the applicable law in light of the Charter. The measures reviewed – thermal scanner guns, health self-check forms, Statutory Instruments for contact logging and the Vaccine Information System – appear well-meaning but partly incompatible with the right to data protection. The analysis points to the difficulty of reconciling public health and data protection without a systematic data-processing strategy and concludes with recommendations for right-proofing data-driven measures in the guise of a blueprint strategy for processing personal data for present and future pandemic purposes.

Pratama, Anugrah Muhtarom and Umi Khaerah Pati, ‘Analysis Principles of Personal Data Protection on COVID-19 Digital Contact Tracing Application: PeduliLindungi Case Study’ (2021) 5(2) Lex Scientia Law Review 65–88
Abstract: This article aims to review the application of the principle of personal data protection as part of privacy rights in the PeduliLindungi application considering that on the one hand, the PeduliLindungi application helps the government to reduce the spread of the COVID-19 virus. But on the other hand, there is a threat of misuse of personal data in the future. This background article is based on the use of the PeduliLindungi application, which was initially used to track the spread of the virus during the COVID-19 pandemic. But it seems that the public will increasingly use its use in the future, especially now that it has begun to be planned as an e-wallet and started integrating with several other applications. This article reveals that there has been a dual role by the Ministry of Communication and Informatics as a supervisor and controller of personal data in Indonesia so that it has implications for the PeduliLindungi application that has not fully applied the principles of personal data protection when collecting, processing, and storing personal data. For the future, a comprehensive legal development drive is needed related to the protection of personal data. There is a personal data protection agency and Data Protection Officer (DPO) to more strongly enforce the principles of personal data protection.

‘Privacy Is Protected, Even during a Pandemic: Research’ (2020) 113(6) Servamus Community-based Safety and Security Magazine 58–58
Abstract: Many South Africans have expressed valid concerns about the potential for abuse of personal information collected by government as part of tracking and tracing those exposed to COVID-19 infection. Yet, the approach taken appears to be well-balanced, even though the Protection of Personal Information Act of 2013 (POPI) has not yet come fully into operation. Electronic Communication Service Providers (ECSPs) such as Internet Service Providers (ISPs) can only provide personal information required to combat COVID-19 to the Director-General of the Department of Health for inclusion in a database which is subject to several restrictions.

Puri, Anuj, ‘A Theory of Privacy’ [2020] Cornell Journal of Law and Public Policy (forthcoming)
Abstract: In the age of Big Data Analytics and COVID-19 Apps, the conventional conception of privacy that focuses excessively on the identification of the individual is inadequate to safeguard the identity and autonomy of the individual. An individual’s autonomy can be impaired and her control over her social identity diminished, even without infringing the anonymity surrounding her personal identity. A century old individualistic conception of privacy that was designed to safeguard a person from unwarranted social interference is incapable of protecting her autonomy and identity when she is being targeted on the basis her interdependent social and algorithmic group affiliations. In order to overcome these limitations, in this paper, I develop a theoretical framework in form of a triumvirate model of group right to privacy (GRP), which is based on privacy as a social value (Pv). An individual has an interest in protecting her social identity arising out of her participation in social groups. The panoptic sorting of individuals by Big Data Analytics for behavioral targeting purposes gives rise to epistemic bubbles and echo chambers that impede the formation of an individual’s social identity. I construct the formulation of GRP1 to protect an individual’s interest in her social identity and her socially embedded autonomous self. Thereafter, I emphasize an individual’s right to informational self-determination and against algorithmic grouping in GRP2. Lastly, I highlight instances where an organized group may be entitled to privacy in its own right as GRP3. I develop a Razian formulation to state that the constant surveillance and monetization of human existence by Big Data Analytics is an infringement of individual autonomy. I highlight that the violation of GRP subjects an individual to behavioral targeting including hyper-targeted political advertising and distorts her weltanschauung. As regards the COVID-19 Apps, I assert that the extraordinary circumstances surrounding the pandemic do not provide an everlasting justification for reducing the identity of an individual to a potential disease carrier. I argue that the ambivalence regarding existence of surveillance surrounding an individual’s social identity can leave her in a perpetual state of simulated surveillance (simveillance). I further assert that it is in the long-term best interests of the BigTech corporations to respect privacy. In conclusion, I highlight that our privacy is not only interdependent in nature, it is existentially cumulatively interlinked. It increases in force with each successive protection. The privacy challenge posed by COVID-19 Apps has helped us realize that while limited exceptions to privacy maybe carved out in grave emergencies, there is no justification for round the clock surveillance of an individual’s existence by Big Data Analytics. Similarly, the threat to privacy posed by Big Data Analytics has helped us realize that privacy has been wrongly focusing on the distinguishing aspects of the individual. It is our similarities that are truly worth protecting. In order to protect these similarities, I formulate the concept of mutual or companion privacy, which counter-intuitively states that in the age of Big Data Analytics we have more privacy together rather than individually.

Ram, Natalie, Lance Gable and Jeffrey Ram, ‘The Future of Wastewater Monitoring for the Public Health’ (2022) 56 University of Richmond Law Review (forthcoming)
Abstract: The COVID-19 pandemic has invited dramatic investment in and expansion of wastewater surveillance. This surveillance may enable early detection of an increasing presence of COVID-19 in the community. But the same technology may simultaneously or soon be turned to other uses, including for drug interdiction, community wellness, or environmental monitoring. All of these uses raise urgent legal and ethical questions. But the legal literature, to date, has almost uniformly failed to even consider the ramifications of wastewater-based epidemiology. Indeed, we are aware of only two articles discussing wastewater surveillance in the legal literature—one of which is our own prior work. In prior work, we have raised questions about the legal and ethical dimensions of wastewater surveillance in response to the COVID-19 pandemic. But that work arrived in the earliest days of the pandemic, when research efforts were not yet well established or as broadly implemented, and when legal and ethical consideration was focused almost exclusively on the drastic public health emergency at issue. This Article thus expands the extant literature by considering the legal and ethical dimensions of wastewater surveillance more thoroughly and more broadly. It arrives at an auspicious time, as the United States moves into a vaccine-mediated phase in which COVID-19 is less likely to give rise to broad stay-at-home orders and more likely to trigger narrower, more targeted interventions. It seeks to offer guidance for the legal and ethical use of wastewater surveillance along two dimensions. The first considers the circumstances under which wastewater monitoring should be deployed for detecting and responding to COVID-19 specifically. The second zooms out, to consider whether and how this surveillance infrastructure, largely created in response to the COVID-19 pandemic, might be deployed for other uses, and examines the legal and ethical difficulties that may attend these broader uses. This Article proceeds in three parts. Part I reviews the state of the science for wastewater-based epidemiology, focusing specifically on how this technique has been deployed to monitor for or detect the virus that causes COVID-19. One of the authors is a research scientist currently working to establish and oversee wastewater-based epidemiological efforts related to COVID-19 monitoring in the City of Detroit, Michigan, and Part I draws on that expertise. Part II then moves from what is possible to what is legal and ethical. If wastewater-based epidemiology is to be deployed now and in the future for detecting and responding to COVID-19, what parameters should guide the collection of wastewater signals, and how should that data be used by policymakers and others to enact further public health protections? Finally, Part III broadens its scope beyond COVID-19. Wastewater surveillance for COVID-19 sentinel surveillance can be well justified, provided guidelines are established ex ante for public health response to monitoring results. Other uses of wastewater surveillance infrastructure, however, may raise substantial privacy concerns, particularly if this infrastructure becomes denser and correspondingly more granular in the data it discloses. Such uses may, in turn, undermine both the legal soundness of and public trust in wastewater monitoring writ large.

Ram, Natalie and David Gray, ‘Mass Surveillance in the Age of COVID-19’ (2020) 7(1) Journal of Law and the Biosciences Article lsaa023
Abstract: Epidemiological surveillance programs such as digital contact tracing have been touted as a silver bullet that will free the American public from the strictures of social distancing, enabling a return to school, work, and socializing. This Article assesses whether and under what circumstances the United States ought to embrace such programs. Part I analyzes the constitutionality of programs like digital contact tracing, arguing that the Fourth Amendment’s protection against unreasonable searches and seizures may well regulate the use of location data for epidemiological purposes, but that the legislative and executive branches have significant latitude to develop these programs within the broad constraints of the ``special needs’’ doctrine elaborated by the courts in parallel circumstances. Part II cautions that the absence of a firm warrant requirement for digital contact tracing should not serve as a green light for unregulated and mass digital location tracking. In light of substantial risks to privacy, policy makers must ask hard questions about efficacy and the comparative advantages of location tracking versus more traditional means of controlling epidemic contagions, take seriously threats to privacy, tailor programs parsimoniously, establish clear metrics for determining success, and set clear plans for decommissioning surveillance programs.

Raposo, Vera Lúcia, ‘Big Brother Knows That You Are Infected: Wearable Devices to Track Potential COVID-19 Infections’ (2021) 13(2) Law, Innovation & Technology 422–438
Abstract: Over the course of the COVID-19 pandemic, technology has been widely deployed to deter the spread of the virus. One such technology is wearable devices that can collect health data and inform health authorities about potential infections. Despite the laudable purposes of this technology, we might be on the verge of another digital Big Brother. This is not a case in which our moves are being watched, but our bodies are, in an extreme form of public health surveillance. This paper analyses the use of wearable devices to track potential COVID-19 infections within the framework of public health and related individual and state duties. The paper focuses on the threats that these devices may pose to individual rights and liberties, particularly self-determination (the freedom to not be tested for infectious diseases) and privacy (the protection of private data).

Raposo, Vera Lúcia, ‘Health, Privacy and Liberty: A Call for Digital Governance during (and after) the Pandemic’ (2023) 27(3) The International Journal of Human Rights 529–551
Abstract: The COVID-19 pandemic has boosted the development and use of technology by increasing the use of previously existing technological resources, such as maps identifying population movements; assigning new uses to previously existing technological mechanisms, such as the use of facial recognition for monitoring infected people; and encouraging the development of new technologies, such as apps that ascribe risk codes to citizens. Without these digital measures, the pandemic would probably continue to expand, or, alternatively, entire populations would have to be quarantined for months (or even years), with significant consequences arising from either scenario. Technologies provide tools to avoid those scenarios. However, digital measures come at a price to our rights, namely our rights to privacy and liberty. Precautions and limitations ought to be imposed on the use of these technologies, forming a code of digital governance for COVID-19.

Ray, Brian, ‘Just Plain Dumb?: How Digital Contact Tracing Apps Could’ve Worked Better (And Why They Never Got the Chance)’ (2021) 51(5) Seton Hall Law Review 1467–1504
Abstract: This Essay describes how the privacy debate that emerged over digital contact tracing and Google’s and Apple’s decisions to strictly limit apps permitted to use their platforms resulted in undercutting their potential usefulness as a tool to combat the pandemic while still failing to engender trust in these tools as intended.

Rennie, Ellie and Stacey Steele, ‘Privacy and Emergency Payments in a Pandemic: How to Think about Privacy and a Central Bank Digital Currency’ 3(1) Law, Technology and Humans 6–17
Abstract: The economic fallout of the COVID-19 pandemic prompted many governments to provide emergency payments to citizens. These one-off and recurring payments revealed the shortcomings of existing financial infrastructures even as electronic payments replaced cash for everyday expenses. Delays in getting government payments to citizens in many countries focused attention on the potential benefits of central bank digital currencies (CBDCs). This article outlines the social and economic policy choices involved in designing a CBDC and the consequences of these choices for privacy. Priorities including preventing the criminal abuse of the financial system, geopolitical concerns and private sector innovation compete with, and potentially undermine, privacy. We identify and categorize four key privacy risks as ‘losses’ associated with current CBDC models: loss of anonymity, loss of liberty, loss of individual control, and loss of regulatory control.

Restrepo Amariles, David, ‘From Computational Indicators to Law into Technologies: The Internet of Things, Data Analytics and Encoding in COVID-19 Contact-Tracing Apps’ (2021) 17(2) International Journal of Law in Context 261–274
Abstract: This paper investigates the data life-cycle of contact-tracing apps (CTAs) in the context of the COVID-19 pandemic. It highlights the socio-legal implications resulting from the design and technology choices that software developers inevitably make. These choices are often neglected by policy-makers due to the inherent technical complexity of algorithmic decision systems and to certain naive belief in technological solutionism. In particular, this paper shows, first, that technology-harvested data do not reflect an objective representation of reality, and therefore require a context within which to be understood and interpreted for policy and legal purposes; and, second, that the use of data analytics to extract insights from these data enables the production of computational indicators. By looking at how CTAs are used to implement pandemic-mitigation restrictions such as lockdowns, quarantines, social distancing and testing, the paper ultimately brings forth the ways in which technologies – and thus their bias and ways of framing social reality – become embedded in the law.

