Contact tracing apps: A new world for data privacy

Publication May 2020

The COVID-19 pandemic has seen governments across the world restricting civil liberties and movement to new levels. To aid the safe lifting of current public health restrictions, new technologies are being developed – contact tracing apps - and rolled out to automate labour intensive tasks critical to containing the spread of the virus. Our contact tracing survey summarises the principal regulatory and policy issues applicable to contact tracing across a range of key jurisdictions in real time.

Contact tracing global snapshot

Contact tracing global map

Canada China France Germany Hong Kong Italy Indonesia PolandRussia Singapore South Africa Thailand The Netherlands Turkey United Arab Emirates United Kingdom United States

Canada

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The Government of the Province of Alberta has introduced a mobile contact tracing app, “ABTraceTogether”, which utilizes Bluetooth with the aim of letting users know if they have been exposed to COVID-19 or exposed others. Alberta’s “ABTraceTogether” app was developed using the same code that formed basis of Singapore’s “TraceTogether” App.

Currently the government of the Province of Alberta is the only Canadian government to introduce a COVID-19 contact tracing app. The Canadian Federal Government and other Canadian Provinces and municipalities are set to similarly introduce contact tracing apps.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

The App is viewed to be minimally intrusive from a privacy perspective (especially in light of Alberta Privacy Commissioner’s positive comments) as it is voluntary and collects very little information, which is only used for the limited purpose of contacting users in the event of a positive test. Major privacy concerns centre around employers potentially requiring employees to download the app as a condition of being permitted to return to the workplace.

Currently a major issue is that there is insufficient uptake within the population for the app to be effective and technological issues in that the app is always required to be open and on to work properly and transmission can be interrupted while other phone applications are being used (i.e. email).

More

China

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

China established a nationwide telecom data analysis platform under the leadership of the Ministry of Information Industry Technology after the COVID-19 crisis outbreak. Based on this platform, telecom carriers (China Mobile, China Unicom and China Telecom) may provide a tracking record of the cell phone users’ location in the past 15 days or up to 30 days.

In addition, various apps with similar functions were introduced in different regions of China to achieve a dynamic certification of health status of the local residents. Different status (red, yellow or green) will impose a different level of restrictions or regulations.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

When the personal data is collected and used for public security purposes, no consent from individuals providing it is required. This is the principle established by the Personal Data Security Specifications. The notice issued by the Cybersecurity Administration of China supporting mechanisms to control COVID-19 (Notice) provides that entities authorized by National Health Committee are entitled to collect this data without consent.

In practice, both the Government or authorized private sector organizations may have access to personal data, but the mechanism for the processing, use and storage of the personal data lacks transparency, with the potential for abuse of personal data in the future.

More

 

France

As at May 22, 2020

Key points Commentary
Is technology being used by the government to monitor and control the spread of COVID-19 
(e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The app, StopCovid, has been developed by INRIA (National Institute for Research in Digital Science and Technology). Tests are still in progress and the French Government is hoping to launch the app in early June.
Parliamentary debates will be held on May 27.

What are considered to be the major privacy concerns in relation to the app in your jurisdiction (in relation to its use (a) by the government; and (b) by private sector organisations)?

The CNIL has stressed that the collection and storage of data should be limited to that which is strictly necessary for the use of the app (for example, the app cannot collect geolocation data), and for a limited period of time. The data must be deleted when the app is no longer in use. However, it is impossible to estimate such a duration.

The other main risks raised include:

  • The use of a centralized server increases the risk of possible cyber-attacks and the temptation to exploit this data for purposes other than those provided for by law.
  • Discrimination – people who do not use the app might not be able to work or access certain public places freely, meaning their consent was not freely given and therefore is void.
  • Surveillance – in the event that the app is adopted by part of the population, it is feared that the French Government may more easily impose it on the rest of the population against their will. Moreover, the app is not based on pure anonymization – it is at best pseudonymous, which does not protect against any kind of individual surveillance.
  • Security acclimatization – once the app is deployed, it will be easier for the French Government to add coercive functions to it (individual control of lockdown). Moreover, the app provides an incentive to subject one’s body to constant surveillance, which will reinforce the social acceptability of other technologies, such as facial recognition or automated video surveillance, which are currently widely rejected.

