In the weeks and months ahead, contact tracing technologies will play a critical role in the societal fight against COVID-19, and the quest to restore order.  A number of recent developments both in the European Union and the United Kingdom offer insight on the regulatory expectations in the widespread use of location data for this new health policy purpose. 

In this post, we summarise key points from the following UK and EU regulatory guidance, which are relevant for any organisation developing or using contact tracing technologies or apps.

  • The UK Information Commissioner published a statement on the data protection implications and key considerations in relation to new technologies such as contact tracing;
  • The European Commission (the “Commission”) published version 1.0 of its Toolbox for contact tracing apps as well as accompanying guidance on data protection, developed in consultation with the European Data Protection Board (“EDPB”); and
  • The EDPB published guidelines on the use of location data and contact tracing tools in the context of COVID-19 (the “Guidelines”).

UK – Information Commissioner’s Statement on Privacy and Contact Tracing

In the UK, the Information Commissioner recently published a statement on use of new technologies such as contact tracing and the data protection considerations.  

The Information Commissioner reiterated its earlier message that data protection laws do not get in the way of innovative uses of personal data in a public health emergency, such as contact tracing.  However, the principles of data protection law such as transparency, fairness, and proportionality still apply.

The ICO stated it will want to see evidence that contact tracing initiatives to combat COVID-19 work in practice and as intended, are proportionate to purpose, allow people to exercise their legal rights, and include plan to end such measures when they are no longer needed in responses to the public health emergency.

In light of the ICO’s discussions as chair of both the Global Privacy Assembly of privacy regulators and the OECD Working Party on Data Governance and Privacy, the ICO produced six questions for organisations using new technologies such as contact tracing to consider with the aim of ensuring that data protection implications are properly considered and addressed, which focus on:

  1. Demonstrating how privacy is built into the processor technology – although there is a onus on organisations to move quickly in the current environment, in the ICO’s view an initial privacy impact assessment is a minimum requirement;
  2. Whether the planned collection and use of personal data is necessary and proportionate – organisations should think about finding the least privacy intrusive solutions, in particular when location data is used. In the ICO’s view proportionality should be informed by evidence, as well as context (for now society is accepting restrictions on liberty to protect public health, although this is not a permanent state of affairs);
  3. The control users have over their data – the ICO expects app developers to provide people with clear information on how their information is used and options for preventing processing where relevant. If contact tracing is incorporated into a wider package or measures, additional information should be made clear to users;
  4. How much data needs to be gathered and processed centrally – the ICO’s view is that contact tracing should be in decentralised systems that shift processing onto the individual’s devices where possible. This is the starting point, and safeguards and security measures also need to be in place;
  5. Governance and accountability processes within the organisation for ongoing monitoring and evaluation of data processing – to ensure it remains necessary and effective and to ensure safeguards are suitable and in place;
  6. A plan for what happens when the processing is no longer necessary – the ICO highlights this a crucial consideration. The ICO notes that what is appropriate and proportionate at this time in response to an international public health emergency is different from when the emergency ends. The initial privacy impact assessment may not cover what happens when the data is no longer needed, which is why the ICO expects these assessments to be updated and revisited when possible.

The ICO noted it can help by offering guidance and tools as well as providing assurance via audit once a project is up and running, and cited a recent example of the input it provided for the proposed NHS contact and tracing app.

EU – The Commission’s Toolbox and Data Protection Guidance

On April 8, 2020, the Commission published its Recommendation for use of technology and data to combat  the COVID-19 crisis, in particular concerning mobile apps and use of anonymised mobility data.  The Recommendation established a process for developing a common approach (the “Toolbox”) to use digital measures to address the COVID-19 crisis (and we summarised the key points from the Recommendation in a separate blogpost, which you can read here).

The EU Member States, backed by the Commission, have now published version 1.0 of the Toolbox itself, as well as accompanying data protection guidance.  Although the Commission’s guidance was prepared in consultation with the EDPB, it is distinct from the EDPB’s own guidance on contact tracing apps which has also recently been issued and which is further discussed below. 

