Governments around the world are scrambling for technological solutions which might facilitate a relaxation of the current lockdown measures. One idea which is being explored is the use of apps which can alert users when they have come into contact with someone who may be carrying the virus. Such apps have already been used by countries such as China, South Korea and Singapore in their responses to the virus, while Israel and Turkey have also announced plans to use smartphones to track infected individuals.
But while the use of an app may seem an attractive alternative to large scale lockdowns, what are the privacy implications of such potentially invasive technology?
The UK proposals
The NHS digital innovation unit, NHSX, has been working with a US software developer to develop an app for the UK. This proposed app appears to be of similar design to the TraceTogether app which was used in Singapore. Like TraceTogether, the app is intended to be deployed on an opt-in basis and will use Bluetooth. It has been reported that the app could be deployed within weeks and is already being tested at an RAF base in North Yorkshire.
The app will record details of other phones close to the user's phone, through Bluetooth. Users would upload any details of symptoms or a positive test result through the app. A person who has come into contact with another app user who has recorded such Covid symptoms would be notified, and advised to get tested, self-quarantine and/or maintain social distancing.
The team of Oxford University academics advising NHSX has estimated that, for such contact tracing to be effective in limiting infection rates, the app would need to be used by 56% of the population. Ofcom data suggests that in the UK this would require the involvement of 80% of all smartphone users. Given that the app has been proposed to be opt-in, reaching this level of participation could be a challenge. For instance, the voluntary TraceTogether app was only installed by 12% of the Singaporean population. Take-up would be further complicated by the app's reliance on Bluetooth Low Energy, which is not supported by some phone models.
Because the app is voluntary and largely relies on self-reporting of Covid symptoms, its efficacy also depends on users' awareness, integrity and honesty. Malicious or incorrect recording of symptoms by a user could lead to false notifications for their contacts, causing unnecessary worry.
Despite the potential public health benefits, the use of such technology raises obvious questions regarding individuals' right to privacy, both under Article 8 of the European Convention on Human Rights (given effect in the UK by the Human Rights Act 1998), which protects a person's right to a private life, and as a matter of data protection law.
These apps inevitably involve the collection, retention and processing of a massive volume of potentially identifiable personal data. Bodies like Privacy International have noted that in some countries coronavirus containment measures have involved unprecedented levels of surveillance, often based on emergency powers.
It has been acknowledged that the intrusive measures which have been deployed in some countries may not be appropriate for the UK. For example, South Korea has published the personal details of infected individuals to anyone within 100 metres via text message. Such an approach would likely be unlawful under current UK law, and the UK proposals do not go this far.
It appears that under the current UK proposals, location data will not be saved (unlike, for example, with Norway's equivalent app). There has been no suggestion of the app sharing data with the police, as reportedly occurred in China. However, there is still a question over whether such a large data gathering exercise is appropriate or safe, or whether it could have the inadvertent effect of normalising surveillance.
If such technology is rushed out in response to the pandemic, there could also be increased potential for security issues, accidental data breaches or malicious hacks. There have already been reports in Italy and Iran of suspicious or outright malicious copycat apps. Security issues were also identified in relation to the Colombian app, which put user health information at risk of being compromised.
NHSX appears to be trying to build various safeguards into the app. For example, the decision to use Bluetooth tracing, rather than GPS location data, was made to allay privacy concerns. Notification of contact with an infected person would also be delayed, so as to avoid the possible identification of individuals. An ethics board has been proposed to oversee the project. Health Secretary Matt Hancock has stated that “all data will be handled according to the highest ethical and security standards, and would only be used for NHS care and research, and we won’t hold it any longer than it’s needed.” Finally, and crucially, use of the app would be voluntary.
