The legal implications of contact tracing in Chile
Andrés Culagovski, from Abdala & Cía., member of DRT International Law Firm & Alliance in Chile.
On February 26th, 2020, the first case of Covid 19 in Latin America was detected in Sao Pablo, Brazil. Countries throughout the region reacted by implementing a wide range of measures, reflecting national legislation, customs, and even ideology. The impact of those measures on personal privacy will have ongoing consequences throughout the region. One of the initiatives which have been most closely scrutinized is that of contact tracing.
In Chile, in mid-April the government rolled out a contact tracing app, called CoronApp. Other countries throughout Latin America have also announced tracing applications, including Argentina (March 22nd), Brazil (February 28th), Colombia (March 12th, also called CoronApp), Mexico (April 2nd) and Peru (April 3rd).
Although no information is available about how widely the app has been downloaded in Chile, there have been a number of concerns about its compliance with privacy regulations.
Privacy protection has been enshrined as a constitutional right in Chile since 2018. However, the actual privacy legislation dates back to 1999, and is in need of updating. Under national law, all data that can be linked to a specific individual is considered personal data, and consent is also required for its treatment. The law also considers “data regarding physical and mental health, as well as data regarding sexual activity” to be sensitive data, and as such can only be processed with the consent of the individual data subject, or when it is necessary for the determination or conveyance of health benefits.
That’s where the doubts regarding the CoronApp begin. The application, which is available on the Apple store and Google Play, is linked to the user’s government-issued personal identification number, which all Chilean and foreign residents must have. Through the app, users can report and control their own symptoms as well as those of people under their supervision, indicate where they’ll be quarantining, and communicate any circumstance that may put others at risk of infection. The app can also and record a user’s location and receive health updates from health authorities.
Additionally, users get very little in return for exposing their private data. Since the app relies on self-reporting of symptoms, the government could use that information to single out individuals for quarantine or enforced testing, even without any actual medical data. There have already been cases of neighbors pushing back against medical professionals and others suspected of being infected, and this app could add to that discriminatory treatment. If the intention is that the app can refer people showing symptoms to local health services, that could be achieved by listing known symptoms and identifying health providers in the vicinity of the user, without collecting personal information beyond their location.
The policy also says that only the Ministry of Health and “other sanitary bodies authorized by law” may access the provided data, but goes on to say that the Ministry may transfer data to third parties “based on a judicial or administrative order”. This is broad enough that there is very little chance that users will know beforehand who may end up accessing their information.
In an apparent contradiction to the above, the app also states that user data can be transferred to third parties with which the Ministry signs cooperation agreements “for purposes compatible with those declared and consented to by the user”. These third parties must only take care to anonymize the data if they intend to publish the result of their analysis, implying that they will receive and use all personal and sensitive data intact. If they decided to sell that data to private health or pharmaceutical companies, which in theory could be construed as “purposes compatible” with those of the app, there would be very little that users could do.
Finally, the app declares that users’ data will be used and treated “as long as needed to protect public health, in the context of the medical emergency”, but authorities could make a strong case that, short of total eradication of Covid-19, data on this outbreak should be on hand to treat future events, indefinitely. And given the loose restrictions on transfer to third parties, that information could eventually be sent to “compatible” private companies, such as insurers and employers.
In short, while contact tracing can be a valuable tool for abating the spread of the virus, greater attention should be given to the protection of user privacy, to ensure that the implicit dangers of revealing private information do not outweigh the potential benefits of the app. Authorities should also be mindful that many of the most vulnerable members of the population, including seniors and lower-income citizens who are more exposed to underlying medical conditions, may very well not have the means to access the digital technology needed to run the application.