The Toolbox is intended to form part of a coordinated pan-European approach to support the gradual lifting of lockdown measures. The Toolbox and the Commission’s accompanying guidance on data protection set out a number of essential requirements for contact tracing apps, including:

  • Voluntariness.  Contact tracing apps should be voluntary.  Individuals should be able to decide whether or not they wish to install a contact tracing app, without any negative consequences for individuals who choose not to use these apps. 
  • Data retention.  Apps should be subject to strict limits on data storage to ensure personal data is not kept for longer that necessary.  Timelines should be based on medical relevance, as well as the realistic duration for any necessary administrative steps to be taken.  Apps should also be disabled automatically as soon as the pandemic has passed, and all remaining personal data and proximity data should be erased as soon as the crisis is over.
  • Location data privacy.  Apps should aim to exploit the latest privacy-enhancing technological solutions. In general, contact tracing apps are likely to be based on Bluetooth proximity technology.  The collection of location data is not considered necessary or recommended for contact tracing apps, and tracking an individual’s location or movements in this context is likely to violate the principle of data minimisation. 
  • Anonymisation.  To avoid stigmatisation, apps should be based on anonymised data. They can alert people who have been in proximity for a certain duration to an infected person to get tested or self-isolate, but in doing so should not reveal the identity of the people infected.
  • Interoperability.  Apps should be interoperable across the EU so that citizens are protected, even when they cross country borders.
  • Cybersecurity.  They should be anchored in accepted epidemiological guidance, and reflect best practice on cybersecurity and accessibility.
  • Secure and effective.  In particular, the Commission recommends that data is encrypted and is stored on the user’s device (so-called “decentralised processing”).  While the Commission recognises a more “centralised” solution (where pseudo-randomly generated identifiers of the devices in contact with a user are stored on a central service to which the health authorities have access) as a possible alternative, the Commission nevertheless considers that a decentralised solution is more in line with the data minimisation principle. 
  • Public health agency coordination.  They should be implemented in close coordination with, and approved by, public health authorities.

The Commission has stated that the development of the Toolbox is an ongoing process, and that Member States will work together to refine it in the coming weeks and months.   This is expected to include addressing other types of apps and the use of mobility data for modelling to understand the spread of the disease and exit from the crisis, as set out in the Commission’s original Recommendation of 8 April. The Commission has also indicated that by 30 April 2020, public health authorities will assess the effectiveness of the apps at national and cross-border level, and that Member States should report on the actions they have taken in relation to contact tracing apps by 31 May 2020.  Meanwhile, the Commission will assess the progress made and publish periodic reports starting in June 2020 and throughout the crisis, recommending action or the phasing out of measures that seem no longer necessary.

EU – EDPB Guidelines on Location Data and Contact Tracing

On 21 April 2020, the EDPB adopted its final Guidelines on location data and contact tracing in the context of the COVID-19 outbreak.  Notably, the Guidelines were not submitted for public consultation prior to adoption, due to the urgency of the current situation, and the need to have the guidelines readily available.

In the Guidelines, the EDPB highlights the importance of data protection considerations in any data-based initiatives aimed at combating the pandemic in order to build trust and create the conditions for social acceptability of any solution, and thereby ensure the effectiveness of that solution.  While the EDPB recognises that automated data processing and digital technologies can be key components in the fight against COVID-19, the EDPB also cautions against a “ratchet effect”.  In particular, the Guidelines stress that every measure taken in these extraordinary circumstances should be limited in time, of minimal extent and subject to periodic and genuine review as well as to scientific evaluation, and should be limited to what is necessary to combat the pandemic.

As expected, the Guidelines are broadly aligned with the Commission’s data protection guidance and with the EDPB’s recent letter to the Commission in relation to contact tracing apps, and contain a detailed set of recommendations for app designers and implementers.  Key points include:

