New legislation imposes stronger privacy protections on Australia’s planned contact-tracing app.

“The Australian government’s coronavirus tracing app will have stronger privacy protections under legislation which has passed Parliament,” reports The New Daily.

“People found accessing the data without authorization will face up to five years’ jail and fines of $63,000.

Businesses refusing to serve people because they haven’t downloaded the app will face the same penalties, along with anybody who tries to force someone to sign up.

The new privacy protections also make it a crime to store data outside Australia or communicate the information to someone overseas.”

Details from New Daily.

The IAPP — International Association of Privacy Professionals — offers its take on the top 10 impactful provisions of the California Privacy Rights Act ballot initiative.

  • Sensitive information obligations
  • New enforcement authority
  • Expanded data breach definition
  • Audits and risk assessment for high risk processing
  • Restrictions on automated processing and profiling
  • Right to rectification
  • Opt-in and heightened penalties regarding children’s information
  • Data retention limitation
  • Extended employee right moratorium
  • Service provider/third party extended obligations

Details from the IAPP.


Following Democratic and Republican federal Coronavirus data privacy bills, Sen. Elizabeth Warren, along with U.S. Rep. Andy Levin, and U.S. Sens. Jeff Merkley and Tina Smith, introduced a bill for the Coronavirus Containment Corps Act. The bill aims to enhance contact tracing in the U.S. to prevent COVID-19

Under the legislation, the Centers for Disease Control and Prevention (CDC) shall  provide to the appropriate Congressional committees a strategy to expand COVID–19 contact tracing.

The strategy will include:
  • Plans to use mobile or app-based contact tracing technology, including:
    • Plans to prevent the misuse of data and to ensure the automatic deletion of data after the conclusion of the COVID–19 public health emergency; and
    • Plans to prohibit data sharing with and within the federal government, with the exceptions of the CDC and the Indian Health Service;
  • Strategies to record and publicly report de-identified data, while protecting the privacy of individuals and information regarding their personal health.

Details from The Hill.

A United Nations representative warned of the privacy risks associated with contact tracing in the fight against COVID-19 in a recent interview.

“The danger is that measures brought in to protect citizens in exceptional circumstances, when most people accept they are needed, could outlast the current crisis, said Joe Cannataci, the U.N. special rapporteur on the right to privacy.”

“Dictatorships and authoritarian societies often start in the face of a threat,” he told the Thomson Reuters Foundation.

“That is why it is important to be vigilant today and not give away all our freedoms.”

“Surveillance and monitoring measures should be written in law and clearly limited in time” Cannataci said

“Governments should also favor voluntary tools such as phone-tracking apps requiring users’ consent over broader surveillance powers,” he said, calling on countries to set up independent bodies to oversee such measures.

“Any form of data can be misapplied in incredibly bad ways,” he said. “If you have a leader who wants to abuse the system, the system is there.”

Details from Reuters.

Democratic Senators introduced a second COVID-19 privacy bill.

It addresses the collection and processing of data in connection with fighting the COVID-19 pandemic. This Democratic Senate bill shares a number of key points with the recently filed Republican Senate bill, among them:

  • consent required for collection and revocable
  • disclosure at collection
  • information security
  • data minimization (collect only what you need)
  • retention limitation (delete after revocation and after the pandemic).

The bill would be enforceable by the Federal Trade Commission and State Attorneys General, but this bill also adds a private right of action with statutory damages.

Read a detailed analysis in my client alert.

Dan Or-Hof and Rotem Perelman-Farhi analyzed the Israeli Supreme Court decision on COVID-19 related phone tracing by the Israeli Secret Service in an article for the International Association of Privacy Professionals.

“The violation of the right to privacy is severe because the [Israeli secret service] tracks the location and other personal information related to law-abiding citizens and residents by using a covert, coercive and non-transparent technology.”

“… the measures taken by the Israeli government to confront the COVID-19 virus are extreme and unusual and warned from a slippery slope effect, which may lead to the use of the [Israeli secret service’s] capabilities without proper justification for additional purposes. The court encouraged the government to find and deploy effective alternatives to the [Israeli secret service’s] means.”

Details via the International Association of Privacy Professionals.

Alessandra Pierucci, Chair of the Committee of Convention 108 and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe, issued a Joint Statement on Digital Contact Tracing.

Key principles for digital tracing:
  • transparency
  • data minimization
  • impact assessment
  • de-identification
  • safeguards from automated decision making

More details in my client alert.

Italy’s Garante and France’s CNIL publish updated guidelines on privacy in the workplace as workplaces are opening up for a phased return to normal.


  • Automatic collection of temperature (e.g. by thermal cameras) is not allowed
  • Taking temperature by means of a manual thermometer (such as for example of infrared type without contact) at the entry of a site, without a trace being kept, nor any other operation is carried out (such as readings of these temperatures, information feedback, etc.), does not fall under data protection regulations and is permissible.

Per Garante:

  • If you are recording temperatures per legal requirements, you may do so but while recording only whether or not the temperature exceeds the threshold established by law and the reasons that prevented access to the workplace (if you are required to document this).

Read the CNIL guidance.

Read the Garante guidance.