Recent Developments
Government Activity
U.S. Supreme Court to Review Federal Anti-Hacking Law For the First Time
On April 20, 2020, the U.S Supreme Court agreed to hear the case of Van Buren v. United States, whose petitioner challenges the scope of the Computer Fraud and Abuse Act (CFAA). The case involves the conviction of a former police officer who, while the target of a Federal Bureau of Investigation (FBI) sting operation, allegedly violated the CFAA by looking up an individual's license plate number in exchange for money. The CFAA has been subject to varying interpretations by various U.S. circuit courts, with the First, Fifth, Seventh, and Eleventh Circuits ruling for a broader view of the CFAA's scope than the Second, Fourth, and Ninth Circuits. According to an article from Cyberscoop, the circuit courts' rulings mainly diverge due to differing opinions on whether individuals are in breach of the CFAA if they violate provisions from specific entities' "Terms of Service," or if CFAA violations only occur when individuals achieve unauthorized access by "bypass[ing] technical constraints." In a Politico article on the matter, a University of California, Berkeley law professor is quoted as stating that the Supreme Court will likely "narrow" the CFAA's scope.
Congressional Research Service Examines Fourth Amendment Considerations in Coronavirus Digital Surveillance
On April 16, 2020, the Congressional Research Service (CRS) published a report titled "COVID-19, Digital Surveillance, and Privacy: Fourth Amendment Considerations." The report noted that many countries have employed digital surveillance measures by using data, such as location data, to attempt to track and minimize the impact of the novel coronavirus. According to the report, the Fourth Amendment to the U.S. Constitution may determine the parameters of attempts at similar "invasive" or obligatory data surveillance in the U.S. The report stated that a warrant or probable cause requirement may be inapplicable when "special needs" make those requirements "impracticable," and cited the Supreme Court's previous statement that a "substantial and real" threat to public safety may justify "blanket suspicionless searches calibrated to the risk." The report noted that a government effort that included compelled provision of location data on specific individuals may be seen as objectionable by a court. The report noted that Congress may "attempt to establish standards for governmental acquisition of digital-location" or other types of data in response to the pandemic but added that Congress may not legislate away constitutional protections.
United Kingdom's Information Commissioner's Office Sees Google, Apple Coronavirus Efforts Aligned with Data Protection Principles
On April 17, 2020, the United Kingdom's primary data regulatory authority, the Information Commissioner's Office (ICO), published a formal opinion on Google and Apple's recently launched "contact tracing" initiative, which we reported on last week. In a blog post announcing the opinion, UK Information Commissioner Elizabeth Denham noted that the Google and Apple project "broadly align[s] with the principles of data protection by design and default," and that Google and Apple have clearly demonstrated how their project aligns with such principles. Commissioner Denham also noted that "it is right that [government entities] explore" the use of contact tracing initiatives as a means of evaluating societal isolation measures and to inform individuals about potential exposure to COVID-19. She added that so long as UK data protection principles including fairness, transparency, and proportionality are upheld by contact tracing projects, data protection laws should "not get in the way of innovative use of data in a public health emergency."
European Data Protection Board Guidelines Do Not Require Consent for Governments' COVID-19 Monitoring and Contact Tracing Applications
On April 21, 2020, the European Data Protection Board (EDPB) published guidelines "on the use of location data and contact tracing tools in the context of the COVID-19 outbreak." In the guidelines, the EDPB states that enrollment in and use of location monitoring and contact tracing applications should be voluntary. The guidelines added that the voluntary basis of contact-tracing applications does not mean that the processing of personal data must be based on consent, noting that there is a legal basis for data processing that is not consent-based when, as here, such processing is necessary for the public's interest. As noted in an article entitled "Privacy in a Pandemic" in The Economist on April 23, 2020, there are exemptions for public health crises written into Europe's data protection laws. The Economist notes that a "more comprehensible" debate on the European Union's privacy policy may be a consequence of the coronavirus, and adds that voters will judge their governments on how quickly life returns to normal.
