Technology lawyers Alicia Young and Alexander Yap explain key privacy and data protection considerations relevant to a new generation of decentralised contact tracing software.
The COVID-19 pandemic has led governments to limit civil liberties to an extent previously unthinkable except in times of war. Features of the COVID-19 virus suggest that traditional contact tracing measures are insufficient, and reliance upon smartphone data and associated data analytics is necessary to properly manage the contagion. The new contact tracing software raises the question: is legal protection of privacy the next casualty of COVID-19?
We discuss what data is actually being collected and disclosed, who will use the data and what key privacy considerations arise from a legal perspective.
Contact tracing for COVID-19 - how it differs from traditional methods
Epidemiology suggests that contact tracing helps manage contagion rates, and early efforts against COVID-19 in countries such as Singapore and South Korea demonstrate its effectiveness.
Unfortunately, 'traditional' contact tracing is highly labour intensive, reliant on interviews with infected persons, and subject to the knowledge of the infected individual and the vagaries of human memory – could you describe the stranger you sat next to on the bus to work?
Even if these obstacles are overcome, the high transmissivity of COVID-19 threatens the availability of traditional contact tracing. Singapore was initially able to provide daily reports with contact tracing investigations complete, but when the number of daily confirmed cases increased, cases pending investigation also increased and drove the need for more accurate real time data.
Singapore is one of the first countries to deploy a contact tracing app known as Trace Together. Trace Together stores information based upon the proximity of the user to other users running the app, calculated by use of Bluetooth technology. If a user tests positive, the data may be accessed by health authorities, so that other app users who have been exposed can be identified and perhaps isolated.
New Zealand, Australia, the UK and France have signalled they may deploy apps with a similar methodology in the near future, and Apple and Google have suggested that new versions of their mobile operating systems will have built-in contact tracing functionality, based on a similar methodology.
Top 3 privacy considerations of contact tracing apps
Data which relates to an identifiable individual constitutes personal data in many countries, and is subject to stringent legal protection. With this in mind, it may seem that a substantial amount of personal data will be collected by this new generation of Bluetooth tracking apps and operating systems (collectively 'BT Trackers') for contact tracing, but is this really the case?
Location data
The first category of data usually relevant to contact tracing is information of initial and final locations, and all travel routes, of each infected individual. As a starting point, this information is likely to be the personal data of that individual. However, many BT Trackers are deployed by app providers on the basis that no geolocation data (e.g. as captured by GPS, Galileo or BeiDou) will be stored, or ultimately shared.
Instead, the BT Trackers appear to be focused only on which other users were 'close' to the infected individual and different apps vary in the features they offer and the type of data collected. Some intend to map proximity of users only (without identifying users), others enable the identification of other users who have come into contact with an infected user. So the key factual and legal determination here is whether any personal data of other users is collected by the infected individual’s BT Tracker.
Identification data
Further considerations will be relevant where the BT Trackers assign users with an anonymised ID which is retained, but also offer the option to identify users who have come into contact with an infected individual. Again, the legal implications will depend on whether the temporary, anonymised ID is actually personal data at some point, in order to enable the identification of other users.
Consent
As a matter of law, there appears to be an easy solution available – the BT Trackers may require users to consent to their personal data being used to contact them if they have been exposed to an infected individual; and also in some jurisdictions, exceptions to consent or other legitimate bases for such use of personal data may be applicable.
We believe that this could be acceptable, and in compliance with many legal regimes protecting privacy and personal data – but perhaps only to the extent that use of BT Trackers is voluntary. This approach appears to be supported in early indications from countries such as Australia, where Prime Minister Morrison emphasised this week that voluntary use, the need for consent as well as good user uptake, will be key for the success of any contact tracing app deployed in Australia.
How to mitigate other legacy privacy risks that arise from tracking apps and operating systems
The most immediate risk may be in ensuring that the BT Trackers do what they intend to do, no more and no less. In this regard, Trace Together and other similar apps may be off to a good start, as key functionality including the applications for both iOS and Android, and the associated server software, has been open sourced as 'OpenTrace' under the GNU GPL (General Public License).
We would also suggest that BT Tracker data is stored only for a specified and limited period, perhaps 14 or 21 days from the date of first collection, and irretrievably destroyed thereafter, with the period to be determined and amended from time to time based on the latest science on COVID-19 behaviour, including incubation timelines.
Perhaps the most severe risk is: once this technology has been developed, will authorities and businesses be able to resist the temptation of using similar software for other purposes? After COVID-19 has been conquered, it may be that existing privacy and data protection laws need to be recalibrated to deal with this new normal.
Alicia Young is a Special Counsel of the Technology Team of Russell McVeagh, New Zealand. Alexander Yap is a Partner and Co-Head of the FinTech Practice of Allen & Gledhill, Singapore.
As first published by CIO NZ.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.