In May 2020, a Korean man visited a series of bars and clubs in the Itaewon district of Seoul. The next day, he tested positive for COVID-19 and the Korean Center for Disease Control and Prevention snapped into action. To find out who the man might have come into contact with they combined different data sources, including credit card transactions from the clubs and bars he visited and GPS locations of mobile phones in the area at the time.
Some of this information was shared with the media, who reported the places the man had visited and noted that some were gay clubs. This led to the LGBTQ+ community being blamed for new COVID-19 cases and resulted in a surge in discrimination in a country where stigma against queer communities remains high.
The data collection and sharing practices of South Korea’s contact tracing system effectively risked the forced outing of LGBTQ+ Koreans. One man told The Guardian, “My credit card company told me they passed on my payment information in the [Itaewon] district to authorities. I feel so trapped and hunted down. If I get tested, my company will most likely find out I’m gay. I’ll lose my job and face public humiliation.”
As countries around the world continue to battle outbreaks of COVID-19, South Korea has been held up as an example of how to successfully limit the spread of the pandemic. Widespread technology and data use, from contact tracing to quarantine enforcement, has been a key part of this success. Many other countries have taken note and attempted to follow suit by integrating technology into their own responses. While this can be a win for public health and safety, the example above shows how technology and data use for pandemic response can facilitate human rights violations.
In the current COVID-19 landscape, data and technology solutions can be used for many positive outcomes, such as facilitating “back to work” efforts, enhancing research into COVID-19 vaccines and treatments, and allowing the resumption of economic activity while also protecting public health. However, these uses may also result in the infringement of privacy rights, new forms of discrimination, and harm to vulnerable groups. Some governments are using the emergency as an excuse to expand their power, leading to concerns that initiatives launched to address COVID-19 could become permanent forms of state surveillance.
As the providers of data and digital infrastructure, technology companies are often central in public health emergency response efforts. A company's responsibility to respect human rights does not disappear during a public health emergency—indeed, the severity of adverse human rights impacts makes it even more essential that companies undertake robust human rights due diligence.
A company's responsibility to respect human rights does not disappear during a public health emergency—indeed, the severity of adverse human rights impacts makes it even more essential that companies undertake robust human rights due diligence.
With the support of Microsoft, BSR developed a human rights framework for responsible business decision-making before, during, and after public health emergencies. The framework is intended to be used as part of human rights due diligence to guide business decisions related to technology and data use in response to public health emergencies. It is informed by a combination of international human rights law related to states of emergency; allowable limitations and derogations of rights; relevant regulations, standards, and principles grounded in human rights; and lessons learned from past emergencies.
There are various human rights norms, principles, and standards that can help navigate a pathway through these dilemmas. For example, Article 4 of the International Covenant on Civil and Political Rights (ICCPR) and its accompanying General Comment 29 allow governments to derogate from specified human rights during times of public emergency. The Siracusa Principles, adopted by the UN Economic and Social Council in 1984, describe limitations on the restriction of human rights that governments may apply for reasons of public health or national emergency.
However, three factors are challenging the application of these principles today:
- Changes in the digital realm: Ever-more-powerful computing, massive growth in the availability of data, increasingly sophisticated artificial intelligence capabilities, and the centrality of digital infrastructure in everyday life have transformed the opportunities and risks associated with the use of digital technologies for public health.
- Increased involvement of companies: These principles were written for governments rather than companies, yet today the private sector has a far more significant role and power in the fulfillment of human rights than when the principles were drafted.
- Complexities of a global pandemic: These principles were not written to address the complexities of a global pandemic, and new insights about their implementation are emerging in real time.
In addition to the framework, BSR’s report, Decisions, Decisions, Decisions. Responsible Decision-Making Before, During, and After Public Health Emergencies, makes recommendations for companies to help ensure they take rights-respecting approaches to future public health emergencies. These can be summarized as follows:
Act: What Companies Should Do Internally
Although responding to public health emergencies requires swift action, companies must still carry out human rights due diligence to identify, prevent, and mitigate their human rights impacts and foresee the possible impacts of their decisions. The framework outlined in the report can help companies balance privacy rights with the protection of public health.
In their quest to take action, companies should also take care to avoid known pitfalls of applying technological solutions to social problems. This includes things like ensuring a tech or data-based solution is the right one for the given context, working with appropriate government authorities, creating effective escalation processes for handling government requests and contracts during times of emergency, and avoiding open-ended projects.
Enable: How Companies Should Work with Others
Public health solutions are seldom executed from start to finish by a single company. Businesses therefore must be as transparent as possible about the work they are doing and effectively engage with relevant stakeholders, including other companies in the industry and governments, who are often the customers for technology solutions. Through transparency and working with their peers, customers, and partners, companies can create more effective public health solutions and prevent scope creep or misuse.
Influence: How Companies Should Influence Public Policy
Governments have the obligation to protect human rights and therefore have an important role to play in ensuring that pandemic solutions do not unduly limit the rights of their citizens. As governments come to companies with various health emergency-related requests, companies have an opportunity to advocate for rights-respecting approaches and push back on requests that cross the line. Companies can also advocate for standards or regulations that provide clarity on the on the balance between privacy and public health, as well as stronger health data regulations that close loopholes related to non-traditional health data. When companies are required by a government to share data beyond what is necessary and proportionate, they should push back as much as possible.
When companies are required by a government to share data beyond what is necessary and proportionate, they should push back as much as possible.
Although COVID-19 may be the first truly global pandemic of the modern age, it certainly won’t be the last—in fact, experts expect that pandemics will become increasingly common, and business involvement in addressing them will only grow. However, while the public health crises of the future may share some features with the COVID-19 pandemic, they may vary in other ways too—such as different dynamics of transmission, severity of the illness, availability of treatment, and the necessary control measures—and it will be important to both take the lessons learned from COVID-19 and be able to apply them in different contexts.