As lockdowns continue to be eased throughout the EU, many countries are looking at how contact tracing can be used to avoid a resurgence of COVID-19 transmissions. While a number of countries were quick off the mark in developing contact tracing apps and solutions, several of these have recently encountered significant data protection issues which have delayed or even derailed development of the app.
While the European Commission has encouraged Member States to use digital tools against COVID-19, it has reiterated the importance of ensuring that fundamental EU rights are not overridden in the rush to mitigate the spread of the virus. Although the guidance is primarily aimed at how Member States can use such technology to enable measures like contact tracing to be carried out by national health authorities, it also makes a number of recommendations that private entities should have regard to. These include ensuring that users stay in control of their data, that the principle of data minimisation is adhered to when processing personal data for a COVID-19 purpose, and that the data is kept secure.
More generally, the use of technology to rate an individual's level of health risk, and the centralisation of sensitive data, raise questions about the impact on people's right to privacy and right to the protection of personal data. Any such impact should be temporary, strictly limited to what is necessary to combat the crisis, and should cease once COVID-19 has passed unless its continuation can be adequately justified. Additionally, the other GDPR data protection principles must be adhered to when collecting data and sharing it with others, in particular transparency, a clear legal basis for the processing (such as user consent), and data minimisation. Appropriate technical and organisational security measures must also be in place to protect the data against the risks presented by the processing.
What is contact tracing?
Contact tracing is focused on identifying and contacting people who have been in close contact with an infected person, to advise them to get tested and self-isolate. Traditionally this is carried out manually by health professionals, but it is an imperfect process: it is difficult for a person to recall everyone they have been in contact with over the previous two weeks, especially as lockdown eases and individuals are invariably exposed to more people, many of whom they do not know and therefore cannot contact. Technology offers a potentially more reliable solution, recording encounters automatically and promptly notifying users who have been in contact with a person later confirmed as infected.
However, contact tracing technology will only be successful with high adoption rates, and privacy concerns have proved to be a major stumbling block for countries looking to roll out this technology.
How contact tracing apps operate
Current contact tracing apps generally use rotating Bluetooth identifiers, broadcast by each smartphone and recorded by nearby smartphones, to register encounters between devices. Although the apps differ in the detail of how they process data, there are two broad processing models: centralised and decentralised.
Centralised processing: the smartphone of an infected or symptomatic user uploads its own identifier to a central server. During the process, that user also uploads the identifiers of the other devices they have encountered within a certain proximity and timeframe. The server, which can map those identifiers back to registered users, then notifies the users of those other devices with, for example, instructions to self-isolate.
Decentralised processing: only the infected or symptomatic user's own identifiers (or the key from which they were derived) are uploaded to a central server, which publishes them. Each smartphone downloads the published identifiers and compares them against the encounters it has recorded locally, so it is the smartphone itself, rather than the central server, that determines whether its user has been in proximity to an infected person and notifies them. The encountered identifiers never leave the device. The joint Exposure Notification initiative from Apple and Google for a Bluetooth API (Application Programming Interface) relies on decentralised processing.
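To make the difference between the two models concrete, and to show why the guidance discussed in the next section treats the decentralised model as the better fit for data minimisation, the following is an added illustration written for this article. It is not code from any real app or from the Apple/Google API. It assumes a simplified scheme: one random 16-byte key per device per day, broadcast identifiers derived from that key with HMAC-SHA256 truncated to 16 bytes, and 144 ten-minute intervals per day (the real Apple/Google derivation uses HKDF and AES-128; only the data flow is modelled). The names Alice, Bob, Carol and Dave and their encounters are constructed sample data. The point to observe is what each server ends up holding: in the centralised model the server learns the infected user's contact graph, while in the decentralised model it holds a single anonymous key and the matching happens on each phone.

```python
"""Toy comparison of centralised and decentralised Bluetooth contact tracing.

Added example for this article, not code from any real app or from the
Apple/Google Exposure Notification API. Assumptions: one random key per
device per day, identifiers derived with HMAC-SHA256 truncated to 16 bytes,
144 ten-minute intervals per day. Only the data flow is modelled.
"""
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # broadcast identifier rotates every 10 minutes (assumption)


def rolling_identifier(daily_key: bytes, interval: int) -> bytes:
    """Identifier broadcast during one interval; unlinkable to the key without knowing it."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    def __init__(self, name: str):
        self.name = name
        self.daily_key = os.urandom(16)
        self.observed = set()  # identifiers heard from nearby phones (bytes)

    def broadcast(self, interval: int) -> bytes:
        return rolling_identifier(self.daily_key, interval)

    def hear(self, identifier: bytes) -> None:
        self.observed.add(identifier)


def encounter(a: Phone, b: Phone, interval: int) -> None:
    """Two phones within Bluetooth range each record the other's current identifier."""
    a.hear(b.broadcast(interval))
    b.hear(a.broadcast(interval))


class CentralisedServer:
    """Centralised model: the server holds every user's key and does the matching."""

    def __init__(self):
        self.registered = {}     # name -> daily key, collected at registration
        self.contact_graph = {}  # what the server learns from each infected report

    def register(self, phone: Phone) -> None:
        self.registered[phone.name] = phone.daily_key

    def report_infected(self, phone: Phone) -> set:
        """Infected user uploads observed identifiers; server maps them back to users."""
        at_risk = set()
        for name, key in self.registered.items():
            if name == phone.name:
                continue
            if any(rolling_identifier(key, i) in phone.observed for i in range(INTERVALS_PER_DAY)):
                at_risk.add(name)
        self.contact_graph[phone.name] = at_risk  # server now knows who met whom
        return at_risk


class DiagnosisKeyServer:
    """Decentralised model: the server only publishes keys of users who chose to report."""

    def __init__(self):
        self.published = []  # diagnosis keys only: no names, no encountered identifiers

    def report_infected(self, phone: Phone) -> None:
        self.published.append(phone.daily_key)


def exposed_locally(phone: Phone, published_keys: list) -> bool:
    """Each phone re-derives identifiers from the published keys and matches on-device."""
    for key in published_keys:
        if key == phone.daily_key:
            continue  # the phone's own diagnosis key
        if any(rolling_identifier(key, i) in phone.observed for i in range(INTERVALS_PER_DAY)):
            return True
    return False


def run_demo() -> dict:
    """Constructed scenario: Alice is infected; Bob and Carol met her, Dave only met Bob."""
    alice, bob, carol, dave = (Phone(n) for n in ("alice", "bob", "carol", "dave"))
    phones = [alice, bob, carol, dave]
    encounter(alice, bob, 10)
    encounter(alice, carol, 20)
    encounter(bob, dave, 30)

    central = CentralisedServer()
    for p in phones:
        central.register(p)
    central_at_risk = central.report_infected(alice)

    decentral = DiagnosisKeyServer()
    decentral.report_infected(alice)
    decentral_exposed = {p.name for p in phones if exposed_locally(p, decentral.published)}

    return {
        "central_at_risk": central_at_risk,                   # {'bob', 'carol'}
        "central_server_learned": central.contact_graph,     # {'alice': {'bob', 'carol'}}
        "decentral_exposed": decentral_exposed,               # {'bob', 'carol'}
        "decentral_server_holds": len(decentral.published),  # 1 key, no names, no contacts
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Both models notify the same two users, so the difference is not effectiveness but what is processed centrally: the centralised server must hold registration data for every user in order to notify anyone, and each infected report hands it a slice of that user's social graph, whereas the diagnosis-key server receives a single key that reveals nothing about who the reporter met or where.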
European Commission and EDPB guidance
The European Commission published guidance indicating that decentralised processing better satisfies the principle of data minimisation under the General Data Protection Regulation, that "only personal data that is adequate, relevant and limited to what is necessary in relation to the [purpose] may be processed." Similarly, the European Data Protection Board published guidance which stated that while "implementations for contact tracing can follow a centralized or a decentralized approach… in general, the decentralised solution is more in line with the minimisation principle". The EDPB guidance also requires public health authorities to carry out assessments, involving data protection authorities as appropriate, to determine which personal data is actually necessary for each function of the app.
The guidance also emphasises that public health authorities should only obtain proximity data from infected or symptomatic users after those users voluntarily and proactively share it. Because Bluetooth proximity identifiers record only that two devices were near each other, and not where, the data cannot be used to track user location (unlike other technologies such as GPS); and because only infected or symptomatic users share data, the volume of data processed centrally is minimised, which lowers both the likelihood and the impact of a large-scale data breach.
The guidance stipulates that data should be retained for the purpose of contact tracing only for as long as strictly necessary. For example, proximity data should be deleted after a month, as this comfortably covers the coronavirus incubation period. It follows that data collected by these apps may not be reused for other purposes, such as advertising or marketing tracking.
It is also key that users who test positive for COVID-19 and report it through the app do not have their identity disclosed to the other users they have encountered; the guidance states that users should only be informed that they have encountered a person who has tested positive for COVID-19 in the past 16 days.
This avoids a scenario in which a central database stores, and could potentially expose, the identities of infected or symptomatic users to the users they have encountered.
The European Data Protection Board has also emphasised the importance of processing anonymised location data wherever possible, rather than identifiable information. While it is acknowledged that true anonymisation is highly complex, the effectiveness of the anonymisation measures adopted should be assessed against a reasonableness test: whether the individual could be re-identified by means reasonably likely to be used.
Contact tracing apps in practice
European countries have rolled out different contact tracing apps with varying degrees of success. In April, Norway was one of the first to introduce its contact tracing app (Smittestopp), which used a centralised processing method in which both Bluetooth proximity data and GPS location data were uploaded and contact matching was carried out remotely on a central server. Recently (in June) the Norwegian Data Protection Authority ruled that the app represented a disproportionate intrusion into users' privacy and ordered Norway's health authority to delete all data gathered by it and to suspend further use of the app.
France also opted for a centralised processing method in its StopCovid app, which was launched at the beginning of June, whereas Germany opted for a decentralised method in its app, which launched in June.
Ireland had been delayed somewhat with its own contact tracing app, but decided to adopt the decentralised method developed by Apple and Google. The Health Service Executive (HSE) conducted field trials in early June to validate the use of the exposure notification service to trace close contacts, and launched its app in July. However, some have questioned the accuracy of the Bluetooth technology the app relies on, and how it will function in crowded areas. Received Bluetooth signal strength is only a rough proxy for distance, as it varies with the phone's orientation, whether it is in a pocket or bag, and any bodies or walls in between, so both missed contacts and false alerts are possible.
In recognition of the privacy concerns around the operation of this type of technology, the UK has recently decided to shelve its own contact tracing app after its initial trial, and has moved to a model that is based on the decentralised model developed by Apple and Google.
Contact tracing apps that protect privacy are more likely to attract users, which is integral to their effectiveness. Hopefully this can be achieved through the use of decentralised processing, provided that data protection impact assessments are adequately carried out by public health authorities before the apps are rolled out.
For more information, please contact a member of our Privacy & Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.