More

 

Germany

As at May 26, 2020

Key points Commentary
Is technology being used by the government to monitor and control the spread of COVID-19 
(e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The German Federal Government plans to launch by mid-June an official app “Corona-Warn-App” which is currently being developed by SAP and Telekom on behalf of the German Federal Government. The “Corona-Warn-App” is based on the Privacy-Preserving Contact Tracing (“PEPP-IT”) technology. The app and backend infrastructure will be entirely based on open source code - licensed under Apache 2.0. The app is being developed with the Exposure Notification Framework (“ENF”) provided by Apple and Google, which will use Bluetooth Low Energy technology (“BLE”). The app will collect pseudonymous data from nearby smartphones using BLE. The data will be stored locally on each device, thus preventing any access or control over the data being available to authorities or other third parties.

Currently there is an app available in Germany launched by Robert Koch Institute (German federal government agency and research institute responsible for disease control and prevention, “RKI”) called “Datenspende-App”. This app traces general movement and fitness information using the fitness tracker only but not contacts and then sends the data to the RKI. The RKI will analyze anomalies in the data. It claims that the app can help detect COVID-19 by analyzing changes in the user’s pulse rate, sleep rhythm and activity level.

What are considered to be the major privacy concerns in relation to the app in your jurisdiction (in relation to its use (a) by the government; and (b) by private sector organisations)?
 

“Corona-Warn-App”: As providers of the operating systems, Apple and Google will have access to all user data. There are some concerns regarding their plans to develop the app.

“Datenspende-App”: There are several concerns indicated by Chaos Computer Club, a cyber security NGO, in particular:

  • RKI can directly retrieve the fitness data from the provider of the fitness tracker or Google Fit and only then the data will be psedonymized (except Apple Health). RKI may have access to the activity history and the names of the users.
  • Easy reversal of the pseudonymisation and insecure handling of the confidential pseudonym: the app does not use a standard browser but an embedded web view which is insecure due to possible man-in-the-middle attacks.
  • The RKI server exposes additional functionality such as a management and admin interface as well as a SOAP API via the Internet. This increases its vulnerability.

More

 

Hong Kong

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

Quarantine monitoring – mandatory wristbands have been introduced for those arriving from overseas and are required to be worn for a 14 day home quarantine period. The wristband is linked to an app, StayHomeSafe. There is no contact tracing app under development for use in Hong Kong.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

The key privacy concerns are excessive data collection and that data may be used for other purposes such as tracking. The Hong Kong Government addressed this concern by using geo-fencing technology rather than GPS location tracking. Other privacy concerns include storage and access to the data, as the privacy policy of the app does not contain clear information regarding retention of and access to such data.

More

 

Italy

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The Government has selected a contact-tracing app developed by a well-known software house. On 29 April the Italian Government issued a law decree setting out inter alia the rules governing the adoption of such app (Law Decree no. 28 of 30 April 2020, the Decree).

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

The Data Privacy Authority considers that the Decree on the app complies with its previous comments on this topic and with EDPB guidelines.

Main privacy concerns lie in data minimization, data security, and actual prevention of use of such data for other purposes. The Decree addresses a wide-spread concern about ownership and localization, providing that the data controller shall be the Ministry of Health, and that data shall be stored in servers on the Italian territory.

Private sector apps to be used in the workplace will need to comply with strict Italian rules on remote monitoring of employees, as well.

More

 

Indonesia

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The Ministry of Information and Communication (MOCI) launched a mobile application called PeduliLindungi. The app enables users to compile data related to the spread of COVID-19 in their communities to help bolster the Indonesian Government’s efforts to trace and track confirmed cases. Users are expected to register as participants and share their locations when travelling and also trace whether they have had contact with persons exposed to COVID-19. The app will also alert users entering crowds or COVID-19 red zones, namely locations where there are confirmed COVID-19 cases.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

That said, the Government has not been very transparent on what measures or methods it is using to ensure protection of data privacy. For instance, the app mentions that it will have periodic updates to improve security and privacy. Whilst the private sector has conveyed privacy concerns, there has not been anything major as of yet.

