- Apps to isolate individuals from infected parties are highly effective at slowing the transmission of COVID-19.
- The apps require governments to collect data and pinpoint your location, leading to privacy concerns.
- Existing regulatory guidelines could be used effectively, taking a per country approach and bolstering where needed.
In response to COVID-19, many countries have turned to digital contact tracing technologies (DCTs) to fight against the deadly pandemic. Broadly, these are apps used to detect, trace and grant access permission to isolate infected persons from the uninfected.
Emerging research in countries where DCTs have been implemented, such as in the UK and Spain, suggests that they are better than manual contact tracing to slow the transmissions of COVID-19 and save lives.
When coupled with digital infrastructure, testing, social distancing and vaccines, DCTs promise to revolutionise the battle against pandemics and will be vital to returning our lives to normal.
However, users must part with some degree of privacy, with most contact tracing services requiring users to report their location data at the least. It follows that the public is wary of letting governments snoop into their private lives.
Contact tracing has its perils
The successful implementation of DCTs requires a "marriage of convenience" between tech companies and governments, which has resulted in the unprecedented accumulation of private data.
In China, the government is reportedly working with Alibaba and Tencent to enforce DCTs, whilst in South Korea the government works closely with Naver and Kakao to achieve the same goals.
Similarly, in the US and Europe, some states and countries are working with Apple, Google and other developers to implement DCTs.
Some view the situation with caution, saying that governments' regulatory power over tech firms could weaken in time, causing privacy concerns. Such worries have become magnified in light of the recent instances of Apple, Google and Facebook using their powers to gain increased leverage over political leadership and processes in different countries.
Worse still, such technologies have links to police and state control in some countries. In Canada and Japan, revealing contact tracing data has resulted in the widespread stigmatisation of infected citizens. Moreover, there was a recent controversy about how only half of the QR code data was destroyed in South Korea.
All this raises the question: Is the state of technology governance ready for, and indeed capable of, implementing DCTs and addressing the public's privacy concerns? Then, how can governments build public trust in DCTs to enable the healthcare system to use it beyond COVID-19?
New territories: governing digital contact tracing
Due to myriad concerns over data privacy, contact tracing requires governance in the form of regulations to establish public trust in DCTs and to guarantee their continued use after COVID-19.
DCTs need to be designed to work within the confines of laws and systems that respect the human right of privacy and democracy. Several forward-looking proposals on achieving DCT governance are currently being discussed, including the Authorized Public Purpose Access Data governance model framework by the Forum, alongside more comprehensive regulatory regimes.
The reality is that across the board, Big Tech and governments have a massive influence on private data with limited oversight beyond legal patches and diversified guidelines. What is underexplored in this evolving debate is whether existing institutions and regulatory systems can be benchmarked to build guardrails and ensure public trust in DCTs.
For now, it appears that countries are primarily relying on three types of governance approaches:
Some countries — among them South Korea, Singapore, Taiwan and Israel — rely on regulatory updates.
Countries such as the US are using self-regulation—placing less emphasis on privacy and on governmental overreach.
In Europe, governments are trying to work with companies to ensure that DCTs comply with existing regulatory frameworks such as the GDPR.
Staying with the latter, there is a series of existing regulations that would allow countries to be flexible and benchmark what could work in their political and social contexts.
Ways to approach existing guidelines
First, there is an urgent need to address issues related to social stigma, and to ensure that private contact tracing data remains secure. Therefore, public education programs and campaigns should be designed to limit COVID-19 shaming. Within the regulatory frameworks, the right to be forgotten in Europe can help. However, laws need to be updated to penalise culprits who leak private data or use the internet to cyberbully others.
Through such initiatives, governments may prove able to separate technologies from social stigma and build enduring trust in DCTs beyond COVID-19.
Another option is for countries to follow the example set by South Korea, Taiwan and Singapore, whose success in implementing DCTs came from supporting existing privacy and data governance laws with acts to cover DCTs. Other countries could consider fast-tracking reviews of existing laws in the context of DCTs, especially because DCTs have been found to operate in countries with outdated legal systems, such as in the US.
With the speed of technology adoption worldwide as giddying as it currently is, agile governance models that seek to revise and adopt legal and institutional frameworks quickly are needed to ensure DCTs' success.
In those cases in which regulations are subject to a complex governmental process, guardrails could be established, or strengthened, through existing approval bodies and regulations such as the FDA's Pre-Cert for Digital Health Software in the US. DCTs could benefit from a similar method of verifying safety and effectiveness through continuous monitoring from the pre-market development process to additional post-market performance verification.
If the public deems such bodies trustworthy, then DCTs may find some level of trust among users.
That said, given the scale of adoption and the amount of privacy data involved, those approval bodies and processes that are trusted at present may not prove sufficient to ensure privacy. And that means that additional enforceable guidelines may be required.
One area of interest is ensuring that contact tracing data can only trace exposure and is never shared. Some governments, including South Korea and Australia, are proposing deleting data after a given period, and this should be implemented through an independent and trustworthy watchdog.
Other guardrails could follow the steps of the Norwegian Data Protection Authority and the UK's Centre for Data Ethics and Innovation to identify how the public can enjoy the full potential benefits of DCTs within the ethical and social constraints of liberal democracy. Through trusted review processes, penalties could be enforced without having to push for "innovation stifling" regulations, and at the same time trust could be built in technology.
Given the privacy risks and citizens' lack of trust in how DCTs are overseen (or not) worldwide, governments must focus on erecting guardrails to build confidence in this technology, starting with strengthening existing systems.
If they manage to garner user confidence, governments could create a situation in which DCTs are trusted and become an integral part of global healthcare systems in the post-COVID-19 world.
