Contact tracing apps: is the data privacy risk worth the benefit?
In the fight against the COVID-19 pandemic, we have all seen the rights and freedoms that we take for granted on a day to day basic being eroded in the name of fighting the virus. However, the vast majority of people have accepted the current lockdown measures as being completely justified and necessary to attempt to control and fight off the virus, safe in the knowledge that those freedoms will return one day (hopefully sooner rather than later).
As a key part of the next phase of fighting the pandemic, the Government are proposing the use of “contact tracing” apps. These apps will aim to track the spread of COVID-19 and allow for people to be notified if they have been in contact with anyone who has tested positive for the virus. The benefits are clear – jumpstarting the economy, returning to a more normal way of life – but the downsides and privacy impact such an app will have on individuals creates plenty of data protection questions which will need to be answered.
How will contact tracing apps work?
It is currently proposed that contact tracing apps will work by using short-range Bluetooth to log each time that someone with the app installed comes into contact (for at least 15 minutes) with someone else using the app. That log of contacts will be stored on the individual’s phone.
If a person who has been using the app develops COVID-19 symptoms, they have the option to alert the NHS through the app, which will then notify each app-user who has been in contact with that person and recommend certain precautions. Crucially, the app is not going to inform people which individual they have been in contact with had COVID-19 symptoms.
A trial of the NHS contact tracing app is due to commence in the Isle of Wight this week. Once implemented, it is estimated that at least 50% to 60% of the population would need to be using the app for it be effective.
How does data protection apply to contact tracing apps?
Guidance released by the European Data Protection Board (“EDPB”) on the use of contact tracing apps makes it clear just how great of a data protection impact these apps can have when it states “The systematic and large scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy.”
Whilst this type of intrusion into individuals’ privacy would not be acceptable in normal times, it goes to show the nature and extent of the global pandemic that such technology is even being considered. Even at the start of the COVID-19 pandemic, when reports of contact tracing apps being used in places such as South Korea were emerging, the idea of these apps being used in the UK seemed very unlikely.
However, the COVID-19 pandemic does not mean that data protection law no longer applies and the Government does not have free reign to do as it pleases with our personal data. The EDPB guidance states that “data protection is indispensable” when searching for solutions to assist the management of the pandemic. If anything, this use of contact tracing apps will be the greatest test of our data protection legal framework yet.
On what basis will personal data be processed?
Under the General Data Protection Regulation (“GDPR”), for the processing of personal data to be lawful, at least one of the six lawful basis for processing must apply. With contact tracing apps, it appears that the Government will rely on a combination of two of those lawful basis for processing: consent (article 6(a) GDPR) and performance of a task carried out in the public interest (article 6(e) GDPR).
It is not currently proposed that anyone would be forced to use the app without their consent and it is hard to imagine such an approach being accepted in this country. However, achieving use of the app by 50-60% of the population by obtaining consent each time may prove very difficult. Therefore, to say that consent will always be required would probably be foolish and there may come a time where the Government seeks to rely solely on the public interest ground for processing (article 6(e) of GDPR) and no consent is required.
What are the other data protection issues?
For many people, there may be some concern that the Government will use or disclose their personal data for other purposes than solely fighting the spread of the virus.
From a data protection perspective, collecting the contact tracing information for the strict purposes of preventing and reducing the spread of the COVID-19, and then using that personal data for any other purpose (for example, crime prevention), would not be permitted under data protection law. The NHS also claims that people will be able to delete the app and all of their associated data whenever they want.
Another big issue will be the potential for hacking and data breaches. It is very difficult to truly anonymise a data set which includes location data points and contact information, even where the data does not include any typical identifiers such as names and addresses. If the data collected through the contact tracing apps was to fall into the wrong hands, it is possible that it could be reverse-engineered in order to identify individuals and the privacy impact would be significant. The Government will therefore have to ensure that property security measures are being taken.
Is the privacy risk worth the benefit?
For the Government to achieve its stated target of 50% of the population using its contact tracing apps, a majority of people will have to buy in to the benefits of contact tracing outweighing the risks.
Therefore, the Government will have sell the public on the benefits and how, specifically, the use of the app will help reduce the spread of the virus. The key benefit, and one which the Government will surely use as a main selling point, is the return to more normal lifestyle.
At the same time, in order to obtain proper consent under GDPR, the Government must allow people to make fully informed decisions as to whether they use the app. This will include providing details of the risks involved by setting out exactly what the data is going to be used for, for how long, how it can be deleted and how it will be protected.
Overall, whilst it is amazing that we have come to a point where the idea of the Government tracking our movements does not seem completely unacceptable, it would not be a surprise to see a majority of the population decide that the benefits of contact tracing outweigh the risks, at least initially.
However, the continued use of the app by the public will be based on trust in the security measures that are put in place and that the data will only be used for a very limited purpose. If the Government loses the public’s trust by suffering a data breach, for example, it is likely that the numbers of app-users would show a sharp decline and any benefit of the app would be lost.
If you have any questions on the content of this article, please contact a member of our Corporate & Commercial Team by email or by calling 01603 610911