The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates
This report surveys the regulation of electronic means to fight the spread of COVID-19 in 23 selected jurisdictions around the globe, namely Argentina, Australia, Brazil, China, England, France, Iceland, India, Iran, Israel, Italy, Japan, Mexico, Norway, Portugal, the Russian Federation, South Africa, South Korea, Spain, Taiwan, Turkey, the United Arab Emirates, and the European Union (EU).
As of June 4, 2020, a total of 6.4 million confirmed cases of COVID-19 had been reported worldwide, with the most cases being reported in the United States (1.8 million), Brazil (555,383), and the Russian Federation (432,277). Of those cases, 383,872 people have died. COVID-19 is caused by the SARS-CoV-2 virus and spreads from person to person through droplet and contact transmission. Currently, there is no known cure or vaccine. Countries therefore have to find other ways to control and mitigate the spread of this infectious disease in order to break the chain of human-to-human transmission, such as case identification, isolation, testing, contact tracing, quarantine, and location tracking.
Many governments have turned to electronic measures to provide information to individuals about the COVID-19 pandemic, check symptoms, trace contacts and alert persons who have been in proximity to an infected person, identify “hot spots,” and track compliance with confinement measures and stay-at-home orders. Dedicated coronavirus apps that are downloaded to an individual’s mobile phone, the use of anonymized mobility data, and creating electronic databases are the most common measures. However, it is unclear whether such digital solutions by themselves are sufficient to contain the spread of the virus. The World Health Organization (WHO) recommends using digital proximity tracking only as a supplement to other measures such as increased testing and manual contact tracing.
Most of the surveyed jurisdictions have developed one or several dedicated coronavirus apps with different functionalities, such as general information and advice about COVID-19, symptom checkers, and contact tracing and warning. In order to be effective and provide accurate information, the applications need enough data, meaning enough people need to download the app. Some countries had low download rates, or, as in the case of Norway, only initial high enthusiasm. Other problems observed were technical glitches in computer systems that led to false information being reported, which happened in Russia, where people were erroneously fined or fined several times. In the UK, there were reports that the app was unable to work properly if another app was being actively used.
In the majority of the surveyed jurisdictions, the download of a COVID-19 app is voluntary. The EU in non-binding guidance to Member States recommended the use of voluntary apps because of the “high degree of intrusiveness” of mandatory apps. However, some exceptions were observed. In the UK, a body established to consider the ethics of the app noted that it would be possible to require the app for individuals returning to work or using public transportation. In Argentina, installing the contact tracing app is generally voluntary; however, people who enter the country from abroad and people who return to work are obligated to install it. India’s contact tracing app’s use was considered voluntary when launched in early April but became mandatory for public- and private-sector employees in early May. This requirement was eased in late May after criticism from privacy and digital rights organizations. In China, even though the health code apps that assign different color codes to people depending on their infection status appear not to have been made compulsory, they are de facto compulsory in many cities as citizens without the code are not able to enter most public places. In Turkey, travelers whose HES codes on their app indicate that they were diagnosed as positive or have been in contact with a person diagnosed as such are not allowed to use public transportation or airplanes. In Russia, all people identified as having been in contact with an infected individual must install the “Social Monitoring app” or face a fine. Individuals with no cell phone receive special devices with a preinstalled Social Monitoring app. And, as noted below, in some countries persons required to quarantine must install an app to allow the authorities to monitor their movement.
Some of the surveyed jurisdictions have also established databases in which the health information of infected persons is logged. South Africa established an interim database in which health care professionals who test a person for COVID-19 must enter the person’s identification and contact information, including cellphone number, for inclusion in the database. The French government has developed two electronic databases, one where all COVID-19 test results are recorded and one to facilitate contact tracing. The data in both systems may only be accessed by medical professionals who are subject to medical confidentiality. In China, the health code apps reportedly rely on a combination of self-reporting by the user, COVID-19 databases set up by government authorities, and data held by other sources, including the public transportation, telecommunications, and banking sectors.
Technology is also used to measure compliance with quarantine measures or stay-at-home orders. South Korea has developed an electronic wristband that monitors people’s compliance with self-quarantine; however, it is not mandatory and violators must consent to wearing it. Spain used mobile phone location data to track people’s movements and verify how closely the nationwide lockdown was being observed. Norway used telecommunication data to determine whether people complied with travel restrictions during the month of March 2020; however, no individuals were targeted by that approach. In Russia, QR codes that serve as digital passes were required to use public transportation for the self-isolated population. Taiwan’s “digital fence” monitors the location of those required to undergo home quarantine via their own cellphones or government-issued cellphones, with the goal of preventing their movement. In the United Arab Emirates, people who are ordered to quarantine must install an app, which sends alerts to them to stay within the range of movement allowed during the quarantine and provides health authorities with the precise location of these individuals.
Furthermore, a few selected surveyed countries have used other electronic means to fight the spread of COVID-19. The Italian Civil Aviation Authority has approved the use of drones by local police to monitor social distancing. Israel has utilized the surveillance technologies of the Israel Security Agency (ISA) to trace patients and those with whom they came into contact during the period from mid-March 2020 to early June 2020. In response to a ruling by the Israeli Supreme Court requiring the ISA activities to be defined in legislation and public criticism over privacy concerns, the government announced on June 8, 2020, that it would no longer utilize ISA surveillance for tracing COVID-19 patients or promote relevant legislation in this regard unless a new outbreak takes place.
However, these electronic measures also raise privacy and data protection concerns, in particular as they relate to sensitive health data. Appropriate safeguards have to be put in place to ensure that the electronic measures are necessary and proportionate, such as consent, data minimization, privacy by design, transparency, nondiscrimination, security of data, deletion or anonymization of data once it is no longer necessary, and oversight mechanisms, among others. South Korea, for example, has been criticized for releasing a detailed log of movements of COVID-19 patients, including the time and names of places they visited, through the media and related websites. The European Data Protection Board has voiced concerns with regard to apps that use location tracking as they violate the principle of data minimization. In Australia, critics voiced concerns that United States law enforcement entities could gain access to the app data, because the data is being hosted in Australia by Amazon Web Services, a US company subject to the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Iceland’s app, on the other hand, has received international recognition as one of the least invasive apps from a privacy perspective.
Some countries conducted rights impact assessments before the measures were deployed to ensure that individual rights would not be violated and to promote public acceptance, or had data protection agencies conduct an assessment after deployment. The French government sought advice from the independent National Commission on Information Technology and Freedoms (CNIL) twice before the introduction of the app. The Turkish Data Protection Authority released two guidance documents discussing privacy and data protection concerns with regard to electronic measures to fight the COVID-19 outbreak. In Australia, the Department of Health engaged a law firm to prepare a Privacy Impact Assessment (PIA) to advise the Department on how it needed to address and mitigate any identified privacy risks with regard to the COVIDSafe app. The PIA was published online. The Norwegian supervisory authority for the collection and use of personal data started an investigation after the introduction of the app to ensure that it complies with the Norwegian regulation on tracing and epidemic contagion related to COVID-19.
The map below shows which jurisdictions have adopted COVID-19 contact tracing apps and the technologies they use.
Prepared by Jenny Gesley
Foreign Law Specialist
Last Updated: 07/24/2020