Governments are turning toward the use of data driven solutions as part of their response to the COVID-19 pandemic, which raises numerous privacy concerns.
Contact tracing technology seeks to inform and notify individuals that have been in contact with a person infected with COVID-19, enabling such individuals to self-quarantine, receive testing and, if required, obtain follow-up treatment.
Contact tracing apps (CTAs), alongside measures such as the deployment of comprehensive testing regimes and eventual vaccination, will hopefully provide an effective means for managing the pandemic across the globe.
Utilising technology and data to achieve this objective, whilst protecting individuals’ rights and freedoms, is a task governments worldwide are currently grappling with, with varied approaches in overcoming such a challenge.
Contact tracing across the globe
In March 2020, Singapore’s government instructed its Government Technology Agency, and Ministry of Health, to create the app Trace Together. Through the exchange of Bluetooth signals between phones, it detects other users in close proximity, enabling contact tracers to inform close contacts of COVID-19 cases quickly.
Other governments in the region swiftly replicated the technology, with varying degrees of success:
- Indonesia: released a Bluetooth-based tracking app at the end of March, but currently has fewer than 400,000 downloads;
- Philippines: an executive order was released by the governor of Cebu requiring all residents to download a locally developed version, solely relying on self-reporting;
- South Korea: the government developed an app aimed at tracing movements of individuals in quarantine, with new airport arrivals’ installation of the app, a mandatory requirement. Due to individuals leaving quarantined areas, with their app-installed devices left behind, the government have now issued tracking bracelets
European approach and concerns
Across Europe regulators and government bodies have issued opinions, recommendations and released guidance on the privacy concerns of CTAs including:
The key principles consistent across all the above documentation, are for European governments to adopt a harmonised and uniform approach to the development and implementation of contact tracing technology and deployment of CTAs, which implement and reflect the principles of the GDPR; including:
- Data minimisation: Data processed by CTAs to be limited to the bare minimum. CTAs should not collect any unrelated or unnecessary information, including device identifiers such as the device’s IP address or location data. Low energy Bluetooth communications data (or data generated by equivalent technology) should instead be used to determine proximity;
- Data controllers: CTAs should be designed to enable national health authorities, and / or public organisations carrying out COVID-19 investigations, to be data controllers;
- Data protection by design and default: The significance of carrying out a data protection impact assessment prior to the deployment of CTAs or related technology that process health data on a large scale, is highlighted throughout the above documentation
- Purpose limitation: Governments are turning toward the use of data driven solutions as part of their response to the COVID-19 pandemic, which raises numerous privacy concerns. European governments should define a specific purpose for the collection of CTA data, that excludes any further unrelated processing, and ensures the use of the data is adequate, necessary and proportionate to that purpose
- Security measures: Data identifying individuals through CTAs should be stored on the individual’s device, using state-of-the-art cryptographic processes and encryption, with the exchange of pseudonymous identifiers between users’ devices sufficient to analyse proximity data
- Lawful basis: There have been differing opinions across European regulatory bodies regarding the correct legal basis for the processing of personal data under CTAs. Some regulators have indicated that given the voluntary nature of the app, consent would be the correct lawful basis for the processing of personal data under CTAs. The EDPB has recommended the lawful basis as a necessity for the performance of a task in the public interest, concluding that if processing is based on consent the burden would remain on the controller to ensure that the strict requirements for consent, as a legal basis, are valid and met
- Data retention: Data should be only be retained in conjunction with transparent medical requirements, including epidemiology considerations, and solely for the duration of the COVID-19 pandemic. Proximity data should be deleted within one month of collection (incubation period plus margin), or after the person was tested and the result was negative. Thereafter, all personal data should be erased or anonymised, as well as the de-activation and dismantle of the CTA. European regulators are currently debating the appropriate system to store citizens data, following the introduction of the Pan-European Privacy-Preserving Proximity Tracing initiative (PEPP-PT). The PEPP-PT, which includes seven countries, such as France, outlines the use of a centralised system to store citizens’ data from CTAs. Germany conversely, issued its preference for a decentralised system such as DP-3T, following claims by privacy advocates that a centralised approach could result in increased government surveillance through, for example, access to individual’s location data. Decentralised systems are perceived by some European countries including Spain and Switzerland, as enhancing individual’s control over their data and minimising the risk to their rights and freedoms
Google and Apple’s collaboration
Google and Apple have collaborated to create software to enable public health authorities around the globe to create CTAs, using Bluetooth signals to sense when an individual is at risk of being infected with COVID-19. Individuals will download official public health apps, that will share anonymous data with governments and public health organisations.
A matching process will take place through a decentralised system on users’ handsets, matching those that are at risk of contracting COVID-19, with alerts sent directly to their handsets. Google and Apple indicated that a decentralised approach provides increased privacy, limiting governments’ or a potential hacker’s ability to use a computer server to log specific individuals and identify social interactions.
Public health authorities will retain control in setting the parameters to define and calculate their chosen risk level, assigned to individuals receiving an alert that they have been exposed to a person who has tested positive for COVID-19.
The NHS’ technology unit NHSX, however, have rejected the software model proposed by Google and Apple’s collaboration, due to its use of a decentralised system.
NHSX instead believe a centralised system with a computer server assessing which handset should receive a matching alert will provide more insight into COVID-19's spread.
The success of CTAs in fighting the current pandemic is contingent upon user engagement; a substantial proportion of a country’s population downloading and keeping the app installed, as well as self-reporting. If CTAs are solely used on a voluntary basis, public trust and confidence in the integrity and management of individual’s privacy is vital for CTAs success.
The data protection and privacy issues are not only a matter of compliance, but are a key component in eliciting the trust of individuals; which if obtained, will make CTAs, in conjunction with wide-spread testing, an effective tool against lifting some of the measures imposed by governments world-wide, including lockdown.