Data protection – another COVID-19 casualty?

Data protection – another COVID-19 casualty?

With more than one third of the planet’s population currently under some form of COVID-19 related restriction, the wider impact of ‘lockdown’ is becoming apparent. In the UK alone, the wider human cost of this necessary measure has been staggering: two million routine NHS operations cancelled; close to one million applications for universal credit benefit in the final two weeks of March; and calls to a national domestic abuse helpline 49% above average. The global economic picture is equally bleak. The IMF calculates the world economy will shrink by 7% in 2020, with trade levels sinking dramatically and national borrowing set to rise to levels not seen in peacetime. In the face of such dire prospects, for a relaxation of lockdown have grown increasingly vocal. But with a vaccine still 12-18 months off, governments around the world are weighing the apparent trade-off between easing restrictions and maintaining public health.

To lengthen the odds of a second infection wave, countries have been exploring how to harness technology to automate contact-tracing of those potentially infected with the virus, releasing the remainder of the population to go about daily life. Though simple-sounding, such technology is far from straightforward. It also brings serious practical and ethical concerns already playing out in some countries, and risks pitting health care against data protection.

What is contact tracing?

Contact tracing has long been a key tool in preventing the spread of communicable diseases such as STDs. Essentially detective work, it involves tracking down and alerting those who have been in contact with a confirmed sufferer.  However, it has readily apparent limitations: with air-borne diseases such as COVID-19 where symptoms are delayed, it is difficult to identify everyone who may have been exposed. It is also time-consuming and works best where infection levels are low. On 12 March, the UK Government stood down Public Health England’s 290 contact tracers, believing them already overwhelmed by the spread of the coronavirus.

In April, however, seemingly following best advice from the World Health Organisation, the Government reversed its decision, announcing plans to recruit and train 18,000 contact tracers, and decided to support their efforts through automation using a contact-tracing app developed by NHSX (the digital arm of the NHS) downloaded to smartphones to ‘track-and-trace’ those exposed to the virus.

How would automated contact tracing work?

Individual nations are developing their own particular contact tracing apps but, broadly, two methodologies exist: one employing the user’s geo-location, often in conjunction with credit card data and surveillance camera records (which formed part of pandemic containment measures in South Korea), and a more privacy-friendly version based on Bluetooth being developed by many countries in the West.

In the Bluetooth version, as the user moves about, the phone would connect with other phones within a certain range. A ‘Bluetooth handshake’ would take place in which connected phones exchange and each store a unique ‘key’ signifying physical proximity. In the UK, when users subsequently display symptoms they may choose to allow the app to inform the NHS which would then alert other app users whose smartphones hold the infected person’s key, indicating that those other users should self-isolate. (Presumably anybody choosing to tell the NHS that they are suffering symptoms would themselves have sensibly already decided to self-isolate). Crucially, the key would be anonymous and would not reveal the personal identity or location data of the infected individual to those receiving alerts.

To facilitate automated contact tracing, Apple and Google, which dominate the global smartphone market, are collaborating to release interfaces (APIs) to enable Android and iOS devices to work together using apps from public health authorities.

How effective is it?

Although elementary, automated contact tracing has significant practical limitations. Bluetooth is an imprecise tool. Plainly of less concern when adopting a precautionary approach, it risks false positives such as smartphone proximity but through a wall. Necessarily it is ‘blind’ to disease transmission in spaces vacated by infected individuals moments before, where no Bluetooth handshake between handsets would take place. Crucially, automated contact tracing relies on uptake – how many people download the app. In the UK, 60% of the population would need to download the app for it to make a positive difference, but Singapore’s version was downloaded by only 19% of the population.  Additionally, with 20% of Britain’s population estimated not to own a smartphone and with a slew of older devices with limited app capability, large numbers of those living in the UK would be excluded – leaving a potentially significant gap in coverage and efficacy.

A further difficulty arises from the multiplicity of contact tracing apps currently under development – how will they work together? Moreover, once international travel resumes, will national contact tracing apps be interoperable? Finally, there is a risk that automated contact tracing will be seen as a panacea by ‘fanboys’ for utopian technological solutions, whereas in reality, it can only be part of the answer, along with adequate infection testing and traditional confirmatory contact tracing which are essential components of any useful roll-out. The latter appears to have been recognised by the UK Government in its recruitment drive for contact tracers.

Authoritarian regimes around the world have been quick to use the pandemic to restrict their citizens’ freedoms, with China introducing a “traffic light” system in conjunction with tech companies like Alibaba Group to control citizens’ movements, and Russia deploying aggressive surveillance methods in the name of COVID-19 lockdown enforcement in cities such as Moscow and St Petersburg. The risk is that, even in more libertarian states, contact-tracing apps will effectively morph into ‘immunity passports’ by which access to amenities is determined, widening the ‘digital divide’ still further.

