International: Privacy implications of Coronavirus tracking mobile apps
The World Health Organisation declared, on 11 March 2020, COVID-19 (‘Coronavirus’) a pandemic. In light of the rapidly evolving situation, contact tracing has been prioritised by many countries as a fundamental part of outbreak control, along with self-isolation and lockdown measures to minimise the exposure of individuals to risks. Governments, as well as technology companies, have been trying to digitise the process of contact tracing to combat the spread of Coronavirus. Different approaches have been developed, with technologies ranging from Bluetooth and geo-location, to artificial intelligence (‘AI’) and facial recognition, to inform individuals about potential risks, as well as support authorities in monitoring and controlling compliance with quarantine measures.
The Government of Singapore announced, on 21 March 2020, that SGUnited, GovTech, and the Ministry of Health (‘MOH’) had developed an app called TraceTogether, aimed at enhancing contact tracing in order to mitigate the possible spread of Coronavirus. In particular, the Government outlined that the app enables contact tracing without relying on location-based services or global positioning services (‘GPS’). Furthermore, the Government noted that once installed on a mobile phone, the app detects other nearby phones that have the app installed through the use of Bluetooth technology, and can be used to identify close contacts based on the proximity and duration of an encounter between two users.
Charmian Aw, Counsel at Reed Smith, told OneTrust DataGuidance, “Whilst the Personal Data Protection Act 2012 (No. 26 of 2012) does not bind public agencies such as the MOH and GovTech, they are still subject to internal government rules which are in the process of being updated following recommendations from the Public Sector Data Security Review Committee. The security measures relating to the TraceTogether app, include the following:
- the app does not collect any geolocation data of users;
- the app does not track users’ contacts;
- data is stored locally on users’ phone and in an encrypted form;
- data is only stored on users’ phone for a period of 21 days;
- data will not be accessed unless a user is identified as a close contact of another user; and
- users’ mobile numbers are substituted by random permanent IDs. A user’s mobile number and its corresponding user ID are stored in a secured server, and as an added layer of protection, temporary IDs are created that change regularly. Only the temporary IDs are exchanged between phones as opposed to actual numbers.”
GovTech highlighted, on 25 March 2020, that contact tracing is essential to contain the Coronavirus, but that using location data for contact tracing raises serious privacy and data security concerns, which would diminish the ability of the system to connect the dots and monitor the spread of Coronavirus. Unlike other systems, TraceTogether only requires location permissions and Bluetooth technology to know the relative distance between users, and the app does not collect or use any real-world geographic information.
In relation to data retention and sharing, Aw highlighted, “A user retains the ability at all times to choose whether to grant the MOH access to their app data, including revoking his/her consent at any time. Upon any user revoking their consent, the mobile number and user ID of that person will be deleted from the server.” The data collected through the app can be shared with the MOH so that it can be decrypted and used solely for contact tracing purposes. In addition, it is clearly stated, on the app’s official website, that TraceTogether will only communicate with nearby phones for a limited time and that, once contact tracing ceases, users will be prompted to disable the app’s functionality.
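A toy model of the TraceTogether privacy design described above, written here as an added example rather than the app's own code: phones exchange only rotating temporary IDs, encounters stay on the phone for 21 days, and only the authority's server can map a temporary ID back to a number, and only after the user consents to upload. The 15-minute temp-ID lifetime, the 30-minute close-contact threshold and the one-record-per-minute convention are assumptions not stated on the page; encryption at rest and the Bluetooth layer itself are out of scope.

```python
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)            # stated on the page: 21 days on the phone
TEMP_ID_LIFETIME = timedelta(minutes=15)  # assumption: page only says IDs "change regularly"
CLOSE_CONTACT_MINUTES = 30                # assumption: duration threshold for a close contact


class HealthServer:
    # Health authority side: phone number <-> permanent random ID, plus issued temp IDs.
    def __init__(self):
        self._phone_by_uid = {}
        self._uid_by_phone = {}
        self._temp_ids = {}   # temp_id -> (uid, valid_from, valid_to)

    def register(self, phone):
        uid = secrets.token_hex(16)   # random permanent ID substitutes the number
        self._phone_by_uid[uid] = phone
        self._uid_by_phone[phone] = uid
        return uid

    def revoke(self, phone):
        """User withdraws consent: number and permanent ID are deleted from the server."""
        uid = self._uid_by_phone.pop(phone, None)
        if uid is not None:
            del self._phone_by_uid[uid]

    def issue_temp_ids(self, uid, start, count):
        """Mint a batch of random temporary IDs, each valid for one time window."""
        batch = []
        for i in range(count):
            tid = secrets.token_hex(8)
            valid_from = start + i * TEMP_ID_LIFETIME
            self._temp_ids[tid] = (uid, valid_from, valid_from + TEMP_ID_LIFETIME)
            batch.append((tid, valid_from))
        return batch

    def resolve_close_contacts(self, encounters):
        """Map uploaded temp IDs back to the phone numbers of close contacts only."""
        minutes = defaultdict(int)
        for tid, seen_at in encounters:
            entry = self._temp_ids.get(tid)
            if entry is None:
                continue
            uid, valid_from, valid_to = entry
            if not (valid_from <= seen_at < valid_to):
                continue              # replayed or stale temporary ID
            if uid in self._phone_by_uid:
                minutes[uid] += 1     # assumption: one record per minute of proximity
        return sorted(self._phone_by_uid[u] for u, m in minutes.items()
                      if m >= CLOSE_CONTACT_MINUTES)


class Phone:
    # User side: holds its own temp IDs and a local-only log of peers' temp IDs.
    def __init__(self, server, number, now):
        self.server = server
        self.uid = server.register(number)
        self._temp_ids = server.issue_temp_ids(self.uid, now, 96)   # one day's batch
        self.encounters = []   # (peer temp ID, seen_at); stays on the phone

    def current_temp_id(self, at):
        for tid, valid_from in self._temp_ids:
            if valid_from <= at < valid_from + TEMP_ID_LIFETIME:
                return tid
        raise ValueError("no temporary ID for this time; fetch a new batch")

    def record(self, peer_tid, at):
        self.prune(at)
        self.encounters.append((peer_tid, at))

    def prune(self, now):
        # Drop encounters older than the 21-day retention period.
        self.encounters = [e for e in self.encounters if now - e[1] <= RETENTION]

    def upload(self, consent, now):
        # Only with the user's consent does the log reach the server for resolution.
        if not consent:
            return None
        self.prune(now)
        return self.server.resolve_close_contacts(self.encounters)


def exchange(a, b, at):
    """One Bluetooth sighting: each phone logs the other's temp ID, never its number."""
    a.record(b.current_temp_id(at), at)
    b.record(a.current_temp_id(at), at)


def simulate():
    """Constructed scenario: Alice spends 45 min near Bob and 5 min near Carol."""
    t0 = datetime(2020, 4, 1, 9, 0)
    server = HealthServer()
    alice = Phone(server, "+65-0000-0001", t0)   # constructed numbers
    bob = Phone(server, "+65-0000-0002", t0)
    carol = Phone(server, "+65-0000-0003", t0)
    for m in range(45):
        exchange(alice, bob, t0 + timedelta(minutes=m))
    for m in range(5):
        exchange(alice, carol, t0 + timedelta(minutes=m))
    now = t0 + timedelta(days=1)
    without_consent = alice.upload(False, now)  # nothing leaves the phone
    contacts = alice.upload(True, now)          # only Bob crosses the duration threshold
    server.revoke("+65-0000-0002")              # Bob withdraws consent
    after_revoke = alice.upload(True, now)      # his number can no longer be resolved
    alice.prune(t0 + timedelta(days=22))        # past 21 days the local log is emptied
    return without_consent, contacts, after_revoke, len(alice.encounters)
```

Note that a temp ID seen outside its validity window is ignored by the server, so an old log entry cannot be replayed against a different time.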
To prevent the spread of the Coronavirus, the Government of Indonesia took a number of steps, one of which is the creation of the PeduliLindungi app by the Ministry of Communication and Information Technology (‘Kominfo’). The Government outlined that the app, which was created to identify and warn individuals in close proximity with patients who have tested positive for Coronavirus, as well as individuals under investigation, could help to prevent the transmission of Coronavirus and ensure compliance with social distancing measures.
Lia Alizia, Reagan Roy Teguh, and Budhy Apriastuti Evita, Partner, Senior Associate and Associate at Makarim & Taira S., told OneTrust DataGuidance, “Based on the information published on PeduliLindungi’s official website, the data collected include the user’s name, phone number, identity of the gadget, location, and the timestamp when the user is located near another user in order to trace whether the user has ever been in close proximity with the other user who is suspected to have, or has tested positive for Coronavirus. Accordingly, data collected may be classified as personal (identifiable) data of the user. The rule of thumb for personal data protection requirements under the current legislation is that the use of any information through electronic media that involves personal data requires the express written consent of the data subject. Government Regulation No. 71 of 2019 on The Organization of Electronic Systems and Transactions and Kominfo Regulation No. 20 of 2016 on the Protection of Personal Data in Electronic Systems (‘Kominfo Regulation 20/2016’) also requires personal data that is stored in an electronic system to be stored as encrypted data.”
Kominfo also noted that conducting surveillance related to the Coronavirus will include data collection, data processing, data analysis, and dissemination. The PeduliLindungi app relies on community participation to share location data on the go, to enable contact tracing of people who have tested positive. Alizia, Teguh and Evita added, “According to Kominfo Regulation 20/2016, no specific laws or regulations specifically govern the retention period of certain data, [instead] the data must be stored for at least five years. From the official website we understand that the data collected by the app will be used among the relevant government institutions that developed the app, and only for the purpose of monitoring or contacting the user if he/she has been in contact or in close proximity with Coronavirus positive patients. The data will be encrypted and will not be shared with other parties.”
The app was introduced in Kominfo Decree No. 159 of 2019 Concerning Efforts to Manage Coronavirus Disease through Post and Information Sector Support (‘the Decree’). Kominfo also clarified that the Decree is special and only applies to epidemic emergencies, until the Government declares conditions to be conducive and the emergency to have ended.
In addition to the PeduliLindungi app, Kominfo also launched the 10 Safe Houses app to combat the spread of Coronavirus. This app uses AI technology to connect map-based data and the surrounding environment through mobile devices, and is connected to social media platforms. Moreover, Kominfo noted that 10 Safe Houses contains features such as periodic temperature measurements, self-checking, and updating maps of individual distribution based on normal and above normal body temperatures.
The Office of the Leading Group for the Prevention and Control of New Coronary Pneumonia Epidemic in Beijing recently issued a notice promoting the use of the Health Code app (‘the Notice’). The Notice encourages the use of the app in order to help the prevention and control of Coronavirus, as well as to facilitate travel for citizens. Furthermore, the Notice highlights that individuals will be provided with a colour-based code within the app according to their individual health status, place of origin, and degree of previous contact with patients who have tested positive for Coronavirus.
Galaad Delval, Data Protection Officer at Chen & Co., told OneTrust DataGuidance, “Based on its privacy notice, the app will be collecting the name of the user, their ID information, phone number, facial biometrics, bank account information, as well as either their WeChat name, or Alipay name, and related account picture information when setting up an account. It will then enable the Health Code service to collect information regarding the web browser, the user’s device, as well as location information through GPS or wifi. In addition, the app will also collect information about the user from relevant government departments and, depending on the user’s preference, collect further personal information, such as gender, date, and place of birth.”
The Notice clarifies that the Health Code app can be used by citizens to enter residential areas, parks, factories, business buildings, and administrative service centres at all levels, as well as medical and health institutions, telecommunication and banking services. In addition, the Notice encourages organisations to use the app to prevent and control internal situations.
Delval noted that, “Current information security and safeguards mechanisms are provided for in the Cybersecurity Law 2016 which covers all network operators, including mobile application operators. For the Health Code app, based on their privacy notice, we know that they have in place encryption of data, secure transfer protocols and backups to protect the confidentiality, integrity and accessibility of the processed personal information. The processed data can be shared with the judicial systems, government agencies, as well as ‘authorised, trustable, business partners’ for facial recognition purposes, though they are not listed. The privacy notice also outlines that, with the consent of the user, their data can be sent to associated companies, third party providers, and contractors. There are no specific provisions on the retention period for such data. In principle, they should be retained for only as long as they are necessary for the purpose of the processing.”
Furthermore, other cities in China have also launched similar systems. The city of Nanjing has developed the Sukang Code app, which works with a similar colour-based code through data analysis to assess risk levels in relation to Coronavirus. Moreover, similar systems have been implemented in the provinces of Jiangsu, Zhejiang, and Anhui. The Government of China notes that it will gradually establish a mutual recognition mechanism between health code apps.
The South Korean authorities have worked with local governments to survey security camera footage, smartphone data, and credit card records to assess and manage risks in relation to the Coronavirus outbreak. The Government of South Korea has invited companies to develop apps that visualise patients’ anonymised location data. As a result, the Corona 100m app was launched on 11 February 2020 and uses government data to send alerts to users in proximity to a location visited by an infected person.
Kwang Bae Park and Minchae Kang, Partners at Lee & Ko, told OneTrust DataGuidance, “Since Corona 100m app appears to use patients tracking information provided by the Government, which is publicly available, it is unlikely that the app collects and uses health information of individual patients. However, the Corona 100m app uses personal location data of patients who have tested positive for Coronavirus and app users, therefore will be regulated primarily by the Act on the Protection, Use, etc. of Location Information (‘the Location Act’) and also by the Act on Promotion of Information Communication Utilization and Information Protection (‘the Network Act’), and the Personal Information Protection Act of 2011.”
According to Article 5 of the Location Act, any person who intends to engage in location information business handling personal location information shall first obtain permission from the Korea Communications Commission.
Park and Kang highlighted, “Each of the relevant data protection laws provides a specific set of technical and managerial measures to be taken by the data handlers, such as the service provider of Corona 100m app. For example, the Location Act prescribes that each location data provider must take managerial and technical measures, such as installing a firewall or using encryption software to protect personal location data of the data subjects. [In addition], under the relevant data protection laws, personal data may be retained for a period as specified in the consent form, or until the purpose of the collection, use or provision of such personal data has been achieved, whichever comes first.”
The Corona 100m app is one example of an app developed and operated by South Korean companies to support the Government’s initiative to fight the pandemic. The ‘self-quarantine safety protection’ app, developed by the Ministry of the Interior and Safety, uses GPS data to track the location of people required to self-isolate in order to monitor their compliance. Similarly, the Coronamap website displays travel histories of confirmed Coronavirus cases.
The Government of India announced, on 2 April 2020, that it had launched the ArogyaSetu App, developed in public-private partnership, to track the Coronavirus outbreak. In particular, the Government noted that the app will calculate individuals’ interactions with others, using Bluetooth technology, algorithms, and AI. In addition, once installed on a smartphone, the app will detect other devices which have the app installed that come into proximity.
Aadya Misra, Associate at Spice Route Legal, told OneTrust DataGuidance, “The primary data collected by the app include users’ location data, as well as medical and travel history. While the Government is not covered by India’s data protection law, the Constitution of India places obligations on the Government to protect an individual’s right to privacy. The Constitution requires the Government to obtain the consent of a data subject prior to collection of sensitive personal data, however, public health issues are a notable exception to this requirement.”
Misra added, “It is worth noting that data may be shared with ‘necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.’ This includes a wide pool of individuals, organisations, and departments, and could include both private and public institutions.” In addition to the ArogyaSetu app, the Department of Science and Technology of the Government of India (‘DST’) launched, on 15 April 2020, an integrated platform with geospatial information tracking individuals infected with Coronavirus. In particular, the DST highlighted that integration of demographic information with geospatial data is essential for decision making, and that the different data sets available on the platform will assist in area-specific aid and strategies to handle the socio-economic impact of the Coronavirus. Additionally, the DST clarified that the information collected and used comes from different mobile applications, including Sahyog and ArogyaSetu, both launched by the Government, for response activities, contact tracing, public awareness and self-assessment objectives.
The city of Moscow has launched a mobile app, called Social Monitoring, for monitoring patients who have tested positive for Coronavirus and are staying in their place of residence rather than a hospital.
Sergey Medvedev and Stanislav Rumyantsev, respectively Partner and Senior Lawyer at Gorodissky & Partners told OneTrust DataGuidance, “Mobile app data can be classified as personal data. The operator must protect such data from unauthorised access, use, or disclosure by implementing different security measures, as required by the law.
The app may have access to about 20 various functions of data of smartphone users, including:
- photos and videos;
- exact and approximate geo-location;
- health state sensors, including heart rate monitor;
- modification and deletion of certain data on drivers; and
- other data.
As a result, a special data protection regime will have to be complied with by Social Monitoring, as well as respective data processors regarding the relevant mobile app data. The Federal Service for the Supervision of Communications, Information Technology, and Mass Communications (‘Roskomnadzor’) has all powers and competence to verify the compliance of the same.”
While this new monitoring system is still nascent, and details have yet to be confirmed, official statements have indicated that the Russian Federation’s strategy to combat the spread of Coronavirus includes mobile apps that track users’ location data, as well as mobile phone data and credit card records. In addition, Prime Minister Mikhail Mishustin has promised technological solutions to enforce the self-isolation regime.
Medvedev and Rumyantsev noted, “Personal data cannot be shared with third parties, or distributed further, unless the data subject gives their consent. Therefore, if Social Monitoring wants to share certain categories of personal data with a third party, written consent will have to be requested and obtained in advance. At the same time, if the processing of certain sensitive data (i.e. health data) is necessary for the protection of life, health, and other vital interests of the data subject, and obtaining the data subject’s consent is impossible, the data processing of such data is still admissible and lawful.”
With respect to retention requirements for data collected, Medvedev and Rumyantsev highlighted, “Different categories of personal data may have different storage and retention periods. In general, the data controller shall not retain any personal data longer than dictated for the purposes of relevant data processing. After that, personal data must be destroyed or depersonalised.”
U.S. Senator, Edward J. Markey, announced, on 17 March 2020, that he had sent a letter (‘the Letter’) to the White House Office of Science and Technology Policy (‘OSTP’) regarding reports that it was considering partnerships with technology companies in relation to collecting location data of smartphone users to fight the Coronavirus pandemic. Other stakeholders and human rights organisations, including the Electronic Frontier Foundation and the Electronic Privacy Information Center, have raised questions about the use of such technologies and the protection of personal data of individuals concerned.
Caitlin Potratz Metcalf, Senior Associate, CIPP/US, at Linklaters LLP, told OneTrust DataGuidance, “While the standard for US companies collecting precise location data or geolocation is to store it in an encrypted format given its sensitive nature, it is often difficult to apply other safeguards, particularly when sharing the data with third parties. There’s no express requirement that location data be encrypted, but the U.S. Securities Exchange Commission expects US publicly-traded companies to take reasonable safeguards to keep consumer data secure and prevent a breach. Notably, the big tech companies reported to be in some discussions with the U.S. Government on developing a tracking app are all publicly-traded. In addition to encryption, another safeguard these companies are likely to take is providing data in the aggregate to third parties. Such deidentified data may be an effective workaround to their privacy policies to the extent that companies are not providing personally identifiable information about users. Otherwise, these companies may be left with three main options:
- they will need to continue complying with their existing privacy policies, including whatever security measures are disclosed therein;
- amend their policies; or
- draft newly tailored privacy policies specific to any new Coronavirus tracking app developed.”
The Letter urged the OSTP to balance privacy with any data-driven private partner initiative developed by the US Government. Furthermore, Markey warned that the misuse of geolocation data may extend to more sensitive information, including employment information, religious affiliations, or political preferences, and emphasised that the collection and processing of the information, even anonymised and aggregated, must be adequately safeguarded, particularly as the Coronavirus pandemic has led to increased data sharing between private entities. In addition, the Letter raised concerns on the data retention policies of geolocation apps and tools.
Metcalf outlined that, “App-providers in the US must simply give consumers the ability to disable or opt-out of geolocation tracking, but how the data is stored, for how long, and who it is shared with is at the companies’ discretion, so long as disclosed in their privacy policies. Even so, many of the proposed Coronavirus tracking apps may not use this type of geolocation data from your device, but rather may collect location data through the mobile device’s Bluetooth capabilities allowing it to identify other nearby devices, cell towers and wifi networks. Another advantage of using this type of location data is that it can be stored locally on the device. [Since] the US generally has no restrictions on the retention of personal data, including geolocation data, companies are at liberty to retain it consistent with their privacy policies. Often companies will retain such data for the duration of a consumer’s active account and for a reasonable time thereafter. Still, there may be practical limits for Coronavirus tracing apps if locally storing data on location and Bluetooth ‘contacts’ on the device itself.”
Finally, the North Dakota Governor, Doug Burgum, announced, on 7 April 2020, that his Office and the North Dakota Department of Health (‘NDDoH’), in partnership with ProudCrowd, had launched a free mobile app to help slow the spread of Coronavirus. The app provides individuals with a random identification number and anonymously caches their locations throughout the day, after which individuals are encouraged to categorise their movements based on activities. Burgum’s Office noted that the ID number of each individual contains no personal information besides location data, and that if an individual tests positive for Coronavirus, they will be given the opportunity to consent to providing their information to the NDDoH to help in contact tracing and forecasting the pandemic’s progression with accurate, real-time data.
In relation to processing of personal health information (‘PHI’), Metcalf explained that “Depending on the type of health data and whether the company collecting it is a regulated healthcare provider, encryption—among other privacy and security safeguards—may be required under the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’). The Department of Health and Human Services has stressed that privacy and security requirements not be set aside during this public health emergency. HIPAA also requires that medical records be retained for at least six years. It’s safe to assume that the big tech companies likely involved in developing a Coronavirus tracking app aren’t HIPAA-covered entities, though they could be captured by HIPAA if acting as a business associate of a covered entity. It will depend on how the data is collected (voluntarily by those with symptoms and/or confirmed cases versus receiving PHI directly from healthcare providers, insurers, and the like).”
OneTrust DataGuidance confirmed, on 9 April 2020, with Alan Campos Elias Thomaz, Associate at Mattos Filho, Veiga Filho, Marrey Jr. e Quiroga Advogados that the Ministry of Health had developed an app named Coronavirus – SUS (‘the App’). In particular, Thomaz highlighted that the App collects geolocation data and sensitive health data of its users which can be used for this purpose in the near future.
Paulo Vidigal and Luis Fernando Prado Chaves, Partners at Daniel Law, told OneTrust DataGuidance, “[The] current Brazilian legislation, Decree No. 8771 of 11 May 2016, which Regulates Law No. 12965 of 23 April 2014 (‘the Civil Framework for the Internet’) determines in its Article 13 that application providers shall adopt security controls to protect personal data, such as access management and encryption or any equivalent measure to guarantee data confidentiality. [In addition] Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (‘LGPD’) which is under a pending discussion as to whether its effects would be postponed from August 2020 to January 2021, provides that data processing entities shall adopt measures capable of protecting personal data (by design) against unauthorised access or any other violation without specifying them. Hence, in a risk-based approach, entities are expected to apply the appropriate measures envisaged in relation to the nature, volume and other characteristics of data processing activities.”
In addition, a contact tracing app must meet specific requirements in relation to data retention periods. Vidigal and Prado Chaves noted that, “Paragraph 2 of Article 13 of Decree 8771/2016 enunciates that personal data shall be deleted by application providers as soon as the processing purpose is achieved or after the expiration of any legal obligation.”
Finally, Vidigal and Prado Chaves explained that, “The LGPD, which is still not applicable, reinforces this provision, establishing that personal data shall be eliminated after the data processing reaches its goals, authorised retention for reasons of compliance with a statutory or regulatory obligation which the controller is subject, studies by official research bodies, transfer to third parties or exclusive use of the controller, provided the data are anonymised.”
The Presidency of the Council of Ministers (‘PCM’) announced, on 3 April 2020, the launch of an app in light of the pandemic, outlining that the app would allow the user to, among other things, share their location in the event that they have tested positive for Coronavirus, in order for health professionals to assist such individuals in emergencies, and to send citizens alerts about risk areas in Peru. In addition, the PCM discussed the functioning of the app and noted that if the app determines that the user is at risk, it would notify the user of this and will ask for the user’s personal data, such as identification and phone number.
Iván Blume Moore, Partner at Estudio Rodrigo, told OneTrust DataGuidance, “Given that the app is administered by the PCM, this entity should ensure the confidentiality and the security of information collected. For instance, the encryption of both data in transit and stored data and, therefore, guaranteeing [its] confidentiality.”
There have been recent developments in Peru in relation to privacy and data security mechanisms in the public sector, in which the PCM would be involved. Blume explained that, “For the public sector, the app will have to comply with the regulatory guidelines established on Ministerial Resolution No. 004-2016-PCM. These guidelines include the mandatory compliance of the Peruvian Technical Standard Provision No. NTP ISO/IEC 27001:2014 related to Security Techniques for Information Technology. In the light of these regulations, the data controllers and those responsible for the processing of personal data must adopt technical, organisational and legal measures necessary to guarantee the security of the personal data they hold. The measures taken must ensure a level of security appropriate to the nature and purpose of the personal data involved.”
In addition, as the app stores data on a cloud-based service provider’s servers, there are additional requirements. Blume outlined that, “The cloud service provider is also expected to follow the Guidelines for Cloud-Storage use by Administrative Authorities of the Peruvian Government, approved by Digital Government Secretary Resolution No. 001-2018-PCM/SEGDI. [Moreover], the Digital Government Secretariat Resolution No. 001-2018-PCM/SEGDI in the public sector establishes some additional security standards for the transference of personal data, such as establishing the availability of information portability by the cloud provider, and setting the accesses and limitations regarding the transfer of data and applications from the cloud provider to user systems. Also, the provider must ensure the availability of the data and the continuity of the service.”
Across Europe, various governments or health authorities have launched or proposed apps which utilise the location data from the user’s mobile device to construct a digital map of Coronavirus cases and notify users of their interaction with such cases. In most cases, the apps are voluntary and the data is anonymised or aggregated. However, the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) apply to such apps which collect and process data which is personal and is not anonymised or aggregated. In particular, Angela Livgieri, Junior Partner of ALG Manousakis Law Firm, told OneTrust DataGuidance, “These apps trigger the pan-European applicability of GDPR along with the upcoming ePrivacy Regulation, the principles of Directive on Application of Patients’ Rights in Cross Border Healthcare and the Decision on Serious Cross-Border Threats to Health (No. 1082/2013/EU) which lays down specific rules on epidemiological surveillance, monitoring, early warning of, and combating serious cross-border threats to health.”
The responses from European data protection authorities highlight the need to balance the advantages of using digital tools to prevent the spread of Coronavirus with the potential adverse impact on the fundamental right to private life of European citizens. In particular, the European Data Protection Supervisor, Wojciech Wiewiórowski, called for, on 6 April 2020, a pan-European approach and ‘digital solidarity’ in the reaction to the pandemic, noting that the use of big data tools must not constitute the ‘discredited business models of constant surveillance and targeting.’
Following this, the European Parliament announced, on 7 April 2020, that the Chair of the Civil Liberties Committee (‘LIBE’), Juan Fernando López Aguilar, had addressed the use of smartphone data to manage the Coronavirus and approved the use of data which is protected by “strong security measures”, anonymised, and does not allow the direct or indirect identification of individuals. As part of this, Aguilar specified that “the GDPR and e-Privacy Directive must continue to apply and be respected” and that LIBE would be closely following the development of these apps due to the potential adverse consequences to the fundamental right to privacy.
Regarding the nature of the data collected through such an app, Livgieri lists, among others, the following as a cross-section of what is being collected in apps across Europe: “contact details, name, surname, full home address, reason for going out, work address when work is the reason for going out, telephone number, date of birth, gender, location data, date/time, telephone number, device IDs, communication partners, creation of movement profiles, credit card records, data from face-to-face interviews, health related data (lack of oxygen sensation, fever up to 37.5 degrees, dry cough, mucus, muscle pain and general malaise), details re visits to risk areas in the last 14 days, details re contact with patients.”
Most recently, the European Commission published, on 8 April 2020, its Recommendation on a Common Union Toolbox for the Use of Technology and Data to Combat and Exit From the COVID-19 Crisis, in particular Concerning Mobile Applications and the Use of Anonymised Mobility Data (‘the Recommendation’). In particular, the Recommendation aims at developing a pan-European coordinated approach for the use of mobile applications in order to enable citizens to take effective and more targeted social distancing measures, as well as a common approach for modelling and predicting the evolution of the virus through anonymised and aggregated mobile location data.
In light of the emergence of such apps, Livgieri explained, “Many governments and non-governmental institutions have considered the usage of infection tracking systems (e.g. tracking via mobile network data, locally installed tracking apps) to deal with the Coronavirus. For instance, Poland has implemented ‘Quarantine Surveillance’ as an alternative method to police checks, an app for location confirmation of a person covered by the quarantine restrictions and for conducting basic health assessment, while in Switzerland a ‘WeTrace’ app has been proposed to trace contacts via Bluetooth of an infected person. The data is encrypted, and the server is used for broadcasts of notices to proximity contacts which can be set by each user switching his or her settings to ‘infected.’ Risks should be assessed and, only if deemed necessary and proportionate, the implementation of virus tracking systems could be possible so that compliance with data protection principles is ensured.”
In the UK, the National Health Service’s digital unit (‘NHSX’) proposed an app which would use Bluetooth signals between devices to build a record of the devices each phone had come into contact with, so that the app could alert users who may have been exposed if one of those contacts later tested positive. The NHSX app would operate on an opt-in basis, and NHSX stated that it had sourced expertise internally and externally to speed up delivery. NHSX noted that traditional public health contact tracing is not fast enough for this unprecedented crisis and that the app would form part of an integrated Coronavirus control strategy for identifying infected individuals using digital tools.
Bridget Treacy and Olivia Lee, Partner and Associate, respectively, at Hunton Andrews Kurth, told OneTrust DataGuidance, “This type of app would therefore involve, at a minimum, the processing of data concerning the device used, its location and proximity to other devices, and the health of the device holder. If the health condition, or any of the other information collected, relates to an identified or identifiable individual (such as by the user’s name or by a unique identifier), then the information collected would constitute personal data (and sensitive personal data for health information), and fall within scope of the GDPR and the Data Protection Act 2018 (‘the Act’).”
However, the Information Commissioner’s Office (‘ICO’) published a statement on the use of location data in the context of tackling the spread of Coronavirus. In particular, the ICO advised that generalised location data trend analysis can support the prevention of the spread of Coronavirus. Furthermore, the ICO noted that anonymised data used by such technology would not fall within the scope of the GDPR or the Act and that, under the circumstances, privacy laws would not be breached as long as appropriate safeguards are in place.
Furthermore, Treacy and Lee indicated, “It is not clear whether [the aggregation and anonymisation of data] will be possible with the app apparently proposed by NHSX. The aggregation of data would mean that individuals that became ill would not be identifiable (defeating the purpose of the app) and the full anonymisation of data is likely impossible to the extent that device identifiers are required to identify those individuals that become ill and those who may have been exposed to them, in order to make the required alerts. In other words, for the NHSX app to work effectively, users would need to be distinguishable from one another by their device identifiers. Even though these identifiers may never be available to anyone other than those operating the app, this information likely still triggers the application of data protection law, and as such its developers and operators will need to consider the requirements of the GDPR, the Act (particularly the safeguards required in relation to special category data such as health data), and the Privacy and Electronic Communications (Amendment) (No.2) Regulations 2018 (‘the Amending Regulations’), amending the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’).”
Furthermore, if the proposed app were to materialise, NHSX would have to ensure the implementation of information security safeguards to protect the personal data concerned. Thus, Treacy and Lee further outlined, “Security requirements, both those set out under the GDPR (which requires the implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk) and those required under PECR, should be an area of priority for app developers, particularly where the aim is to collect the health data of at least half of the UK’s population. App developers will need to implement robust security measures. […] The use of an app like this in the UK will likely be voluntary, but nonetheless any data collection beyond what is necessary should be avoided, in line with the GDPR’s data minimisation requirements.”
In addition, in terms of data sharing for information collected through the proposed app, Treacy and Lee detailed, “While there will need to be a legal basis for sharing data with third parties, the GDPR does not require that consent must be obtained. […] In addition, it is unlikely that the providers of these types of apps will be able to justify extensive sharing of the health data of their users with third parties that intend to use the data for their own purposes, given the context in which the data has been collected.”
In France, the Ministry of Health approved an online Coronavirus self-assessment test which was launched on 18 March 2020. The test is anonymous and voluntary; however, users are asked, but not required, to submit their postal codes to be used for further analysis. Most recently, the Minister of Solidarity and Health, Olivier Véran, and the Minister of State for the Digital Sector, Cédric O, announced, on 8 April 2020, that the French government had launched project Stop Covid (‘Stop Covid’). As part of Stop Covid, the Ministers explained that the government is in the exploration phase of developing an app to be used during the Coronavirus pandemic to identify paths of transmission.
In particular, the use of such an app as part of Stop Covid would trigger the provisions of the GDPR and of Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, as amended to implement the GDPR (‘the Act’). Specifically, Sonia Cissé and Jean Fau, Counsel and Associate, respectively, at Linklaters LLP, told OneTrust DataGuidance, “From a technical point of view, an app can collect precise location data (via GPS), as well as any data voluntarily provided by individuals. This last category can be particularly broad and cover, for example, identification data, relationship data, data related to the individual’s routine, health data in the context of self-diagnostic apps. As such data is particularly sensitive and/or intrusive, in application of the minimisation principle, the publishers of such app (whether private or public entities) should put in place measures not to collect excessive data and only process what is necessary to reach the contemplated purpose.”
In addition, the use of such applications involves the sharing of individuals’ data with third parties to enable the identification of the paths of virus transmission. Regarding data sharing, Cissé and Fau indicated, “As the existing data protection framework is applicable, under the transparency principle set out in the GDPR, individuals must be informed of the recipients or category of recipients of their data. In addition, data should not be transferred to third parties for other purposes than those for which they have been initially collected. Finally, hosting is also an important factor as hosting providers, acting as processors, also qualify as recipients: their location will be a key factor to consider (notably if they are located in third countries outside the EEA) as well as whether they are certified to host health data (as such certification is mandatory in France for instance).”
Lastly, as pointed out by the French data protection authority’s (‘CNIL’) president, Marie-Laure Denis, during a hearing before the Law Commission of the National Assembly, in managing the crisis and the spread of the virus, the data collected about individuals often includes health data and location data. In light of the nature of the data which would be collected and processed, Cissé and Fau outlined, “The GDPR and the Act provide for a framework of information security and safeguards mechanisms applicable to the use of mobile app data. Encryption (both in hosting and in transit), pseudonymisation as well as a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing are among the security measures provided by the GDPR. However, in the context of Coronavirus, mobile app data will also include health data and location data. It is thus important to remember that they are subject to a stringent regime. The former qualifies as sensitive data, and the latter is considered as particularly intrusive by the French data protection authority (‘CNIL’). As such, their processing generally requires the consent of the concerned individual. But such stricter thresholds do not mean that such data cannot be used in the context of a crisis, as long as data protection principles are complied with.”
In Germany, two apps aimed at reducing the spread of Coronavirus, based on the processing of sensitive personal data and proximity tracking, are currently being developed by the Robert Koch Institute (‘RKI’), a federal government agency and research institute responsible for disease control and prevention. The Corona Data Donation App (‘the Donation App’) transfers pseudonymous activity and heart-rate data from fitness trackers and smartwatches, together with the user’s post code, to the RKI, and has, since 7 April 2020, already been downloaded by more than 50,000 users. With the help of algorithms, the RKI can identify patterns in this data, such as symptoms linked to Coronavirus infection, estimate the geographical spread of the virus and reduce the number of unreported cases.
The Proximity Tracking App aims to reduce the spread of Coronavirus infections by analysing social contacts. Instead of processing location data obtained from mobile radio cells, the app registers, using Bluetooth, whether its users have been closer than two metres for a significant amount of time. Dr. Carlo Piltz, Salary Partner at reuschlaw Legal Consultants, told OneTrust DataGuidance, “This app aims to inform people when contacts have tested positive for the virus. Contact persons should be stored locally via the app in the users’ mobile phones but without reference to their name or contact details. The phones communicate via Bluetooth and, according to the current information, only device-related random identifiers should be created for each mobile phone in the user’s own radius and stored locally for a limited period of time.”
Although there are no data protection laws specific to apps in Germany, a special regime applies to their development and operation. In particular, apps are governed by the GDPR and the Telemedia Act (‘TMG’), as app providers fall within the scope of telemedia providers. Pursuant to Section 13(7) of the TMG, telemedia providers must, insofar as this is technically possible and economically reasonable, ensure within the scope of their respective responsibility for telemedia offered on a commercial basis, by means of technical and organisational precautions, that no unauthorised access to the technical equipment used for their telemedia is possible and that this equipment is protected against violations of the protection of personal data and against disturbances, even if they are caused by external attacks.
Moreover, Piltz highlights that, in 2014, “The German data protection authorities have also published a guide on data protection in the development and operation of apps, [specifying that]:
- to ensure that personal data with normal protection requirements are not read or changed by unauthorised persons during transport, the communication link with the back end should be secured by transport encryption both when sending and receiving corresponding data;
- if data with increased protection requirements, such as health or credit card data, is transferred through or to the app, certificate or public-key pinning must be used to ensure that attackers cannot compromise the connection by inserting supposedly valid certificates. The cryptographic algorithms and key lengths used must be based on the length of time the personal data is worthy of protection; and
- if data with an increased need for protection is stored, it must be secured with strong cryptographic methods according to the current state of the art in addition to the protective mechanisms of the device platform (e.g. sandboxing) [as regards the requirements of the local storage of data on the mobile phone].”
Due to privacy concerns, both apps have been subject to criticism by German data protection supervisory authorities. The Rhineland-Palatinate data protection authority outlined five key requirements that must be taken into account during the development of the Proximity Tracking App:
- the voluntary nature of participation on the basis of informed consent, and the possibility of revocation at any time, must be ensured,
- the movement and contact details must be strictly limited in purpose,
- the effective pseudonymisation and secure transfer of personal data provided (contact details, IDs, MAC addresses etc.),
- decentralised storage on end devices, and
- the deletion of data after the quarantine period of 14 days.
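The decentralised design described above for the Proximity Tracking App (random, device-related identifiers exchanged over Bluetooth, contact records held only on the phone, deletion after the 14-day quarantine period, and exposure matching against the keys of users who test positive) can be made concrete in code. The following is an added example written for this page; it is not code from the RKI app or from any national scheme. It assumes a 15-minute identifier rotation, a 15-minute cumulative contact threshold as the “significant amount of time”, HMAC-SHA256 derivation of identifiers from a per-day random key, and the names `Device`, `ephemeral_id` and `simulate`, none of which appear in the article:

```python
"""Added example: decentralised Bluetooth proximity tracing, sketched in Python.

Illustrates the design described in the text: rotating random identifiers,
contact records stored only on the phone, a 14-day retention limit, and
exposure matching done locally against keys voluntarily published by users
who test positive. Not the RKI's code; all constants are assumptions.
"""
import hashlib
import hmac
import os

DAY = 24 * 3600
ROTATION = 15 * 60        # assumption: a new ephemeral ID every 15 minutes
RETENTION = 14 * DAY      # contact records are deleted after the 14-day quarantine period
CLOSE_CONTACT = 15 * 60   # assumption: "significant amount of time" = 15 minutes cumulative


def ephemeral_id(day_key: bytes, interval: int) -> bytes:
    """Derive the 16-byte identifier broadcast during one rotation interval.

    Only the holder of day_key can link one day's identifiers together;
    a bystander sees unlinkable random-looking values.
    """
    return hmac.new(day_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Device:
    """One phone. Nothing here leaves the device unless the user opts to publish."""

    def __init__(self):
        self._day_keys = {}   # day number -> 16 random bytes generated locally
        self.observed = {}    # ephemeral ID seen -> [first_seen, last_seen] in seconds

    def _day_key(self, day: int) -> bytes:
        if day not in self._day_keys:
            self._day_keys[day] = os.urandom(16)
        return self._day_keys[day]

    def broadcast_id(self, now: int) -> bytes:
        """The identifier this phone advertises over Bluetooth at time `now`."""
        day, seconds_into_day = divmod(now, DAY)
        return ephemeral_id(self._day_key(day), seconds_into_day // ROTATION)

    def record_sighting(self, eph_id: bytes, now: int) -> None:
        """Store a nearby phone's identifier locally: no name, number or location."""
        if eph_id in self.observed:
            self.observed[eph_id][1] = now
        else:
            self.observed[eph_id] = [now, now]

    def purge(self, now: int) -> int:
        """Delete records older than the retention period; returns the number removed."""
        stale = [k for k, (_, last) in self.observed.items() if now - last > RETENTION]
        for k in stale:
            del self.observed[k]
        return len(stale)

    def keys_to_publish(self, now: int) -> dict:
        """Day keys of the last 14 days, released only with the infected user's consent."""
        today = now // DAY
        return {d: k for d, k in self._day_keys.items() if today - d < 14}

    def exposure_seconds(self, published: dict) -> int:
        """Re-derive every ID a published key could have produced and match locally.

        Durations are summed across IDs from the same key, so an identifier
        rotation in the middle of an encounter does not hide the exposure.
        """
        total = 0
        for day_key in published.values():
            for interval in range(DAY // ROTATION):
                span = self.observed.get(ephemeral_id(day_key, interval))
                if span:
                    total += span[1] - span[0]
        return total

    def is_exposed(self, published: dict) -> bool:
        return self.exposure_seconds(published) >= CLOSE_CONTACT


def simulate() -> dict:
    """Constructed scenario: Alice is near Bob for 20 minutes, Carol for 2 minutes.

    Bob later tests positive and publishes his keys; each phone checks locally.
    """
    t0 = 1_600_000_000   # constructed timestamp, deliberately not on a rotation boundary
    alice, bob, carol = Device(), Device(), Device()
    for t in range(t0, t0 + 20 * 60, 60):   # one beacon per minute
        alice.record_sighting(bob.broadcast_id(t), t)
        bob.record_sighting(alice.broadcast_id(t), t)
    for t in range(t0, t0 + 2 * 60, 60):
        carol.record_sighting(bob.broadcast_id(t), t)
    alice.record_sighting(b"\x00" * 16, t0 - 20 * DAY)   # stale record, to show retention
    now = t0 + 3 * DAY
    removed = alice.purge(now)
    published = bob.keys_to_publish(now)
    return {
        "alice_exposed": alice.is_exposed(published),
        "carol_exposed": carol.is_exposed(published),
        "alice_seconds": alice.exposure_seconds(published),
        "purged": removed,
        "ids_bob_used": len({bob.broadcast_id(t) for t in range(t0, t0 + 20 * 60, 60)}),
    }


if __name__ == "__main__":
    print(simulate())
```

In the constructed scenario Bob's identifier rotates twice during the 20-minute encounter, so Alice's phone holds three unlinkable records; only after Bob publishes his day key can her phone (and nobody else) join them and conclude the cumulative exposure exceeds the threshold, while Carol's two-minute sighting stays below it and the 20-day-old record is purged. The server's only role in this model is to relay published keys, which is what makes the storage decentralised in the sense the Rhineland-Palatinate authority asks for.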
Finally, the Federal Commissioner for Data Protection and Freedom of Information (‘BfDI’) highlighted some remaining privacy concerns with regard to the different devices used with the Corona Data Donation App, stating that the level of data protection for fitness trackers and smartwatches varies depending on the manufacturer.
In Spain, the Ministry of Economic Affairs and Digital Transformation (‘the Ministry’) announced, on 6 April 2020, that its app (‘AsistenciaCOVID-19’) had been launched, allowing individuals to self-assess for Coronavirus. AsistenciaCOVID-19 was developed in approximately one week through the collaboration of ForceManager, CARTO and Mendesaltaren S.L. in partnership with health officials from the Community of Madrid and with support from Telefonica S.A., Ferrovial and Google LLC. AsistenciaCOVID-19 requires citizens to enter personal data such as names, phone numbers, dates of birth, gender, addresses, postcodes and email. AsistenciaCOVID-19 is expected to be updated to provide further analysis of the collected data.
The Ministry outlined that AsistenciaCOVID-19 is able to, with the user’s consent, geolocate the data so that the relevant authorities can visualise the mapping of infections and perform geospatial analysis in an effort to highlight high-risk areas. Following this, the Ministry highlighted that the app guarantees the security of users’ personal data.
Furthermore, the Ministry stated that collected personal data will be retained for the duration of the health crisis, and that the data will subsequently be anonymised and used for processing activities for statistical, research and public policy purposes.
In Norway, the Norwegian data protection authority (‘Datatilsynet’) issued, on 27 March 2020, a statement on the adoption of a regulation (‘the Regulation’) by the Cabinet of Ministers, on the creation of an app, to be developed by the Public Health Institute (‘the Public Health Institute’) and others, with the aim of tracking Coronavirus and reducing the time spent on virus detection. It is unclear when such an app will be launched, however, Rune Opdahl, Sebastian Forbes and Pernille Gjerde Lia, Partner and Associates, respectively, at Wiersholm, told OneTrust DataGuidance, “The Regulation will initially apply until 1 December 2020, which may be extended at the discretion of the Norwegian Ministry of Health. It allows the Public Health Institute to establish a system for digital and automatic tracking of those that may have come into close contact with people that are infected with Coronavirus, and notifying them of the same, as well as providing them with further information. The tracking system will use an app that can be downloaded by individuals onto their phones on a voluntary basis.”
Datatilsynet highlighted that the app will involve automated tracking of infected persons and the app would replace large parts of the manual work undertaken in order to alleviate societal restrictions earlier. Datatilsynet emphasised the importance of full transparency about what data is collected and what it is used for, given that the app will process health information and is linked to geolocation, so that potential serious consequences for the privacy of individuals are avoided.
Opdahl, Forbes and Gjerde Lia further explained, “All personal data collected through the tracking system and the app must be handled not only in accordance with the Law on the Processing of Personal Data (Personal Data Act) of 15 June 2018, which includes the GDPR, but also in accordance with other established laws designed to protect health data, such as Sections 6 and 17 of the Health Register Act (‘the Health Register Act’) and Section 2(2) of the Infection Prevention Act. These provide that, among other things, those who handle personal data are subject to strict duties of confidentiality, the same duties of confidentiality that those who work in the health sector are subject to.”
In addition, Datatilsynet stated that the tracking system requires the use of algorithms related to location data and that, before downloading the app, users must be given clear and complete information about what information is collected, the purposes of this, the retention periods and the possibility and consequences of withdrawing consent.
Regarding retention periods, Kari Gimmingsrud, Partner at Advokatfirmaet Haavind AS, told OneTrust DataGuidance, “Location data must be deleted after 30 days. When/if the individual deletes the application from his/her mobile phone, all personal data in the system shall be deleted or anonymised immediately.”
Given the requirement for information security measures to protect the data processed and stored as part of the Norwegian tracking system and app, Gimmingsrud highlighted that, “There are no regulatory mechanisms aimed specifically towards mobile app data, but the rules regarding information security, confidentiality for personal data will apply […] In addition, the following must be included as safeguards:
- mobile phone numbers and other direct personally identifiable features must be separated and stored separately from any other registry information; and
- only authorised personnel who perform services or work for the registry and work under the instruction authority of the data controller or data processor may be given access to identifying information in the register. Access cannot be more extensive than is necessary for the person’s work tasks.”
In terms of sharing the data collected through the tracking system and the app, Opdahl, Forbes and Gjerde Lia added that, “Only the Public Health Institute is the controller of personal data in and from the system or app. […] In addition, the personal data in the system or app cannot:
- be shared without the data subject’s consent;
- be used to check whether individuals are complying with advice or any orders; or
- be commercially exploited.
In relation to the health and location data specifically, it cannot in any circumstances (even if the data subject consents):
- be made available to the police/other prosecuting authority;
- be used in connection with insurance purposes; or
- be used by employers.”
The app (‘Smittestopp’) was launched, on 16 April 2020, by the Norwegian Public Health Institute and uses anonymous data to track movements and, eventually, to notify individuals should they come into contact with infected individuals. Smittestopp is an optional app. The Public Health Institute confirmed that all personal data will be deleted after 30 days, that data subjects may delete their personal information at any time using the delete functionality, and that users can choose whether to turn logging features on and off. Furthermore, the Public Health Institute outlined that security was the highest priority in development, using well-established industry and encryption standards and ongoing collaboration with Datatilsynet. The Public Health Institute noted that external suppliers specialised in security worked on the code and solutions. The Public Health Institute will spend the first few weeks ensuring the quality of the data collected, waiting for Smittestopp to be downloaded by a considerable number of individuals. Finally, Smittestopp uses GPS and Bluetooth to collect information about where mobile phones are and what other mobiles are nearby.
In Israel, the sensitive nature of the data concerned could raise various privacy concerns. However, Jonathan Klinger, Lawyer at Law Office of Jonathan Klinger, told OneTrust DataGuidance, “The app itself was designed with a privacy-first approach where the team of experts included Prof. Michael Birnhack, a well-known privacy scholar, to ensure that no data is collected and everything is stored locally.”
The Magen app, released by Israel’s Ministry of Health, identifies any contact between individuals and confirmed cases of Coronavirus in the 14 days prior to diagnosis. In particular, the Ministry outlined that the app alerts the user to the location and time of any cross-over with a confirmed case.
Regarding the security of the information concerned, the Protection of Privacy (Data Security) Regulations, 5777-2017 (‘the Regulations’) are the only statutorily binding instrument addressing information security in this context. Rachum-Twaig and Dat clarified, “With respect to unauthorised disclosure of personal data processed as part of mobile apps, the Regulations require both structured secure development lifecycle methods, as well as commercially acceptable in-transit encryption of any personal data transferred over public networks.”
Beyond the statutory security requirements, the Magen app’s source code has been released publicly, so that its security can be independently validated. Klinger explains, “The Magen App was also released in source code form, ensuring that independent security researchers would be able to verify that it does not send data to the government. The Magen App obtains most permissions but currently does not retain data on a server side, this ensures that the location data gathered is not shared with security services or the health administration.”
Once an individual is found to be ill, their personal information will be passed on for a technological check, and the individual will be notified. Locations visited in the last 14 days will be identified, however, call contents will not be logged. The Ministry of Health indicated that it cannot pass on information about who individuals have been exposed to due to patient medical confidentiality. Rachum-Twaig and Dat added, “The Magen App intentionally included a Privacy and Security by Design methodology which led to an architecture which allows users to check if they cross-pathed any confirmed carriers without disclosing any personal data. This is a welcome and uncommon example of how governmental authorities may harness privacy and security to enhance civilian trust while still meeting the objectives of the project. This is somewhat in contrast to other recent examples in Israel, where the government approved, by means of Emergency State Regulations, the use of the Security Service technologies for the purpose of conducting epidemiological examinations and quarantine enforcement without transparency or parliamentary supervision.”
Finally, Klinger concluded, “The Magen App is not the major concern here. Israel’s major privacy concern relates to a few emergency ordinances issued by the Government that allow tracking by the secret services and the police in an unwarranted way (literally) […] Another issue was the Minister of Defense Naftali Bennett’s plan to use the infamous NSO group to create a big-data social scoring system for Israeli residents. This was rejected by the Israeli Ministry of Justice, but a call for proposals was issued for big-data analysis systems to determine the spread of the Coronavirus. […] In general, Israel showed that it was not prepared for such an outbreak and had to use the same tools it uses to fight terror. This created a major privacy issue, with no safeguards.”
Article published on OneTrust DataGuidance’s portal.