Contact tracing apps: balancing the privacy risks

Countries around the world, including the UK, have announced their intention to rapidly develop and deploy contact tracing apps that access data from mobile phones as a means of carrying out surveillance of the spread of COVID-19. The aim is to use the tool as part of the efforts to kickstart the economy and return to a state of normality more rapidly.

The collaborations between public health services and technology giants are unprecedented. Whilst there are differences in the technologies used, the speed of development of the technology is simultaneously astounding and a cause for concern for privacy commentators, activists and individuals alike. Many have been quick to raise a myriad of issues about protecting personal information (including location data and health information) and ensuring appropriate technological safeguards are inherent in the technology at every stage of its development and utilisation.

Contact tracing apps work by tracking the people a user has been in contact with, that is, physically close enough to potentially have caught the virus. The apps in development in the EU work by broadcasting a unique Bluetooth ID from your phone simultaneously with the phones of those around you who are using the app. The exchange of data registers that a user has been in proximity with another user. Subsequently, if a user learns that they have become infected with the disease, they enter that information into the app. At that point their last two weeks of encounter data are sent to a cloud database. Once there, the data that the user has the disease, together with ID security keys, are sent to others using the app. When the system picks up that there has been contact, the users of the app are informed that they may have been exposed to the virus (but not by whom) and are given instructions on what to do next.
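The exchange described above can be simulated in a few lines. This is an added example, not code from any real contact tracing app: the HMAC-SHA256 derivation, the 15-minute rotation and the names `Phone`, `rolling_id`, `meet` and `simulate` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

RETENTION_DAYS = 14   # the "last two weeks" of data described in the text
SLOTS_PER_DAY = 96    # assumption: the broadcast ID rotates every 15 minutes

def rolling_id(day_key: bytes, slot: int) -> bytes:
    """Derive the short-lived Bluetooth ID for one time slot (assumed scheme)."""
    return hmac.new(day_key, slot.to_bytes(2, "big"), hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.day_keys = {}  # day -> secret key, kept on the phone until the user reports
        self.heard = {}     # day -> IDs received from nearby phones (no names, no location)

    def broadcast(self, day, slot):
        key = self.day_keys.setdefault(day, secrets.token_bytes(32))
        return rolling_id(key, slot)

    def hear(self, day, beacon):
        self.heard.setdefault(day, set()).add(beacon)

    def report_infection(self, today):
        """Return only the keys inside the retention window, for upload."""
        cutoff = today - RETENTION_DAYS
        self.day_keys = {d: k for d, k in self.day_keys.items() if d > cutoff}
        return list(self.day_keys.items())

    def check_exposure(self, published):
        """Re-derive IDs from published keys and match them locally, per day."""
        return sorted({day for day, key in published
                       if any(rolling_id(key, s) in self.heard.get(day, set())
                              for s in range(SLOTS_PER_DAY))})

def meet(a, b, day, slot):
    a.hear(day, b.broadcast(day, slot))
    b.hear(day, a.broadcast(day, slot))

def simulate():
    alice, bob, carol = Phone(), Phone(), Phone()   # constructed scenario
    meet(alice, bob, day=1, slot=10)    # older than two weeks by day 20
    meet(alice, bob, day=18, slot=40)
    meet(bob, carol, day=19, slot=5)    # carol never met alice
    cloud = alice.report_infection(today=20)  # published keys carry no identity
    return bob.check_exposure(cloud), carol.check_exposure(cloud)

if __name__ == "__main__":
    print(simulate())
```

Bob learns that he was exposed on day 18 but not by whom, Carol is not notified, and the day 1 encounter is never uploaded because its key falls outside the two-week window.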

In the European Union, the supervisor of the data protection authorities for each of the 28 Member States (which includes the UK for now), the European Data Protection Board (EDPB), has mobilised quickly to issue comprehensive guidance on the privacy issues associated with the development and deployment of contact tracing apps.

One of the functions of the EDPB, as the overall supervisor of the EU’s reformed privacy laws since the General Data Protection Regulation (GDPR) came into effect almost two years ago, is to give guidance on issues which impact on the protection of the privacy rights and freedoms of individuals in the EU.

The Guidance reflects this focus and notes that “whilst processing personal data is necessary for managing the COVID-19 pandemic, data protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures”. Later in the Guidance, the EDPB describes the potential misuse of the technology as a “grave intrusion into the privacy of individuals”.

In terms of compliance with the GDPR, there is no doubt that the processing of personal data for the purposes of assisting with tackling the spread of disease is a lawful ground for processing personal data – the primary requirement under the GDPR. It seems it is intended, however, that this lawful processing ground sits alongside the additional concept that individual users of the app must use it voluntarily and by giving their consent to the processing of their data in this way. It is widely acknowledged that to ensure public trust in the technology, an individual cannot be compelled to use it. However, in order for contact tracing apps to be effectively deployed for the intended purpose, it is estimated that 80% of smart phone owners will have to download and use the app – a high hurdle to achieve for a technology which is both new and potentially intrusive.

The Guidance further makes clear that the full ambit of protections under the GDPR must be adhered to. Key concerns around protecting personal data include whether the technology is capable of completely anonymising the data. The Guidance states that, in general, sharing anonymised data is permissible in the EU provided that it “does not allow for individuals to be identified in any way”.

The problem for the developers of the technology is that data about location is notoriously difficult to anonymise.

Every individual creates a “geoprint” by reference to their unique geographical movements, from work, to the gym, to a particular shop and within their neighbourhood; nobody else might visit the same configuration of locations as a particular individual. If that information is combined with the fact that an individual worships regularly, you could also quickly identify that the user is a Muslim, or Jewish, thereby revealing a further layer of personal information which GDPR protects to a yet higher standard.
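A check a data controller could run before releasing "anonymised" location data, given as an added example rather than anything from the Guidance: it counts how many users share each geoprint (the k of k-anonymity) at venue level and after coarsening to districts. The sample records and function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: (pseudonymous user, exact venue, coarse district)
VISITS = [
    ("u1", "office-A", "north"), ("u1", "gym-1", "north"), ("u1", "shop-3", "east"),
    ("u2", "office-A", "north"), ("u2", "gym-2", "north"), ("u2", "shop-4", "east"),
    ("u3", "office-B", "north"), ("u3", "gym-1", "north"), ("u3", "shop-3", "east"),
    ("u4", "office-C", "south"), ("u4", "gym-3", "south"), ("u4", "shop-9", "west"),
]
VENUE, DISTRICT = 1, 2  # column index selecting the granularity

def geoprints(visits, field):
    """Map each user to the set of places they visited at the chosen granularity."""
    prints = defaultdict(set)
    for row in visits:
        prints[row[0]].add(row[field])
    return {user: frozenset(places) for user, places in prints.items()}

def anonymity_sets(visits, field):
    """For each user, count the users who share exactly the same geoprint."""
    prints = geoprints(visits, field)
    sizes = Counter(prints.values())
    return {user: sizes[p] for user, p in prints.items()}

def below_k(visits, field, k):
    """Users whose geoprint is shared by fewer than k users, i.e. singled out."""
    return sorted(u for u, n in anonymity_sets(visits, field).items() if n < k)

if __name__ == "__main__":
    print("venue level:   ", below_k(VISITS, VENUE, 2))
    print("district level:", below_k(VISITS, DISTRICT, 2))
```

At venue level every user in the sample is unique even though names were removed; coarsening to districts hides three of them in a group, but the one user with an unusual pattern is still singled out.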

Other key safeguards which the Guidance draws out are the requirement to minimise the amount of data which is processed by the app and to limit the period that the data will be retained.

Fundamentally, there is overwhelming public demand for assurances that personal data collected by the app is not used for purposes other than the specific purpose of tracking the spread of the disease and contact between individuals who have the disease or have been in contact with someone with the disease.

In an environment where technology giants frequently face scrutiny by privacy regulators about their use of personal data for multiple purposes which have not been transparently communicated to users, the need for safeguards here is paramount.

Whilst there is intense pressure on government to get the workforce back to work and to relaunch the economy, and a corresponding desire on behalf of the public for life to return to normal, it remains to be seen whether contact tracing apps can really be an effective part of the roadmap to achieve this. If they can, it will surely require the developers of the technology to do enough to win the trust of the public that personal data will be held securely and will only be used for the narrow purpose of halting the spread of the disease.

For more information, see Practical Law legal updates:
