CONTACT TRACING APPS: AN OPPORTUNITY TO SHARE A PIECE OF THE (DATA) PIE.

• Author: Boyd, Ellen

Text

[*267]

1. Introduction

   People around the world are confused and concerned about what companies do with the personal data (1) collected from consumers. (2) [*268] In fact, a recent global survey shows that only one in three adults realize how much personal data companies have stored on them, and even fewer know how much personal data their own state or federal governments hold (or even what it is used for). (3) This distrust runs far and deep; in fact, on average, "only a minority of citizens trust national government (39%)... [and] globally, most consumers agree that allowing companies to use personal data is something they should be able to refuse (62%) and that they should be paid or rewarded for it (54%)[.]" (4)

   Consumers' patent suspicion is hardly unjustified. The privacy industry is largely self-regulated, and it has been suggested that companies and websites actively simulate respecting users' privacy needs in order to trick users into turning over data. (5) At the Monetary Tech Summit in Iowa, 2020 Presidential Candidate Andrew Yang said, "so our current approach to data is this: it's a free-for-all, and companies get our data and then they sell it and package it and resell it and we are sort of on the outside looking in...." (6) Yang sees a proprietary interest in personal data as a necessary step to protecting consumer privacy and thinks if companies are making money off your data, then you should, too. (7)

   There is no single approach to privacy; different countries afford varying amounts of protection to individuals' personal information. (8) Internationally, the omnibus approach (implementing a comprehensive approach that protects individuals' data [*269] across all industries in most contexts) and the sectoral approach (regulating information on a sector-by-sector basis, allowing different industries to implement different regulations) comprise the two general approaches to privacy law. (9) The European Union (EU) utilizes a comprehensive approach with the general rule being that collection or use of personal data is not allowed unless permitted by law. (10) The Constitution of the United States does not explicitly reference personal privacy, though the Supreme Court of the United States - in a line of cases and through the Fourth Amendment's search and seizure rules - has inferred one." (11) Instead, the United States implements a sectoral model, as Congress's piecemeal laws exhibit, to protect against a variety of privacy issues. (12) One of such state laws, the California Consumer Protection Act

   (CCPA), (13) resembles the EU's comprehensive regulatory method and will be addressed in more detail below.

   Singapore previously used a similar approach to the United States but adopted the Personal Data Protection Act (PDPA) (14) in 2012 to govern the protection of personally identifiable information. (15)

   COVID-19's appearance in early 2020 resulted in a rise of contact tracing applications and a naturally growing concern for the privacy of those participating in contact tracing initiatives. (16) The private sector within the

   United States has made multiple contact tracing applications available and State governments are beginning to implement several contact tracing applications as well; for example, the California Department of Public Health recently rolled out a new contact tracing program on December 10, 2020. (17) The EU has seen similar implementation of contact [*270] tracing apps. (18) Singapore, the first government to introduce a national contact tracing application in March of 2020, has had recent general success with its app/token hybrid tracing methods. (19)

   The persistency of the COVID-19 virus and rise in use of contact tracing applications, set against a backdrop of wariness over use of sensitive personal information, leaves room for a solution that is beneficial to both governments and individual consumers. Singapore's healthcare system has been lauded as a positive example for public health initiatives. (20) Recently, a novel program introduced by Singapore's government actually pays users to participate in a program that encourages healthy habits and uses participant data to gauge program effectiveness and acts as the foundation for future health initiatives. (21) The United States has the capacity to implement a program similar to this, (22) and by creating a contact tracing application that allows users to opt-in to earn rewards, puts power back in the hands of the user. Such a program would improve efficacy of COVID-19 tracing through increased participation by way of incentives, and would also give users a piece of the (data) pie.

   Part II of this Article will provide a general overview of the current state of data as a commodity and will touch on consumer involvement in the sale and sharing of personal data with third [*271] parties through the lens of the GDPR, CCPA, and PDPA. Part III will discuss Singapore's LumiHealth initiative and looks to the LumiHealth app as an example of how consumers can affirmatively participate in the economic exchange of their personal data.

   Part IV will look to international contact tracing applications as examples for the current state of processing certain personal information in the United States, Singapore and across the EU. Part V of this Article will provide a conclusion restating the reasons why the United States should look to the Lumi Health initiative as a structure for a contact-tracing app that encourages participation through economic incentives.

2. Who Owns Our Personal Data? Who Has the Rights To Sell It?

   "We may disclose your Personal Information to... other third parties with whom we have a business relationship" (23) (or language to that effect) is a phrase familiar to most who have actually taken the time to sit down and read a privacy policy before using an application, service or online platform. Users often click through these privacy policies without considering the fact that by simply going about our daily routines, we generate hundreds of data points, from what we eat and drink, to the places where we spend time, to the products we buy. (24) Essentially, this means that we are giving away multitudes of free data to "companies that analyze, package, sell, and profit from it - not just every day, but every hour." (25) The ability to sell consumers' personal information to third parties is a pervasive source of revenue (26) for data controllers. (27)

   [*272] Generally speaking, data controllers justify selling consumer information as a tradeoff for providing personalized and curated content to users at no cost to the data subjects. (28) Although consumers are provided with access to the app at no charge, the benefits may not outweigh the costs as the price comes in the form of personal information disclosure. (29) Beyond this benefit, however, it is abundantly clear that users lose substantial control over their personal data after they make the initial decision to provide their information to the data controller.

   Ultimately, "users are forced to make a bundled choice that disregards temporal and contextual nuances of information sharing. The rise of data as a commodity has undermined user ability to preserve contextual integrity online." (30) Fundamentally, individuals are left with only one option: either share with everyone (i.e. the data controller and the data controller's third party affiliates), or share with no one and forgo advantageous services and personalization. (31) This choice between anticipated convenience and personal privacy can hardly be characterized as in the best interest of users.

   1. Theoretic Approaches to Data: Dignity, Monetary, and Dataism

      The philosophical debate over the commoditization of personal data renders compelling points on both sides however, this conversation generally focuses on monetary value to data controllers and third parties, and largely fails to consider consumers as active players in the grander economic scheme. Generally speaking, digital personal information is particularly valuable because "data is what economists call a non-rival good, meaning multiple users can consumer it at once." (32) Data is so valuable that it has been likened to oil; personal information in

      [*273] the 21st Century's data driven economy is not only necessary for a functional society, but it also offers tremendous benefit for those who learn to draw from it. (33) Economists argue that property-based market approaches make the most sense, because "market exchanges will then transfer that information to whichever party values it most, thereby achieving efficiency." (34) This free-market approach would not create full property rights in personal data, but instead permits consumers to obtain great control over their rights to personal information - ultimately affording users "the power to choose 'their optimal mix of privacy' without paternalistic intervention from the state." (35)

      In theory, this makes sense; however, proponents of the "dignity approach" argue that the opposing market-based theory "provides too little control over personal data. In the market-place, personal data will be lost in the shuffle, with citizens making bad choices or being coerced into transactions from which they cannot walk away. (36) These market-based approach naysayers ultimately contend that an economic model results in "information asymmetry and power inequality" (37) consumers only transfer data because they possess insufficient leverage, and privacy statements are so obtuse that consumers contract away rights without fully understanding what they are agreeing to. (38) In essence, this represents the current situation where firms tend to own the data from transactions and can use it in ways consumers may not want and without the consumers' knowledge." (39)

      The counter argument to the commoditization approach is that privacy is a fundamental human right. (40) This argument is founded on the concept that...