Tracking, tracing and proximity Apps in response to Covid-19

The current Covid-19 pandemic is creating significant challenges for us all, in terms of how we live our lives, how we work, and even how we maintain our democracies, to name a few. Governments across the world are doing their best to find ways to control the spread of the virus to reduce as much as possible the impact upon our incredible health services, and ultimately save lives. They are already thinking of the next phase and how best to maintain the control and containment of the virus when the current situation starts to ease.

One of the many initiatives emerging in a number of jurisdictions is that of developing mobile phone applications and utilising mobile telephone networks to assist in tracking and tracing the movements of people, and warning them that they may have been in close proximity to a person infected with Covid-19. This, on the face of it, seems like a sensible idea – of course, anything that is going to save lives in this crisis must be viewed as a priority. But these technologies also bring with them a number of privacy implications which must be fully considered in advance of implementation to ensure both effectiveness of the measures, whilst also being as least intrusive as possible into the private lives of individuals.

Some countries, such as South Korea have utilised smart contact tracking using mobile phone networks, and specifically location data to identify the movements of citizens. Taiwan have gone a step further using ‘mobile fences’ to identify when an individual has moved outside of a permitted perimeter, with sanctions imposed for those who flout the rules. In effect, your mobile phone becomes an electronic tag, like those used on recently paroled prisoners.

Of course, there are far less autocratic systems in place in other jurisdictions. Singapore – a country that has experience of similar pandemic outbreaks, has introduced a community-driven contact tracing system called ‘Trace Together’, which provides accountability, complies with data protection principles, and has attracted the attention of over 50 other jurisdictions who are interested in adopting the technology.  A company in Germany has developed a privacy-friendly App which works on the basis of proximity tracing, rather than using location data, and uses minimal personal data of individuals. The United Kingdom is also looking to develop a similar App. In common in all these countries is the fact they have all engaged and worked very closely with privacy experts, cyber security specialists, ethical hackers and data protection authorities to ensure that privacy protection is baked into the system from the earliest stages of development. Data protection by design and default at its best.

Tracking entire populations of countries by way of mobile phone location is an intrusion into our natural freedoms, and impacts not only upon our civil liberties, but potentially upon our democracy, such is the power shift in the relationship between the citizen and the state. As is common in responses to global crises, whether that be terrorism or a pandemic such as the one in which we are currently immersed, it is easy to focus so much attention on the present that we forget to think about what the future will look like. Given that our future is based on the decisions we make today, this is why organisations such as the European Commission have been quick to set out their position and their expectations in terms of how such tracking technologies can be mobilised in accordance with data protection rules. This week they have published guidelines in relation to tracing and tracking applications, together with a comprehensive ‘toolbox’ for EU Member States to adopt, founded on the provisions of the General Data Protection Regulation and the principles of necessity and proportionality. [1]

As a data protection regulator, one thing is abundantly clear: Data Protection Law continues to apply. It has not been put on hold until the pandemic is over, and the pandemic should not be used as an excuse for organisations or authorities to run roughshod over our basic, fundamental right to privacy.

So, what do we expect to see from App developers and public authorities from a data protection perspective?

  • Firstly, systems and App developers and authorities should set out a very clear purpose of what the App is intending to achieve. Is it being used just for Covid-19? Alternatively, is the intention to expand its use to cover other things once the pandemic is over? It is important to ensure, no matter what the temptation, that the possibility of ‘function creep’ is avoided.
  • As with any personal data processing, the principle of data minimisation should be at the forefront of developer’s minds. Only the personal data that is absolutely necessary to achieve the intended purpose should be collected from App users (don’t collect information just because you think it ‘might’ be useful in the future).
  • Personal data should, wherever possible, be anonymised or pseudonymised, or aggregated so it breaks the identifying links between the person and the data. This can be a challenge in itself given the varying accuracy of location data, from providing a very rough estimate of where somebody is, to pinpointing their specific location, accurate to within a matter of metres. In addition, there should be no ability to re-identify individuals by authorities, other users or third parties.
  • Most authorities are relying upon emergency powers during this crisis, so it is critical that such technologies do not remain active once these emergency powers cease to have effect or once the pandemic is over, and assurances must be given that systems are de-activated once the crisis is over and they have fulfilled the purpose for which they were implemented. A clear sunset clause for the tracking to expire must be included at the outset and reviewed on an on-going basis.
  • Adequate guarantees of security of personal data must be given, remembering too that medical data is considered as special category data under the law, and as such, a higher degree of security around its processing is required. The security of the system must be watertight with robust cyber security controls in place to protect the data.

In addition to these general compliance considerations, engendering public trust is critical if the desired objective is to be achieved. However, for such large-scale tracing to just rely on trust would be dangerous. Transparency will also be essential to ensuring and proving that the system or App functions as it was intended and advertised. This is important because for such systems to be truly effective, a high take-up of the population is required (the UK are talking about 60% or higher), so trust and transparency will need to go hand in hand if those take-up numbers are to be achieved.

Finally, quite often in times of crisis it is heard that citizens must balance security against privacy, as if it is some sort of trade-off. Following 9/11 for example, liberty-impacting legislation was enacted with far-reaching consequences for American citizens (and those visiting the USA), and numerous restrictions imposed upon them in terms of their freedoms and in terms of their privacy, all in the name of fighting the war on terror that was the focus of the time. However, all of those measures continue to exist and have simply been accepted as the new ‘normal’.

I am of the firm belief that it is possible to have both [tech and privacy] working alongside each other, rather than in opposition on some sort of metaphorical seesaw. The goal therefore should be to find a way of achieving the effective use of tracking or tracing alongside preserving the privacy and civil liberties of our citizens, so we are best placed to serve the people both today, and in the future. This current pandemic will pass, however the decisions we make during this difficult time will continue to affect us all for much longer.

[1] https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf