An insight into the legality of Contact Tracing Applications by Bashar Fteiha.
As many aspects of the lockdown measures have been eased across the world, the fight against the further spread of COVID-19 continues through the adoption of stringent measures to prevent the further spread of the virus. In this respect, states and their own bodies have been working on the deployment of contact tracing applications, as part of their overall policy response to the pandemic. These applications are mainly developed to notify people who have come into close contact with an infected person, so that they can make an informed decision about their situation, including getting tested or self-isolating. While the use of digital tracing applications could possibly represent a cost-effective plan for tracing and mitigating the spread of COVID-19, it raises various legal and ethical concerns about data protection and privacy risks, particularly when taking into consideration that the use of such applications rests mainly on processing and collecting personal data belonging to individuals.
When performing their tasks as programmed, contact tracing applications rely exclusively on collecting and processing a vast amount of proximity data or geolocation data or both. Proximity data concerns specifically the data that permits the data controllers to determine the distance between two persons and the period of their interaction with each other to assess whether a possible transmission of the virus has taken place. In other words, the possession and collection of this kind of data will allow the health authorities to determine whether the concerned persons have been exposed to COVID-19 or are at risk on the basis of the distance identified and the period of interaction. With regards to geolocation data, it refers to the information relating to the actual and physical location of an individual at a specific point. The identification of an individual’s physical location is determined through specific advanced technological systems such as WIFI or GPS.
Before going into an in depth analysis of the key risks that the use of contact tracing applications significantly poses to the right to privacy and data protection, it is necessary to discuss its use from the public health perspective. In this respect, the World Economic Forum asserts that pandemics like COVID-19 pose a significant threat to international security, which affects adversely the public health of world citizens. Therefore, when a certain disease, as exemplified by COVID-19, reaches an alarming level and becomes a threat to the public health security, it falls within the state’s powers to adopt very stringent health measures or even declare a state of emergency for the sake of public health interest. Under such circumstances, the involvement of state authorities such as the military or intelligence services becomes a necessity to guarantee the full enforcement of the adopted measures. However, despite the fact that states are required to strike a clear balance between the rights of the public and the rights of the individual when adopting their measures, it is certain that such measures will either require the imposing of certain restraints on the rights of individuals or limit the enjoyment of such rights.
In light of the foregoing, given that contact tracing applications form an integral part of governments’ policy response to the COVID-19 pandemic, the question of the proportionality of such a response becomes highly relevant. Therefore, while states are obliged to ensure that use of contact tracing applications respects the principle of proportionality and must not go beyond what is necessary to achieve the purpose of suppressing the transmission of the virus, the absence of comprehensive guidelines aimed at clarifying how such applications should be deployed to collect data, and most importantly, the purposes of its collection puts the rights of individuals to privacy and data protection at the risk of being exploited or abused by state authorities for other unintended purposes. In other words, while an interference with the rights of individuals is allowed when a virus poses serious threats to public health security, the proportionality of such an interference must be held in the highest regards to ensure it remains within its extent. In the case of contact tracing application, there is no guarantee that the interference with the rights to privacy and data protection caused by the use of such applications will remain within its pre-defined extent due to the lack of guidance on the use of such applications in the fight against COVID-19.
The fact that data is the lifeblood of data-driven technologies places the rights to privacy and data protection in the epicenter of concern. Central to this latter view is the question whether the current contact tracing applications strictly comply with the core requirements of data protection laws. In this regard, contact tracing technologies normally allow data controllers to access and collect more data than necessary for achieving the necessary purpose. Therefore, due to the COVID-19 pandemic, governments must ensure that the collection of that data does not go beyond what is needed for achieving the purpose of stopping the virus. In addition, any use of contact tracing applications must be strictly consistent with the purpose limitation requirements in the sense that governments must refrain from using the collected data for new and unforeseen purposes beyond the original scope. However, ensuring the strict compliance with such requirements seems nearly impossible especially because of the fact that many of data-driven technologies including contact tracing applications operate within a block box, which means that there is no guarantee how data will be collected and used, and more importantly, for what purpose. This, coupled with the fact that the COVID-19 has led to the involvement of many states institutions such as the military and intelligence services, which normally possess the power to interfere with individual’s privacy, means legal compliance with the requirements of data minimisation and purpose limitations will be hardly guaranteed.
Furthermore, governments contemplating the use of contact tracing applications should identify the legal basis for collecting and processing data under laws such as General Data Protection Regulation (GDPR). However, with reference to contact tracing applications, the issue of legal basis becomes highly complicated. While GDPR retains consent as a key legal basis for collecting and processing the data, the GDPR grants Member States the authority to make use of that health data without consent. In particular, Member States are allowed under GDPR to process health data belonging to individuals without their consent where it is necessary for scientific research purpose and for public interest. Under such circumstances, the relevance of ‘consent’ as a legal basis for collecting and processing data lawfully will be greatly neglected by states. Given that the COVID-19 pandemic poses a significant threat to public health security, it becomes unnecessary to establish that the use of tracing contact technology will be clearly based on the voluntary and informed consent of the person. In doing so, states can easily push forward the argument that when there is blatant conflict between public health and individuals’ rights, as is the case with COVID-19 crisis, the interests of the public health must prevail. As a result, the presence of such circumstances clearly indicates governments’ willingness to proceed with their use of contact-tracing applications even if the consent of the person is not granted particularly in cases where the absence of that consent will hinder contact tracing applications from performing its tasks in tracing contacts as well as notifying those at risks, which in turn will put the public health security at jeopardy.
There is no doubt that contact tracing technology represents an effective strategy for tracing contacts as well as notifying those at risk in a timely manner. This will certainly contribute to suppressing the transmission of the virus by getting ahead of its spread through the quick identification of infected persons and all the people that have come into close contact with them. Therefore, to ensure the full potential of contact-tracing applications in tracing and mitigating the further spread of COVID-19, a holistic framework explaining how contact-tracing applications function should be adopted. For example, the adoption of an EU Toolbox that sets out a common approach to the use of contact tracing applications in European Member States should be seen as a positive step towards ensuring that such applications operate within clear guidelines.
Written by Bashar Fteiha and edited by Stephanos Christodoulou.
Make sure to follow our social media accounts.
Donate & Support