Richardson, Eric and Colleen Devine, ‘Emergencies End Eventually: How to Better Analyze Human Rights Restrictions Sparked by the COVID-19 Pandemic Under the International Covenant on Civil and Political Rights’ (2020) 42 Michigan Journal of International Law (forthcoming)
Abstract: In the wake of the COVID-19 pandemic, states have been quick to adopt emergency measures aimed at curbing the spread of the virus. However, poorly constructed restrictions threaten to undermine hard won human rights protections and may in fact erode important elements of international human rights law as a result of overreaching implementation or lack of rigorous analysis in how the restrictions are put, and kept, in place. This article analyzes the International Convent on Civil and Political Rights (ICCPR) standards which apply to emergency regulation in times of public health crisis and the tangled morass of legal tests which have been used to balance human rights and emergency restrictions. We argue that in the current pandemic, human rights are best protected when states act under the Article 4 derogation mechanism to put emergency measures in place because it provides opportunities for oversight ensuring the end of emergency restrictions after the crisis subsides and provides certainty as to how states are justifying their emergency measures under the treaty regime. Given that so few states have provided notice of derogation under the ICCPR, this Article also considers what a rigorous analysis would look like when restricting freedom of movement, privacy, and freedom of assembly using the limitation language found in each article, suggesting best practices for better balancing COVID-19-related emergency measures with human rights.

Richens, R Chantz, ‘Privacy in a Pandemic: An Examination of the United States’ Response to COVID-19 Analyzing Privacy Rights Afforded to Children under International Law’ (2021) 28(2) Willamette Journal of International Law and Dispute Resolution 244–290
Extract from Introduction: The important nature of privacy rights and the national interest in these rights, as caused by the COVID-19 pandemic, create a situation where an analysis of children’s privacy rights is long overdue. The United States, a signatory to the CRC, can do more to fulfil its obligations to the CRC and its youngest citizens, specifically in the protections it affords its children’s privacy rights.14 The United States can do so by establishing a greater understanding of and respect for children’s privacy rights through a new legislative undertaking, founded on ideas enshrined in the CRC that children and parents or caregivers 5 can together come to an understanding of children’s rights, making decisions as informed by those rights. In advocating for such an approach, this paper will first discuss the CRC as well as the unique circumstances of the United States’ relationship to the CRC and the United States’ duties as a signatory. In addition, this paper will examine the current approaches the United States has taken to protect children’s privacy rights both before and in light of the 2019 novel coronavirus and the shortcomings therein. Lastly, this paper will advocate for the implementation of a new framework, centered around a presumption that children and parents will work together to reach a greater understanding of children’s role in the legal sphere. This will be informed by an analysis of obligations that have been recommended for states to consider in protecting such legal actors’ right to privacy, specifically concerning identifying data that has quickly become one of the greatest legal concerns in the midst of the pandemic. By so doing, caregivers will be able to help children understand their inherent autonomy as players in the legal arena during especially formative years.

Rix, Ashley, ‘How Data Privacy Regulations Affect Public Corporations That Profit from Consumers’ Data During an Ongoing Pandemic’ (SSRN Scholarly Paper ID 3896785, 3 May 2021)
Abstract: This research project examines how data privacy regulations, such as the California Consumer Protection Act and the General Data Protection Regulation, affect businesses that utilize big data to boost profits through consumer profiling and targeted marketing during an ongoing pandemic. In the current day and age, as a result of the vast growth in technological advancements, people are producing personally identifiable data at an exponential rate. This is becoming of increasing importance as there are businesses whose sole source of income is gathering and selling consumer’s personal data. This information is often so unique to the person that it can be used to predict spending patterns, life choices, daily locations, and intimate details about one’s life. The European Union has a regulation called the General Data Protection Regulation (GDPR), and the state of California has enacted regulations modeled after the GDPR called the California Consumer Protection Act (CCPA). The specific research question is what effect did the enaction and enforcement of the California Consumer Protection Act have on businesses that utilize big data to boost profits through consumer profiling and targeted marketing during the ongoing COVID-19 pandemic.

Rocco, Philip et al, ‘Who Counts Where? COVID-19 Surveillance in Federal Countries’ (2021) Journal of Health Politics, Policy and Law, Article 9349114 (advance article)
Abstract: While the World Health Organization (WHO) has established guidance on COVID-19 surveillance, little is known about implementation of these guidelines in federations, which fragment authority across multiple levels of government. This study examines how subnational governments in federal democracies collect and report data on COVID-19 cases and mortality associated with COVID-19. We collected data from subnational government websites in 15 federal democracies to construct indices of COVID-19 data quality. Using bivariate and multivariate regression, we analyzed the relationship between these indices and indicators of state capacity, the decentralization of resources and authority, and the quality of democratic institutions. We supplement these quantitative analyses with qualitative case studies of subnational COVID-19 data in Brazil, Spain, and the United States. Subnational governments in federations vary in their collection of data on COVID-19 mortality, testing, hospitalization, and demographics. There are statistically significant associations between subnational data quality and key indicators of public health system capacity, fiscal decentralization, and the quality of democratic institutions. Case studies illustrate the importance of both governmental and civil-society institutions that foster accountability. The quality of subnational COVID-19 surveillance data in federations depends in part on public health system capacity, fiscal decentralization, and the quality of democracy.

Rohman, Abdul, ‘A Fused Resistance against State-Sponsored Hacking in Indonesia during COVID-19 Pandemic’ (SSRN Scholarly Paper No 4331462, 1 October 2021)
Abstract: Digital authoritarian practices are on the rise as surveillance technology industries continue to proliferate. Hacking civil society members’ digital and social media platforms has become the most recent phenomenon demonstrating attempts to oppress activists and dissenters. In the Global South, the COVID-19 pandemic has reportedly opened more doors for governments to potentially abuse the power to govern the Internet and online spheres. This article demonstrates a fusion of individual and collective resistance that activists perform in response to the state’s attempt to silence critiques by hacking digital and social media platforms during the COVID-19 pandemic in Indonesia. Individual resistance manifests in the activists’ self-determination to continue the actions they believe will improve society. Collective resistance appears in the emergence of coalitions comprised of different entities sharing a common goal to fight back authoritarian practices.

Rothstein, Mark A, ‘Public Health and Privacy in the Pandemic’ (2020) 110(9) American Journal of Public Health 1374–1375
Abstract: In deciding whether to use certain health information technology in a pandemic, policymakers should analyze and apply the following criteria, which have been derived from principles commonly cited in the public health ethics literature related to public health powers generally and applied to privacy: (1) necessity and effectiveness; (2) proportionality and minimal infringement; (3) purpose limitations; and (4) justice.

Rozenshtein, Alan Z, ‘Digital Disease Surveillance’ (2021) 70(5) American University Law Review 1511–1576
Abstract: The fight against future pandemics will likely involve digital disease surveillance: the use of digital technology to enhance traditional public-health techniques like contact tracing, isolation, and quarantine. But legal scholarship on digital disease surveillance is still in its infancy. This Article fills that gap. Part I explains the role that digital disease surveillance could have played in responding to coronavirus, and the role it likely will play in future infectious-disease outbreaks. Part II explains how the ‘special needs’ exception to the Fourth Amendment’s warrant requirement permits almost any rationally designed disease surveillance program. Part III suggests safeguards beyond what Fourth Amendment doctrine currently requires that could protect rights without diminishing surveillance effectiveness, including review for effectiveness and equality, procedural requirements, and periodic legislative authorization. Part IV proposes a mixed standard for judicial review: courts should require these safeguards under an evolving understanding of Fourth Amendment reasonableness while tempering their review with deference to the political branches. Part IV concludes by outlining how the doctrinal evolution spurred by digital disease surveillance programs—the development of a ‘special needs with bite’ standard—might advance a key research agenda in criminal procedure: how to apply the Fourth Amendment to modern, data-driven surveillance regimes.

Saki, Otto, ‘Data Protection in Zimbabwe with Reference to the Covid-19 Pandemic and International Law’ (2024) 27 Potchefstroom Electronic Law Journal 1–38
Abstract: The corona virus that caused the COVID-19 disease defied geographical boundaries, spreading faster than the measures to contain its transmission. The processing of personal health-related data became widespread as a measure to respond to the pandemic. This triggered new concerns about the possibility of there being a data crisis. Individuals suspected to be infected by COVID-19 were forced to undertake mandatory testing that involved the collection of health-related data. To limit the spread of the disease, the collection of personal data extended to secondary contacts. Personal health-related data are very prone to abuse, and this data included secondary data inconsistent with initial collection purposes. Admittedly, such risks are not new. Prior to the pandemic, health-related data were processed through electronic health (e-health) platforms. The health-related data processing methods during the pandemic were insufficient to meet the data protection principles of consent, transparency, purpose and storage, potentially violating the right to privacy. Globally, expectations are that countries should have data protection laws informed by established principles regulating the processing of personal data. While, Zimbabwe had not enacted the Cyber and Data Protection Act (CDP Act), which lists some of the data principles, this paper relies on existing laws to determine whether Zimbabwe is still abiding by constitutional and international human rights standards in protecting personal data privacy. The paper examines the development of data principles and their application in Zimbabwe in respect of health-related data protection during the pandemic. The paper 1) analyses the existing laws and their protection of personal health-related data; 2) explores the incorporation of data principles in COVID-19-related responses including in national laws as informed by international laws; and 3) highlights the gaps in both law and practice as they relate to the handling of personal health-related data in Zimbabwe during the pandemic. The paper concludes that even if the existing laws on data privacy were not comprehensive and even if the CDP Act came too late, the global regulations, the sectoral laws and other guidance accessible to Zimbabwe in responding to the pandemic would have sufficed to avert a data pandemic during the health pandemic and allowed Zimbabwe to be compliant with international data protection standards.

Sander, Barrie and Luca Belli, ‘COVID-19, Cyber Surveillance Normalisation and Human Rights Law’ in Barrie Sander and Jason Rudall (eds), Opinio Juris Symposium on COVID-19 and International Law (2020)
Extract from Introduction: In this post, we focus on one set of practices in particular – cyber surveillance – and critically reflect on human rights law as a framework and a terrain of contestation for shaping the future of surveillance practices both during and in the aftermath of the COVID-19 crisis.

Sarabdeen, Jawahitha, ‘Health Data Privacy During Pandemic: Benefiting from Heath Data Without Compromising Health Data Privacy’ (2021) Heliyon (forthcoming)
Abstract: Health emergency during COVID-19 caused health authorities and authorized organisations to widely collect, store, transmit and use health data for research and public health purposes. Such use may limit the right to data privacy for the purpose of prevention of spread of decease and protection of public health. The limitation of data privacy, however, should have an appropriate balance. The European Union (EU) member countries are pioneers in implementing better data privacy protection. The EU member countries’ data privacy in general is enshrined in the European Convention on Human Rights (ECHR) (Council of Europe 1950), the Charter of Fundamental Rights of European Union (CFREU) and Data Protection Regulation 2018 (GDPR). The pandemic created an opportunity to look at the existing EU laws, regulations, and guidelines to understand the proportionate use of health data for public health in case of emergency. In Canada, privacy laws in general are non-harmonized for different categories of entities: private sector, public sector, and health sector entities. In the light of COVID-19, the regulators leaned towards creating exceptions in using, storing, and transmitting the health data for clinical and research purposes internally and internationally. Nonetheless, there is no clear guidance on how the usage is going to be balanced against competing interests. Saudi Arabia has provided protection for personal data in addition to limitation of such protection in case of national and international crisis as well. However, there is no provisions on how the limitation would be exercised and time limit of such limitation. Hence this research will analyse various laws and regulation in EU, Canada, and Saudi Arabia with a view to encapsulating the proposition of standard that could be used in enhancing public health by benefiting from heath data while ensuring acceptable protection of personal health data privacy.

Savona, Maria, ‘The Saga of the Covid-19 Contact Tracing Apps: Lessons for Data Governance’ (University of Sussex, Science Policy Research Unit, SPRU Working Paper Series No 2020–10, July 2020)
Abstract: This note selectively unpacks the rapid evolution of the (Western) debate around the opportunity to deploy contact tracing apps, alongside other digital tools such as apps for symptoms sharing and immunity certificates to mitigate the Covid-19 pandemics. I do so from the perspective of a social scientist interested in the implications of the development of digital tools at times of emergency in terms of data governance. I argue that a more articulated reflection is needed towards the development of a healthy institutional structure that regulates the role of large tech platforms, such as Google and Apple (G&A), and public institutions, in governing data, particularly when health data and public value are involved. I unravel the saga of contact tracing apps in the UK and EU, looking at the technical, legal and ethical aspects and I attempt to draw more general lessons for data governance.

