EU Positions on Contact Tracing Applications During COVID-19: No Lockdown for Privacy & Cybersecurity
After weeks of shelter-in-place orders around the world, some governments and public health authorities are working on exit strategies. Digital technologies and data are deemed to play an important role in that respect, with many European and other countries adopting or planning to adopt mobile contact tracing applications.
In the recent past, the sense of urgency to come up with technology-oriented solutions in the context of the fight against COVID-19 has led to a number of responses at the European Union ("EU") and national levels.1 At the EU level:
- The EDPB first published a statement on March 19, 2020, that discussed the use of mobile "location data" and made clear that such use will be subject to enhanced scrutiny and safeguards to address privacy concerns.
- Taking the initiative for a coordinated approach across the EU, the EU Commission, on April 8, 2020, issued a call for a common EU toolbox for “the use of technology and data to combat and exit from the COVID-19 crisis” (the "Recommendations").
- The EU’s eHealth Network, on April 15, 2020, released that toolbox, "Mobile applications to support contact tracing in the EU's fight against COVID-19; Common EU Toolbox for Member States" (the "Toolbox").
- In a letter to the EU Commission on April 14, 2020, the EDPB announced that it was working at a fast pace on a set of guidelines on privacy aspects of contact tracing applications.
- Those guidelines were issued on April 21, 2020—"Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak" (the "EDPB Guidelines").
What is at stake? What are the risks to privacy? What are the guiding principles that these applications would have to follow according to the EU bodies? And, more importantly, would these applications deliver on their expected benefits? Those questions, among others, are addressed in this Legal Update.
Contact Tracing Applications
Contact tracing is typically carried out manually by public health authorities; it is a time-consuming process, and it relies on the patient’s memory. Digital tools, such as mobile applications with tracing functionalities, could be a support in the process; these applications could be used to reach out to and warn individuals who have been in contact with a patient who is unknown to them. The aim of contact tracing and warning is for public health authorities to reach out to as many people as possible who have been in contact with a confirmed COVID-19 case, to ask them to self-quarantine and to ask them to get tested if they develop symptoms.
At this stage, there is no consensus on which technology to rely on2 or on what these contact tracing applications will be used for. For example, Singapore’s TraceTogether, a pioneer among these applications, warns users of the risk they face because of contact with a person who has tested positive for COVID-19. Other possible uses include monitoring and enforcing quarantine or discouraging people from going into certain "more at risk areas," as in South Korea. Some applications even include symptom-checker functionalities.3
Using Them Efficiently
Regardless of the contact tracing application’s intended use, the Toolbox states that for an application to work efficiently, it must be deployed through a large swath of the population (a deployment rate well over 50 percent, according to the Toolbox).
Contact tracing applications should also be interoperable, not only among the applications themselves but also across terminals running on different operating systems—and across borders, for use by multiple countries’ public health authorities.
Risks Identified: "Grave Intrusion” into Privacy
The systematic and large-scale monitoring of the locations of and/or the contacts between individuals is, according to the EDPB, a "grave intrusion" into privacy; the EDPB is therefore calling for the use of contact tracing applications to be voluntary and for those applications not to trace an individual’s movement but, rather, users’ proximity. The EDPB states that the voluntary nature will mean not only that people will be free to install the application but also that no one will face adverse consequences if they choose not to install (and use) the application. For example, installation of a contact tracing application cannot be a condition to accessing public transport or work premises.
Absent sound and solid technical features, the use of pseudonymized data potentially leaves open the risk of re-identification of individuals, along with actual physical tracking. And the fact that, in an effort to promote transparency, application source code will be made publicly available might aid the work of malicious actors. Depending on the level of data collected and processed, data subjects could suffer various harms. Security incidents have already occurred: one of the Dutch government's shortlisted contact tracing applications experienced a leakage of users' data (names, emails and encrypted passwords) when its source code became available.
Guiding Principles for Data Protection, Safeguarded by Ad Hoc Cybersecurity Measures
The development and deployment of a contact tracing application must, according to the EU bodies, respect key privacy principles and be supported by state-of-the-art security measures.
- Privacy by design and by default and data minimization
Developers must ensure that data protection is embedded in the applications—from the design stage and beyond, through an application’s lifecycle. Public health authorities must factor in this security aspect when they select applications or develop their own.
Use of pseudonymized and unique identifiers for broadcasting proximity data is essential, as is the need for such identifiers to be refreshed frequently. Because contact tracing applications can function without direct identification of individuals, appropriate measures should be put in place to prevent re-identification. Further, the collected information should reside on the terminal equipment of the user as much as possible (with only limited information sent to central servers).
- Purpose limitation
If contact tracing applications are meant to encourage people to "do their own part" once they have been exposed to an infected person (such as self-isolating and getting tested), these applications must be used for no more than that. It follows that identifying the people who use these applications is not necessary.
- Legal basis for processing
The EDPB Guidelines state that developers of contact tracing applications have to comply with both the GDPR and the e-Privacy Directive.
For the GDPR, the EDPB Guidelines seem to favor the adoption, by national laws, of specific frameworks for the processing of personal data to protect public interest. The Toolbox is less affirmative, as it includes some consent references (even though only discussed as part of the installation of the application and not in relation to the processing of the personal data).
For ePrivacy, the EDPB Guidelines state that storage of data or access to already-stored data in users’ devices is permitted solely if the user has consented or if the storage or access is "strictly necessary" for the functioning of the application explicitly installed and activated by the user. The EDPB Guidelines, however, seem to support that the "strictly necessary" test might already be met in the case of contact tracing applications.
Both the EU Commission and the EDPB agree that putting in place a global contact tracing methodology using both applications and manual tracing may require additional information to be processed through the application (e.g., the contact details of an individual). This additional information should only be processed when strictly necessary and with the individual’s prior and specific consent.
- Building user trust
The EU bodies identify factors that might contribute to gaining user trust. Having the national health authorities be the data controllers could be one of them.
In its Toolbox, the EU Commission advocates for the applications to be tested, approved and reviewed by independent experts (before and after deployment) at the EU and national levels. The data protection authorities must also play a role in that regard. Similarly, according to EDPB Guidelines, algorithms used in contact tracing applications should be under the supervision of qualified personnel so as to limit false positives or negatives.
Strict retention periods must be put in place; proximity data must be deleted as soon as they are no longer needed. Further, the applications and the data gathered must be removed once the spread of COVID-19 has been limited or brought under control. The only justification for retaining the personal data could be their use for scientific and historical research purposes, and only under the condition that the data are anonymized, in addition to meeting the other requirements set forth under the GDPR.
- Cybersecurity safeguards
All of the EU bodies acknowledge the necessity for safeguarding the cybersecurity of contact tracing applications. For this purpose, the Toolbox includes some of the main technical requirements to be taken into account, such as the use of encryption, communications security or secure software development practices. A risk assessment that identifies the potential cybersecurity risks of contact tracing applications must be conducted as a priority by national authorities. In addition, in-depth technical audits of the applications must be performed, and national authorities must allocate a clear contact point to raise potential security issues and have in place incident response plans.
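The privacy-by-design and data-minimization principles above (pseudonymous identifiers that are refreshed frequently, data kept on the device, measures against re-identification) and the re-identification and physical-tracking risk described earlier can be made concrete in code. The following sketch is an added editorial example; it is not code from the Toolbox, the EDPB Guidelines or any national application, and the key derivation (HMAC-SHA256), the 10-minute rotation period and the message formats are assumptions chosen for illustration. It contrasts a static broadcast identifier, which two passive receivers can trivially link to track one phone, with rotating identifiers derived from a per-day key that stays on the phone, and shows the matching step running locally once a positive user uploads only their day keys.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumed parameters for this illustration (not taken from the Toolbox or the
# EDPB Guidelines): a fresh key each day and a new broadcast identifier every
# 10 minutes, i.e. 144 identifiers per day key.
ROTATION_SECONDS = 10 * 60
INTERVALS_PER_DAY = (24 * 60 * 60) // ROTATION_SECONDS


def new_day_key() -> bytes:
    """Random 128-bit key generated on the phone. It never leaves the device
    unless the user later tests positive and chooses to upload it."""
    return secrets.token_bytes(16)


def rolling_identifier(day_key: bytes, interval: int) -> bytes:
    """Pseudonymous identifier broadcast over BLE during one interval.

    HMAC-SHA256 keyed with the day key, truncated to 16 bytes. The derivation
    is one-way: an eavesdropper who collects identifiers cannot recover the day
    key, and without it cannot tell which identifiers came from the same phone.
    """
    if not 0 <= interval < INTERVALS_PER_DAY:
        raise ValueError("interval out of range for one day key")
    msg = b"rolling-proximity-id" + interval.to_bytes(4, "big")
    return hmac.new(day_key, msg, hashlib.sha256).digest()[:16]


def identifiers_for_day(day_key: bytes) -> list[bytes]:
    """All identifiers a phone will broadcast under one day key."""
    return [rolling_identifier(day_key, i) for i in range(INTERVALS_PER_DAY)]


def link_devices(seen_at_a: set[bytes], seen_at_b: set[bytes]) -> set[bytes]:
    """What a passive observer running receivers at two locations can do:
    an identifier seen at both places proves the same device visited both.
    With a static identifier this is physical tracking; with rotating
    identifiers the intersection is empty unless one identifier was still
    live when the phone reached the second receiver."""
    return seen_at_a & seen_at_b


def match_exposures(local_observations: set[bytes],
                    uploaded_day_keys: list[bytes]) -> int:
    """On-device matching. A positive user uploads only their day keys; every
    other phone re-derives the identifiers and compares them with what it
    recorded locally. Nobody's contact list reaches the server."""
    hits = 0
    for key in uploaded_day_keys:
        hits += sum(1 for rpi in identifiers_for_day(key) if rpi in local_observations)
    return hits


def demo() -> dict[str, int]:
    """Constructed scenario: Alice passes receiver A in the morning (interval 8)
    and receiver B in the evening (interval 100). Bob's phone also recorded
    Alice at interval 8, and Alice later tests positive."""
    alice_key = new_day_key()
    alice_ids = identifiers_for_day(alice_key)
    static_id = b"ALICE-PHONE-MAC!"  # what a non-rotating design would leak

    tracker_a_static, tracker_b_static = {static_id}, {static_id}
    tracker_a_rot, tracker_b_rot = {alice_ids[8]}, {alice_ids[100]}

    # Bob also saw one identifier from an unrelated phone.
    bob_observations = {alice_ids[8], rolling_identifier(new_day_key(), 8)}

    return {
        "linkable_static": len(link_devices(tracker_a_static, tracker_b_static)),
        "linkable_rotating": len(link_devices(tracker_a_rot, tracker_b_rot)),
        "bob_matches_alice": match_exposures(bob_observations, [alice_key]),
        "bob_matches_stranger": match_exposures(bob_observations, [new_day_key()]),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns one linkable observation for the static design and none for the rotating one, while Bob's phone still finds its single contact with Alice and nothing for an unrelated key. The privacy property rests on the rotation period being short relative to how long a receiver can keep a phone in range, and on the day key staying on the device until the user decides to upload it; a server that collected observed identifiers instead of distributing uploaded keys would recreate the central contact graph the EDPB warns against.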
Will Contact Tracing Applications Limit COVID-19's Spread After All?
The reason for deploying contact tracing applications is to help, in a realistic and effective manner, stop the spread of COVID-19. However, limited adoption, especially considering the poor penetration of the necessary smart devices within the more at-risk populations, might hinder the applications’ efficacy. Further, and more fundamentally, one should consider what the actual benefit is of a user receiving daily notifications on (potential) contacts with infected person(s). COVID-19 symptoms are known to most by now, as are the measures to take when those symptoms appear. Social distancing and other hygiene measures are being encouraged worldwide (and strictly enforced by authorities).
Data privacy legislation should not be among the factors that hinder the development of contact tracing applications (or the adoption of effective measures to fight COVID-19 more generally). At the same time, as the chairwoman of the EDPB has noted, strict EU privacy rules do not mean that people have to choose between an efficient response to the crisis and the protection of their fundamental rights.
Adoption of exception laws may give the necessary legal basis to process health data at an unprecedented scale using new technologies. Boundaries and principles may be stressed and repeated to mitigate cyber threats on data collected and to promote the accountability and transparency of contact tracing applications. However, now more than ever, Stefano Rodota's words should resonate in our minds: "Not everything that is technologically possible is also socially desirable, ethically acceptable and legally legitimate." The circumstances are exceptional; ethics and the rules of law are not.
1 Among the various national data protection authorities that have issued guidelines on contact tracing applications, the UK Information Commissioner Office issued an opinion on April 17, 2020 on a technical architecture supporting the contact tracing application, and the French CNIL issued a deliberation on the StopCovid application on April 24, 2020. For commentary on the UK ICO's opinion, see the Mayer Brown blog post.
2 The operation of these applications, including the exchange of information, can be achieved using various common protocols or technologies such as Bluetooth Low Energy ("BLE") or geolocation data (GNSS/GPS or cellular location data). BLE is the technology most referred to in the Toolbox and the EDPB Guidelines; GPS data is not only less accurate for detecting proximity but also more privacy-intrusive, since it records where the user has been rather than merely whom they were near.
3 In this regard, the EU Commission in its Recommendations questioned whether such an application should be considered a medical device and therefore fall within the scope of the medical devices regulatory framework. The Recommendations are not conclusive in that respect, but the actual consequences of such a qualification for the development of those applications should be considered.