top of page
  • Writer's pictureDurham Pro Bono Blog

Privacy v Pandemic: ethical issues raised by contact tracing applications during COVID-19

Disclaimer: The views expressed are that of the individual author. All rights are reserved to the original authors of the materials consulted, which are identified in the footnotes below.

By Titlee Pandey

The urgent need to restart life amidst a pandemic has depended on effective public health management through tracing and limiting the spread of the virus. Manual contact tracing, used previously by the NHS and by other healthcare systems for STIs and epidemics, proved to be too slow and burdensome; the transmission of the coronavirus precedes symptoms, and the volume of cases exceeded the amount of contact tracers available.1 This triggered the immediate need for digital public health tools in the form of contact tracing applications on smartphones. These, however, came with their own ethical implications concerning risks to privacy, and the right to protect private information and autonomy.2 This essay aims to discuss these issues and analyse how the risks can be balanced against the urgency of the global pandemic.

Digital public health technologies are to some extent bound to interfere with the right to privacy, by requiring users to provide sensitive information like health status and location.3 This risk can vary, depending on the data types used by the application4 ; GPS, mobile tower data and sensor tracking, for example, are much more invasive tools than Bluetooth, which only measures spatial proximity between mobile devices. If specific and granular tools, such as GPS and mobile tower data are used, there is a high risk of discrimination through collection of data on race, gender, socioeconomic group or even political affiliation, which may create division and vulnerability not only during but also post-pandemic.5 A possible Black Mirror-esque threat is that the data collected from contact tracing apps could be applied to other forms of surveillance and shared with third parties for purposes other than COVID-19 mitigation.6 This is particularly concerning, as there is no end in sight for use of these applications; in Hungary the government instituted emergency powers to fight the pandemic without stating an expiration date, meaning it could continue heightened surveillance through mobile devices.7

Personal autonomy is another right that could be undermined through the use of public health technologies. The strongest breach occurs when mandatory use is imposed. For example, in Qatar, the use of the proximity tracking application EHTERAZ is compulsory, and failure to comply leads to a three-year jail time and/or a fine.8 Other countries have made their apps necessary to access services; in China, it is mandatory to show health status on an application to enter many offices, restaurants, parks and malls. Such measures make it virtually impossible to opt-out of using the application.9 Another threat to autonomy is when applications include permissions to collect data that falls outside the ambit of their stipulated purpose, depriving people the ability to consent to being tracked, or data being shared. In a brazen breach of autonomy, the Polish government created accounts on its contact tracing application for suspected quarantine patients (those who were travelling internationally), and required all those self-isolating to send selfies of themselves on request.10 While mandating contact tracing for those in quarantine and the infected could be justifiable through the principle of beneficence (as quarantine would be undermined if it remains voluntary), such an extreme overreaching of autonomy should amount to an infringement.

To ensure mitigation of the pandemic and the least interference with the rights to privacy and autonomy, various legal protections and ethical principles are in place. In the EU, the regulatory principles of the General Data Protection Regulation, Article 8 ECHR (the right to a private life) and other recent resolutions towards coordinated action for safeguards around contact tracing applications, all collectively help uphold the fundamental rights to privacy and autonomy.11 In the UK, patient information can only be processed (through digital means or otherwise) by explicit orders of the Secretary of State under article 251 of the NHS Act 2006.

In a recent joint declaration by world-leading scientists and researchers from 27 countries, four principles to achieve ethical contact tracing were laid down.12 The first principle is limited access to information, meaning the applications ought to collect only the minimum required amount of data in order to achieve their purpose. The second principle necessitates that the protocols and implementation of digital public health solutions should be transparent and that the data should be stored unambiguously. The third principle entails that the most privacy preserving option available must be used. And finally, the usage of the application must be voluntary; data should be collected only after gaining the user’s explicit consent. There must also be an option to switch off data collection and delete everything collected post-pandemic.

In a crisis like COVID-19, some rights will be necessarily be infringed upon for the overall public benefit. However, the balance between individual rights to privacy and autonomy, and the urgent need to mitigate the pandemic must still be struck. Bodies tasked with building contact tracing applications should keep privacy protection and the afore-mentioned ethical principles as their indispensable goals. For digital public health tools to work, they must respond to the need of the hour, adhere to ethical principles and create internal safeguards for the smooth functioning of these applications.



[1] Alex Dubov, 'The Value and Ethics of Using Technology to Contain the COVID-19 Epidemic' [2020] 20(7) The American Journal of Bioethics

[2] Amnesty international, 'COVID-19, surveillance and the threat to your rights' (Amnesty International, 3 April 2020) <> accessed 16 November 2020

[3] Lisa Lee and others, 'Ethical Justification for Conducting Public Health Surveillance Without Patient Consent' [2011] 102(1) American Journal of Public Health 38-44

[4] European data protection supervisor, 'Monitoring Spread of COVID-10' (, 25 March 2020) <> accessed 18 November 2020

[5] Paul Quinn, 'Crisis Communication in Public Health Emergencies: The Limits of ‘Legal Control’ and the Risks for Harmful Outcomes in a Digital Age' [2018] 14(4) Life Sciences, Society and Policy

[6] Paul Mozur, 'In Coronavirus Fight, China Gives Citizens a Colour Code, With Red Flags' (The New York Times, 1 March 2020) <> accessed 20 November 2020

[7] Laszalo Bruszt, 'Viktor Orban: Hungary's Disease Dictator ' (Balkan Insight, 23 April 2020) <> accessed 20 November 2020

[8] Amnesty international, 'Qatar: 'huge' security weakness in COVID-19 contact-tracing app' (Amnesty International, 26 May 2020) <> accessed 20 November 2020

[9] Japan times, 'Green or red light: China coronavirus app is ticket to everywhere' (Japan Times, 13 May 2020) <> accessed 20 November 2020

[10] Isobel Hamilton, 'Poland made an app that forces coronavirus patients to take regular selfies to prove they're indoors or face a police visit' (Business Insider, 23 March 2020) <> accessed 20 November 2020

[11] Gabriela Zanfir-fortuna, 'European Union’s Data-Based Policy Against the Pandemic, Explained' (Future of Privacy Forum, 30 April 2020) <> accessed 20 November 2020

[12] Sebastian Klöckner, 'Joint Statement on Contact Tracing: Date 19th April 2020' (CISPA April 2020) <> accessed 21 November 2020

169 views0 comments


bottom of page