Trace to the finish? Data concerns on contact-tracing apps

King & Spalding’s Kim Roberts examines issues raised by the rapid deployment of covid-19 contact-tracing apps.

One of the proposed remedies to help restart the economy from the grip of the covid-19 lockdown is contact-tracing apps. The concept is that parties can access data from mobile phones to scrutinise a user’s movements and potential interactions in a bid to identify the spread of covid-19.

Employers have closely monitored the idea. The hope is to use the data gathered from the apps as part of the efforts to kickstart the economy and to get the workforce back to work. If employers can pool together data on the health of their staff they can ensure – and try to maintain – the wellbeing of workers, and help restart their businesses.

The development of the technology for such apps, which differ from country to country, is remarkable. Collaborations between public health services and technology giants are unprecedented. Needless to say, while the intentions may be legitimate, the associated risks of using such apps for personal data are not all the same.

There has been growing discontent from privacy commentators, activists and individuals alike over the monitoring of their data and the use of it.

Cause for concern

Concerns around the use of contact tracing apps centre around the protection of personal information (including location data and health information) and ensuring appropriate technological safeguards are inherent in the technology at all stages of their development and utilisation.

Contact tracing apps are like a mass GPS-tracking system. They function by tracking users of the app and what contact they have had with each other. The EU system in development, for example, utilises Bluetooth to broadcast signals from one user’s phone to another, which registers that one user has been in close proximity to another. Users that develop covid-19 submit that information to the app, which traces all other users who have been in their proximity. The app then messages users that have been in proximity of the infected person within the previous two weeks to signal that they may have been exposed to the virus, without revealing which individual they have been in contact with who has the disease. Subsequently, users are sent instructions about what their next steps should be.

GDPR issues

Where such apps fit into the GDPR is a topical issue. Indeed, the European Data Protection Board (EDPB) has issued comprehensive guidance on the privacy issues associated with contact-tracing apps.

The EDPB guidance flags that ensuring a balance between processing personal data as a way to manage the covid-19 pandemic and how data protection is ensured is indispensable to build trust, and create the conditions for social acceptability of any solution.

In terms of compliance with the GDPR, the processing of personal data for the purposes of assisting with the spread of disease is a lawful ground for processing personal data. However, the guidance also makes clear that voluntary use of the app by way of users clearly giving consent is also mandatory. It is apparent that requiring an employee to use the app, perhaps as a pre-condition to allowing them to return to the workplace after lockdown, is inconsistent with the guidance that participation must be voluntary.

Commentators and the EDPB alike acknowledge that to ensure public trust in the technology, an individual cannot be forced to use it. There is a clear tension here between required voluntary use and the fact that to be effectively deployed for their intended use, it is estimated that 80% of smartphone owners will have to download and use contact-tracing apps. This is an ambitious requirement for technology which is both novel and potentially intrusive.

Anonymisation

One such intrusion is perhaps best illustrated by the concern about whether the technology is capable of completely anonymising the data. The guidance states that sharing anonymised data is permissible in the EU provided that it “does not allow for individuals to be identified in any way”.

For the developers of the technology, a fundamental problem is that data about location is notoriously difficult to anonymise, as well as the fact that anonymisation is capable of being reversed. We all create “geoprints” by reference to our unique geographical movements from home to work, to a place of exercise, and a favourite place to shop; it is likely that nobody else visits the same configurations of locations as a given individual. If that geoprint is combined with the fact that an individual worships at a certain location, the religion of the user may also be quickly discovered.

The guidance also identifies other specific safeguards such as the requirement to minimise the amount of data that is processed by the app and to limit the period that the data will be retained. The need to give assurances to the public that their personal data will not be used for purposes which are wider than the specific purpose of tracking the spread of the disease is fundamental.

This certainly seems to rule out the ability for employers to compel employees to use the app, as under current proposals there is no justification for employers to have access to information that the app is designed to capture. Staff too may be anxious that an employer is monitoring their movements.

In addition, the guidance states that an individual who exercises choice around whether to use contact-tracing apps or not, should not suffer any disadvantage, seemingly ruling out the ability for employers to require employees to become users of the technology as a pre-condition, and perhaps an ongoing requirement of their return to the workplace.