Article by Bhredipta Socarana, CIPP/E (LLM ‘20)
Introduction
The outbreak of the coronavirus (COVID-19) that first infected the people of Wuhan, China, later spread to the rest of the world. In response to this, the World Health Organization (WHO) declared the outbreak as “pandemic” and called on State leaders to take actions. There are a number of actions carried out by these States, both at a national level, and also at a regional level. These actions, however, raise issues on the rights to privacy. The purpose of this article is to discuss some of the implications that these measures have for the rights to privacy. It calls for global privacy governance that balances the rights to privacy on the one hand and the State’s interest in protecting public health on the other hand.
Domestic and cross-border implications
The sharing of personal information related to combating COVID-19 implicates the right to privacy arises on two levels: internally between individuals and the use of their personal information by their States through individuals’ health screening and tracking, and externally between individuals and foreign States, on the potential cross-border personal health information case resulted from global mobility.
Internally, in Asia, efforts to mitigate further increases of COVID-19 cases by mass monitoring and tracking of individual’s health have been widely implemented such as in South Korea and Singapore. Through certain apps that are required to be installed by individuals, the governments are tracking the geographic location of individuals thus exposing their sensitive information to government agencies of these States. In Europe, countries are considering similar measures, while the US has not imposed similar measures yet though it is considering it. Additionally, personal health information is also shared between medical researchers to further the development of vaccines.
Externally, the need to share this information became more pressing as more and more people seek to return home before potential border closures. A sharing personal health information between departure States and arrival States will help the arrival State identify risks that may be posed by the travelers. Unfortunately, global data standards have not been developed to address this.
Granted, the right to privacy is often carved out by the exceptions to protect public health at domestic level laws, which must be applied in ways that are proportionate and accountable. Similar approach at the global level of personal health information sharing activities must be taken. However, in the absence of a global policy on the right to information privacy, the needs to have clear requirements and exceptions to sharing of personal health information become more pressing.
The needs of global information privacy governance
Qualifying the right to privacy in the middle of a pandemic may sound acceptable. Admittedly, even various international treaties grant public health concern as one of major exemptions in the fulfillment of obligation under international law. The International Health Regulations (IHR), in particular, is the primary international legal source relating to public health But there are qualifications to these exceptions too. For example, Article 45 of the IHR expects respect by States in relation to the privacy of its citizens, in accordance with the States’ national laws.
However, the absence of clear global governance on privacy creates uncertainties in protecting the right to privacy. The current scale of the outbreak and the potential needs of sharing personal health information between countries trigger the need for States to cooperate on an international level.
The call for global privacy governance is not novel as it has been discussed in numerous international discussions. The Global Privacy Assembly, participated by a number of privacy authorities around the world sets an example of a unified front for global privacy governance, although not every country participated. Accordingly, the current outbreak and the States' responses add an additional argument as to why global privacy governance is necessary.
Such a global information privacy governance should address the need to lay down multilateral global personal data transfer rules to address the evident weaknesses of bilateral arrangements that currently exist. In this way, there will be more legal certainty on what can be expected from States if, for example, personal information is shared with other States. Public in general, including medical researchers, will also be able to do more rigorous damage control assessments with a view to mitigate potential privacy violations. Lastly, States will be held accountable for their use of personal information as the public is allowed to scrutinize the States’ use of their personal information or by third parties contracted by States.
Conclusion
As Yuval Harari has said in his most recent publication “The World After Coronavirus”, global cooperation is needed in curing the current pandemic. Countries need to work hand-in-hand to solve the problems that COVID-19 and future outbreaks pose, and not to create other problems by not co-operating. This approach could also be applied to protection of information privacy, whether it’s in respect of personal health information or not, which at present remains limited as a matter of domestic concern. Global information privacy governance may not be a complete solution, but at least it may prevent further wounds to the right to information privacy and cure some of the symptoms of unlawful exploitations of the exceptions to that right.