Contact tracing apps have emerged as a complementary measure to ending COVID-19 lockdown measures. These tools could help to reduce the risk of transmission of the virus in the community. Throughout Europe there have been different approaches to the development and use of such apps. Here we consider the technology and the various ways countries have approached its use.
What are Contact Tracing Apps?
Contact tracing apps purport to track individuals in contact with a person infected with COVID-19. The concerned individuals receive a notification and a series of measures can then be taken – such as self-isolation and close self-monitoring, or testing. Digitising the process allows a more widespread and quicker solution than manual contact tracing.
The apps on devices communicate through Bluetooth technology, creating links between devices in close proximity to one another. This contact-tracing framework (CTF) does not use geolocation data of the data subjects. The framework operates on the collection of anonymised identifiers from other devices. If a user notifies the app of their symptoms or of a positive test, the information is then sent, through a notification on the app, to the holders of the anonymised identifiers that were in contact with that user within the specified number of days and time prior. This matching can be done in a centralised or decentralised manner, i.e. matching can either be performed on a centralised server or alternatively it can be done on the user devices themselves, which some advocates consider essential to preserving privacy.
These apps operate in a voluntary and non-penalising manner, meaning that the app would not be a prerequisite for access to activities or services.
Concerns About Contact Tracing Apps
For tracing apps to be a success, the public needs to have trust in how the data will be stored and processed. Transparency is therefore paramount for significant public uptake of such apps. Compliance with Articles 13 and 14 GDPR through privacy notices needs to be achieved.
A Data Protection Impact Assessment is also necessary for such apps under Article 35 GDPR to mitigate risks to the rights and freedoms of individuals. Relatedly, the principles of data minimisation and purpose limitation need to be complied with, in that the data is highly sensitive and should only be used for specified purposes.
The appropriate legal basis for processing needs to be assessed. Consent is one likely basis for such processing and careful consideration should be given to how to obtain consent and the options for withdrawing it. As such, some might look to rely on other relevant legal means for processing and Article 89 (2) (j) notably allows derogations for processing of scientific research data.
A practical issue with such apps is that the technology will not be available to everyone, as not everyone has a smart device or, where necessary, connectivity.
Centralised and Decentralised Approaches to Contact Tracing Apps
As explained above, the matching of anonymised identifiers can be done in a centralised or decentralised manner. Each way poses different challenges and issues. When done in a centralised manner, privacy concerns arise from the storage of data in one place. Bluetooth technology is used in both situations, but what differs is the lack of, or presence of, central control over users’ data. Centralised approaches allow authorities broader control but require stronger safeguards.
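The two matching models described here and in the section on what contact tracing apps are can be compared in a short simulation. This is an added example, not code from any national app or from the Apple-Google framework; the HMAC-SHA256 derivation, the 10-minute rotation, the 14-day window and all names (Device, meet, central_match) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # assumption: a fresh identifier every 10 minutes

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    """Anonymised identifier broadcast during one interval of a day."""
    return hmac.new(daily_key, interval.to_bytes(2, "big"), hashlib.sha256).digest()[:16]

class Device:
    def __init__(self, name: str):
        self.name = name
        self.daily_keys = {}  # day -> secret key, kept on the device until reported
        self.heard = set()    # identifiers received over Bluetooth

    def broadcast(self, day: int, interval: int) -> bytes:
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def keys_to_report(self, today: int, window: int = 14) -> list:
        """Decentralised model: keys a user who tests positive uploads."""
        return [k for d, k in self.daily_keys.items() if today - window <= d <= today]

    def exposed_to(self, published_keys) -> bool:
        """Decentralised matching: re-derive identifiers and compare on the device."""
        return any(rolling_id(k, i) in self.heard
                   for k in published_keys for i in range(INTERVALS_PER_DAY))

def meet(a: Device, b: Device, day: int, interval: int) -> None:
    """Two devices in proximity exchange their current identifiers."""
    a.heard.add(b.broadcast(day, interval))
    b.heard.add(a.broadcast(day, interval))

def central_match(registry: dict, uploaded_heard: set) -> set:
    """Centralised matching: the server resolves identifiers to registered devices."""
    return {registry[i] for i in uploaded_heard if i in registry}

def demo():
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    meet(alice, bob, day=3, interval=50)       # constructed contact event
    carol.broadcast(day=3, interval=50)        # carol was elsewhere that day
    published = alice.keys_to_report(today=5)  # alice tests positive on day 5
    decentralised = {d.name: d.exposed_to(published) for d in (bob, carol)}
    # Centralised variant: the server knows which device owns each identifier.
    registry = {rolling_id(k, i): d.name for d in (alice, bob, carol)
                for k in d.daily_keys.values() for i in range(INTERVALS_PER_DAY)}
    return decentralised, central_match(registry, alice.heard)
```

In the decentralised run the server only ever sees the positive user's own keys, while in the centralised run it holds the registry and learns which devices met.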
France has chosen a centralised approach for its StopCovid app. The French regulator for Data Protection (the CNIL) has approved such technology, and as such essentially approved a data trust – what may be a first among the EU regulators. The CNIL recommends that the French Minister for Health (or other health authority devoted to the crisis management) be the data controller of the app and emphasises that the security of data is paramount.
The United Kingdom – through the NHS – is releasing its NHSX app that operates in a centralised manner. In its opinion published on 17 April 2020, the UK’s Information Commissioner’s Office (ICO) approved the Apple-Google initiative to develop a Bluetooth-based CTF, aligned with principles of data protection by design and by default. The ICO stated that the data minimisation principle is complied with, as the CTF exchanges data between devices that is not personal data and the matching takes place only on devices themselves.
Germany will deploy a decentralised CTF app, after failing to agree with Apple to change specific iPhone settings to enable the use of a centralised app.
Ireland is expected to follow the decentralised model in which all the information is stored on the device in order to mitigate data protection concerns. The Health Service Executive (HSE) is developing such an app and cooperating with Apple and Google for support. This app will be limited to people aged 16 years or over.
A data breach has already occurred in the Netherlands, where its COVID-19 Alert app source code was published online and resulted in exposure of around 200 names, email addresses and hashed user passwords from a previous project. This shows the need for strong safeguards for contact tracing apps to protect data privacy rights.
We are available to discuss the above with you and to advise you on any relevant issues you might have. Please contact David Cullen, John O’Connor, Leo Moore or your usual William Fry contact with any queries.
Contributed by Karolina Rozhnova