More

 

Poland

As at May 11, 2020

Key points  Commentary 
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)? The Polish Government has launched two apps (“Kwarantanna domowa” app and “ProteGO Safe Safe” app).

The “Kwarantanna domowa” application is intended for people who are subject to 14-day mandatory house quarantine due to suspected COVID-19 exposure. The application uses geolocation and face recognition technology to ensure that relevant people are quarantined.

The “ProteGO Safe Safe” application is designed to allow users to monitor their level of risk of getting infected. The app facilitates self-assessment of the risk of COVID-19 infection and, if the user decides to do so, it allows the user to scan the environment for other smartphones on which the application is installed and saves the history of anonymous identifiers encountered.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

“Kwarantana domowa” – It is unclear what methods have been used to protect personal data collected by the application and there may be a risk of data leakage. Due to concerns that the use of the “Kwarantanna domowa” application violates users' rights to personal data protection, the Polish Ombudsman has asked the President of the Office for Personal Data Protection for an opinion on this matter.

“ProteGO Safe” – There are three main concerns indicated by Panoptykon, a Polish NGO:

  1. risk of deanonymisation and reconstruction of the map of social links;
  2. threat to the safety of users (Bluetooth constantly on); and
  3. the risks associated with automatic decision making, which can have significant consequences for people using the application.

More

 

Russia

As at May 15, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

There is no single technology that has been introduced consistently throughout Russia.

However, monitoring of the spread of COVID-19 is done at the local level and some technologies have been introduced in certain regions of Russia. Moscow, where the number of cases is highest (about 50% of the total cases), is the only region of Russia that has introduced a technology for monitoring the location of citizens (as well as their close contacts) with confirmed COVID-19 via an app called Social Monitoring.

The Social Monitoring App was developed by the Department of Information Technologies for the city of Moscow. The app is intended for monitoring violations of a self-isolation regime and quarantine established for those who are being treated at home and/or are limited in leaving their places of residence.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

There are significant privacy concerns regarding the implementation of a Social Monitoring App. In addition to those mentioned above they include the following:

  • The use of unprotected sources of transmission of personal data which may increase possible exposures, cyber- attacks, leakage of information and its further disclosure to unintended users in the market;
  • Launching the process of personal registration and institution of online surveillance over the population for some state aims which cannot be clearly identified at this time (e.g., taxation or other).
  • Since the app allows easy monitoring of a change of geolocation and any movements from the place of personal residence, it allows identification of violators of the regime and for significant penalties to be imposed.
  • The scope of information collected and transmitted with the use of the app raises issues. In particular, this concerns photos/selfies transmitted with the use of the app. Given that only limited information regarding how the app works is available, there are questions as to whether information transmitted with the use of the app is properly protected.

More

 

Singapore

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The Singapore Government launched a contact tracing app (TraceTogether) on 20 March 2020.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

Concerns have focused on data security issues associated with the collection and storage of the data. The existence of data privacy issues associated with the TraceTogether app has been acknowledged by the Singaporean Prime Minister who commented at a national address on 21 April 2020 (which encouraged the use of the TraceTogether app) that “there will be some privacy concerns, but we will have to weigh these against the benefits of being able to exit from the circuit breaker [Singapore’s lockdown measures] and stay open safely”.

More

 

South Africa

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The South African government has partnered with the University of Cape Town to develop a smartphone app to assist government with tracking people who may be unaware that they have COVID-19 and to track people who have come into contact with others who are COVID-19 positive. The App is called Covi-ID.

The South African Government acknowledged that it is critical that the Government works collaboratively with South African technology companies and individuals to leverage technology capabilities in the fight against COVID-19 and its effects.

We are aware that the Government has approached technology companies to identify suitable projects that may assist the Government with its response to the crisis, in particular, its plan to develop a national COVID-19 Tracing Database. The database seeks to track people who are known or suspected to have come into contact with persons known or suspected to have COVID-19.