Senators Weigh In on Standards for Contact Tracing Applications
Throughout the week, lawmakers have pressed for action related to COVID-19 contact tracing applications. On April 21, 2020, Sen. Josh Hawley (R-MO) wrote a letter to Google and Apple's CEOs requesting that they ensure consumer privacy in their efforts to mitigate the coronavirus pandemic. Also on April 21, 2020, sixteen Senators sent a letter to the Centers for Disease Control (CDC) and the Department of Health and Human Services (HHS) urging the agencies to establish tracing mechanisms to assist in the mitigation of the coronavirus pandemic. The letter includes a request for examining contact tracing, including data collection. On April 22, 2020, Sen. Ed Markey (D-MA) outlined his nine principles for a national contact tracing plan in a letter to Vice President Mike Pence. The letter states that, among others, the nine principles include: (1) an "opt-in" contact tracing system; (2) transparency related to data collection and processing; (3) data security obligations; (4) accountability for data misuse and other violations; and (5) data minimization and data use limitations.
Technology
Privacy Advocates Weigh In on Coronavirus Tracking Efforts
On April 18, 2020, the Washington Post published an article entitled, "Coronavirus tracking apps meet resistance in privacy-conscious Europe." The article noted that European governments are more cautious to use location tracking surveillance to mitigate the COVID-19 outbreak, and added that this could serve as a setback for those countries. The article stated that Austria, a country that utilized such technology, is beginning to rollback coronavirus mitigation efforts. According to the article, Germany, the United Kingdom, the Netherlands, and France are examining applications that include opt-in for data collection, anonymized data, and no GPS data sharing with telecom companies and the government. The article expressed concern that not enough consumers are using the application thus making it ineffective. An April 20, 2020, TechCrunch article stated that 300 "academics" expressed support for applications that use automated Bluetooth tracing to mitigate COVID-19. Also, according to an April 21, 2020 article in Politico, the board of the Electronic Privacy Information Center (EPIC) announced that EPIC's co-founder and long-time leader was departing, following reports that he had continued going to work and meeting with staff after a doctor directed him to take a coronavirus test that later came back positive.
Help: European Governments Ask Smartphone Manufacturers to Pave Way for Contact Tracing Apps
On April 21, 2020, Bloomberg Law reported that the French Digital Minister requested that Apple remove a portion of its privacy safeguards to ensure a smooth deployment of Bluetooth contact tracing. According to the article, Apple does not allow Bluetooth technology to run in the background if such data is set to be shared off the device. The article stated that Minister Cédric O noted such prohibition would hinder France's contact tracing app, which it plans to deploy on May 11, 2020. According to the article, European Union (EU) officials want the option to store Bluetooth contact tracing data in a "centralized location" to ensure that public health officials have access to such data. According to the article, EU officials emphasized that the application must be voluntary. On April 22, 2020, Bloomberg Law reported that EU Digital Commissioner Thierry Breton echoed the French Digital Minister's call for Apple's compliance with the proposed application.
Cybersecurity Challenges: Hackers Work From Home Too
Following our reporting on hospitals' cybersecurity concerns in light of the COVID-19 pandemic, data associated with COVID-19 held by federal and international entities has been targeted by cybercriminals. On April 21, 2020, Bloomberg Law reported that hackers have increasingly "targeted" World Health Organization (WHO) officials involved with the WHO's COVID-19 response work. The article stated that certain hackers targeting the WHO may be affiliated with nation-state groups and that the hackers have gained access to certain officials' credential information, though they have not infiltrated "sensitive internal systems." The article also noted that in response to increased hacking activity, the WHO has devoted additional resources to cybersecurity. Likewise, on April 22, 2020, Politico published a report noting that Google had reported that "a government-backed hacking group" targeted U.S. government employees via phishing. According to Google, no targeted accounts are currently known to have been compromised.
Also on April 21, 2020, Bloomberg Law issued a report stating that the U.S. Small Business Administration (SBA) experienced a security incident that potentially exposed data about 7,900 individuals. The report noted that affected individuals had sought aid from the SBA's Economic Injury Disaster Loan program and that the data may have been exposed to other individuals seeking aid. In the wake of what the FBI described as a "global increase in malicious cyber activity exploiting fear derived from the COVID-19 pandemic," the FBI published an update on cybersecurity incidents among healthcare providers. The update encouraged entities to notify the FBI if they are targeted by cybercriminals and included guidance for entities aimed at minimizing security risks.