Scassa, Teresa, Jason Millar and Kelly Bronson, ‘Privacy, Ethics, and Contact-Tracing Apps’ in Colleen M Flood et al (eds), Vulnerable: The Law, Policy and Ethics of COVID-19 (University of Ottawa Press, 2020) 265
Abstract: Data and analytics are being enlisted to play a role in understanding and preventing the spread of COVID-19. This chapter focuses on digital ‘apps,’ which are being deployed by governments around the world to supplement the manual contact-tracing efforts typically performed by public health officials. Contact-tracing apps have been developed rapidly, with little time for user testing, and their adoption raises important privacy and ethical concerns. In this chapter, we outline some of these potential concerns. We begin by tracing the history of contact tracing as a pre-digital, or manual, method and then detail the current contact-tracing efforts, distinguishing among different types of apps and data use approaches. We then draw from our complementary expertise in law, ethics, and sociology to outline potential risks of contact-tracing apps along these dimensions. Risks include misuse of personal data for surveillance and insufficient uptake leading to inaccurate information for individuals, which could lead to increased infection. Risks also include differential access and thus the reproduction of vulnerability among marginalized communities. Overall, the chapter identifies issues relevant to the responsible development and use of big data and AI for COVID-19 mitigation efforts.

Schmit, Cason, Brian Larson and Hye-Chung Kum, ‘Data Privacy in the Time of Plague’ (SSRN Scholarly Paper ID 3968130, 20 November 2021)
Abstract: Data privacy is a life-or-death matter when it comes to public health. From late fall 2019 until summer 2021, two series of events unfolded, one that everyone was talking about, and one that hardly anyone noticed. The most reported news story of that period related to the greatest world-health crisis in at least 100 years, the COVID-19 pandemic. Meanwhile, in a story that received next to no news attention, the Personal Data Protection Act Committee of the Uniform Law Commissioners in the United States was busy working on a new model law. By July 2021, each of these stories had reached a turning point. In the developed, Western world, most people who wanted to receive the vaccine against COVID-19 could do so, and nearly 60% of people in the United States had received at least one vaccine dose. Nevertheless, the COVID pandemic surged in late summer. Meanwhile, the Uniform Law Commission adopted the Uniform Personal Data Protection Act (UPDPA) at its annual meeting, paving the way for state legislatures to consider adopting the uniform act in 2022 legislative sessions. At roughly the same time, Virginia and Colorado state legislatures also adopted comprehensive data privacy acts.These stories intersect in the public-health space. Public health researchers struggled with COVID-19 in the United States because they lacked information about individuals who were exposed and their contacts, among other matters. When the next pandemic arrives (and it is almost certain to do so), public health researchers will again have a critical need for access to personal data to monitor the progress of the disease and identify and implement population and individual interventions. In the meantime, understanding existing public health threats (e.g., obesity, opioid abuse, racism) requires leveraging and linking diverse data on the contributing social, environmental, and economic factors. The UPDPA does not clear the dense underbrush of barriers resulting from the patchwork of federal data privacy laws that interfere with public health practice and research. But it does provide an important route forward for public health, the full potential of which can be achieved only with active involvement of public health researchers and professionals. This article provides a conceptual framework for analyzing the regulation of uses of personal data and for public health and applies those frameworks to an analysis of UPDPA and other comprehensive state privacy statutes, focusing particularly on the ways that state adoption of UPDPA could promote—and hinder—public health. It concludes with recommendations for public health researchers and professionals to get involved in upcoming legislative debates on data privacy. Lives will depend on the outcomes.

Segal, Eran et al, ‘Building an International Consortium for Tracking Coronavirus Health Status’ (2020) 26(8) Nature Medicine 1161–1165
Abstract: We call upon the research community to standardize efforts to use daily self-reported data about COVID-19 symptoms in the response to the pandemic and to form a collaborative consortium to maximize global gain while protecting participant privacy.

Sekalala, Sharifah et al and Ma 02115 +1495‑1000, ‘Analyzing the Human Rights Impact of Increased Digital Public Health Surveillance during the COVID-19 Crisis’ (2020) 22(2) Health and Human Rights Journal 7–20
Abstract: The COVID-19 pandemic has led policy makers to expand traditional public health surveillance to take advantage of new technologies, such as tracking apps, to control the spread of SARS-CoV-2. This article explores the human rights dimensions of how these new surveillance technologies are being used and assesses the extent to which they entail legitimate restrictions to a range of human rights, including the rights to health, life, and privacy. We argue that human rights offer a crucial framework for protecting the public from regulatory overreach by ensuring that digital health surveillance does not undermine fundamental features of democratic society. First, we describe the surveillance technologies being used to address COVID-19 and reposition these technologies within the evolution of public health surveillance tools and the emergence of discussions concerning the compatibility of such tools with human rights. We then evaluate the potential human rights implications of the surveillance tools being used today by analyzing the extent to which they pass the tests of necessity and proportionality enshrined in international human rights law. We conclude by recommending ways in which the harmful human rights effects associated with these technologies might be reduced and public trust in their use enhanced.

Selby, John, ‘The Efficacy, Equity and Externalities of Australia’s COVIDSafe App as a Policy Intervention during the COVID-19 Pandemic: Was It Sunscreen or Tanning Lotion?’ (2021) 44(4) UNSW Law Journal 1584–1618
Abstract: Digital contact tracing apps, such as the COVIDSafe App in Australia, have been rapidly implemented by many governments as a public policy solution to increase the efficiency of health screening testing during the COVID-19 viral pandemic. This article analyses how the COVIDSafe App’s unresolved efficacy and equity issues and the cybersecurity and privacy externalities it imposes onto Australians have prevented the App from making a significant positive contribution towards reducing the impact of the pandemic in Australia. It attributes some of the failure of Bluetooth-based digital contract tracing apps to their mis-characterisation as a Lessigean ‘code as law’ policy response, arguing instead that such apps are more complex and fragile cyber-physical systems requiring more analysis prior to implementation.

Sella-Villa, David, ‘The COVID-19 Pandemic One Year On: Finding Balance Between Privacy and Public Health’ (2021) 77 The Business Lawyer (forthcoming)
Abstract: During the COVID-19 pandemic stay-at-home orders and social distancing requirements limited the possibility of safe and lawful in-person interactions for over a year. Many people in the United States responded to these circumstances by resisting challenges to their sense of decisional privacy – ‘non-interference in one’s decisions and actions.’ Instead, they chose to relinquish some data privacy by sharing both new and existing types of data about themselves in efforts to enjoy the simulacrum of human contact.Use of digital services that helped approximate in-person interactions increased dramatically. Video conferencing features in Zoom and dating apps, for example, collected new types of data about people and offered novel means by which information once exchanged primarily in person could be collected, processed, and stored. Privacy and data protection jurisprudence has helped address the circumstances where an individual’s privacy interests may have been compromised. An overview of the privacy litigation involving Zoom (Part II) provides an illustrative example of some of the privacy consequences of the pandemic.Many people have been very reluctant to share data in more collective efforts at fighting the COVID-19 pandemic. Attempts at adding a digital layer to activities traditionally perceived to be data-light met strong resistance (Parts III and IV). Decisional privacy and data privacy are compromised when some combination of infection, vaccination, location, and demographic data are aggregated, processed, and shared. Discussions of the limited successes of tracking apps and policies related to the administration of COVID-19 vaccine show that privacy interests during the pandemic may have trumped public health concerns.

Sella-Villa, David, ‘An Early Evaluation of the Privacy Impacts of the COVID-19 Pandemic’ (2021) 76 Business Lawyer 261
Abstract: At the time of this writing in mid-2020 the COVID-19 pandemic has gripped the world and frustrated health experts. In the interest of ‘flattening the curve’ of new cases, state and local government officials have implemented a variety of legal measures including stay-at-home orders, social distancing requirements, and mandates to wear masks in public. These legal responses to the pandemic have created both new sources of data about people and new avenues for accessing existing data that may have been difficult to access before the pandemic. This survey will address four common scenarios related to these data streams that these policies have fostered. The impact of these data streams on people’s privacy is just starting to be understood. The term ‘privacy’ in this survey refers to an individual’s ability to control disclosure of her personally identifiable information. This survey explores some early answers to the question of how the COVID-19 pandemic has impacted people’s privacy in the U.S context.

Sessa, Carmelina, ‘Coronavirus and Effects on the Rule of Law: How Fundamental Rights Live with Mass Surveillance Technologies in Democratic Systems – An Analysis of Europe and Italy in a Global View’ (2021) 8(1: Covid Special Issue) IALS Student Law Review 47-56
Abstract: In the management of the Coronavirus Pandemic, law is called to play a synergistic role with the science to guarantee the public order and safety. In the European context Italy is to be examined, i.e. the first state in Europe to launch containment measures of the spread of the virus and to protect public health. Through a comparative approach, the purpose here is to examine the assumptions and the impact of the emergency legislation on the Italian democratic system. Evaluating within what limits fundamental human rights and freedoms’ compression can be legitimated on a national and international basis in exceptional events allow to analyse the relative reflections on the rule of law. Finally, the discussion focuses on the compatibility of using mass surveillance technologies on the International and European regulatory framework where balancing techniques and the principle of proportionality represent the core in framing the regulatory activity. Despite undoubted short-term benefits, the concern is to safeguard both the protection of personal data and health, in the face of this ‘invisible enemy’, considering that the link between emergency regulation and prolonged compression of rights in technological innovation requires special attention.

Shabani, Mahsa, Tom Goffin and Heidi Mertes, ‘Reporting, Recording, and Communication of COVID-19 Cases in Workplace: Data Protection as a Moving Target’ (2020) 7(1) Journal of Law and the Biosciences Article lsaa008
Abstract: In response to concerns related to privacy in the context of coronavirus disease 2019 (COVID-19), recently European and national Data Protection Authorities (DPAs) issued guidelines and recommendations addressing a variety of issues related to the processing of personal data for preventive purposes. One of the recurring questions in these guidelines is related to the rights and responsibilities of employers and employees in reporting, recording, and communicating COVID-19 cases in workplace. National DPAs in some cases adopted different approaches regarding duties in reporting and communicating the COVID-19 cases; however, they unanimously stressed the importance of adopting privacy-preserving approaches to avoid raising concerns about surveillance and stigmatization. We stress that in view of the increasing use of new data collection and sharing tools such as ‘tracing and warning’ apps, the associated privacy-related risks should be evaluated on an ongoing manner. In addition, the intricacies of different settings where such apps may be used should be taken into consideration when assessing the associated risks and benefits.

Sharma, Tanusree and Masooda Bashir, ‘Use of Apps in the COVID-19 Response and the Loss of Privacy Protection’ (2020) 26(8) Nature Medicine 1165–1167 < https://www.nature.com/articles/s41591-020-0928-y >
Abstract: Mobile apps provide a convenient source of tracking and data collection to fight against the spread of COVID-19. We report our analysis of 50 COVID-19-related apps, including their use and their access to personally identifiable information, to ensure that the right to privacy and civil liberties are protected.

Sheehan, Brian, ‘GDPR Rules “Do Not Hinder” Measures Taken in Covid-19 Fight’ (2020) 14 Industrial Relations News 23–24
Abstract: Discusses the European Data Protection Board (EDPB)’s guidelines on the processing of personal data in the context of emergency measures taken by governments and public and private organisations throughout Europe to contain and mitigate COVID-19. Note: the Statement referred to in this article is the European Data Protection Board, ‘Statement on the Processing of Personal Data in the Context of the COVID-19 Outbreak, Adopted on 19 March 2020’.

Sihombing, Eka NAM, Cynthia Hadita and Muhammad Yusrizal Adi Syaputra, ‘Legal Securities Against Privacy Data for Covid-19 Patients in Indonesia’ (2021) 4(1) Veteran Law Review 35–52
Abstract: The dilemma of disclosing patient privacy data to the public is faced with a consolidation like two sides of the currency. If opened, it will make it easier to know the contact tracing of covid-19 patients to minimize the potential of others infected. However, on the other hand, patient privacy data needs to be protected as guaranteed by the constitution and its various degradations.

Silberberg, Cecilia I, ‘Legal Strategy to Safeguard the Right to Personal Data Protection in Future Epidemics’ in Shinya Murase and Suzanne Zhou (eds), Epidemics and International Law (Brill Nijhoff, 2021) 367

Singhh, Arunender, ‘Protection of “Digital Rights” Amid Fight Against COVID-19: The Missing Responsibility of ICTs Platforms’ (Afronomicslaw COVID-19 Symposium on International Economic Law in the Global South (May 2020), Symposium II: Intellectual Property, Technology and Agriculture)
Introduction: It is often stated that the new technology is changing what it means to be human. The digital world is rapidly transforming society. On the one hand, it allows unprecedented advances in the human conditions and at the same time gives rise to profound new challenges. Social media is a dominating force in modern social life as internet technology has taken hold of our cyber-driven society. The oft-use of information and communication technology (ICT) to fight the battle against Covid-19 crisis has opened up new challenges for the governments, especially, for populous countries like India. There are genuine concerns that fake news has assumed a pernicious character that is harmful to citizens and society at large. The use of big data in the global world has come to stay with ICT corporations commonly using data analytics to forecast customer preferences, boost their productivity and improve decision-making. It appears that big data may have a huge positive effect in defeating Covid-19, by promoting efficiency, monitoring health security and enhanced services, but that it might also result in discrimination, privacy violations, and other chilling effects…. In this trying times these developments have squarely brought under the scanner the role and legal responsibility assumed by the ICTs platforms.

