Privacy in the times of the COVID-19 Pandemic: Disease Control via AI & Big Data

The COVID-19 virus has infected more than 920,939 globally and the outbreak has been declared a pandemic by World Health Organization (“WHO”).  Since the first time Chinese health officials informed the WHO  about a cluster of patients with a mysterious pneumonia on December 31, 2019, China has reported no new locally transmitted Coronavirus cases for the first time since the pandemic began. China’s hospitals, once overwhelmed by the COVID-19 patients, are now empty. Chinese authorities were able to build two hospitals dedicated to COVID-19 in Wuhan in just over one week. Strict social distancing measures were also implemented to control the viral pandemic. China canceled sporting events, theatres; suspended flights and trains; and extended school breaks. Anyone who had to go outdoors had to wear a mask. Moreover, China relied on aggressive measures to slow the spread of the virus with massive lockdowns and electronic surveillance measures.

A report by WHO released last month stated that AI and big data are a key part of the disease response in China, where they were used for contact tracing and management of priority populations. Two widely used mobile apps, AliPay and WeChat, assisted Chinese Government to track COVID-19 patients through their digital payments. The officials also reported that they have tracked offline and online purchases of fever medicine. The authorities also used social platforms and apps to monitor movement to employ a traffic-light system. Color codes on mobile phones designated a person’s health status and allowed authorities to check individuals at train stations and checkpoints to know who to let through. The government also used facial recognition and thermal sensors in drones and helmets to identify and monitor the infected individuals.

Though the Chinese government did an excellent job controlling the COVID-19 outbreak, some privacy experts worry that many important privacy issues were brushed under the carpet during these extraordinary times. For example, individuals might disregard the potential issues regarding surveillance, user consent, data collection, and storage when faced with a health crisis. Another important privacy concern is who will have access to this data. If the facial recognition data were sold to third parties, it would make it possible for third parties to identify individuals on security cameras. Global and national emergencies, like pandemics, can require transparency and access to more data­ to control the situation —thus compromising privacy. Consequently, it is important to create effective and proactive laws to deal with novel challenges pertaining to uses of personal data, particularly biometric data, gathered by AI prior to those emergencies.

Moreover, Canadian privacy laws include several provisions that authorize the collection, use and disclosure of personal information in the context of a public health crisis or “emergencies”. The Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act extends the powers granted to federal and provincial governments that might be relevant in the time of a public health situation. For instance, although PIPEDA generally requires meaningful consent of the individual for the collection, use or disclosure of their personal information, there are certain circumstances where personal information can be used without the consent of the individual. The consent may not be required if the collection is clearly in the interests of the individual but consent cannot be obtained in a timely way; if the collection and use is for the purpose of making a disclosure required by law; or if the disclosure is requested by a government institution under a lawful authority to obtain the information and the disclosure is for the purpose of enforcing or administering any of federal or provincial law. While Canadian privacy and data legislation provides stronger protections for Canadians, only time will tell whether they may still permit privacy violations similar to those that occurred in China.  

Written by Elif Babaoglu, Contributing IPilogue Editor and JD Candidate at Osgoode Hall Law School. Elif is also the co-director of events at the Osgoode Privacy Law Society.