Written by Ruth Promislow, Michael Whitt and Stephen Burns
In the fight to combat the spread of COVID-19, governments throughout the world have been considering the use of digital contact-tracing apps. Contact-tracing apps seek to interrupt the onward transmission of the coronavirus by identifying and notifying recent contacts of an infected person in an anonymous fashion. Privacy issues have been central to the considerations of how such technology should be implemented to achieve this important public health objective with the least impact on the privacy of individuals.
In some digital contact-tracing systems, location and identity information may be sent to a central system for analysis, most often operated by a government health organization. In others, the systems are decentralized, where the users obtain information and are invited to update their COVID-19 health status (positive test results, for example). This decentralized contact-tracing technology is generally described as working as follows:
- users download an app and enable bluetooth communications on their smartphones;
- the app sends out a unique, anonymized beacon to other devices nearby using the same app. When two devices are in a defined proximity for a specified period of time, each registers the 'token' of the other device, and they become an anonymous 'contact' of the other for purposes of the app;
- once an individual is confirmed to be infected, with their consent, their phone uploads the last 14 days of tokens (or put another way, the last 14 days of “contacts”);
- the recorded contacts of the infected person are matched to uploaded contacts of registered users, and these contacts are sent a notification of their risk exposure; and
- the data is stored in an anonymous form—such that neither the infected person nor the contacts can be identified, and the data cannot be accessed by anyone.
Apple and Google have jointly proposed software for their separate mobile operating systems (iOS and Android) which is designed to interact on a protected-identity, anonymized, consent-dependent basis. In contrast to the decentralized model of the contact-tracing app, Apple and Google have recently confirmed that they would ban the use of location tracking in apps that use the new contact-tracing system.
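To make the token exchange and matching described above concrete, here is a toy model written for this post; it is not code from the article or from any real contact-tracing app. Following the description above, the diagnosed phone uploads only the random tokens of contacts it registered in the last 14 days, and every other phone checks on its own whether a beacon it broadcast is in that list, so nothing identifying or locating a user ever leaves the device. The 15-minute proximity threshold and the hourly token rotation are assumptions.

```python
import secrets
from datetime import datetime, timedelta

RETENTION = timedelta(days=14)         # only the last 14 days of contacts are kept
MIN_PROXIMITY = timedelta(minutes=15)  # assumed "specified period" of proximity
ROTATION = timedelta(hours=1)          # assumed interval for minting a fresh token


class Device:
    def __init__(self):
        self.broadcast = []  # (token, minted_at) beacons this phone has sent
        self.heard = {}      # token -> [first_seen, last_seen] for nearby beacons

    def beacon(self, now):
        # Reuse the current token until ROTATION passes, then mint a fresh random
        # one; the token encodes nothing about the user or the location.
        if not self.broadcast or now - self.broadcast[-1][1] >= ROTATION:
            self.broadcast.append((secrets.token_hex(16), now))
        return self.broadcast[-1][0]

    def hear(self, tok, now):
        window = self.heard.setdefault(tok, [now, now])
        window[1] = now

    def contacts(self, now):
        # A nearby device becomes a 'contact' only after MIN_PROXIMITY of
        # sightings, and only sightings inside the RETENTION window count.
        cutoff = now - RETENTION
        return {t for t, (first, last) in self.heard.items()
                if last >= cutoff and last - first >= MIN_PROXIMITY}

    def upload_on_diagnosis(self, now):
        # With consent, only random contact tokens leave the phone.
        return sorted(self.contacts(now))

    def exposed(self, published, now):
        # Matching happens on the user's own phone: was any beacon this phone
        # sent in the last 14 days registered by the diagnosed person?
        cutoff = now - RETENTION
        mine = {t for t, minted in self.broadcast if minted >= cutoff}
        return bool(mine & set(published))


def simulate(proximity_minutes, days_later=3):
    """Phones A and B sit together for proximity_minutes; A is diagnosed
    days_later. Returns whether B's phone raises an exposure notification."""
    t0 = datetime(2020, 5, 1, 9, 0)  # constructed timestamp
    a, b = Device(), Device()
    for m in range(proximity_minutes + 1):
        now = t0 + timedelta(minutes=m)
        a.hear(b.beacon(now), now)  # A registers B's beacon each minute
        b.hear(a.beacon(now), now)
    later = t0 + timedelta(days=days_later)
    return b.exposed(a.upload_on_diagnosis(later), later)
```

Running `simulate(20)` notifies B, `simulate(5)` does not because the proximity was too short, and `simulate(20, days_later=15)` does not because the contact has aged out of the 14-day window.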
The Canadian federal government has yet to release its formal position on the use of contact-tracing apps, but certain provinces (Alberta, Newfoundland and Labrador) have already moved toward the use of this technology on a voluntary basis. Alberta has developed the ABTraceTogether App, a voluntary app that can be downloaded to one’s personal device. Details on privacy safeguards are available on the Alberta government website. Key provisions of the privacy safeguards include the following: only random anonymized user ID and other de-identified data will be used; consent can be withdrawn at any time; and logs used for contact tracing are only stored for 21 days. A number of technology and security issues have been raised in respect of the ABTraceTogether App, slowing its adoption. An updated version is expected soon.
The government of Newfoundland and Labrador has indicated that it intends to offer a voluntary contact-tracing app but the app has not yet been made available.
Federal, provincial and territorial Privacy Commissioners issued a Joint Statement last week to Canadians regarding the use and implementation of contact-tracing apps given the "important privacy risks" raised by such technology. The Commissioners state that some applications of the technology do not provide an effective level of protection. The use of location data is specifically identified as a privacy concern. The Commissioners set out the principles to be respected in the implementation of the technology:
- Consent and Trust: The use of apps must be voluntary.
- Legal Authority: The proposed measures must have a clear legal basis and consent must be meaningful.
- Necessity and Proportionality: Measures must be science-based, necessary for a specific purpose, tailored to that purpose and likely to be effective.
- Purpose Limitation: Personal information must be used for its intended public health purpose, and for no other purpose.
- De-Identification: De-identified or aggregate data should be used whenever possible, unless it will not achieve the defined purpose. Consideration should be given to the risk of re-identification, which can be heightened in the case of location data.
- Time-Limitation: Exceptional measures should be time-limited: any personal information collected during this period should be destroyed when the crisis ends, and the application decommissioned.
- Transparency: Governments should be clear about the basis and the terms applicable to exceptional measures. Canadians should be fully informed about the information to be collected, how it will be used, who will have access to it, where it will be stored, how it will be securely retained and when it will be destroyed.
- Accountability: Governments should develop and make public an ongoing monitoring and evaluation plan concerning the effectiveness of these initiatives and commit to publicly posting the evaluation report within a specific timeframe.
- Safeguards: Appropriate legal and technical security safeguards, including strong contractual measures with developers, must be put in place to ensure that non-authorized parties do not access the data, and that the data is not used for any purpose other than its intended health purpose.
This Joint Statement follows the April publication by the Office of the Privacy Commissioner of Canada of an assessment framework intended to assist government institutions with responding to the COVID-19 crisis. The April assessment framework set out the same principles as those above to guide the government in the assessment of measures proposed to combat COVID-19 and that have an impact on the privacy of Canadians. It is these same principles that form the backbone of the federal privacy legislation and provincial privacy legislation.
Similar direction has been issued by the European Data Protection Commission, which recently published guidance for EU governments setting out the features and requirements that contact-tracing apps should meet to ensure compliance with EU privacy and personal data protection legislation. Key features identified are the need for people to have certainty that the apps will be used only for the specifically defined purposes, and will not be used for mass surveillance.
The UK Information Commissioner has issued an opinion on the Apple-Google joint initiative on contact-tracing technology. In the written opinion, the Commissioner states that the proposed technology is "aligned with principles of data protection by design and by default." She notes, among other things, that the app only generates a limited amount of data, and the tokens are not associated with any other data that could be used to identify or locate the device user. The Commissioner sets out similar principles to those outlined by the Canadian Commissioners and by the European Data Protection Commission to be respected with the implementation of this technology, including data minimization, as well as transparency and user control.
There have been a number of contact-tracing apps developed or proposed in various jurisdictions. All have come under scrutiny by privacy advocates and regulators. In some parts of the world (such as Indonesia, China, South Korea, Taiwan, India and Norway), governments have already implemented contact-tracing apps. India has made use of a mandatory contact-tracing app for civil servants. In Australia, a voluntary contact-tracing app is currently being finalized by the government.
While some governments have implemented a contact-tracing app without the use of the Apple-Google technology, several are adopting it in place of alternatives. Without the Apple-Google technology, apps built by governments apparently have limitations. For example, one limitation identified is that the phone's screen has to be unlocked for the app to work properly, raising a number of technology and security concerns. Germany recently changed course over which type of technology to use, choosing to proceed with the Apple-Google technology. An increasing number of European countries are likewise opting for an approach that incorporates the Apple-Google technology.
The COVID-19 pandemic presents unprecedented issues, which necessarily involve privacy considerations. In this manner, the pandemic has forced innovation and data protection to coexist. While governments roll out the implementation of this technology, it is clear that privacy regulators and commissioners around the world will be watching. For more information on COVID-19 and privacy-related issues, please visit the Bennett Jones COVID-19 Resource Centre.