Sircar, Tuisha and Pranav Menon, ‘Trace, for What, How and Whom? Deconstructing Aarogya Setu’s Data Protection Safeguards Using Actor Network Theory’ (SSRN Scholarly Paper ID 3778863, 3 February 2021)
Abstract: The COVID-19 pandemic has exacerbated the policy solutionism to deploy digital contact tracing tools. This study seeks to adopt the Actor Network Theory to dissect India’s contact tracing application- The Aarogya Setu app. Using Bruno Latour’s methodology this study highlights the need to locate the privacy implications that affect the users’ locational and bodily integrity. There is a need to move beyond the technological determinism with which the state locates the usage of such applications, marginalising certain bodies over others. The delegation of authority to contact trace by the state to the app and subsequent actants is a facet that has been explored in this piece. Moroever, there is an aspect of choice which creates an unconditional obligation on some bodies and does not on others to download the app to access public services and fulfill other commitments like employment. This study has relied on a posthumanistic lens to argue that the anthropomorphized app exhibits the agency rooted within hindutva nationalism and self-securitization. Thus the transfer of personal information into the app not merely promulgates control over bodies but severely impacts the decisional autonomy of users who are forced to negotiate with the app. The aarogya setu application has inbuilt faulty design injustice induced in order to create inequality where there already is. The privacy element and its implications has been looked upon as the ‘law of the excluded middle’ that provides a way out of the obligation that the app as well as the state actant creates on users and non-users. Thus, this piece seeks to call for a resistance of such modes of e-governance and surveillance that is mediated through applications such as the Aarogya Setu.

Siregar, Fitriyani Dewi and Muhammad Yusrizal Adi Syaputra, ‘Legal Protection of Data Security of E-Commerce Applications During the Covid-19 Pandemic’ (2021) 2(2) NOMOI Law Review 252–264
Jurisdiction: Indonesia
Abstract: The rapid progress in the field of information technology has contributed greatly to the development of the world of information and electronic transactions. The security of consumer personal data that enters e-commerce data should be a guarantee given by the company to its consumers. This study aims to find out the legal protection for data/information security of e-commerce application users during a pandemic. This study uses normative legal research with analytical descriptive methods to explain, describe, and correlate legal regulations and theories with the problems that occur. Data analysis was carried out qualitatively. The results of the study indicate that the electronic system operator must ensure the availability of service level agreements, the availability of information security agreements for the information technology services used; and security of information and means of internal communication held. Then, the operator of the electronic system must ensure that each component and the integration of the entire electronic system operates properly. Especially in the era of the covid-19 pandemic, it is appropriate that the regulation of personal data protection can be immediately upgraded to the level of the law.

Slinn, Ben, ‘What’s in Store for Contact Tracing Apps in the UK?’ (2020) 110(July) Privacy Laws & Business United Kingdom Newsletter 10–12
Abstract: Examines data protection considerations relevant to the use of contact tracing apps, focusing on the position of the Information Commissioner’s Office, which favours a decentralised approach with processing focused on users’ devices, and the European Data Protection Board. Notes the steps taken by the European Commission in relation to contact tracing apps and the status of the UK app.

Staunton, C, ‘ACT-Accelerator Data Governance Framework: Balancing Individual Rights with the Public Interest in Responding to COVID-19’ (2021) 14(1) South African Journal of Bioethics and Law 4–5
Abstract: COVID-19 is a global pandemic, and the world’s first ‘digital pandemic’. The response to the disease has seen the development of digital tools to track, trace and analyse the virus, and we have seen a rapid scale-up in the use of digital health. An effective COVID-19 response is contingent on timely access to personal data. These data can be used to identify COVID-19 hotspots and guide national and localised responses, but importantly, can also be used in the development of tests, treatments and vaccines. The use of these personal data in responding to COVID-19 is essential, but their use impacts the right to privacy and risks stigmatising and discriminating against individual, group and minority populations. Other risks can also arise depending on the context in which the personal data are used, and the vulnerabilities of the individual or population. There is a clear public interest in enabling access to, sharing and use of personal data to respond to COVID-19, but there is an equally clear public interest in ensuring that the use of these personal data is rooted in human rights, including the right to privacy, the right to health and life and the right to economic and social development. Thus the use of personal data during COVID-19 brings to the fore a critical question in access to and use of personal data: how do we balance individual rights with collective interests in the use of personal data to respond to a public health crisis?

Stefoudi, Dimitria, ‘Space Data in the Fight against Pandemics: Privacy Concerns and Sharing of Benefits from the Use of Space Technology for Decision-Making’ (2020) 45(Special issue) Air and Space Law 108–121
Abstract: The fast and continuous collection and distribution of information are essential for decisionmaking in the first-response phase, as well as in the constant monitoring during and after the peaks of the Coronavirus Disease-2019 (COVID-19) outbreak. Particularly in times of emergency that require immediate reaction on behalf of local and global authorities, it is important that their reaction is based on reliable information. The unique features of satellite technology, which enable the steady flow of accurate near real-time data, have granted it a vital role in the fight against the COVID-19 pandemic. This article will address the uses of space data for public health and their legal implications, particularly in terms of privacy and access to data.

Stevens, Hallam and Monamie Bhadra Haines, ‘TraceTogether: Pandemic Response, Democracy, and Technology’ 14(3) East Asian Science, Technology and Society 523–532
Abstract: On 20 March 2020, in the midst of the COVID-19 pandemic, the Singapore government released a new app called TraceTogether. Developed by the Ministry of Health, SG United, and GovTech Singapore, the app uses the Bluetooth capability of smartphones to store information about other smartphones that have come into close proximity with your own. These data facilitate the government’s process of ‘contact tracing’ through which they track those who have potentially come into contact with the virus and place them in quarantine. This essay attempts to understand what kinds of citizens and civic behavior might be brought into being by this technology. By examining the workings and affordances of the TraceTogether app in detail, the authors argue that its peer-to-peer and open-source technology features mobilize the rhetorics and ideals of citizens science and democratic participation. However, by deploying these within a context that centralizes data, the app turns ideals born of dissent and protest on their head, using them to build trust not within a community but rather in government power and control. Rather than building social trust, TraceTogether becomes a technological substitute for it. The significant public support for TraceTogether shows both the possibilities and limitations of citizen science in less liberal political contexts and circumstances.

Steytler, M and DW Thaldar, ‘Public Health Emergency Preparedness and Response in South Africa: A Review of Recommendations for Legal Reform Relating to Data and Biological Sample Sharing’ (2021) 14(3) South African Journal of Bioethics & Law 101–106
Abstract: COVID-19 exposed flaws in the law regulating the sharing of data and human biological material (HBM). This poses obstacles to the epidemic response, which needs accelerated public health research and, in turn, efficient and legitimate HBM and data sharing. Legal reform and development are needed to ensure that HBM and data are shared efficiently and lawfully. Academics have suggested important legal reforms. The first is the clarification of the susceptibility of HBM and HBM derivatives to ownership, including, inter alia, the promulgation of a revised version of the South African Material Transfer Agreement (SA MTA) by the Minister of Health. This would remove uncertainty regarding the current SA MTA’s perpetual donor ownership clause. The second is the development of data trusts, the adoption of open access to research data, and the creation of an African ‘data corridor’. This would ensure that data are protected while allowing for the efficient transfer of data between researchers for the collective good and in the interest of the public. The third is the amendment of the Space Affairs Act to extend the powers of the Council of Space Affairs to include the management of data collected through the utilisation of Earth observation and geographical information systems. This would ensure the protection of outer space data, legislating its use and sharing once it lands on Earth. The implementation of these legal reforms and developments will better prepare SA to face future epidemics from a health research perspective.

Stock, Melissa, ‘Facial Recognition and Detection Technology: Developments and Challenges’ (2020) 25(3) Computer and Telecommunications Law Review 161–166
Abstract: Highlights the privacy risks posed by facial recognition and detection technology, including the potential for fraud and other criminal misuse, and errors in detection, particularly among Asian or African ethnic groups and women. Explores legal challenges relating to the use of face recognition brought in the UK, Sweden, France, Belgium, and the US. Considers the role digital surveillance has played in tackling the coronavirus pandemic.

Stoeger, Karl and Martina Schmidhuber, ‘The Use of Data from Electronic Health Records in Times of a Pandemic—a Legal and Ethical Assessment’ (2020) 7(1) Journal of Law and the Biosciences Article lsaa041
Introduction: National electronic health record (EHR) systems containing more or less comprehensive data on a person’s medical history have recently become increasingly popular, as they enable different healthcare providers to treat a patient more accurately by sharing all available health data on this person. At the same time, this comprehensive accessibility of health data raises concerns with respect to data protection. A possible answer to these concerns is the implementation of voluntary participation, be it in the form of an opt-in or an opt-out regime. Another strategy chosen by certain EHR system operators is to limit access to personal data to health care providers treating the patients, while state institutions are usually not allowed access to personal data3in EHRs. Such EHR systems which are as a result ‘controlled’ by the patient (either through an opt-in or an opt-out decision concerning all or parts of the content), have been established particularly in parts of Europe. Currently, EHR systems based on an opt-in or opt-out scheme are in operation or about to be established in more than ten European states.Introduction: National electronic health record (EHR) systems containing more or less comprehensive data on a person’s medical history have recently become increasingly popular, as they enable different healthcare providers to treat a patient more accurately by sharing all available health data on this person. At the same time, this comprehensive accessibility of health data raises concerns with respect to data protection. A possible answer to these concerns is the implementation of voluntary participation, be it in the form of an opt-in or an opt-out regime. Another strategy chosen by certain EHR system operators is to limit access to personal data to health care providers treating the patients, while state institutions are usually not allowed access to personal data3in EHRs. Such EHR systems which are as a result ‘controlled’ by the patient (either through an opt-in or an opt-out decision concerning all or parts of the content), have been established particularly in parts of Europe. Currently, EHR systems based on an opt-in or opt-out scheme are in operation or about to be established in more than ten European states.

Stojanović, Aleksandar et al, ‘Law and Political Economy of China’s Early Pandemic Response: Limited Economic Support and Insulation’ in Aleksandar Stojanović, Luisa Scarcella and Christina R Mosalagae (eds), The First 100 Days of Covid-19: Law and Political Economy of the Global Policy Response (Springer Nature, 2023) 15–54
Abstract: In this chapter we identify several significant aspects of the ongoing policy transformation in China. Firstly, combating the pandemic allowed for policy justification through a specific type of ‘state of war’ narrative instead of referring to legal rules, which were unclear. It also led to a shift in the utilization of surveillance practices from a national, hierarchical and visible level, to a social, fluid, and less visible one. Moreover, unlike in the West, the least significant change has been observed in the domain of economic policy. Instead of a less discriminate liquidity supply approach taken in the West, China’s policy makers opted for a set of highly targeted fiscal, monetary and procurement measures in order to ensure the stability of the financial markets, relieve pressures on the real economy and secure employment. The measures were rolled out over a brief period of time (although not as large as in the EU or US) and were retracted significantly faster.

Stojanović, Aleksandar, Lauren Sweger-Hollingsworth and Dashiell Anderson, ‘Reinforcement of Economic Inequality and Extra Economic Power—Law and Political Economy of the US Pandemic Policy Response’ in Aleksandar Stojanović, Luisa Scarcella and Christina R Mosalagae (eds), The First 100 Days of Covid-19: Law and Political Economy of the Global Policy Response (Springer Nature, 2023) 463–506
Abstract: In this chapter, by adopting a Law and Political Economy (LPE) approach, we show that the US policy response resulted in increased inequalities. Moreover, economic policy was the main tool used by the federal government to tackle the pandemic and it was used in a manner reflective of existing power structures. As policy measures assisted the private sector and the owners of capital before workers; and big business and the stock market were prioritized, the existing power structures were entrenched. Additionally, major contradictions plagued the balance of powers and representation by democratically-elected individuals. Declarations of emergencies within individual States granted excess powers to governors and the emergency circumstances allowed experts great decision-making powers. State governments partnered with the private sector for surveillance and control measures, often with the state outsourcing the enforcement of these measures to the private sector. The pandemic allowed for an unprecedented rise in the surveillance of private citizens, by state and local governments and employers.

