Alert April 27, 2020

Contact Tracing Apps in the UK, EU and U.S.: Privacy Implications

The world is facing a significant public health crisis that requires a strong response and common approach. Governments and scientists around the world are relying on automated data processing and digital technologies as part of their toolkit in the fight against COVID-19.

Contact tracing apps are part of that toolkit, already being developed and deployed globally. For example, in March 2020, the Singaporean Government Technology Agency and Ministry of Health introduced the TraceTogether app, reportedly the first national Bluetooth tracing solution in the world. Local governments in South Korea have also been on the front line of containment efforts to track patients and disclose critical information to the public. There is an increasing interest in contact tracing apps in the UK, EU and U.S., particularly with lockdown restrictions being relaxed in some countries. As such, the UK, Italian, French and German governments, and others, have announced their development of contact tracing apps to detect potential chains of COVID-19 infections. The UK National Health Service, for example, is testing its forthcoming COVID-19 tracing app at a Royal Air Force base.

Separately, the United States is rolling out contact tracing. In California, the state with the most significant data protection regulations in the U.S., the Governor announced that he was exploring an Apple/Google joint contact tracing initiative.

Essentially, the aim of the contact tracing techniques is to discover whether any individual has been in contact with an infected person during the time that person was possibly infectious. That information can be used to support prompt communications with individuals at risk of infection to make them aware of the risk, allow them to take steps to protect themselves and others around them, as well as provide them with additional support. Due to the automated nature of digital contact tracing, contact tracing apps can help health authorities interrupt transmission chains on a far greater scale than manual contact tracing. Often these technologies come with other functionalities, such as guiding individuals on testing for COVID-19, how to avoid transmission to others, and when to seek medical care (e.g., a ‘symptom checker’).

Privacy Implications

Contact tracing and related technologies inevitably rely on the collection of data from individuals, including device identifiers and health information. Companies will, therefore, need to ensure that any initiative linked to COVID-19 tracing apps, and any such solution, is privacy preserving and complies with applicable privacy and data protection laws.

UK and EU

Data protection regulators in the UK and EU have been quick off the mark to issue guidance in this area. The UK’s Information Commissioner has issued an opinion in response to the joint effort announced by Apple and Google to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of COVID-19 by building contact-tracing technology into iOS and Android smartphones. The Commissioner’s Opinion is available here. The Commissioner broadly supports the initiative, showing it is willing to take active leadership to address the privacy concerns. In particular, the Commissioner has commented on the use of data minimisation techniques to help protect user identity.

Also, the European Data Protection Board (EDPB) has been actively engaged on this topic. It has said that one should not have to choose between responding to the current crisis and the protection of our fundamental rights: both can be achieved and data protection principles can play a very important role in the fight against the virus. European data protection law allows for the responsible use of personal data for health management purposes. In particular, the EDPB has adopted Guidelines 03/2020 on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the Covid-19 Outbreak (the Scientific Research Guidelines), which are available here, and Guidelines 04/2020 on the Use of Location Data and Contact Tracing Tools in the Context of the Covid-19 Outbreak (the Tracing Guidelines), which are available here.

The UK Commissioner’s and EDPB’s guidance, collectively, highlights the main areas of focus when addressing the privacy aspects in connection with developing contact tracing apps to ensure compliance with the EU’s General Data Protection Regulation (GDPR), the ePrivacy Directive and UK’s and EU member states’ implementing legislation. The following data protection issues need to be taken into account with respect to contact tracing apps:

  • Data Minimisation. The data processed should be reduced to the strict minimum – only using anonymised or pseudonymised data where appropriate. Essentially, the app should not collect unrelated or unnecessary information. For example, the EDPB has said that these apps do not require tracking the location of individual users. Instead, proximity data should be used. Also, the apps can function without direct identification of individuals, and appropriate measures should be put in place to prevent re-identification.