On 2 May 2020, the Department of Health also launched a Whatsapp based symptom reporting process. The details of the back end and privacy controls are unknown at this stage.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

Given that South African privacy laws are not yet in force, there is a concern that personal information may not be properly protected during the pandemic and may be used for further processing not anticipated on collection of the data. On the WhatsApp symptom tracker it is unclear who is processing the information submitted and where else it may be disclosed. There are no terms and conditions available regarding the use of this functionality.

Even though South African privacy laws are not in place, there is a constitutional right of privacy; however this may be infringed where there are larger public interest considerations that outweigh the impact on privacy.

The Covi-ID App has a GDPR-based privacy policy and also voluntarily submits to the South African data privacy laws not yet in place.

More

 

Thailand

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The technologies being used in Thailand for tracking COVID-19 are mostly contact tracing applications used together with the cell phone location data of the user. The Thai Government authorities (e.g. Department of Disease Control (DDC), Office of The National Broadcasting and Telecommunications Commission (NBTC) etc.) are currently using these applications to monitor and track individuals who have been infected or classified as being in a “high risk cluster” (including the individuals who may have been infected) with support from the private entities and state enterprise (e.g. Airport of Thailand (AOT), mobile service providers and digital start-ups). The apps in use are:

  • DDC-Care – this contact tracing application will require the user (those who have been diagnosed by the hospital or the disease screening point in Thailand, including the airport, that they are at risk of being infected) to submit a self-assessment report directly to DDC during the 14-day detention period. Also the user will be required to report all of their travel history, including the people who have been in contact with them. The general public is allowed to install and register this application;
  • AOT Airport Application – the application is required to be installed before passing through immigration points for those who have travelled to, or returned from, contagious areas outside Thailand. This application will track tourists and returnees by using the mobile phone location data and will notify the NBTC, and the mobile phone service provider, if the user is infected after entry into Thailand. If the tourists, returnees or any person is diagnosed as infected, such persons will then be required to install the application in item (1);
  • MorChana application – the application offers a contact tracing solution that enables smartphone device users to perform self-assessment and determine the risk level of infection based on exposure and travel history. It is designed to track the spread of the novel coronavirus, prompt quick and accurate public health responses, and ensure effective and measurable social distancing measures; and
  • Sydekick for THAIFIGHT COVID-19 – the application, developed by a Thai start-up, was previously developed for the purpose of emergency care. People who have been discharged from detention at a quarantine centre and who have returned home to self-quarantine will be required to install and register the application before leaving the quarantine centre. As a result of the registration, such persons will be monitored by the DDC officer and required to submit the self-assessment reports on a daily basis.
What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

Excessive data collection which may be used for other purposes such as tracking individual after the spreading of COVID-19 has ended.

More

 

The Netherlands

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The Dutch Government is currently investigating whether a contact tracing app should be launched. In this context, the Dutch Government asked the public to submit proposals. Approximately 700 proposals were submitted.

Subsequently, the Government selected seven apps that were further presented during an “appathon” held on 18 and 19 April.

Following this “appathon”, the Government decided that none of the apps met the requirements, inter alia under privacy legislation.

Therefore, the Government will, working with various experts, be working on the development of an app during the next few weeks. Currently, there are a lot of uncertainties surrounding the contact tracing app and it is even unclear whether such an app will be launched at all. Nevertheless, some aspects of the framework have already been confirmed, which are indicted below.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

There are significant privacy concerns regarding the implementation of a contact tracing app. According to the Dutch Data Protection Authority, it is unclear whether the apps are necessary and effective in combatting COVID-19. This clarity is required in order to justify the extensive intrusiveness that the contact tracing app will have on the fundamental right of privacy.

Furthermore, the purpose(s) of the app is/are unclear, as well as the legal grounds to justify processing the data, including special categories of personal data (i.e. health data) regarding which more stringent requirements apply under the General Data Protection Regulation (GDPR). It is unclear which (governmental) organisations will use the app and who the data controller is in respect of the personal data.