Struensee, Von and Susan, ‘Mapping Artificial Intelligence Applications Deployed Against COVID-19 Alongside Ethics and Human Rights Considerations’ (SSRN Scholarly Paper ID 3889441, 4 July 2021)
Abstract: This article presents an extensive and global survey on the use of Artificial Intelligence (AI) to address the COVID-19 epidemic and a comprehensive discussion of the ethical and human rights implications of AI’s deployment during the pandemic. AI applications contributed to the COVID-19 response including through early warnings and alerts; tracking and prediction; diagnosis and prognosis; drug treatments; and social and medical management. There are human rights issues and ethical risks to consider with these uses of AI technology, for example, equality, non-discrimination and accessibility – particularly as they impact on gender, ethnicity, locality, and wealth. To understand risks before relying on such methods, we must assess whether data can be collected any more effectively from people in remote or disadvantaged areas than with the traditional methods. Other questions would include whether information is gathered equally from women and men, and older people; do all ethnicities have equal access to phones and mobile data; and does the cost of internet access and data use discriminate against poorer people?While the ‘coronacrisis’ advanced AI-based responses to global health emergencies, this wide-reaching AI capacity, raises an array of ethical and human rights challenges. The need for governments to act quickly and globally in tackling the coronavirus resulted in unprecedented practices amid a lack of public trust. AI technologies assisted governments to curb the global epidemiological threat. Yet, the application of these tools threatened fundamental rights. AI based interventions such as contact tracing raised valid fears of ‘surveillance creep’. Global human rights are implicated in the measures targeting the spread of COVID-19-related misinformation. Concern over the impact of the internet as a carrier of fake news amplified during COVID-19. Conspiracy theories and alternative narratives mushroomed all over the world. While some fears of misinformation in the current context are valid, the pandemic resulted in an unprecedented global crackdown on freedom of expression. AI applications during the pandemic challenged widely-held commitments to privacy, autonomy, and civil liberties. The ‘coronacrisis’ was viewed by some as a perfect storm to undermine rights to privacy, as effected by surveillance, and freedom of expression. Tech-based responses to COVID-19 included drone surveillance, facial recognition technologies, contact-tracing and quarantine-enforcement apps. With no expiration date or sunset clauses in sight for these technologies’ deployment, there are concerns that these surveillance measures could deteriorate privacy further and long-term.While AI is a powerful tool, humans remain central in evaluating and interpreting its output and its ethical application. Human input, across disciplines, remains needed for the optimal application of AI against COVID-19 and other contexts. Overcoming the lack of data needed to optimize AI as a pandemic tool will require a careful balance between data privacy and public health. Increasing diagnostic data is valuable and essential to save lives, train AI, and harness AI for other public health applications. Due to the technical, ethical, and human rights risks, AI must develop alongside human rights and ethical considerations.

Sulistyandari and Putri Ayu Sutrisno, ‘Legal Aspects and Role of Ojk in Bank Digital by Digital Banking Services During Post-Covid 19 Pandemic in Indonesia’ (2023) 11(12) Journal of Law and Sustainable Development e2364–e2364
Jurisdiction: Indonesia
Abstract: The purpose of this research is to analyze the implementation of bank digital by digital financial services that are able to maintain bank secrecy and personal data security; and to analyze the application of prudent banking principles in the implementation of bank digital by digital services in Indonesia; and it also aim to analyze the role of the OJK in regulating and supervising Bank Digital by digital services post Covid 19 pandemic.

Sundquist, Christian, ‘Pandemic Surveillance Discrimination’ (2021) 51 Seton Hall Law Review 1535–1547
Abstract: The COVID-19 pandemic has laid bare the abiding tension between surveillance and privacy. Public health epidemiology has long utilized a variety of surveillance methods—such as contact tracing, quarantines, and mandatory reporting laws—to control the spread of disease during past epidemics and pandemics. Officials have typically justified the resulting intrusions on privacy as necessary for the greater public good by helping to stave off larger health crisis. The nature and scope of public health surveillance in the battle against COVID-19, however, has significantly changed with the advent of new technologies. Digital surveillance tools, often embedded in wearable technology, have greatly increased the ability of governments and private corporations to monitor large sections of society while collecting massive amounts of personally identifiable data from millions of persons around the world—often with little to no regulatory oversight (or legal limits) on how that information may be later used. Surveillance responses to public health crises have also historically, disproportionately, targeted racialized communities, leading to a normalization of both racial discrimination and inequality. The world certainly must use all means to end the devastating COVID-19 pandemic. We also need to be careful, however, to not undermine individual privacy rights or engage in racialized responses to the current crisis. This Essay examines the discord between public health surveillance and privacy rights and argues that the bio-surveillance technologies being used to respond to the COVID-19 pandemic—such as contact tracing apps, GPS ankle monitors and other wearables, the collection of cell phone location data, genomic testing, and targeted quarantines—can potentially exacerbate discrimination against racial minorities and immigrants. The Essay concludes with legal and policy solutions on how to utilize public health surveillance tools to prevent the spread of COVID-19 while guarding against privacy violations and racial bias.

Sureani, Nurkhairina Binti Noor et al, ‘The Adequacy of Data Protection Laws in Protecting Personal Data in Malaysia’ (2021) 6(10) Malaysian Journal of Social Sciences and Humanities (MJSSH) 488–495
Abstract: With the burgeoning technology, Malaysia has seen a staggering number of data breaches and data leaks within this past decade alone, with no signs of the trend decreasing. This has raised questions on whether the Personal Data Protection Act 2010 (PDPA) adequately protects the personal data of Malaysians. With the recent COVID-19 pandemic, data has been collected on a larger scale than before, with more frequent data leaks occurring. Hence, this study aims to analyse the adequacy of the PDPA by benchmarking it to the United Kingdom’s (UK) Data Protection Act 2018, which have seen a decrease in data breaches since the implementation of the new legislation. In this context, personal data refers to information processed or recorded that relates directly or indirectly to a data subject, who may be identified from the information and may include sensitive personal data. The study uses a doctrinal analysis methodology to best explore the ideas and concepts within the literature available regarding the protection of personal data. The study also employs a comparative analysis methodology by comparing the scope and application of Malaysian and UK legislation for benchmarking. The findings suggest that there are improvements to be made for the PDPA to be adequate.

Susanto, Deny, ‘Sharia-Based Legal Formula for Personal Data Protection in the Financial Services Industry Post-Covid-19 Pandemic’ (2022) 1(04) BULLET: Jurnal Multidisiplin Ilmu 545–552
Abstract: As a country with a substantial Muslim population, Indonesia provides a market for sharia-based financial firms. Corporate organizations, minimal liability companies, seek the most effective way to promote business growth. One objective is to develop its digital ecosystem for the financial services industry, including banking, insurance, capital markets, and non-bank financing organizations. The most crucial factor is the corporation’s attempts to deliver effective and efficient services in response to the community’s demands as the number of Covid-19 cases continues to fall and the economy begins to improve. This study aims to examine the perspectives on formulating the right and applicable law for the protection of personal data in the management conducted by corporations in the sharia-based financial services sector in Indonesia during the Covid-19 pandemic as post-pandemic expectations. Covid-19 examines law enforcement for potential personal data violations on technology users by businesses. Finding an appropriate and effective legal formulation that can be fundamentally applied in the form of fair regulations and in accordance with sharia values in parallel is the result of the research, and it can be concluded that the formulation of legal rules can rapidly provide regulatory solutions to achieve an equilibrium of rights. and justice for businesses based on sharia law.

Sweeney, Yann, ‘Tracking the Debate on COVID-19 Surveillance Tools’ (2020) 2(6) Nature Machine Intelligence 301–304
Abstract: Contact-tracing apps could help keep countries open before a vaccine is available. But do we have a sufficient understanding of their efficacy, and can we balance protecting public health with safeguarding civil rights? We interviewed five experts, with backgrounds in digital health ethics, internet law and social sciences.

Świtała, Krzysztof, ‘Information Security and Cybersecurity in a Pandemic’ in Irena Lipowicz, Grażyna Szpor and Aleksandra Syrt (eds), Instruments of Public Law: Digital Transformation during the Pandemic (Routledge, 2022)

Tambou, Olivia and Alexia Pato, ‘COVID-19 Vaccination and Data Protection Issues: A European Comparative Study With Focuses on France, Germany, Belgium, and Switzerland’ (MPILux Research Paper No 2021(3), 4 March 2021)
Abstract: This report, which tackles data protection issues related to Covid-19 vaccinations, completes the study on vaccination policies carried out by the Max Planck Institute Luxembourg upon the request, and for the benefit of, the Ministry of Health of Luxembourg. The first part of this research project analyses the safeguard measures and guarantees put in place for the processing of data related to Covid-19 vaccinations in the EU. The general framework on data protection, i.e. the GDPR, is examined and relevant references to the law of the Council of Europe and the main recommendations at the European level are made. The purpose of this first part is to assess what EU Member States should do and what room for manoeuvre is left to those for the processing of data generated as a result of the Covid-19 vaccinations. The second part of the research project consists in a comparative analysis of the data protection laws in the area of public health in France, Belgium, Germany and Switzerland with specific references to Covid-19 vaccinations. The purpose of this second part is to understand and compare the approach taken in the selected States.

Taylor, Mark J, ‘“Personal Information” and Group Data under the “Privacy Act 1988” (Cth)’ (2020) 94(10) Australian Law Journal 730–740
Abstract: The ‘Privacy Act 1988’ (Cth) is focused on information that relates to identified or identifiable persons. If understood narrowly, this approach risks failure to acknowledge the importance of data relating to multiple persons (group data) and its appropriate control within the framework of data governance. There is an increasingly urgent need to address this risk. Indeed, the COVID-19 pandemic has already demonstrated how group data might have tangible impact: by shifting an understanding of priority and what constitutes a reasonable trade-off between individual and public interests. This article considers the extent to which governance mechanisms could, through the vehicle of existing privacy law, protect persons from potentially harmful uses of group data in a modern information economy.

Terry, Nicolas and Christine Nero Coughlin, ‘A Virtuous Circle: How Health Solidarity Could Prompt Recalibration of Privacy and Improve Data and Research’ (2021) Oklahoma Law Review (forthcoming)
Abstract: While data laws were given a seat with older, relationship-based health law such as tort duties, they are not seen as a crucial part of the modern healthcare regulatory system and viewed only from a distance when healthcare history and policy are discussed. However, here we argue that our healthcare data laws have a closer relationship to the healthcare law mothership than often portrayed (and that is not necessarily a compliment). The core proposition that we advance is that there is (or should be) a hydraulic relationship between healthcare and health privacy. First, if health care continues to robustly prohibit health discrimination and continues to grow closer to universal access, the need for health data protection should decrease. This is not because privacy declines as a value but because exposures of health information will be less consequential. Second, it is broadly accepted that the U.S. imprudently spends a considerably larger percentage of its ‘health dollars’ on clinical health rather than public health. The outsized role of social determinants, zip-code health, and institutionalized health inequities has been accentuated during the COVID-19 pandemic. Public health recognizes solidarity, social and health interdependence as a fundamental tenet. As the recovery from COVID-19 begins and we ‘rebuild better,’ public health and hence solidarity likely will be strengthened. Third, the movements towards universal access and more vibrant public health are likely to be premised on a shift away from health individualism to solidarity. As this shift slowly develops, it is likely to engender more sharing of personal information in order to improve the overall health of the population.

Ting, Daniel Shu Wei et al, ‘Digital Technology and COVID-19’ (2020) 26(4) Nature Medicine 459–461

Tong, Xi Xian and Eng Siang Tay, ‘Relevance of MySejahtera Application in Post-Pandemic Era: Legal Regulations on Data Ownership and Privacy’ (Atlantis Press, 2022) 110–122
Abstract: MySejahtera application has been adopted by the Malaysian government since the outbreak of COVID-19 pandemic in March 2020. It is a digital tracing tool with functions, amongst others, to assist the government to monitor and control the spreading of the COVID-19 cases. Data ownership and privacy are always a controversial issue especially when the MySejahtera application was developed by a private company under corporate social responsibility. The government has assured that the data and information kept in MySejahtera application are fully owned by the Ministry of Health. From 1 April 2022, Malaysia has entered the transition to the endemic phase of COVID-19. The Ministry has further announced the relaxation of all SOPs starting 1 May, which include the doing away with MySejahtera. The recent Public Accounts Committee report discloses the selling of such an application to another private company has again raised the fear of intrusion of data ownership and privacy. This paper will address the issues on the data ownership and privacy of the MySejahtera application and discuss the relevance of continuing to use MySejahtera in daily life in the post-pandemic era. Existing legal regulations such as Personal Data Protection Act 2010, Prevention and Control of Infectious Diseases Act 1988, Communication and Multimedia Act 1988 and Medical Act 1971 will be examined in addressing the above issues. The research method used in this paper is doctrinal legal research. This paper will conclude with suggestions on the amendment to the relevant legislations to safeguard the data privacy of the MySejahtera users.

