U.K. Data Privacy Regulator Weighs in on Apple and Google’s COVID-19 Contact Tracing Proposal

On April 17, the U.K. Information Commissioner (Commissioner) published an Opinion on the recently announced joint initiative by Apple and Google to assist health authorities with contact tracing in the fight against COVID-19, referred to by the Commissioner as the Contact Tracing Framework (CTF).

In brief, the Commissioner concludes that the proposed CTF incorporates sufficient safeguards by design to ensure that it meets data protection standards, on the basis of the information publicly available at this stage. However, the Opinion also emphasizes that any apps designed to make use of the CTF will have to be assessed on a case-by-case basis, and it will be the responsibility of app developers and app stores in their capacity as data controllers to ensure that their respective apps comply with data protection law. The Commissioner also identifies risks from further developments which might be necessary to enable the effective use of tracing technology, such as the need for monitoring compliance with isolation requests and preventing uploads of false positives to the apps which could limit their efficacy.

The CTF and Contact Tracing Apps

Contact tracing is likely to play a significant part in any plans for easing out of lockdown as an effective tool to facilitate social distancing and social or professional gatekeeping, as has been seen in countries like Singapore and Taiwan. The CTF is not itself a contact tracing app, but includes new application programming interfaces (APIs) which will enable interoperability between Android and iOS devices, so enabling third parties to create contact tracing apps that exchange information via Bluetooth between any and all devices (in theory).

The idea, as envisioned by Apple and Google, is that each mobile device would emit an anonymous identifier Bluetooth signal that is then picked up by any devices nearby and locally stored as an anonymized log of contacts. If a user were to test positive for COVID-19, they could update this in the app and consent to have this log uploaded to the cloud. Anonymized data about anyone testing positive would regularly download to all devices with the app installed, and any devices matching that identifier data would then receive notification that the user had been in contact with someone who has tested positive.

ICO Assessment of the CTF

The Commissioner notes several key ways in which the CTF design looks to be effective from a data privacy perspective from the information currently publicly available:

1. The CTF seems to comply with the data minimization principle because information exchanged between devices does not include personal data (e.g., usernames or account information), any matching processes take place on-device and the system does not use location data.
2. The CTF gives power to consumers, because app installation is voluntary and any diagnosis uploads are voluntary.
3. The CTF complies with the security principle because it uses cryptographic techniques and no persistent user ID is broadcast (rather a series of pseudo-random tokens), meaning there is a limited risk of identifying a user from the interaction between two devices.

Risks and Further Developments

The Commissioner highlights that it is vital for eventual users of the apps to understand who is collecting and processing their data. The U.K. Information Commissioners Office (ICO) will continue to monitor progress, including all apps that are developed, to ensure continued compliance — particularly given suggestions that the “Phase 2” version of the CTF API may form part of each device’s operating system (OS), therefore greatly limiting the ability of users to give genuine consent. The risk of scope creep from app developers seeking to use CTF-enabled apps to collect additional data (such as location data) will also need to be monitored.

Wider issues around obtaining consent from the user also need to be ironed out, in particular the question of how allowing users to withdraw their consent can be reconciled with ensuring the effectiveness of contact tracing, for example what notifications to other users at risk after contact with a positively diagnosed individual who has withdrawn consent might still be possible. As far as compliance goes, the Commissioner confirms that the ICO will continue to take into account the overriding public interest during this health crisis, which is impacting the approach to enforcement that is being taken, as we recently discussed in detail here.

Data protection issues aside, it has been widely reported this week that there are estimates as many as 2 billion phones worldwide will not be able to use the CTF because it relies on wireless chips and software not available in many models, particularly those released over five years ago. How national and regional governments across Europe and the U.S. choose to harness this technology will become clearer over the coming weeks and months.

For further information, please read the Information Commissioner’s Opinion in full.

As the number of cases around the world grows, Faegre Drinker’s Coronavirus Resource Center is available to help you understand and assess the legal, regulatory and commercial implications of COVID-19.