COVID-19 - EC emphasises privacy is key to the effectiveness of contact tracing apps

As initiatives to adopt smartphone apps in the fight against COVID-19 gain increasing momentum across the globe, last week the European Commission (Commission) published applicable data protection guidance (the Guidance), as supported by the European Data Protection Board and the EU Member States’ own eHealth network.

This followed the previous week’s announcement from tech giants Apple and Google that they are collaborating over Bluetooth contact tracing technology to turn iOS and Android smartphones into COVID-19 threat-detectors, and a more recent list of privacy-preserving principles from Microsoft.

Apps could monitor the spread of infection and effectively manage self-isolation as mass restrictions on movement are gradually lifted. They also have the potential to support healthcare services by offering advice and guidance to users on symptoms of COVID-19. However, they will only be effective if used by a majority; estimates vary, but this could be as many as 80 percent of smartphone owners. To achieve this, users will need to trust that their fundamental rights, including privacy, are protected and their data is not used, for example, to track their movements. We identify the key consumer privacy concerns and how these may be addressed.

Compliance with EU data protection legislation

COVID-19 tracing apps must comply with the General Data Protection Regulation (the GDPR) and the ePrivacy Directive. However, the Commission notes that apps responding to the COVID-19 crisis may potentially impact on a wider range of human rights in the EU (including, for the time being, the UK): respect for private and family life, freedom of association and non-discrimination.

National health authorities to act as data controllers

The Commission believes that national health authorities should act as data controllers in order to increase public confidence in use of the apps. Having public health authorities in control of the data processing ensures data will not be used for alternative purposes, such as advertising tracking, and allows action to be taken with the consumers’ best interests at heart. For example, uncertainty over who is responsible for data processing has led the Dutch data protection authority to request further information from app developers shortlisted by the Dutch government.

This reflects Apple and Google’s approach: their jointly developed APIs (application programming interfaces) will be available for use in apps ultimately published and controlled by national health authorities.

Consent and control

The Commission stresses that users of COVID-19 tracing apps ought always to remain in control of their personal data. Aside from ensuring that users can exercise their GDPR rights, the installation of these apps should be entirely voluntary. Users should have as much information as possible available to them about the processing of their personal data. Where the apps provide multiple functionalities (e.g. contact tracing and symptom checking), individual consent must be provided for each function rather than tied together.

Consent also operates as the most appropriate legal basis for storage of user data on the device, and as per the GDPR it must be freely given, specific, explicit and informed.[1]

Limiting the scope and duration of data collection and processing

The Commission reiterates the principle of data minimisation; that “only personal data that is adequate, relevant and limited to what is necessary in relation to the [purpose] may be processed.” [2] This requires national health authorities to carry out assessments,[3] involving data protection authorities as appropriate, to determine the necessity of personal data to specific app functions.

Personal data collected by COVID-19 tracing apps should be destroyed as soon as possible. For example, for the purposes of contact tracing or symptom checking, proximity data should be deleted after a month as this securely encompasses the coronavirus incubation period. This is a strong indication that these apps may not be used for other purposes, such as advertising tracking. In order to attract as many users as possible to make contact tracing apps effective, developers, including Apple and Google, must make it clear that the identifiers created by these apps may not be used elsewhere, but also that they will be deleted as soon as possible, and in any event after the end of the crisis caused by the outbreak. The importance of limiting the duration of data collection has also been emphasised by Elizabeth Denham, the UK’s Information Commissioner.

Proximity as opposed to location tracking

The Bluetooth technology detailed in the Commission and the joint Apple-Google proposals, which involves the exchange of randomised, ephemeral identifiers between smartphone devices meeting one another, offers multiple benefits:

  • Unlike technologies such as GPS, this data could not be used to track user location.
  • It is precise (itself a data protection legislation requirement), decreasing the risk of false warnings to users who in reality have not had significant contact with a person testing positive for COVID-19.
  • It minimises the volume of data processed centrally, so has the benefit of lowering the likelihood of a large-scale data breach. Whilst it is possible to upload data to a centralised database, Bluetooth technology lends itself to decentralised processing, whereby the identifiers a device encounters are stored on the device itself. This type of processing better suits the data minimisation principle, and echoes proposals made earlier this month by a pan-European group of privacy experts, who have more recently published an open letter in support of decentralised processing to prevent large-scale government surveillance.
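
The decentralised model described above can be sketched in code. This is an added illustration, not the Apple-Google specification or any national app's code: the HMAC-based identifier derivation, the 15-minute rotation, the 30-day retention constant and the publication of a reporting user's daily keys are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 96  # assumed: identifier rotates every 15 minutes
RETENTION_DAYS = 30     # assumed value for "a month" of retention

def ephemeral_id(daily_key: bytes, interval: int) -> bytes:
    """Derive one rotating identifier; unlinkable without the daily key."""
    mac = hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256)
    return mac.digest()[:16]

class Device:
    def __init__(self):
        self.daily_keys = {}  # day -> secret key, kept on the device
        self.heard = {}       # day -> identifiers received over Bluetooth

    def broadcast(self, day, interval):
        key = self.daily_keys.setdefault(day, secrets.token_bytes(32))
        return ephemeral_id(key, interval)

    def receive(self, day, identifier):
        self.heard.setdefault(day, set()).add(identifier)

    def purge(self, today):
        """Data minimisation: drop keys and contacts past the retention window."""
        cutoff = today - RETENTION_DAYS
        for store in (self.daily_keys, self.heard):
            for day in [d for d in store if d < cutoff]:
                del store[day]

    def report_positive(self):
        """Assumed reporting step: only the retained daily keys are published."""
        return dict(self.daily_keys)

    def exposed_days(self, published):
        """Matching runs locally; the result names a day, never a person."""
        return sorted(
            day for day, key in published.items()
            if self.heard.get(day, set())
            & {ephemeral_id(key, i) for i in range(INTERVALS_PER_DAY)}
        )

def demo():
    # Constructed scenario: day numbers are arbitrary integers.
    alice, bob, carol = Device(), Device(), Device()
    bob.receive(100, alice.broadcast(100, 10))       # recent contact
    bob.receive(60, alice.broadcast(60, 5))          # contact older than retention
    carol.receive(100, Device().broadcast(100, 10))  # contact with someone else
    for device in (alice, bob, carol):
        device.purge(today=101)
    published = alice.report_positive()
    return bob.exposed_days(published), carol.exposed_days(published)
```

No central party ever sees who met whom: the only data leaving a device is the reporting user's own keys, and the day-60 encounter has already been purged on both sides before any report is made.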

Anonymisation

As mentioned above, the technology relies on identifiers, and it is key that users who do test positive for COVID-19 and report it through the app do not have their identity disclosed to other users with whom they have come in contact; the Commission Guidance warns that users should only be informed that they have come into contact with a person who has tested positive for COVID-19 in the past 16 days.

Conclusion

We continue to monitor the rapid developments in this space, where coordinated engagement of stakeholders – tech companies, regulators and data protection authorities alike – is required to balance data collection and data protection; this is something we also see with regards to issues of competition and data protection in digital markets. However, data collection and data protection can be “mutually reinforcing concepts”; as a global group of data protection stakeholders and regulators remarked last week, apps that provide privacy are more likely to attract users, which is integral to their effectiveness.

The proposals are as yet unclear as to the exact method by which individuals would use the apps to report that they have tested positive for COVID-19. However, the speed at which the Commission is acting and engaging with experts provides some hope that not only will the technological response help curb the coronavirus outbreak, it will do so with user privacy in mind.

With thanks to intern Adel Msolly for his assistance with this blog.

Footnotes

[1] See, inter alia, Article 7 and Recital 32 of the GDPR.

[2] See e.g. Article 25 of the GDPR on data minimisation.

[3] Including data protection impact assessments pursuant to Article 35 of the GDPR.