Townsend, Beverley, ‘The Lawful Sharing of Health Research Data in South Africa and Beyond’ (2022) 31(1) Information & Communications Technology Law 17–34
Abstract: Personal information, in particular health-related information, used in conjunction with data analytics and shared with researchers, is a valuable tool in health research and development. In light of the public health emergency arising from the COVID-19 pandemic and new African data protection laws, this paper addresses the regulation of data sharing and transfer. Three broad questions addressed are: (i) What are the existing legal modalities governing and protecting data use and sharing in South Africa, and, more generally, in Africa? How can data be transferred into and out of South Africa? (ii) What can be learned from recent international developments in data transfer? And, lastly, (iii) where plausible how might data flows throughout Africa be facilitated in the interests of public health during times of pandemic? This paper explores these questions with specific emphasis on the importance of health and research data transfers in light of the COVID-19 pandemic.

Trotogott, Rachel, ‘A Comparative Analysis of Data Privacy Impacted by Covid-19 Contact Tracing in the European Union, the United States, and Israel: Sacrificing Civil Liberties for a Public Health Emergency’ (2020) 27(1) ILSA Journal of International & Comparative Law 55–76
Abstract: The purpose for choosing this topic is to explore privacy issues being faced in distinct parts of the world by countries exploring the use of digital contact tracing phone applications to help gain control over the COVID-19 global pandemic. First, this article will provide a brief history of the United States, the European Union, and Israel, and explore the applicable privacy laws governing its corresponding citizens in relation to the usage of digital contact tracing applications. Then, this article will compare the similarities and differences between such laws, and how the United States, the European Union, and Israel are addressing such laws relative to digital contact tracing application usage. Finally, this article will conclude with an assessment on the current contact tracing situation in the United States and what can be learned by looking towards the European Union and Israel.

‘UK Regulator Addresses Perplexing Privacy Questions for Hospitality Sector’ (2020) 20(7) Privacy & Data Protection 17–18
Abstract: Reports on the publication of guidance by the Information Commissioner’s Office on the collection and retention of customer and visitor information by organisations and small businesses in the hospitality sector for the purposes of the COVID-19 Test and Trace scheme.

Unger, Wayne, ‘How Disinformation Campaigns Exploit the Poor Data Privacy Regime to Erode Democracy’ (SSRN Scholarly Paper No ID 3762609, 14 December 2020)
Abstract:The U.S. is under attack. It is an information war, and disinformation is the weapon. Foreign and domestic actors have launched information operations and coordinated campaigns against western democracies using dis/misinformation. While the U.S. is both a disseminator and recipient of global or regional disinformation campaigns, this article focuses on the U.S. and its people as the recipient.From Russian election interference to COVID-19 conspiracies, disinformation campaigns harm the presumptive trust in democracy, democratic institutions, and public health and safety. While dis/misinformation is not new, the rapid and widespread dissemination of dis/misinformation has only recently been made possible by technological developments that enable mass communication and persuasion never seen before.Today, social media, algorithms, personal profiling, and psychology, when mixed together, enable a new dimension of political microtargeting—a dimension that disinformers exploit for their political gain. These enablers share a root cause—the poor data privacy and security regime in the U.S.At its core, democracy requires independent thought, personal autonomy, and trust in democratic institutions because an independently thinking and acting public is the external check on power and authority. However, when the public is misinformed or disconnected from fact and truth, the fundamental concept of democracy erodes—the public is no longer informed, independently thinking, and autonomous to elect its representatives and check their power. Disinformation, not rooted in fact and truth, attacks the core of democracy, and thus, the public check on governmental power. This article addresses a root cause—the lack of data privacy protections—of the dis/misinformation dissemination and its effects on democracy. This article explains, from a technological perspective, how personal information is used for personal profiling, and how personal profiling contributes to the mass interpersonal persuasion that disinformation campaigns exploit to advance their political goals.

van Erp, Sjef, ‘COVID-19 Apps, Corona Vaccination Apps and Data “Ownership”’ (SSRN Scholarly Paper ID 4038139, 27 March 2021)
Abstract: Already before the present COVID-19 health crisis an emerging trend could be seen towards offering health services from a distance, called ‘e-health’. This trend, like so many other developments towards digitalisation of our societies, received a considerable impetus because of the COVID-19 crisis. First, the rise of COVID-19 tracing (and/or tracking) apps and now to be followed by the advance of Corona vaccination apps has made us aware of the benefits which e-health may bring, particularly in a situation where distance means safety. The apps contain very personal information and, consequently, have provoked questions as to whether the apps sufficiently protect a person’s right to privacy and data protection as safeguarded by the EU’s General Data Protection Regulation. The nature of the data, however, is such that also questions as to the importance of access by public health authorities in the public interest can be asked. Also, although commercial, but still important for developing and producing vaccines, for the pharmaceutical industry the data are important. The result is a conflict particularly between entitlement to privacy protection and the general interest, causing questions to be asked about which interest has priority. It might very well be, however, that this question, asked as such, is beside the point. Given that data are non-rivalrous and non-depletable, because they can be copied and copied, questions about which entitlement has priority cannot be answered in absolute terms. Rights regarding data depend upon who at a particular time has control over the data, who else has control and what control between all those involved then means. Looking at who has which right to data one can see an entitlement paradigm surfacing which is multi-perspective, relative and dynamic. Calling data entitlement ‘ownership’ is not a reference to ownership in the traditional sense of the word, but to management. To decide what management in a particular situation means interest balancing exercises must be made. These exercises will change over time, as accordingly will the answer to the question who is ‘owner’ of data in COVID-19 and Corona vaccination apps.

Van Natta, Meredith et al, ‘The Rise and Regulation of Thermal Facial Recognition Technology during the COVID-19 Pandemic’ (2020) 7(1) Journal of Law and the Biosciences Article lsaa038
Abstract: As the current COVID-19 pandemic sweeps the globe and dramatically alters society, governments and corporations are turning to novel uses of biometric technologies to limit contagion and maintain economic opportunities. Technologies that may have once seemed like the province of science fiction - such as thermal facial recognition, remote fever detection, or smartphone-based immunity certificates - are now not only possible but already in use. This raises important questions about the potential privacy implications of the widespread collection and use of such personal data. While multimodal biometric surveillance technologies such as these may prove useful in slowing the spread of SARS-CoV-2, we caution that the ability of governments and corporations to leverage these technologies will likely persist beyond the current public health emergency. Just as many of the privacy concessions made in the USA Patriot Act have become permanent since the emergency circumstances of September 11, 2001, the privacy-limiting technologies unleashed during this pandemic may well persist unless policies are enacted now to regulate their use and ensure responsible oversight. Recognizing that these emergent technologies may become entrenched long after this public health crisis subsides, we focus here on the case of fever checks and thermal facial recognition technology to illustrate the current state of the technology, existing policies related to its use, and suggestions for proactive policies to govern its deployment during and beyond the present pandemic.

Van Zeben, Josephine and Bart A Kamphorst, ‘Tracking and Nudging through Smartphone Apps: Public Health and Decisional Privacy in a European Health Union’ (2020) 11(4) European Journal of Risk Regulation 831–840
Abstract: In response to the SARS-CoV-2 pandemic, European Union (EU) Member States adopted technological solutions aimed at mitigating the effects of the virus, as well as enforcing newly adopted public health measures. Examples include apps for disseminating information, performing self-diagnosis, enforcing home quarantine orders and aiding contact tracing. This extensive use of technology for tracking and promoting public health raises important questions regarding EU citizens' privacy. Thus far, the discourse in this regard has predominantly revolved around data protection, the risk of surveillance and the right to control access over one's personal information (informational privacy). In light of the push towards a more unified approach to mitigating the current pandemic and future health crises through a European Health Union (EHU), we consider a different dimension of privacy that may be at risk when employing technology for public health, namely the right to noninterference with one's decisions (decisional privacy). In particular, this article focuses on whether the advances in health-related persuasive technology, together with a more general movement towards nudging as an individual and public health tool, will require EU legislation to further protect decisional privacy by regulating 'hypernudging' technologies and to guide the EHU in coordinating public health measures that utilise these technologies in a privacy-preserving way.

Veale, Michael, ‘Privacy, Informational Infrastructures and Covid-19: Comparative Legal Responses’ in Jeff King and Octávio Ferraz (eds), Comparing Covid Laws: A Critical Global Survey (Oxford University Press (forthcoming, 2024)
Abstract: Covid-19 saw states creating and repurposing informational infrastructures to manage populations and in turn, the pandemic. In this chapter, I consider how these infrastructures played out in their legal contexts. I show how while privacy regimes, where they existed, largely remained applicable, particular technologies reshaped the privacy landscape and at times, pushed at the boundaries of the legal system. States seeking to use telecommunications data to shape behaviour faced significant legal challenges as courts struck down a range of instruments, although some powers proved nebulous and hard to challenge. Digital contact tracing apps showcased a different dynamic, as the architecture of these systems — whether centralised or decentralised — shaped legal responses. Not all is gloomy however — insofar as the pandemic made information technology a political focus for legislators and citizens, this may bode well for future law-making and governance.

Viljoen, IM et al, ‘Contact Tracing during the COVID-19 Pandemic: Protection of Personal Information in South Africa: Review’ (2020) 13(1) South African Journal of Bioethics and Law 15–20
Abstract: Containing the COVID-19 pandemic necessitates the use of personal information without the consent of the person. The protection of personal information is fundamental to the rights that ensure an open and democratic society. When regulations that limit the right to privacy are issued outside of the democratic process, every effort must be made to protect personal information and privacy. The limitation of human rights must be treated as an exception to the norm, and any regulations should be drafted to ensure minimum limitation of rights, rather than to the minimum acceptable standard. The contact tracing regulations included in the COVID-19 disaster regulations include some basic principles to ensure privacy; however, other important principles are not addressed. These include principles of transparency and data security. The envisaged future use of human data for research purposes, albeit de-identified, needs to be addressed by the COVID-19 designated judge appointed under the regulations.

Villarreal, Pedro A, ‘International Law and Digital Disease Surveillance in Pandemics: On the Margins of Regulation’ (2023) 24(3) German Law Journal 603–617
Abstract: The COVID-19 pandemic elicited a surge in the use of digital tools to replace ‘classic’ manual disease tracking and contact tracing across individuals. The main technical reason is based on the disease surveillance needs imposed by the magnitude of the spread of the SARS-CoV-2 virus since 2020, particularly how these needs overwhelmed governments around the world. Such developments led to stark variations across countries in terms of legal approaches towards the use of digital tools, including self-reporting software and mobile phone apps, for both disease tracking and contact tracing. Against this backdrop, in this article I highlight some of the normative challenges posed by the digitalization of disease surveillance, underscoring its almost non-existent regulation under international law. I look back at the historical emergence of the epidemiological principles underlying this procedure, by referring to John Snow’s trailblazing work in cholera control. I emphasize how the COVID-19 pandemic prompted both technical and normative shifts related to the digitalization of these procedures. Furthermore, I refer to some of the overarching obstacles for deploying international law to tackle future tensions between the public health rationale for digitalized disease tracking and contact tracing, on the one hand, and normative concerns directly related to their legality, on the other hand. Lastly, I put forward conclusions in light of the current juncture of international health law reforms, and how they so far display limited potential to herald structural changes concerning the legality of the use of digital tools in disease surveillance.

Wang, Chao and Taixia Shen, ‘China’s New Legislation on Personal Information Protection in Light of the COVID-19 Pandemic’ (2022) 9(2) Journal of International & Comparative Law 109–124
Abstract: During the COVID-19 pandemic period, China used a data-based approach to protect public health. Although this approach has supported the containment of the COVID-19 virus, it risks infringing the right to privacy. This article considers how this data-based approach, including data collection, sharing, storage and disclosure could affect the right to privacy and shows that the data collection process in China may involve the collection of irrelevant personal data from too many broad categories and sometimes without consent of the data subject. The results show that the main challenges to the right to privacy are (1) a lack of effective information control and storage safeguards, (2) the improper use and disposal of information and (3) the disclosure of non-desensitised information. This article examines PRC’s newly passed legislation, including the Cybersecurity Law, Data Security Law and the Personal Information Protection Law, which constitute China’s first systematic and comprehensive regulatory framework to protect personal information. This regulatory framework requires that any restrictions on the right to protect personal information and privacy rights must be in the public interest such as public health and security. This article examines whether and to what extent this regulatory framework is capable of addressing challenges of big data applications to individual rights to privacy and proposes some further improvements.

Wang, Ying et al, ‘Legal Considerations for Processing Employees’ Pandemic-Related Personal Information in China’ (2022) 47(7) Employee Relations Law Journal 46–49
Abstract: It has been almost two years since the unprecedented outbreak of COVID-19 pandemic. We have been learning to live with the pandemic, whether we like it or not. In China, companies are responsible for pandemic prevention and control. Therefore, it is inevitable for employers to process their employees’ pandemic-related personal information (‘PI’). With the Personal Information Protection Law (‘PIPL’) having taken effect on November 1, 2021, this article discusses how to process employees’ PI in compliance with the law during the pandemic.

