Desperate times call for desperate measures? Understanding the privacy risks of digital-contact tracing in the COVID-19 fight

Reading Time: 5 minutes


Trilateral Research

Date: 2 April 2020

During the current COVID-19 pandemic, a number of Asian countries initially experiencing the outbreak have relied upon technological tools (apps, tracking technologies, and big data analytics) to mitigate and contain the spread of the virus. Now, similar approaches are being developed in Europe and North America where – depending on how privacy is embedded in the culture of the country – some resistance has been encountered. This article aims to explain what ‘digital-contact tracing’ is and to analyse the risks and responsibilities of public authorities aiming to develop similar tools to the fight against this Coronavirus. 

What is digital contact tracing?

Contact tracing is a monitoring process employed to prevent further transmissions of viruses aiming to trace back people who have been in close contact with someone who is infected. It can be broken down into 3 basic steps:

  1. Contact identification: the practice of identifying contacts, usually by asking about the infected person’s activities and the roles and activities of the people around them.
  2. Contact listing: the practice of listing contacts of an infected person and informing them of the meaning of their contact status, as well as the necessity to take appropriate measures like quarantine or isolation.
  3. Contact follow-up: the practice of regularly following-up with all contacts to monitor symptoms and test for signs of infection.

Being traditionally carried out through questionnaires and interviews to infected people, contact tracing has now relied on Information Technology. During recent outbreaks, such as SARS in 2003, the development of more technological approaches has been put in place to rapidly detect the sources of infection, cluster of cases and transmission routes. With COVID-19, the employment of ICT tools is becoming increasingly common and countries across the world are placing confidence in ‘digital-contact tracing’ to come out of the emergency as soon as possible.

How does it work? Privacy experts at the Brussels Privacy Hub and Privacy International are monitoring the measures that have already been implemented or are currently being debated across the world. Usually, they involve the collection of detailed location data through smartphones logging from a variety of sources – including cell towers, GPS, Bluetooth beacons, and Wi-Fi networks.

Some less-intrusive applications consist of mobile operators sharing aggregated and anonymised datasets with public officials to track population movements without the need for user opt-in. In other cases, an app is voluntarily installed by people with symptoms, people in quarantine or isolation, people travelling to high risk areas, or whoever wants to get alerts on the overlaps of their activity maps with those of infected individuals. The app would then collect data on coronavirus diagnosis and user movements, integrating it with information on proximity contacts and sharing it in a centralised server. With this information, and – if possible – cross-referencing it with other available datasets, authorities can both monitor the efficiency of their containment measures and identify recently infected individuals, achieving rapid epidemic control.

Is there a risk for mass surveillance?

Since these measures have been implemented first through surveillance tools in countries that are often criticised for a suboptimal protection of individual rights, privacy experts in Europe and North America are looking with a certain degree of suspicion at the possible developments of digital contact tracing. The most common objection concerns the intrusiveness of these measures as well as their power to enable mass surveillance, creating a dangerous environment that could allow governments to continue collecting sensitive information well beyond the end of the emergency. Furthermore, even success stories like the so-called “South-Korean model” sheds light on the possible dangers of the use of such tools and the concrete possibility that they may lead to social stigmatisation and discrimination.

Nonetheless, supervisory authorities in Europe have underlined how data protection rules should not and are not intended to hinder measures taken in the fight against the COVID-19 pandemic. On the one hand, the GDPR and its implementing national legislation allows competent public health authorities and employers to process personal data with added flexibility to preserve public health. On the other hand, national laws implementing the ePrivacy regime set the condition to lawfully process telecom and location data, allowing Member States to introduce legislative measures to safeguard public security (Art. 15 of the ePrivacy Directive). Such exceptional legislation can be adopted to restrict the scope of the rights and obligations provided by the ePrivacy regime only when these restrictions constitute a necessary, appropriate and proportionate measure within a democratic society. Furthermore, adequate safeguards should be put in place to guarantee, among other things, the right to a judicial remedy for the users of electronic communication services.

With specific regard to the collection of mobile location data in digital contact tracing, the EDPB has recently clarified that public authorities should comply with the proportionality principle and seek to process data in the least intrusive way, considering the specific purpose they wish to achieve. Therefore, the processing of anonymous data (e.g. aggregated in a way that individuals cannot be re-identified) should always be preferred over the processing of historical, non-anonymised location data.

In addition, in a communication to DG CONNECT envisaging a coordinated European approach for European institutions, the EDPS has highlighted that:

  1. Effectively-anonymised data fall outside of the scope of EU data protection legislation;
  2. obligations related to information security, access, confidentiality and prohibition on further use will continue to apply;
  3. public authorities should put in place adequate measures to ensure the secure transmission of data from and to telecom providers;
  4. public authorities should ensure the temporary character of these measures by deleting the obtained data as soon as the current emergency comes to an end.

Although these comments have been focused on processing operations led by European institutions, their contents can be transferred and applied to national entities and other organisations. 

Towards a holistic approach

We should not forget that identifying and listing contacts is only a part of the whole containment strategy. Digital contact tracing alone is no panacea to a global pandemic and should always be supported with general preventative population measures and an increase in the number of tests across the population.

Furthermore, only by being transparent about the information collected and the purposes of the collection, authorities can establish the public trust and confidence that are necessary for these measures to be accepted by society. For these same purposes, the pressure and urgency led by the state of emergency should not lead public authorities to avoid putting in place the appropriate measures and safeguards to be compliant with data protection and privacy requirements. For example, while reports on the concentration of mobile devices at a certain location (‘cartography’) should be favoured in reason of their limited intrusiveness, the development of apps for digital contact tracing should always require a preliminary test on proportionality. Data Protection Impact Assessments must be undertaken, and the principles of data protection should be implemented during the design phases and as default features once these tools are live. Only by developing privacy conscious protocols and privacy-preserving approaches the use of such tools can be limited to the needs of the emergency at hand, preventing similar systems being used for oppressive purposes by anti-democratic regimes.

Trilateral Research has meaningful experience working for public and international organisations carrying out healthcare-related projects that required DPIAs. If you think we might be able to assist your efforts to enhance your policies and procedures please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.

Related posts