Against this background, automated contact tracing has raised acute privacy concerns. Whereas campaign groups (as well as Apple and Google) prefer a decentralised model where the Bluetooth handshake keys are stored only on a user’s handset, many health authorities around the world (including the NHS) prefer centralised records of anonymised data offering greater data about the infection’s spread. What cannot be ignored is that centralised systems do permit re-identification by governments (or even by hackers). In the UK, such concerns were highlighted when a draft Government memo was leaked in March suggesting Ministers may be empowered to order the re-identification of individuals from their smartphone data where they deemed it proportionate at some stage.

To reduce such risks, Apple and Google have limited the operability of their proposed interface where centralised systems are created, seemingly rendering the system practically unworkable. Austria, Switzerland, Spain and – despite earlier reluctance – Germany have now signed up to decentralised systems. The UK, however, has decided to press on with a centralised system, claiming it has found a way to make the software work sufficiently well on iPhones, overcoming the deliberate limitations imposed by Apple and Google, albeit at a cost to phone battery life and necessitating that screens remain unlocked (which may itself present data security risks).

Beyond the pandemic, the wider impact of the UK Government’s approach may be to fuel pre-existing concern over excessive state surveillance powers arising from the Investigatory Powers Act 2016 (the so-called ‘Snooper’s Charter’) and whether the UK’s level of personal data protection is essentially equivalent to that of the EU. This would present yet another concern to be added to the existing list – ‘bulk surveillance’, facial recognition technology, data sharing with the US, and criticism of the UK Government over data compliance breaches – which may further jeopardise the prospects of an ‘adequacy decision’ from the European Commission at the end of the Brexit transition period. Without an adequacy decision, there would be significant obstacles to the future flow of personal data from Europe to the UK.

Data protection laws – help or hindrance?

In a straight contest between health and data privacy, polls show the public in favour of allowing government to use mobile phones to track coronavirus sufferers and inform others of potential infection. Some surveys go further, suggesting almost half the UK population would support the use of phones to identify and penalise non-compliance. As regulators have been at pains to say data protection laws are not incompatible with public health safety, and both the UK’s Information Commissioner and the European Data Protection Board (EDPB) – comprising data supervisory authorities across Europe – have expressed their broad support for a data-driven solution as part of the response to the health emergency.

To ensure proper consideration of privacy implications, and to build public trust in contact tracing apps, the ICO has blogged a series of questions for those developing technological solutions, focusing on transparency, fairness and proportionality (ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/04/combatting-covid-19-through-data-some-considerations-for-privacy/). In her second ever official Opinion issued under the Data Protection Act 2018, the Information Commissioner approved the joint Apple-Google interface initiative, though she warned organisations developing the apps themselves of their obligation to comply with data protection laws (https://ico.org.uk/media/about-the-ico/documents/2617653/apple-google-api-opinion-final-april-2020.pdf ). The ICO also issued a statement about the contact tracing app under development in the UK, recognising the role that data can play in beating COVID-19 and indicating that it had been working with NHSX to ensure high levels of transparency and governance.

The EDPB too has emphasised how the GDPR was designed to be flexible and rejected any suggestion that public health safety and fundamental human rights and freedoms are incompatible. On 21 April, the EDPB issued guidelines clarifying the proportionate use of location data and contact tracing tools but warned that, such was the grave privacy intrusion of systematic and large scale monitoring of location and contacts, though legally undertaken on public interest grounds, only voluntary adoption could legitimise it. Those who cannot or decide not to use a contact tracing app should suffer no disadvantage. GDPR principles of data minimisation (only collecting what is necessary); storage limitation (not keeping personal data longer than is necessary); and purpose limitation (particularly excluding processing for commercial or law enforcement purposes), should be observed.

Conclusion

Despite the hue and cry that surrounds it, data protection law is remarkably malleable. Although the legislative framework is complicated there is a path through it which legally permits the potentially life-saving benefits of automated contact tracing but simultaneously acts as a bulwark against authoritarianism. With the Chief Executive of NHSX informing Parliament  that he will be ready to roll out the UK’s contact tracing app in May, it remains to be seen, though, whether the practical problems such apps face can be adequately overcome to restore a semblance of normality and allow the UK and the rest of the world to begin the path to recovery after this extraordinary period.

If you’d like to discuss any of the issues raised in this article with one of our solicitors then please get in touch in the strictest confidence.

Julian Hayes is a Partner specialising in all aspects of corporate crime and regulatory work. As well as dealing with high profile fraud and corruption matters, including investigations with an international dimension, he has considerable experience of advising corporates on data protection and cybercrime issues.

Andrew Watson is a legal assistant and has been involved in a number of matters concerning HMRC, Trading Standards and the SFO and has a particular interest in relation to cash seizure and forfeiture under the relevant provisions of POCA 2002 and the Criminal Finances Act 2017. Recent data protection work has included advising on the obligations placed on a data controller by the DPA 2018/GDPR when considering whether to comply with a non-mandatory ‘Request for Information’.