Export Compliance Daily is a Warren News publication.
ACLU, EU Release Guidance

Consensus Develops for Data Limits, Retention Guidelines for Contact-Tracing

There’s wide consensus COVID-19 tracing apps should be voluntary, and developers should follow guidelines for collecting, retaining and deleting data. The American Civil Liberties Union (see 2004160047) and the European Commission released similar proposals Thursday for protecting data. Privacy attorneys we interviewed largely agreed.


Apple and Google are developing an interoperable, COVID-19 contact-tracing app (see 2004100037). The Trump administration is reportedly looking to create a national coronavirus surveillance system (see 2004080037).

The ACLU wants apps to be voluntary and companies to store data on an individual’s device rather than in a centralized repository. It seeks use limitations, data minimization, data deletion, transparency and no “mission creep,” meaning the tracking shouldn’t continue after COVID-19. The European Commission recommends voluntary apps give users “full control” of personal data, limit use of that data, place “strict limits” on data storage, encrypt the data, ensure accuracy of data provided to third parties and consult with data protection authorities.

The ACLU got it “exactly right,” said Bryan Cave's Jena Valdetero. Developers should disclose risks, benefits and what’s being shared, which will allow users to make informed decisions, she added. Individuals likely want to know if they have been in contact with the infected, she said.

Many ACLU principles are generally correct, said O’Melveny's John Dermody. Core protections for intelligence data gathering include strict data retention timelines and data use limits. An effort to collect information needs to have very stringent protections, he said. Contact tracing will allow responders to direct resources where needed, but technology isn’t going to be the only solution, he said. Preventing further spread will ultimately require proper positioning of resources, he said, with testing, social distancing and medical treatment.

The Electronic Frontier Foundation warned a “faulty proximity tracing app could lead to false positives, false negatives, or maybe both.” Reliable apps go through several rounds of development and refinement, wrote EFF Senior Staff Attorney Andrew Crocker, Deputy Executive Director Kurt Opsahl and Staff Technologist Bennett Cyphers: “We must ensure that the word ‘crisis’ does not become a magic talisman that can be invoked to build new and ever more clever means of limiting people’s freedoms through surveillance.”

Statistics could aid a “more targeted response” and lead to “tailored policy that allows a faster reopening where safe,” wrote American Action Forum Technology and Innovation Director Jennifer Huddleston. Voluntary response through opt-in consent could better inform public health officials, she wrote. She sought “clear guardrails on its use and collection to prevent surveillance or other abuses.”

Deleting information after it serves its purpose is important, wrote Center for Strategic and International Studies Senior Adviser Glenn Gerstell: “Almost all terrorist-related data the NSA collects is required by law to be deleted after a set period of time, in part to minimize the temptation to use it for other purposes.”