Privacy & Information Security Law Blog

Elizabeth Denham, the UK Information Commissioner, has released an opinion in response to the joint effort announced by Apple Inc. (“Apple”) and Google LLC (“Google”) to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of COVID-19 by building contact-tracing technology into iOS and Android smartphones. In the opinion, the Information Commissioner concludes that the "Contact Tracing Framework" (“CTF”) being developed supports data protection principles. The approach taken by the Information Commissioner in her opinion highlights the pragmatic leadership demonstrated by the Information Commissioner’s Office (“ICO”) in enabling organizations to process personal data for the purposes of combatting COVID-19. In the Information Commissioner’s blog from April 17, 2020, Elizabeth Denham references how the ICO will continue to offer help and guidance to projects looking to find innovative ways to help society, in particular, those that assist in combating the COVID-19 pandemic.

Section 115(3) of the Data Protection Act 2018 allows the Information Commissioner to issue opinions to Parliament, Government or other institutions and bodies as well as to the public on any issue related to the protection of personal data. The opinion sets out the Information Commissioner’s current thinking on the joint initiative (based on the information made available on April 10, 2020), and is primarily for organizations involved in the CTF’s development, as well as organizations developing apps that may use the CTF. However, the Information Commissioner acknowledges that it may also be of interest to those involved in other contact tracing initiatives.

The purpose of COVID-19 contact tracing is to determine whether any individual has been in contact with an infected person during the time they were possibly infected. Contact tracing could be used to communicate with individuals to ensure they (1) are aware of the risk; (2) are provided with the required information; (3) take the necessary steps to protect themselves and others; and (4) receive the support they need. The CTF being developed by Apple and Google is not itself a contact tracing application. Instead, the current aim is to enable third parties, such as public health authorities, to develop applications themselves that exchange information via Bluetooth between devices.

In the opinion, the Information Commissioner states that the CTF itself “appear(s) aligned with the principles of data protection by design and by default." The Information Commissioner notes in particular the CTF’s apparent compliance with the design principles of data minimization and security. With respect to data minimization, the Information Commissioner states that the exchange of information between devices does not include personal data, such as usernames. Instead, the data exchanged between devices includes periodically-generated cryptographic tokens (“tokens”) that are not associated with other data that may further identify or locate the device user. In addition, the matching of tokens takes place on-device and not by the application host or with the involvement of any other third party. With respect to security, the opinion notes that “the exchange of information between devices and the upload of information to the app host incorporate a number of security measures.” In particular, the CTF uses appropriate cryptographic functions with additional safeguards.

Further, the Information Commissioner notes that purpose limitation is a core principle of data protection, and cautions that the CTF may lead to scope creep by application developers that wish to develop the functionality to collect additional data for further uses. To this end, the Information Commissioner will monitor all developments to limit scope creep, and notes that each data controller designing an application incorporating the CTF is responsible for ensuring the application is compliant with data protection law. The opinion also states that users may not be aware that while the CTF enables the collection of some data, the application itself is designed by another organization that may also collect personal data. The concern is that users may assume that the data protection by design and by default principles applicable to the CTF will extend to all aspects of the application using the CTF. With this in mind, all relevant data controllers must ensure that users are fully informed about how their data will be processed, and by whom.

The Information Commissioner’s opinion notes that the CTF initiative is not directly associated with the “Decentralized Privacy-Preserving Proximity Tracing” (“DP-3T”) system of a separate expert group. That said, the Information Commissioner states that, whilst it has not undertaken a detailed review of the DP-3T system, the underlying principles of both the CTF and DP-3T initiatives appear to be similar. The Information Commissioner’s view is that these similarities give “further comfort that these approaches to contact tracing app solutions are generally aligned with the principles of data protection by design and by default.”

The ICO has demonstrated global leadership on data protection issues related to the COVID-19 pandemic, in particular those issues related to contact tracing and the use of location data in the context of COVID-19. The ICO recognizes that the use of new technologies and tracking to combat the pandemic is a global issue, and in the above referenced blog, the Information Commissioner notes how the ICO has used its position as chair of both the Global Privacy Assembly of privacy regulators, and the OECD Working Party on Data Governance and Privacy, to bring together more than 250 commissioners, government representatives, privacy professionals and key stakeholders to debate these issues, and seek pragmatic solutions to these data protection challenges.