These days in Shanghai there is a lot of talk about whether people have gotten their “green code” through Alipay or WeChat. The “green code,” of course, refers to the QR code generated from personal information gathered through various means to indicate that one is supposed to be “safe” from COVID-19 infection and therefore that he or she can be allowed to enter certain buildings or use public transportation.
This whole discussion has brought up an interesting consideration, and it is one that we have been receiving more and more questions about recently: what personal information can private companies collect while implementing the COVOD-19 restrictive measures , who can they reveal such information it to, and for what purposes?
Here is an example of one such question:
A colleague of ours was recently asked by a large multinational company if the MNC should be capturing employees’ body temperatures and tracking their physical locations through an internal maintenance app. Apparently, this had recently been promoted to the company as some gimmicky feature related to the outbreak.
Our thoughts:
Fact is indeed that as part of the emergency measures imposed by the government, private companies may be obligated to assist in collecting, reporting, and sharing relevant personal data for the purpose of helping to control the COVID-19 outbreak, as required by the relevant authorities or administrations (CDC, Health Commission, CAC organs, etc.) as stated in the relevant laws and regulations.
When collecting such personal data, however, companies must still follow basic data collection rules, such as prior consent of the person and smallest scope/minimum volume of personal data (in principle, only data of definite diagnosis, suspected diagnosis, and close contact information should be collected). Moreover, companies must have adequate technical and management rules in place to protect the personal data it collects, desensitize the personal data, and ultimately delete the personal data when the purpose has been served.
Unless a company has explicit authorization from the relevant authorities to do so, stepping outside the lines of the fundamental data collection and management rules will be illegal, even if the data is collected as part of the implementation of the emergency measures. This fact was actually confirmed and emphasized in the Notice Regarding Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Epidemic Prevention and Control, issued by the Office of the Central Cyberspace Affairs Commission on February 4, 2020.
That said, it is indeed possible, even likely, that some companies may try to abuse the current emergency situation to illegally collect personal information for its own purposes. With that in mind, the Notice reiterates that any illegal collection, use, or publication of personal data should be reported to the Cyberspace authority and to the PSB.
It seems to us that constant tracking of temperature and location/movement would fall outside the scope of what is mandated by the authorities and relevant laws and regulations. So, if you are asked or required to collect or provide data outside of this scope, there must be clear authorization from the authorities we mentioned above.
So then, you will ask, what about those “green codes?” Well, to be honest we are still researching this but at this point we must assume that there likely must have been some kind of exceptional authorization delivered by authorities at a relevant level to authorize the private companies producing the “green code” apps to collate enough personal data from existing government data bases, for them to be able to provide a quasi-immediate health clearance for every individual. It will be interesting to see if the companies will abide by the rules and restrict themselves from using any such data for any other purposes. We will keep you posted as we learn more.