Contact tracing apps are quickly becoming a key tool in helping governments to ease the lockdown measures imposed in response to the 2019 novel coronavirus disease (COVID-19) crisis. Several national authorities and private companies have already joined the race to create their own versions of these apps (see box “Contact tracing apps”). In response, both the EU and the UK have issued guidance on the data protection considerations associated with the development and use of these new technologies.

On 15 April 2020, the European Commission published the first version of its pan-European toolbox, which sets out the essential requirements for contact tracing apps, followed by accompanying guidance on 17 April 2020 (https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf; https://ec.europa.eu/info/files/guidance-apps-supporting-fight-against-covid-19-pandemic-relation-data-protection_en). In addition, the European Data Protection Board (EDPB) published guidance on the use of location data and contact tracing tools in the context of COVID-19 on 21 April 2020 (https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf).

In the UK, on 17 April 2020 the Information Commissioner’s Office (ICO) published an opinion on Google and Apple’s joint initiative, the Contact Tracing Framework, which enables the use of Bluetooth technology to help governments and public health authorities reduce the spread of COVID-19 (https://ico.org.uk/media/about-the-ico/documents/2617653/apple-google-api-opinion-final-april-2020.pdf). On 4 May 2020, it published a paper setting out recommendations to help developers of contact tracing apps comply with data protection laws (https://ico.org.uk/media/for-organisations/documents/2617676/ico-contact-tracing-recommendations.pdf). The Joint Committee on Human Rights also published a report on contact tracing apps on 6 May 2020, following a hearing on 4 May 2020 with the ICO and NHSX, which is a digital branch of the NHS (https://publications.parliament.uk/pa/jt5801/jtselect/jtrights/343/343.pdf).

The regulatory guidance emphasises the importance of contact tracing solutions being developed and implemented in compliance with the General Data Protection Regulation (2016/679/EU) (see feature article “GDPR one year on: taking stock”). Although any assessment of the data protection implications of a contact tracing app must be performed on a case-by-case basis. A number of steps are recommended as best practice.

Data protection by design. Contact tracing apps should only process information that is necessary to fulfil their core purpose. Location data are not necessary as information about the proximity between users should be sufficient. The collected information should stay on-device only; if that is not possible, this must be clearly explained and must not result in any unnecessary risks for the user. Data should be retained for the minimum amount of time necessary to fulfil the purpose of processing. Retention periods should be based on medical evidence and personal data should be erased or anonymised at the end of the crisis.

Anonymised identifiers. The apps must only use unique anonymised identifiers, which are renewed regularly, to limit the risk of individuals being identified.

User control. Users should be able to decide freely whether to download contact tracing apps, opt out after downloading, and exercise rights of access, erasure, restriction and rectification. Individuals who choose to opt out should not suffer any disadvantage.

Lawful basis. The legal basis for processing personal data in a contact tracing app is likely to be the user’s consent or the necessity for the performance of a task in the public interest, especially if the app is developed by or on behalf of a public health authority.

Purpose limitation. Purpose limitation is a fundamental data protection principle, requiring that personal data are used only for a clearly defined purpose, or purposes that are compatible with the original purpose. Therefore, contact tracing apps must be limited to managing the COVID-19 pandemic. However, the ICO acknowledges that the processing of data by contact tracing apps for additional functions, such as to assess compliance with isolation, may be legitimate and permissible provided that a separate data protection impact assessment (DPIA) is also performed by the data controller.

Impact assessments. Processing associated with contact tracing technologies is likely to result in a high risk to the rights and freedoms of natural persons. Therefore, conducting a DPIA is a minimum requirement before any contact tracing tool is deployed.

Security. Back-end infrastructure must be secured with robust and state-of-the-art cryptographic techniques. When reporting infected users on the app, a separate authentication should be made; for example, by using a one-time code linked to both the anonymised identifier of the infected user and the medical professional who made the diagnosis. Adequate processes must be implemented to test the effectiveness of these security measures.

Governance and accountability. The app’s source code should be publicly available to ensure fairness and accountability, and the algorithms must be regularly reviewed by independent experts. App procedures should be subject to the supervision of qualified personnel in order to limit the risk of false positives or false negatives. The task of advising on next steps, after a user has reported having symptoms, should not be based on automated processing. The identities and roles of all of the parties that process personal data as part of the contact tracing solution must be explained clearly to the users.

Exit plan. The ICO underlines the importance of having a decommissioning plan for the end of the pandemic, when the data processing will no longer be necessary. Similarly, the EDPB advises that criteria should be developed as soon as possible to determine when the app should be dismantled and which entity will be responsible for this determination.

In the UK, NHSX has started testing its own contact tracing app. However, the Joint Committee on Human Rights considers that the current legislative and regulatory arrangements are insufficient to adequately protect human rights, such as the right to privacy, and has advised against the implementation of the NHSX app without the following guarantees:

The COVID-19 crisis continues to push boundaries, including in the area of data protection. While the use of contact tracing technology has the power to contribute to fighting the COVID-19 pandemic, it also has the potential to damage individuals’ rights and freedoms if it is not built to prioritise privacy.

In normal times, state-controlled apps that enable the mass surveillance of personal data would be extremely controversial. Although the current crisis makes the use of these apps a necessity, it is crucial to ensure that the evolving technology adequately protects the public’s personal data and fundamental human rights. Developers should ensure that they continue to monitor the regulatory guidance and update their apps to maintain privacy protection.