19 May 2020
Belgium has taken the decision that a coronavirus ‘App’ is not necessary for contact tracing. In the UK, NHSX has launched a trial on the Isle of Wight of a proprietary smartphone App. Other European countries, including Germany, have opted to deploy systems facilitated by co-operation between Apple (iOS) and Google (Android) on Blue-tooth technology. Are there clear benefits of using data applications for contact tracing? What are the potential detriments?
Contact tracing – a proven technique
Contact tracing is used to help break chains of transmission and control virus outbreaks. Using interviews and questionnaires to carry out the contact tracing manually is a well-known and proven technique. Nevertheless, it is labour intensive and time consuming. (You can consult the WHO’s report on using manual tracing to help control outbreaks of Ebola here.)
Digital proximity tracing using smartphones
The idea behind digital proximity tracing is to make use of ‘Bluetooth’ Low Energy (LE) signals, from the smartphone in your pocket, to record and estimate the distance between you and other smartphone users with whom you have come into reasonably close contact. Such tracing can establish, from among those who subscribe to and turn on the App, a list of persons to whom you have been physically close. If you test positive, contacts identified through the App can be alerted to take action, by self-isolating or accessing a Covid-19 test for example.
Centralised or decentralised digital proximity tracing?
In digital proximity tracing, users download an App to their smartphone which, when enabled, transmits random ‘identifiers’ (a string of digits) using Bluetooth LE. Other similarly enabled smartphones, that come close enough, detect and record the unique identifiers.
In a centralised system, if a person tests positive for Covid-19, the anonymised identifiers transmitted by their phone can be uploaded to the central server together with the time and duration of near contacts with other smartphones. Third-party contacts calculated to be at risk are centrally contacted and notified that they have been in proximity to an infected person.
In a decentralised system, a person who tests positive for Covid-19 self-reports their identifiers to a database. The database of positive identifiers is available to be consulted daily by all other users of the App, but any matching takes place on the user’s own device – not centrally.
The legal issues?
A balance needs to be struck between a government’s duty to protect public health and restrictions of individual rights to privacy. Even if App usage is voluntary, the health advantages must be weighed against privacy disadvantages (see the open letters here and here). Public confidence that the right balance has been struck will underpin widespread adoption.
Data Protection Authorities and Contact Tracing Apps
The ICO document about how data protection principles should be implemented in such Apps is here. Data protection aspects of the UK’s current NHSX proposal were criticised by politicians here and by an academic here. France’s CNIL emphasised that voluntariness, a correct legal basis, transparency and technical efficiency are all necessary to generate public confidence. Its cautious initial approval for a (centralised) French contact tracing system is here.
Disclaimer: This general memorandum may not deal with every important topic or cover all important aspects of the subject matter. It is not intended, and should not be used, as a substitute for seeking appropriate legal advice on specific questions.