Track and Trace Apps: Privacy review

With the sudden global pandemic putting the world's population on lockdown, we have seen the rules on using personal data for public health reasons applied in practice on a large scale for the first time. As lockdowns across the globe ease, governments are looking to new technologies, such as mobile applications, to trace infections and the spread of the virus, and to help populations move forward with the ‘new normal’.

However, with events moving so quickly, there hasn’t been much time to consider whether the responses have been proportionate and minimal enough, as required by privacy laws. In this article we consider the French StopCOVID App compared to the UK NHS Covid-19 App and other European approaches, and whether they are effective from tech, legal and ethical perspectives.

GDPR and Health Data: What do the rules say about public bodies using sensitive personal data during a pandemic?

The GDPR requires all personal data to be processed lawfully, and governments, just like businesses, require a legal basis under Article 9, which allows for processing of special category, or sensitive, data. Since most of the information involved in track and trace is health data, it is classed as a special category of data and falls within the remit of Article 9. The World Health Organisation has declared the Coronavirus to be a pandemic, and Article 9(2)(g) of the GDPR means that governmental and public bodies can collect health data as an exception, and without the consent of the individuals concerned, with processing being necessary for reasons of substantial public interest such as protection against threats to health.

As well as this, Recital 46 of the GDPR lists examples where personal data might be required in the public interest - if it is essential for the life of data subjects, for “monitoring epidemics and their spread” or such other humanitarian emergencies. Therefore it would seem that, technically, the apps being developed by governments have a lawful basis pursuant to European privacy laws.

Whilst these grounds therefore seem to apply to the French and British track and trace apps, we wonder which lawful basis under the GDPR would apply to health data collected via the apps proposed by Apple and Google - other than each user’s informed and specific consent. We will review the apps currently available in France, under development in the UK, and proposed by Apple and Google in a unique collaboration.

France’s StopCOVID App

With a gradual easing of lockdown restrictions since early May, France was one of the first European countries to commence with plans to control the spread of Covid-19 with a track and trace app. The app has been available for download since the start of June, and at the time of writing, has already been downloaded by over one million people. 

The French StopCOVID app aims to trace people who have tested positive for Coronavirus, using Bluetooth signals to keep track of anonymous devices that people have come into contact with for a prolonged period of time. The app runs constantly on mobile phones in the background, generating an anonymous ID number which is shared with other mobile phones that also have the app installed. Then, if any of these phone users test positive for the Coronavirus in the future, the others they have been in contact with will be warned to self-isolate - without being told where and when the possible transmission took place.

Despite now being live, and processing data on a large-scale, the Privacy Policy contained within the French StopCOVID app does not, as we would have expected, set out the legal bases for processing the sensitive personal data, explain where the data will be stored, or advise data subjects of their rights.

Pandemic or no pandemic, and public health exception or not, the privacy policy needs to be up to the same standard that is expected of businesses.

UK NHS StopCovid App

The UK version of a track and trace app is currently still in the testing phase, with citizens of the Isle of Wight using it. It is expected to be released during June, if the tests are successful.

The UK app follows the same principles as the French app, with users who download the app voluntarily opting in to record details of their symptoms if they start to feel unwell. The app keeps a trace of others who have been in close contact, using Bluetooth signals transmitting an anonymous ID. However, a study of the NHS Covid-19 App has suggested that there is no mechanism to opt into or out of third party trackers which are included in the app - a serious requirement which has been underlined on a number of occasions by the European Union.

As well as this legal issue, there are tech issues: the app only seems to work when it is operating in the foreground, meaning its efficacy is questionable, and the app might be incompatible with a range of older devices, raising ethical issues around older people or people on low incomes who do not have or cannot afford the new models of phones that are required.

Tech Giants Teaming Up?

Apple and Google have also announced they will work together to offer each country a piece of their technology in order to turn iPhones and Android devices into contact tracing devices. These apps would also use Bluetooth technology to send users exposure notifications if they have been in contact with someone who has contracted the virus, by recording when a smartphone has been close to another device for up to 10 minutes. The technology is already built into devices, and an app just needs to be downloaded so that users can input any test results they have.

The information would not be accessible by other apps that have been downloaded, only in the health data app contained within the phone.

The tech giants say that the advantage of this technology is that it covers different countries, and the data will be decentralised in that it will not be sent to national governments, only to users themselves. At the time of writing, the technology has not officially been released to the public in order to fight the virus, so we have not been able to review it.

Ethical and Legal Dilemmas

Unsurprisingly, there are major privacy concerns around the quick creation and dissemination of track and trace apps. Some conservative political parties in France are expressing concern about how the data collected through the app will be used after the crisis, and there are worries that a legal precedent will be established during the pandemic which could be extended to other more private areas of our lives, when things return to normal.

For example, criticism in the UK is already arising from the fact that the data that would be collected through the NHS Covid-19 App would not allow for identification of individual data subjects, and remains entirely optional. According to critics, whilst the envisaged set-up safeguards privacy rights by relying on anonymous data (which falls outside the scope of the GDPR), the anonymity aspect reduces the effectiveness of the App overall. This of course creates certain ethical dilemmas if individuals were to be personally identified. 

On this question, the European Commission has confirmed that the EU considers it to be fundamental for the apps to be voluntary, in order to ensure trust in their security and privacy. Thierry Breton, the EU’s Industry Chief, stressed that strong privacy safeguards would be a prerequisite for the development and use of such apps: “while we should be innovative and make the best use of technology in fighting the pandemic, we will not compromise on our values and privacy requirements”.

Currently, the UK NHS Covid-19 App appears to be being designed in accordance with the EU considerations, but time will tell whether users will ultimately be personally identified and how the UK plans to maintain European privacy standards at the end of the transition period as we firmly enter a post-Brexit world.

What will happen next?

The CNIL, the French data protection authority, whilst approving France’s StopCOVID App subject to various restrictions, has agreed that the technology raises serious issues around privacy. The CNIL has stressed that use of the app must remain voluntary - with no threat of sanctions if not used - if the app is to remain lawful.

However, experts have suggested that despite France’s StopCOVID App being voluntary, it needs to be used by at least 80% of the population for it to be effective. Studies in France have found that only 15% of the population are certain that they will download the app, with 28% saying they are certain that they will not download it. As we stated above, one million users have already downloaded the StopCOVID App - but there are currently no statements from the French government about how this affects the efficacy of the results gained from the use of the App.

Practically speaking, we could envisage the issues encountered in France - i.e., sporadic uptake by the public - also applying to the NHS Covid-19 App once it is available for widespread use across the UK.

Both the UK and French governments are stressing that they remain in charge of the apps, being data controller of the personal data collected within them.

However, there are serious concerns around the beginning of an era of widespread unauthorised surveillance, despite the steps we have taken towards privacy in the last two years, with the advent of the GDPR.

It seems that citizens might be forced to decide between apps offered by governments on the basis of public health exceptions, and hope that they are competent enough to deal with the data, or opt for the tech giants’ offering - thereby seemingly avoiding governmental control, but placing our data back into the hands of those whom we have been taking steps to regulate because of their advanced knowledge of how to exploit our data.

What do you think? Is a track-and-trace app an effective way to monitor and control the virus, or does it symbolise a worrying move to surveillance and overall threat to our fundamental privacy rights and freedoms?

As usual, if you would like to discuss or if you have any questions relating to your privacy and personal data, please don’t hesitate to get in touch.

Article by Lily Morrison @ Gerrish Legal, June 2020 / Cover photo by Brian McGowan on Unsplash