Washington, Anne L and Lauren Rhue, ‘Tracing the Invisible: Information Fiduciaries and the Pandemic’ 70(5) American University Law Review 1765–1797
Abstract: Predictive data technology designed to contain the COVID-19 pandemic was not as successful as promised. Data-centric solutions to providing testing and tracing did little to limit the virus’s spread in part because they served only the most visible parts of society. This Article argues for more robust solutions to protect individuals’ privacy—whether those individuals are currently visible or invisible to pandemic technology—if pandemic technology is to provide the universal coverage necessary for a public health emergency, such as the COVID-19 pandemic. First, we contend that current pandemic data technology operates under rigid technical and social assumptions that thwart participation from all population groups. Second, we demonstrate that the organizations associated with pandemic data technology have financial incentives that could be in opposition to protecting anyone susceptible to the virus. Third, we consider how the need for someone to protect data to allow for medically necessary access to data could be an onramp for a pilot implementation of legal theory on information fiduciaries. Finally, we offer two tangible policy suggestions: conflict-of-interest notices released as open data and a public health fiduciary that has legal responsibility to protect data relevant to epidemiological outbreaks. A public health fiduciary working in the public interest would be more likely to gather sufficiently accurate data than would a fiduciary working within the organizations collecting data themselves. Technology has a vital role to play in managing the pandemic, but in the hands of some organizations, it may encourage behavior that counters public health goals. Trusted data technology solutions in conjunction with predictive epidemiology models could contribute to reducing the spread of the virus more holistically and with fewer privacy-related consequences.

Watts, David, ‘COVIDSafe, Australia’s Digital Contact Tracing App: The Legal Issues’ (SSRN Scholarly Paper No ID 3591622, 2 May 2020)
Abstract: The Australian government has developed a digital contact tracing app, COVIDsafe, accompanied by a temporary legal framework that is designed to support its deployment until a legislative framework is developed.This preliminary analysis argues that the temporary legal framework does a creditable job in addressing privacy concerns. Despite this, there are a variety of legal risks that remain. These centre on the ability of the courts to issue orders to obtain and inspect the data produced by or through the app; police warrant powers; metadata retention and its availability to local law enforcement agencies; the vulnerability of data to US law enforcement agencies through the US CLOUD Act; inaccurate assurances about proximity restrictions and more general concerns that users’ consent to the use of their app data for contact tracing may not be valid.These are issues that must be addressed by government when it develops its permanent legislative framework for COVIDSafe. A failure to do so will erode the community’s trust in COVIDSafe and thus undermine its efficacy as a means by which COVID-19 risks can be managed until a vaccine or an effective treatment become available.

Webb, Julia M, ‘HIPAA & Telehealth during COVID-19: A Legal Review’ (SSRN Scholarly Paper No 4235321, 3 March 2022)
Abstract: Patient privacy has always been important, but the shift in virtual healthcare during the COVID-19 pandemic brought about different challenges. This brief legal analysis focuses on the nationwide efforts to increase access to care in the pandemic while still protecting privacy.

Wee, Alicia and Mark Findlay, ‘AI and Data Use: Surveillance Technology and Community Disquiet in the Age of COVID-19’ (SMU Centre for AI & Data Governance Research Paper, 2020)
Abstract: The proliferation of surveillance technology during the COVID-19 pandemic has resulted in a myriad of responses from the public. This paper seeks to examine community disquiet in the context of these smart technologies. In particular, we look at sources of social responses to the different control measures and the escalated use of surveillance technologies. The concerns voiced by citizens underscore their worries surrounding infringement of their rights, liberties and integrity, which we examine through six broad themes: disquiet about the data collected; disquiet concerning authority styles confirming control responses; disquiet regarding the integral architecture of control strategies employed; disquiet surrounding infringement of rights and liberties; disquiet surrounding the role of private sector; as well as uncertainties regarding a post-pandemic world and its ‘new normal’. We find that the resulting distrust of both the surveillance technology and the authorities behind these have a pronounced effect on the technology’s utility and accuracy. Ultimately, we argue that public confidence in governments’ control policies and the technologies that they employ can only be rebuilt through a genuine inclusion, engagement, and collaboration with citizens in the conceptualisation, development, implementation and decommissioning phases.

Wee, Alicia and Mark Findlay, ‘Digital Contact Tracing: An Examination of Uptake in UK and Germany’ (SMU Centre for AI & Data Governance Research Paper No 10, 1 September 2021)
Abstract: At the start of the pandemic, our research on community disquiet surrounding tracking and tracing surveillance used as COVID-19 control led us to our conclusion that a failure to engage with the public in the development and execution of the technology had a negative influence on the way it has been received. In this paper, we sought to test our view: that damaged or absent trust, relating to the technology or its sponsors (particularly governments), was key in understanding the way community disquiet constrained efficacy of the control policy. However, initial findings have demonstrated instances where trust relationships were damaged this did not always or consistently appear to deter significant rates of downloads. Conversely, initial public engagement and approval of the technology likewise did not always or consistently result in requisite uptake rates being met, for the technology to work as planned. Through our survey of the UK and German app, how trust is created and maintained is neither simple not inevitable. Externalities beyond community engagement effected trust in various ways depending on the wider socio-political control environment prevailing. What can be said of trust and engagement is that their absence, along with other influences of public permission and approval, can have an impact on how control initiatives are received by data subjects. Therefore if trust and engagement are not magic bullets for efficacy, their absence will produce disquiet and this can impact on the sustainability of pandemic control policy.

Weisburd, Kate, ‘Punitive Surveillance’ (2022) 108(1) Virginia Law Review 147–221
Abstract: Budget constraints, bipartisan desire to address mass incarceration, and the COVID-19 crisis in prisons have triggered state and federal officials to seek alternatives to incarceration. As a result, invasive electronic surveillance—such as GPS-equipped ankle monitors, smartphone tracking, and suspicionless searches of electronic devices—is often touted as a humane substitute for incarceration. This type of monitoring, which I term ‘punitive surveillance,’ allows government officials, law enforcement, and for-profit companies to track, record, search, and analyze the location, biometric data, and other meta-data of thousands of people on probation and parole. With virtually no legal oversight or restraint, punitive surveillance deprives people of fundamental rights, including privacy, speech, and liberty. Building on the critique that punitive surveillance is a form of racialized carceral control, this Article makes three contributions: First, drawing on original empirical research of almost 250 public agency records governing the operation of electronic ankle monitoring, this Article reveals non-obvious ways that punitive surveillance, like incarceration, strips people of basic rights and liberties. In particular, the records show how monitoring restricts movement, limits privacy, undermines family and social relationships, jeopardizes financial security, and results in repeated loss of freedom. Unlike traditional probation and parole, punitive surveillance is more intensive, restrictive, and dependent on private surveillance companies. Second, this Article explains how, and why, courts’ labeling of such surveillance as a ‘condition’ of punishment or a regulatory measure stems from a misunderstanding of this surveillance and punishment jurisprudence. Third, and most ambitiously, this Article raises the question of whether a fundamental rights analysis, a regulatory response, or an abolitionist approach is the most effective way of limiting—if not outright eliminating—punitive surveillance.

Wen, Shuangge, Mariarosaria Taddeo and Jeremy Pitt, ‘Some Ethical, Legal, and Social Dimensions of Pandemic Response Technology’ (2021) 40(2) IEEE Technology and Society Magazine 41–46
Extract: In my work, I’m most concerned with the ethical and social implications of these kinds of technological interventions. When the first app was about to be released, the Digital Ethics Lab (in which I serve as Deputy Director) focused on what are the requirements that these kinds of apps need to respect to ensure that they will be ethically sound. For these apps, being ethically sound is important because, as we saw with the failure of the first app if citizens do not deem the app ethical, they do not trust it and do not adopt it. In this case, the efforts, funds, and time invested in developing the app will turn into missed opportunities; in turn, this will hinder government reputation. So, ensuring that these apps respect fundamental values and rights (i.e., are ethically sound) is vital.

West, Leah, ‘Privacy vs. Health: Can the Government of Canada Leverage Existing National Security Surveillance Capabilities to Stop the Spread?’ in Leah West, Thomas Juneau and Amarnath Amarasingam (eds), Stress Tested: The COVID-19 Pandemic and Canadian National Security (University of Calgary Press, 2021) 193 (open access E-book)
Extract from Introduction: In early 2020, as COVID-19 spread across Canada, officials within and outside the national security community considered how state resources and capabilities could be retooled or redirected to manage the pandemic. One of the key debates that emerged—in this country and abroad—was whether a state’s surveillance apparatus, used by federal security and intelligence agencies to detect and monitor national security threats, could be leveraged in a public health crisis. Alternatively, could the federal government mandate that individuals or telecommunication service providers share the location data generated by wireless devices—namely, cell phones—with health or security agencies? This chapter looks at these questions from a legal perspective and answers them in the negative.

Winlo, Camilla and Hannah Jackson, ‘Additional Security Risks Arising from Home Working’ (2020) 110(July) Privacy Laws & Business United Kingdom Newsletter 8–9
Abstract: Highlights additional measures which employers might wish to adopt, in light of the coronavirus pandemic, to guarantee data security and privacy as employees work from home more regularly. Sets out steps which organisations can take to mitigate the risks posed by remote working. Notes the changing regulatory approach of Information Commissioner’s Office.

Witzleb, Normann and Moira Paterson, ‘The Australian Covidsafe App and Privacy: Lessons for the Future of Privacy Regulation’ in Belinda Bennett and Ian Freckelton (eds), Pandemics, Public Health Emergencies and Government Powers: Perspectives on Australian Law (Federation Press, 2021)
Abstract: This chapter provides a preliminary assessment of the Australian expe­rience with privacy regulation during the pandemic. It examines the Australian legislation enabling the introduction of the COVIDSafe app, before exploring the interac­tion between high levels of privacy protection and the generation of public trust. We argue that the need for specific rules dealing with COVIDSafe contact data has highlighted weaknesses in the Australia’s existing data protection framework under the Privacy Act. The chapter also considers the privacy issues arising from digital visitor registration at public venues for contact tracing and analyses the effect of recent public debates about privacy for the future of privacy regulation in Australia. In our view, the public discourse about data protection during the pandemic demonstrates that Australians attribute high value to their privacy, even in a time of crisis. The example of the COVIDSafe app illustrates that robust privacy protections are critical to achieving a strong community uptake of new data-driven technologies. We submit that Australian society would therefore benefit if the government gave better recognition to privacy interests, and their protec­tion, than it has done in the past.

World Health Organization Regional Office for the Western Pacific, ‘Considerations for Strengthening Legal Frameworks for Digital Contact Tracing and Quarantine Tools for COVID-19’ (Interim guidance No WPR/DSE/2021/038, WHO Regional Office for the Western Pacific, 15 June 2021)
Abstract: There has been rapid development and uptake of digital contact tracing and quarantine (‎DCTQ)‎ tools as part of the response to coronavirus disease 2019 (‎COVID-19)‎. There are critical legal and ethical dimensions to the use of DCTQ tools, including issues relating to privacy and surveillance, which differ depending on the technology being used and its application. This document suggests steps to review, develop and monitor legal frameworks to ensure their appropriate and ethical use.

Wongsin, Utoomporn et al, ‘Data Privacy, Regulations and Legal Issues on COVID-19 Tracking Apps: A Scoping Review’ in J Mantas et al (eds), Informatics and Technology in Clinical Care and Public Health (IOS Press, 2022) 388–391
Abstract: It cannot be deniable that smartphone apps have grown exponentially and are playing a crucial role in the response to the COVID-19 pandemic in many countries. This paper aims to investigate data privacy, regulations and legal issues on COVID-19 tracking apps. A literature search will be followed the PRISMA guidelines extension for a scoping review. The search will be conducted on PubMed and Google Scholar. A total of 38 articles from 7,626 articles were reviewed. Mostly articles report on data privacy. Not many articles report on regulations and legal issues. However, there are many challenges on COVID-19 applications such as security risks, privacy issues, political, ethical, and legal risks, and standardization issues.

