COVID-19 spread to 188 countries and infected tens of millions of people in the matter of months. Organizations, including governments and employers, turned to health surveillance technologies to slow the spread and combat the disease. Protected health information and personal information are required for the proper and effective functioning of the health surveillance technologies. The collection, use, and dissemination of protected health and personal information raised data privacy and security concerns. But under the current data privacy and security regime—based on the reasonable expectation of privacy standard—protected health and personal information is not protected to the extent that it needs to be. Unlike other scholarly work, this article presents deeper analysis into the technologies, the data that powers them, and the applicable legal standards. The objective is to provide a better understanding of (i) the data privacy and security risks, and (ii) whether the current data privacy and security regime in the United States provides sufficient protections for individuals. This article explores two health surveillance technologies (contact tracing applications and health monitoring platforms), presents three categories of data (user-inputted, queried, and autogenerated data), and describes the data supply chains that power technology and organizations. I discuss the benefits and risks of collecting the protected health and personal information in response to the pandemic. I explore the current legal standards and jurisprudence, and I propose the Privacy Continuum to explain how the pandemic shifted the reasonable expectation of privacy. I present a case study to synthesize the foregoing, and I conclude by proposing a new legal standard—the right to control—and other reforms to effectuate true data privacy and security protections. Only then can we reclaim our right to privacy.
Read full abstract