Regulators loom large over covid-19 data sharing efforts

European data protection authorities continue to play a significant watchdog role during the coronavirus pandemic, with Belgian and Dutch regulators chiding their governments’ data-sharing efforts and the Italian watchdog greenlighting its country’s contact-tracing app.

Health authorities around the world have sought the advice of data watchdogs on how best to protect privacy when developing contact tracing apps. The apps are touted as a key way to tackle the pandemic, by tracking and tracing people that may have infected each other.

Other attempts at tackling the pandemic include the sharing of telecommunications data – something regulators have warned against without significant protections in place. 

Data regulators have raised concerns about serious privacy risks involved with contact tracing-apps, as they are likely to be used by large portions of countries’ populations and will process sensitive health data.

Most recently, the Belgian data protection authority issued two opinions on bills issued by its government attempting to create a legal basis for a contact-tracing app and a centralised database. The watchdog proposed 19 amendments to the bill relating to the contact-tracing app and criticised problems with the proposal regarding a centralised database.

The president of the Belgian House of Representatives, Patrick Dewael, requested that the data authority provide opinions on the bills on 15 May. The watchdog issued responses 10 days later, saying that improvements must be made before either bill can go ahead.

Regarding the bill to set up a database, the authority said that its concerns issued in a previous opinion “have not been remedied”. The watchdog said it “insists” that the bill be restructured to give more detail about the data collected, the objectives pursued by the data collection and retention periods. 

It also said the bill’s “legibility” should be improved, and that provisions should be included to ensure that any data processing mandated by the bill is necessary and proportionate. 

The watchdog’s proposed amendments to the bill ran along similar lines – saying that the proposed law should provide greater detail on issues like data minimisation, categories of data to be processed, a “reformulation” of the explanation of the app’s purposes, and details of data storage.

The authority also proposed the imposition of civil or criminal penalties for parties that attempt to restrict access to goods and services on the basis of whether or not users have downloaded the app – saying this would ensure it is truly voluntary. 

The Dutch data authority, meanwhile, said it will issue an opinion on the sharing of telecoms data with government agencies. It has previously indicated that under the existing law, such data-sharing cannot happen, and that to do so, an amendment to the law is required. 

The Dutch government has proposed an amendment, which the authority reviewed and has now come back with additional safeguards. The outspoken head of the authority, Aleid Wolfsen, said that any changes must “guarantee” privacy. 

“It is very sensitive information: who is where, day and night. This is about the privacy of all Dutch people, and participation is not voluntary … that is why extra care is required," Wolfsen said.

But not all European governments have fallen foul of their data watchdogs. Italy's authority, the Garante, yesterday greenlit the “Immune” app developed by the Italian health ministry. The watchdog said that on the basis of a data protection impact assessment produced by the ministry, the data processing carried out by the app can be considered proportionate, as features have been put in place which will protect data rights.

The authority warned that users should be properly informed about the algorithm used for calculating the risk of exposure to covid-19 and said that data collected through the app cannot be used for purposes not provided for by the law establishing the app.