However, some argue that these protections do not go far enough. A team of academics has drafted a proposed "Coronavirus (Safeguards) Bill 2020", which includes the following minimum safeguards:
- non-penalisation of those without a phone or the relevant app;
- no compulsion to install apps or share data (unless such requirement is subject to and justified by transparency, legitimacy, necessity and proportionality tests);
- no sharing of collected personal data beyond the NHS and coronavirus researchers unless securely anonymised; and
- personal data must be deleted as soon as possible or at the latest immediately once the emergency period has expired.[1]
UK citizens already enjoy extensive rights to privacy and to autonomy over their personal data.
Article 8 of the European Convention on Human Rights safeguards the right to respect for individuals' private life.
As long as use of tracking technology remains voluntary, it is very likely to be compatible with Article 8.
However, the technology's efficacy relies on very high take-up. Were the government to seek to guarantee take-up by mandating the use of specific tracking technology, under Article 8(2) it would need to show that any such measures were "necessary in a democratic society", for example in the interests of national security, public safety, the economic well-being of the country and/or the protection of health.
While curbing the spread of a pandemic is likely to be deemed a legitimate aim in the interests of public safety, the question of whether the mandatory use of what amounts to surveillance technology is a "necessary" measure may be more contentious. It would need to be answered in light of scientific evidence, as well as ethical considerations about what is deemed an acceptable level of state interference in citizens' private lives, in the context of a pandemic.
Likewise, most concerns around data protection can be overcome as long as users give informed consent to all processing of their personal data, and appropriate measures are put in place to guarantee the security of the data. However, were use of a given technology to be made compulsory, the picture would be more complicated.
Given the necessity of processing individuals' data for the operation of the proposed app, consent to processing would be inextricable from participation. If the government were to ease lockdown measures by making certain activities (such as using public transport) contingent upon participation in the app, then this would undermine the principle of genuine free choice which is integral to consent. If refusal to participate caused real detriment, the app would probably not be seen as voluntary for the purpose of the GDPR.
Even if the information gathered from the proposed app is not locational data but simply mobile numbers and some form of identifying code which only the operating body can decrypt, personal data is likely still being processed, so the GDPR will be engaged. Under the GDPR, personal data must be processed lawfully, fairly and transparently, for specific and legitimate purposes, limited to that which is necessary for such purposes, and must be stored with appropriate security and retained for no longer than necessary. The GDPR also gives the individuals whose data is being processed rights of access, rectification and erasure, among others.
All data collected through any tracking app would therefore need to be dealt with in line with these principles and rights.
Data relating to individuals' health and Covid-19 symptoms will be "special category" data, and will therefore be subject to more stringent protections under Article 9 GDPR. It can only be processed for specified purposes where there is "explicit consent" from the data subject. As with the ECHR considerations, this should not be a problem if participation is voluntary, and there is a robust process by which a clear, specific and explicit statement of consent is obtained for the processing of individuals' health data.
However, if the app were to be made mandatory, the government would need to justify processing on the basis of one of the exceptions set out in the GDPR, Article 9(2). One potential justification would be necessity for reasons of public interest in public health (Article 9(2)(i)), as long as suitable and specific safeguards were present to protect the rights and freedoms of the individual.
GDPR does not therefore prevent the use of a tracking app, but it provides a detailed framework for the lawful processing of data, with which any new scheme must comply.
Ultimately, the clear and robust protection of privacy and personal data will increase public confidence and encourage greater take-up of any app. This confidence should also improve the quality of the data which is collected, if it means people are more willing to provide full and accurate information without concerns as to its use.
It is reassuring that the legal framework which already exists in Europe appears to be encouraging the development of apps with privacy as a central consideration. The objective must be to leverage technology to provide genuinely effective measures to combat the spread of the virus and the disease, whilst making sure that the recent advances in the protection of privacy and autonomy over personal data are not lost.
Neil O'Sullivan and Sam Walley
[1] Edwards, Lilian, et al. “The Coronavirus (Safeguards) Bill 2020: Proposed Protections for Digital Interventions and in Relation to Immunity Certificates.” LawArXiv, 13 Apr. 2020. Web. https://osf.io/preprints/lawarxiv/yc6xu/