  • Legal Bases. Collecting proximity data and storing of, or accessing, other information on a user’s device is allowed only if the user has given prior consent pursuant to the ePrivacy Directive (except for activities which are ‘strictly necessary’ for the app to be installed and activated by the user, which do not require consent). Consent must meet the GDPR standard – i.e., be informed, “freely given” for a specific purpose, and demonstrated through some affirmative action (such as checking an unchecked box). Also, the processing of personal data obtained through use of a contact tracing app requires a GDPR lawful basis (such as legitimate interest and, for health data, explicit consent or public interest if applicable). The EDPB’s Scientific Research Guidelines focus on the available legal bases for processing personal data (including sensitive data) for ‘primary’ and ‘secondary’ use.

  • Purpose Limitation. Data collected through the apps can only be used for the specific purpose of managing the COVID-19 health crisis, and must not be used for further unrelated purposes (e.g., commercial or law enforcement purposes).

  • Security. Taking into account the use of technology (such as Bluetooth/GPS), the sensitive nature of health data and the risks when re-using health data for the purpose of scientific research, strong measures must be taken to ensure an appropriate level of security.

  • Data Sharing. Who will have access to the personal data? Likely recipients may include the government, health authorities, academia, police, private companies and other app users. Measures will need to be taken in respect of any sharing of personal data.

  • Data Storage. Where will the data be stored? If data will be stored outside the UK or European Economic Area, appropriate safeguards will need to be considered to safeguard the data.

  • Transparency. Those companies in control of the personal data collected via the tracing apps will need to be transparent with potential and actual app users about how their personal data is being used and how they can exercise their data protection rights.

  • Assessment. Given the likely sensitive nature and large scale processing of personal data in connection with contact tracing apps, a data protection impact assessment should be carried out to assess these data protection considerations and have them documented.

  • Algorithms. Algorithms underpinning the apps should work under the strict supervision of qualified personnel to limit any false positives and negatives. Algorithms must also be auditable and should be regularly reviewed by independent experts. The app’s source code should be made publicly available for the widest possible scrutiny.

United States

Although the United States does not have a broadly applicable federal privacy law that applies to all personal data across industry sectors, there are still a number of significant privacy and security requirements in place, both at the federal and state level that could impact COVID-19 contact tracing apps and related technologies.

At the federal level, businesses should be mindful that privacy and security rules under the Health Insurance Portability and Accountability Act (HIPAA) could come into play if they are partnering with entities that are regulated as “covered entities” – including health plans, healthcare providers or health clearinghouses, or the business associates of these organizations – to develop or manage COVID-19 apps.

Additionally, a number of U.S. states have comprehensive and stringent privacy and data security laws. Notable among these is California’s landmark privacy law, the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. The CCPA grants expansive consumer privacy protections through new data privacy rights, including rights involving:

  • Personal information, including rights of access and deletion
  • Opting out of the “sale” of personal information (i.e. the sharing of personal information in exchange for money or other valuable consideration)
  • Being free from “discrimination” for exercising rights granted by the CCPA

Businesses developing COVID-19 apps are advised to consider the impact of applicable privacy and data security requirements early on in the process and adopt privacy by design principles. This will help to ensure that businesses stay ahead of their privacy and data security obligations and that their plans for contact tracing apps will not be frustrated by unanticipated legal hurdles.

Conclusion

The success of contact tracing apps will largely depend on who actually uses them. Oxford researchers believe at least 60% of the population must adopt the technology for it to be effective. In some jurisdictions that were early adopters of contact tracing apps, the technology has been made compulsory, whereas use of the apps should be voluntary. A public weary of lockdown, however, may well embrace this technology if it helps pave the way back to “normality” and is implemented respectfully and carefully.

If properly deployed, the technology has the potential to yield a treasure trove of data to help fight the virus. Success of these apps, however, depends on individuals trusting that any data collected will be protected and used strictly for the purposes for which that data is provided. That means that governments, scientists, and any other recipients of the data must act with full transparency and due respect for the data they are entrusted with, and restrict themselves to narrow processing purposes and implement the strictest of security protections and appropriate privacy measures. The data protection regulators have already shown they are willing to take active leadership in the contact tracing framework and expect the data protection principles to be at the forefront of the Government and the developers’ minds.

****

To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Brenda R. Sharton, partner and Chair of the Privacy & Cybersecurity practice, Karen L. Neuman, Privacy & Cybersecurity partner and privacy lead in Washington, D.C. or Gretchen Scott, Technology and Privacy & Cybersecurity partner in London.