This is important as the data controller will be responsible for complying with the GDPR and will be the point of contact for data subjects in order to receive information on the data processing and to enforce their data subject rights under the GDPR. Given that no app has been developed yet, it is unclear whether appropriate technical and organisational measures (e.g. pseudonymisation) will be implemented to ensure that the personal data is sufficiently protected. It should also be noted that there is a risk that the app will be used on an ongoing basis (i.e. after the crisis has ended). Pursuant to the GDPR, the app should in any case be a temporary measure.

More

 

Turkey

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

In collaboration with the Information Technologies and Communication Authority and all mobile phone operators, the Turkish Ministry of Health has launched a mobile contact tracing app called “Hayat Eve Sığar” (Life Fits into the House) to monitor the movement of diagnosed COVID-19 patients and to warn users if they enter a high COVID-19 risk zone or if they had crossed paths with a diagnosed patient. Diagnosed COVID-19 patients are warned via text messages and automated calls in the event that they leave their place of isolation.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

The app is not being used by private sector organisations and to the best of our knowledge, there have been no surveys or polls to test public opinion on the app or any privacy concerns around it. However the major privacy concerns in relation to an app of this type would be the risk of a cyber attack and exfiltration of personal data (including sensitive health data) and whether established data processing principles would be duly complied with, including purpose limitation and time limitation.

More

 

United Arab Emirates

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The UAE’s Department of Health has launched a new COVID-19 tracing app called TraceCovid to “test, treat and track” as an effective measure to prevent the spread of infectious diseases. The app identifies people who have been in close contact with infected individuals, allowing authorities to immediately reach out to possibly infected individuals and provide them with the necessary healthcare treatments. The Department of Health Abu Dhabi invited members of the public to download the app to help authorities track potential infections.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

There is no Federal data privacy regulator or regulations/laws in the UAE so no comments from any such authority exists. The Government has not provided too much information on what measures and actions it is using to ensure data privacy. The Department of Health Abu Dhabi only said that privacy of personal information will be protected - there is therefore a concern that personal data collected may not be properly protected during the pandemic and may be used for further processing that was not anticipated.

More

 

United Kingdom

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

The National Health Service (NHS) reports that it will be launching a contact-tracing app which is currently under development. This is being developed by the technology arm of the NHS (NHSX). A trial was commenced on the Isle of Wight on 5 May.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

Concerns centre on privacy principles of security, data minimisation, transparency and accountability and these apply both to private and Government use of tracing apps.

In particular in relation to Government use:

  • Government surveillance – government harvesting superfluous data and being able to centralise the data and use it for unrelated purposes.
  • Lack of trust in government to store and handle data appropriately if the data is centralised.
  • Centralised data being held indefinitely given the ongoing nature of the pandemic.
  • A lack of Government accountability.
  • Privacy being trumped by community health concerns.

In particular in relation to private sector use:

  • Employee surveillance beyond what is necessary for the purposes of maintaining a safe work environment – e.g. using data for keeping tighter controls on employee movements/engagements.
  • Unnecessary dissemination of data within a business beyond strict confines of relevant HR manager.

More

 

United States

As at May 11, 2020

Key points Commentary
Is technology being used or developed by the government to monitor and control the spread of COVID-19 (e.g. contact tracing app, CCTV, cell phone location data, credit-card history)?

In the U.S., there has been some minimal, state-level efforts in this area, but the main effort has been through a major collaboration between Apple and Google. The tech giants are releasing an API in mid-May that can be used in official public health apps in the iOS and Google Play stores. Although these apps have not been rolled-out yet, they are imminent. The API uses detection of Bluetooth signals in order to track location of users over time. If User A has been in close contact with User B, who later self-identifies as having COVID-19 within a pre-defined time window, then User A will be alerted of the potential exposure.

What are considered to be the major privacy concerns in relation to the app (in relation to its use (a) by the government; and (b) by private sector organisations)?

The major privacy concerns that would normally be associated with this type of data collection appears, on paper, to have largely been mitigated through the use of a complex public key cryptography infrastructure developed by Apple and Google for this API. The devil of course, is always in the detail, and so we will be able to better judge when apps using this API go live. At this point, notwithstanding a fair amount of noise in the media about privacy concerns, this approach could work well, if the crypto implementation by Apple and Google is sound.

More



Subscribe and stay up to date with the latest legal news, information and events...