  • Apps should be voluntary:  Like the Commission’s guidance, the EDPB’s Guidelines state that contact tracing apps should be voluntary.  This means in particular that individuals who decide not to or cannot use contact tracing apps should not suffer any disadvantage.
  • Legal basis for processing:  The Guidelines clarify that, while apps should be voluntary, this does not necessarily mean that the processing of personal data should always be based on the user’s consent.  In particular, the EDPB suggests that where contact tracing apps are provided by public authorities based on a mandate under EU or Member State law, the most relevant legal basis for the processing is necessity for the performance of a task in the public interest, i.e. Art. 6(1)(e) GDPR, subject to any such EU or Member State law incorporating meaningful safeguards and in particular reference to the voluntary nature of the app. 
  • Special category data processing.  The EDPB also notes that the use of an app to fight the pandemic might lead to the collection of health data (e.g. the status of an infected individual).  The Guidelines confirm that processing such data is permitted where:
    • the processing is necessary for reasons of public interest in the area of public health under Art 9(2)(i)GDPR (namely protecting against a serious cross-border threat to health), provided that the processing is based on EU or Member State law which incorporates suitable safeguards;
    • the processing is necessary for health care purposes (Art 9(2)(h)), provided that the data is processed by or under the responsibility of a professional subject to obligations of professional secrecy (such as a doctor or other healthcare worker);
    • the data subject has given their explicit consent (Art 9(2)(a)); or
    • the processing is necessary for scientific research purposes or statistical purposes (Art 9(2)(j)).
  • Accountability. To ensure accountability, the controller(s) of any contact tracing app must be clearly defined and their role explained to users. The EDPB considers that the national health authorities could be the controllers for contact tracing apps, but there could also be other controllers depending on context.
  • Data minimisation / data protection by design and default: In keeping with the principle of data minimisation and other aspects of data protection by design and default, the data processed in the context of contact tracing apps should be limited to a strict minimum, and apps should not collect information which is unrelated to the purpose of combating the pandemic or which is not needed for this purpose.  In particular, similar to the Commission, the EDPB considers that the processing of location data is not necessary in the context of contact tracing apps, and that proximity technologies such as Bluetooth should be used instead.
  • Purpose limitation: To comply with the principle of purpose limitation, the purpose of any contact tracing apps must be limited to managing the COVID-19 crisis and processing for other unrelated purposes (e.g. commercial or law enforcement purposes) should be excluded.
  • Decentralised approach: Implementations for contact tracing can follow a centralised or a decentralised approach and in the EDPB’s view both are viable options. subject to the implementation of adequate security measures.  However, like the Commission, the EDPB also considers that a decentralised solution is more in line with the minimisation principle.
  • ePrivacy compliance: With respect to the lawfulness of the processing, the EDPB notes that contact tracing applications involve storage and/or access to information already stored in the terminal, which are subject to Art. 5(3) of the ePrivacy Directive. As such, if those operations are strictly necessary in order for the app provider to provide the service explicitly requested by the user, the processing will not require the user’s consent. However, for operations that are not strictly necessary, providers will need to seek the consent of the user. 
  • Data retention:  The Guidelines state that the current health crisis should not be used as an opportunity to establish disproportionate data retention mandates. Retention periods should be defined by reference to true need and medical relevance (this may include epidemiology-motivated considerations like the incubation period, etc.) and personal data should in any case be kept only for the duration of the COVID-19 crisis. Afterwards, as a general rule, all personal data should be erased or anonymised.
  • Automated processing: The Guidelines state that procedures and processes including algorithms implemented by contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives.  In particular, the task of providing advice on next steps (for example, self-isolating until testing negative) should not be based solely on automated processing. 
  • Security: The Guidelines make a number of recommendations on security.  In particular, the Guidelines state that the reporting of users as infected on the application must be subject to proper authorisation, for example, through a single-use code tied to a pseudonymous identifier of the infected person and linked to a test station or health care professional. If confirmation cannot be obtained in a secure manner, no data processing should take place that presumes the validity of the user’s status.  Data should also be encrypted using state-of-the-art cryptographic techniques.
  • DPIA: The Guidelines state that a DPIA should be carried out before implementing any contact tracing tool as the processing is likely to result in a high risk (due to anticipated large-scale adoption, systematic monitoring, and use of new technological solutions).  The EDPB also strongly recommends publication of DPIAs.

What should organisations do now?

Organisations developing or those planning to use contact tracing technologies or apps in the UK or EU should take account of these regulatory materials in developing and implementing those technologies and apps, as well as the various statements and guidance made by the UK Information Commissioner and the European Commission – all of which are broadly aligned.  However, given the speed at which the situation is evolving, organisations will also want to watch closely for future regulatory developments, as well as regularly reviewing their processing activities in this context to ensure solutions developed to combat the pandemic remain in line with current guidance and continue to be appropriate and proportionate in the circumstances. 

If you have any questions about these developments or any other privacy law, please do not hesitate to reach out to Elisabeth Dehareng (Brussels), Brian Hengesbaugh (Chicago), Harry Small (London), and Harry Valetk (New York).

Related article: Tracing Apps and Mobile Data: European Commission’s Toolbox for Industry in Response to COVID-19 Technological Solutions

Author

Joanna advises on a wide range of technology and commercial agreements and matters. Her practice focuses on regulatory issues, especially data protection, consumer law, and advertising and marketing, and she regularly advises clients on these areas in particular.

Author

Ben advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches. Ben is also regularly involved in drafting and negotiating data protection clauses in agreements for various clients in a wide range of industry sectors. Ben also regularly advises clients on electronic direct marketing and cookies.