The Atlanta Lawyer June/July 2020 Vol. 19, No. 1 | Page 21

IN THE PROFESSION
Much like pandemic-level diseases like COVID-19,
privacy concerns do not discriminate based on a person’s profession, and
neither of these concerns are going away.
collect data and execute certain functions to
make contact tracing more efficient. In a
rare showing of solidarity, Google and Apple
have partnered to develop an application
programming interface (API) that allows
governments and third parties to develop
applications for use on major mobile devices
leveraging Bluetooth technology. These apps
are intended to inform individuals whether
they have been in proximity to someone
who has been diagnosed with COVID-19.
While several countries around the world
have been simultaneously developing their
own apps, privacy concerns dominated the
efforts to structure them, whether utilizing
a centralized database or a de-centralized
model. The Google and Apple API has been
instrumental in addressing the privacy
concerns that arose from the centralized
model, as seen in the evolution from the app
in Germany from a centralized model to a
decentralized one using the Google/Apple
API. 2
A key aspect of the technologies utilized in
these apps is the use of Bluetooth technology
to exchange beacons between the devices
whose owners have opted in to using such
apps. If a user notes in the app that s/he has a
positive COVID-19 diagnosis, the app sends
a warning of potential risk of infection to
other devices that exchanged a beacon with
that device. The key to this de-centralized
process from a privacy perspective is that
personally identifiable information is not
stored in a central government database.
At most, a unique device key is stored in
a database, and not traceable back to the
individual user.
Risks Inherent in Electronic Data
Collection
But who needs privacy anyway and what
do we have to lose, especially when the
well-being of the global population is at
stake? The question of whether companies
or governments will indeed limit the data
collection and use to just COVID-19
tracking purposes is a valid one, but such
a discussion far exceeds the amount time
(and quite frankly, tinfoil hats) allotted for
this particular article. For now, the issue
is not whether personal data, and privacy
in general, is worth protecting. Given
the various data privacy laws around the
world and in the US, the reality is that
privacy is increasingly recognized as a
basic human right. Instead, the issue is how
this technology can be implemented to
engender enough confidence in the general
population in the security and underlying
intentions behind the technology to
encourage adequate participation. Research
says that at least 60% of a population must
opt in to contact tracing in order to make it
an effective tool in stopping the COVID-19
virus, although a lower usage rate will be
effective in curbing the spread.3
The type of data that makes contact tracing
in general useful also includes data that
companies utilize for advertising purposes:
identity, geographic location, travel
patterns, and others with whom we are in
close-proximity. Locations, travel history,
and contact networks are sensitive personal
information, but are also the type of
information necessary for health agencies to
track the spread of a communicable disease.
Minimizing the data to what is absolutely
necessary for contact tracing, as well as
ensuring that the data is only used for that
purpose, are basic concepts that a contact
tracing app must follow in order to properly
balance privacy concerns with managing
a global pandemic. These concerns have
triggered privacy discussions as the Federal
level, including the propped Exposure
Notification Privacy Act.4
In an Employment Context, Privacy
Concerns Differ from Those of the General
Population
From the perspective of private industry,
employers must contend with specific
regulations and legal constraints while
balancing the health needs of their
workforces. CDC5 and Occupational
Safety and Health Administration
(OSHA) guidance remind employers
that they are responsible for ensuring
a healthy workplace.6 If an employee
has confirmed or is suspected of having
contracted COVID-19, the CDC and OSHA
recommend that the employer inform
any other employees who may have been
exposed to the infected employee. However,
pursuant to the Americans with Disabilities
Act, employers must make efforts to
maintain the confidentiality of the infected
employee’s identity when communicating
potential exposure to other employees. The
employer may reveal the name to a public
health agency.7
For employers who have global operations,
a one size fits all approach may not be
appropriate. For example, while employers
(continued on page 23)
www.atlantabar.org THE ATLANTA LAWYER 21