Yoo, Christopher S and Apratim Vidyarthi, ‘Privacy in the Age of Contact Tracing: An Analysis of Contact Tracing Apps in Different Statutory and Disease Frameworks’ (2021) 5 University of Pennsylvania Journal of Law and Innovation (forthcoming)
Abstract: The COVID-19 pandemic is a once-in-a-generation pandemic that has claimed the lives of more than two million people, and infected more than one hundred million. The novel, interconnected nature of the contemporary global economy has accelerated the transmission of an already infectious disease. Yet the ubiquity of smartphones, the Internet, and data collection has also enhanced the effectiveness of an important tool for technologists and public health agencies to track and slow the spread of the pandemic: digital contact tracing.The idea of contact tracing is not novel. Plague crosses, which were placed on buildings occupied by the victims of plague, served as a rudimentary mechanism for minimizing the risk of contagion in the seventeenth and eighteenth centuries. During the AIDS crisis in the 1980s, public health officials debated the balance between contact tracing and discrimination against the LGBTQ community. The trend continues in our latest health crisis, with digital contact tracing apps using the mobility and accessibility of Internet-connected smartphones to track and slow the spread of COVID-19. But this latest iteration of contact tracing also raises concerns about data privacy inherent with all Internet-connected apps and devices. To fulfill their purpose of tracing the spread of a disease, contact tracing apps necessarily need to collect some type of location data and test result data and upload them to the Internet. Both location data and test result data can be considered intimate and private, revealing the granular details of where data subjects travel, with whom they associate, and what potential locations might have caused them to test positive. If an app is to collect such data, what design decisions help protect against the misuse of this data and mitigate concerns of surveillance? Do existing privacy regimes provide adequate guidance to guide app developers as they balance the importance of protecting privacy against the need to perform critical public health functions through technology? Do such statutes provide adequate flexibility in addressing the changing needs of particular public health crises? And how do we balance the public health needs of preventing the spread of a deadly disease against individuals’ privacy rights and expectations?In this paper, we attempt to answer these pressing questions by using three leading privacy regimes—the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), and the European Union’s General Data Protection Regulation (GDPR)—as a benchmark for understanding what types of design choices they encourage for the developers of contact tracing apps. We measure the performance of five COVID-19 contact tracing apps from across the globe against the standards across eight design categories set forth in these three regulatory schemes. We then look at what these regimes cover and what they miss.In Part I, we describe the statutory landscape and the apps we assess: Germany’s Corona-Warn-App, Israel’s HaMagen, North Dakota’s Care-19 Diary and Alert apps, and India’s Aarogya Setu app. In Part II, we look at eight factors in the statutes that implicate design decisions of each of these apps: notice and consent, consent requirements for medical data disclosed to third parties, location identifying technologies, data profiles and data collection, minimizing data categories collected, data sale and sharing with non-research third parties, third party and researcher access to data, and affirmative user rights. We assess how each of the apps measures up against the HIPAA, CCPA, and GDPR benchmarks in each of these eight categories. In Part III, we look at how disease variables affect some of these common factors assessed and analyze whether the statutes provide adequate flexibility to balance different public health concerns of three other diseases—SARS, Ebola, and HIV—against privacy. In Part IV, we assess privacy issues in the context of contact tracing that go beyond issues of public health. Ultimately, we conclude that the three privacy regimes encourage app developers to make design choices that favor privacy that also allow these apps to succeed at contact tracing. The statutes also provide some flexibility for issues of public health, which likely weigh in favor of public health concerns, at the expense of individual privacy under appropriate circumstances. Nonetheless, there are some aspects of privacy, like dignitary concerns, that are not captured by these statutes and that require a more complex framework to address.

Yuen, Albert and Jasmine Yung, ‘Covid-19 and Data Privacy Issues in APAC and the UK: Key Guidance from Privacy Regulators’ (2020) 17(1/2) Privacy Law Bulletin 26–30
Abstract: The Coronavirus disease (Covid-19) outbreak has not only caused disruptions worldwide in social, economic and political arenas, but also raises a plethora of issues in the data privacy protection arena. Government authorities and businesses around the world seek to respond to this public health emergency by using personal data and information of their employees, visitors, customers and/or suppliers, including by deploying technologies to collect individuals’ health and location data to manage health and safety issues arising from the Covid-19 virus and for targeted crowd monitoring. As the increased use by health authorities and businesses/employers rise in the collection and use of personal data and health information for tracking and identifying Covid-19 carriers for public health emergency purposes, privacy discussions and concerns abound over potential personal data misuse, mishandling and a more permanent stretch of government powers for long-term privacy-intrusive monitoring even after the virus ends. At this juncture, we examine how data protection regulators in the Asia Pacific (APAC) and the UK have approached data privacy issues and guidelines in the context of Covid-19, to shed light on how privacy rights balance against the countervailing interests of public health emergency and to what extent APAC and UK data privacy laws are able to protect individuals’ rights.

Zar, Mickey and Niva Elkin-Koren, ‘The By-Design Approach Revisited: Lessons From COVID-19 Contact Tracing Apps’ [2022] Fordham Intellectual Property, Media & Entertainment Law Journal, (forthcoming)
Abstract: The by-design approach, namely, the belief that pre-embedding values in the design level of technology will bring about the desired social consequences, has become a cornerstone of the modern regulatory approach to technology. It generally assumes that norms could be embedded in technological design, and therefore technology could effectively govern users’ behavior, surpassing governance by legal norms. This paper challenges the by-design regulatory approach by exploring the case study of Contact Tracing Technologies (CTTs(, which were deployed during the Covid-19 pandemic to interrupt the chains of infection by tracing contact with confirmed patients. The CTT case study demonstrates a major flaw of the exclusive focus on technological solutions while overlooking the critical role of other social regulatory forces. It offers a rare opportunity to compare two extreme examples of technological affordances, reflecting contradictory strategies of contact tracing. One approach deployed a voluntary, privacy-friendly, transparent, and open-source civilian technology, while the other repurposed a mandatory state surveillance system, originally designed to gather intelligence concerning homeland security. Obviously, each approach raised different expectations and almost contrary sentiments. While in the case of the civilian app, HaMagen (‘The Shield’), it was expected that users would flock to the app store, the use of the Israeli General Security Service’s (GSS) surveillance capabilities (known as ‘the TOOL’) over a civilian population was perceived as a possible harbinger of ‘the end of democracy.’ However, neither the high hopes pinned on HaMagen nor the grave fears of the TOOL have materialized: while the civil app’s qualities have not mobilized the bulk of users to adopt, the TOOL was gradually disarmed of its unbounded intrusive powers through a mixture of institutional efforts, including extensive judicial and parliamentary review, until it was finally banned. The CTT case study offers important lessons to policymakers. It highlights the ways in which technological affordances are shaped by social institutions, thus transforming their social outcome. This is not to say that technological affordances are not a powerful social regulator, but rather to claim that technology is but one regulating actor among others in the sociotechnical ecosystem. Consequently, policymakers should beware not to overestimate the power of design choices in determining social outcomes. At the same time, we are reminded of the regulatory power of law and legal institutions. The role of law in technological contexts does not amount to simply making design choices ex-ante by setting technical standards to ensure social values. Instead, the law might also play a crucial role in shaping the social consequences of technology ex-post, for example, by restricting certain uses of pre-existing technology, introducing rights and duties, or setting liability rules. Following a brief introduction of the by-design regulatory approach in Part II, Part III describes the CTT case study, comparing two contradictory contact tracing strategies in the course of their development, deployment, and aftermath. It also offers a wider perspective on the issue by analyzing the co-influence of the two strategies. Part IV discusses the role of market forces in shaping the social meaning of technological design, and Part V concludes.

Zarra, Antonella, Silvia Favalli and Matilde Ceron, ‘Pandemic-Sanctioned AI Surveillance: Human Rights under the Threat of Algorithmic Injustice in the EU’ (SSRN Scholarly Paper ID 3939747, 10 October 2021)
Abstract: Attention to algorithmic injustice has long characterised the perspective of European Union (EU) institutions toward artificial intelligence (AI), given the potential threats to citizens and democracies. From a global perspective, the EU has likewise championed in the pandemic context thanks to higher attention to concerns such as privacy in the deployment of technological solutions to help control the outbreak. Nevertheless, as digital tools became more and more pervasive, their proliferation far exceeded official contact tracing apps to include a multitude of public and private surveillance solutions. Our work considers the current European regulatory framework and it highlights how problematic pandemic surveillance digital tools in terms of privacy and data protection, digital accessibility, non-discrimination and social exclusion may fall through the cracks, especially within the private sector. The legal analysis complemented by empirical examples of COVID-19 related apps assesses how the pandemic offers a breeding ground for algorithmic injustice. Similarly, we evaluate the extent to which, in its current form, the European Commission Proposal for an AI Regulation (the AI Act) may fail to fully mitigate in practice such threats to human rights. Specifically, the contribution of the paper is to highlight how - even in a context such as the EU where notable attention is given to citizens’ rights and their balancing against the need of protecting public health - COVID-19 and its algorithmic response poses a substantial risk to human rights. More broadly, the analysis offers a cautionary tale for post-pandemic societies in which AI surveillance is bound to remain a ubiquitous feature, for which current regulatory efforts may not prove sufficient guarantees.

Zhang, Alex and Andrea Levan, ‘Contact Tracing and Right to Privacy: A Comparative Law Research in China and Singapore’, Globalex (November/December 2022)
Abstract: This article discusses research tools and tactics for legal problems surrounding contact tracing technologies and the right to privacy in China and Singapore. This article aims to provide resources and strategies for identifying relevant materials that examine the relationship between tracking technology adoption and the right to privacy in the present and post-pandemic circumstances. We hope that researchers interested in the subject or performing comparative legal studies at the junction will find this article helpful. We focus on the following resource categories and the most effective way of locating information about them: Main features of the legal system, including legal institutions and major players in the lawmaking and rulemaking process; primary sources of law; and relevant secondary sources of law.

Zhang, Xiaohan, ‘Decoding China’s COVID-19 Health Code Apps: The Legal Challenges’ (2022) 10(8) Healthcare 1479
Abstract: Heath code apps, along with robust testing, isolation, and the care of cases, are a vital strategy for containing the spread of the COVID-19 outbreak in China. They have remained stable and consistent, allowing China to extensively restore its social and economic development. However, the ethical and legal boundaries of deploying health code apps for disease surveillance and control purposes are unclear, and a rapidly evolving debate has emerged around the promises and risks of their fast promotion. The article outlines the legal challenges by applying the core values of the Personal Information Protection Law (PIPL), the fundamental law for personal information protection in China, into the context of the nationwide use of health code apps. It elaborates on the balance between the demands for upholding individuals’ rights to the security of their personal information and those for public access to such information to prevent the spread of infectious diseases. It identifies the current gaps in addressing personal information harms during the use of the apps, particularly with regard to user consent, transparency, necessity, storage duration, and security safeguards.

Zingales, Nicolo, ‘A Stronger Claim to Data Protection During Pandemics? Leveraging the American Convention on Human Rights Against Governmental Inaction: A Brazilian Case-Study’ (2020) 14(3) Revista de Direitos Fundamentais & Justiça 427-462 [pre-published version of article available on SSRN]
Abstract: This article presents a case-study to illustrate the crucial importance of an effective data protection law in the fight against pandemics, and critically assess the extent to which the absence of such framework may amount to a violation of the American Convention of Human Rights. The analysis focuses on Brazil as an emblematic example, as the country has been facing the pandemic without being able to rely on a comprehensive and properly supervised data protection law, while also failing to adopt data-driven responses which could have helped to raise awareness and prevent the spread of the virus. Although the relationship between the adopted policies and the unwavering rise of contagions and deaths is one of correlation, and not necessarily causation, it is argued that an examination of the facts through the lenses of the Convention and its case-law could give sufficient grounding to a claim of responsibility for failure to ensure sufficient protection to the right to privacy, life and integrity. To substantiate such claim, the article begins by describing the Brazilian government´s approach towards the health risks raised by the pandemic (Section 2), and highlighting the privacy and data protection questions raised by technological solutions that are dependent on the collection and use of personal data (Section 3). It follows with an overview of the troubled process of entry into force of a general data protection law in the country, and of a Supreme Court ruling that invalidated the government´s attempt to make use of personal data in order to gather evidence for the adoption of economic measures (Section 4). Finally, having explained the nature of the positive obligations assumed by States that are parties to the Convention, the article examines whether the Brazilian data protection framework has proven fit for purpose during the pandemic (Section 5), and concludes with lessons learned from this case-study (Section 6). :

Zwitter, Andrej and Oskar J Gstrein, ‘Big Data, Privacy and COVID-19: Learning from Humanitarian Expertise in Data Protection’ (2020) 5(1) Journal of International Humanitarian Action Article 4
Abstract: The COVID-19 pandemic leads governments around the world to resort to tracking technology and other data-driven tools in order to monitor and curb the spread of SARS-CoV-2. Such large-scale incursion into privacy and data protection is unthinkable during times of normalcy. However, in times of a pandemic the use of location data provided by telecom operators and/or technology companies becomes a viable option. Importantly, legal regulations hardly protect people’s privacy against governmental and corporate misuse. Established privacy regimes are focused on individual consent, and most human rights treaties know derogations from privacy and data protection norms for states of emergency. This leaves little safeguards nor remedies to guarantee individual and collective autonomy. However, the challenge of responsible data use during a crisis is not novel. The humanitarian sector has more than a decade of experience to offer. International organisations and humanitarian actors have developed detailed guidelines on how to use data responsibly under extreme circumstances. This article briefly addresses the legal gap of data protection and privacy during this global crisis. Then it outlines the state of the art in humanitarian practice and academia on data protection and data responsibility during crisis.

This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding AustLII Communities? Send feedback
This website is using cookies. More info. That's Fine