No one can have missed the fact that the world is engaged in a struggle against the COVID-19 disease, also known as the corona virus. In The Netherlands, the advice is to stay home whenever possible and to keep at a distance from others. On April 7 2020, public health minister Hugo de Jonge announced the cabinet’s intention to use special ‘corona apps’ in an attempt to prevent further spreading of the corona virus. 1 But what does this mean in terms of privacy?
During the entirety of the press conference, two apps were mentioned. The first of these (hereinafter to be referred to as the ‘tracing app’) should be able to map which persons an infected individual has interacted with. The second app, developed by the Amsterdam OLVG hospital, assists in self-monitoring and contacting a physician. Up to this point, it remains unclear exactly what shape these apps will take. On April 11 2020, the Dutch Ministry of Health, Welfare and Sport extended an invitation to commercial companies of all kinds to join the effort of developing and deploying specialised anti-corona apps. So far, more than 750 proposals have been submitted. 2 In the week leading up to April 28, the first details on design and functioning of the apps are expected to be made public.
Protection of personal data
The necessity of safeguarding the privacy of individual citizens was one of the points explicitly made at the press conference. After all, apps offering the functionality required for their intended purpose will by definition process health-related data. Such data are considered sensitive data to which specific protection applies under the General Data Protection Regulation (GDPR), to the extent that processing them is prohibited in principle. 3 Similar restrictions apply to smartphone-stored location data which, according to the e-Privacy Directive, can only be processed if the user has given explicit consent after having been clearly and fully informed. 4 The legislation mentioned above, however, does include exemptions for situations in which processing sensitive data is necessary for the protection of vital interests, 5 for reasons of general interest in the area of public health, 6 or prevention of threats to public security. 7 That having been said, these exemptions not only require a necessity test, they also need to be strictly assessed in terms of proportionality and subsidiarity.
The rules and restrictions mentioned above would not apply if the personal data had been anonymised, which, according to the European Data Protection Board in an official statement, 8 is always the preferred option. For this reason, the European Commission, in the recent past, intended to collect anonymised and aggregated data to map the locations of European citizens. 9 This plan was opposed by several parties in the Dutch House of Representatives, 10 with the Dutch data protection authority (AP) emphasising that collecting telecom data is only allowed where a legal arrangement is in place, because anonymising telecom data is impossible and the data can eventually be traced back to personal data.
In the press conference, minister de Jonge mentioned the possibility of the tracing app being Bluetooth-based. This could be done with anonymised data if the app exchanged unique numbers with other nearby smartphones that also have the app installed, thus creating a log of smartphones that have been in the same general location. Then, if one person gets infected, the persons who have been close to him or her can be contacted. Currently, Singapore is already using an app called TraceTogether which is based on this Bluetooth technology and which stores the unique numbers being exchanged only on the smartphone itself, not in a central database. According to minister de Jonge, therefore, no government agencies should have access to the app. Meanwhile, tech giants Apple and Google have announced that as of next June, they will be adding Bluetooth contact tracing to their iOS and Android platforms, allowing users to activate the functionality without having to install a separate app.
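The Bluetooth exchange described above, sketched as an added example that is not part of the original article or of any announced app. The 128-bit random numbers, the `Phone` class, the `meet` helper and the on-handset matching step are assumptions made for illustration.

```python
import secrets


class Phone:
    """One handset running a hypothetical tracing app (assumed design)."""

    def __init__(self, owner):
        self.owner = owner   # known only to the handset, never broadcast
        self.sent = []       # random numbers this phone has broadcast
        self.heard = set()   # local log of numbers received from nearby phones

    def broadcast(self):
        # A fresh random number per encounter: it encodes no name,
        # phone number or location.
        number = secrets.token_hex(16)
        self.sent.append(number)
        return number

    def receive(self, number):
        # The log stays on the device; nothing is sent to a central database.
        self.heard.add(number)

    def exposed_to(self, released_numbers):
        # Matching runs locally against numbers an infected user released.
        return not self.heard.isdisjoint(released_numbers)


def meet(a, b):
    """Two phones within Bluetooth range swap their current numbers."""
    b.receive(a.broadcast())
    a.receive(b.broadcast())


def simulate():
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    meet(alice, bob)    # Alice and Bob were near each other
    meet(bob, carol)    # Bob and Carol were near each other
    # Alice tests positive and releases only the numbers she broadcast.
    released = set(alice.sent)
    return {p.owner: p.exposed_to(released) for p in (bob, carol)}


if __name__ == "__main__":
    print(simulate())
```

Bob's phone finds a match in its own log while Carol's does not, and at no point does any log hold more than opaque random numbers.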
Whether or not future apps will sufficiently respect people’s privacy will depend on how exactly they are designed, in terms of technology. Apart from the question whether such apps are really essential in preventing further spreading of the corona virus, it is also important for any tracing app to be reliable in measuring distances. 11 Moreover, for a tracing app to work properly, it would have to be installed on smartphones by large parts of the national population, which might call for making it obligatory for citizens to download the app and always carry their smartphones with them. 12 This, in my opinion, would be highly undesirable. On April 13 2020, sixty scientists, in a letter to the Dutch cabinet, pointed out the importance of critically assessing ‘usefulness, necessity and effectivity of the now proposed apps, while also taking into account the impact they may have on the overall social institutions, including the fundamental rights and freedoms of individual persons’. Presumably, before actual adoption of any of these apps, they will be studied and tested by the Dutch data protection authority (AP), the good news being that its chairman, Mr Aleid Wolfsen, has already expressed the AP’s serious concerns about possible deployment of apps tracing the whereabouts of corona patients, commenting that ‘If there is to be such an app, we will make very sure that it fully, completely respects and protects the privacy of our citizens’.
1. On April 6 2020, the European Data protection supervisor promoted the development of a single app to be deployed throughout the European Union: https://edps.europa.eu/sites/edp/files/publication/2020-04-06_eu_digital_solidarity_covid19_en.pdf.
3. Article 9 of the GDPR.
4. Article 5, paragraph 3 of the ePrivacy Directive.
5. Article 9, paragraph 2, sub c of the GDPR.
6. Article 9, paragraph 2, sub i of the GDPR. This requires a lawful basis. See also recital 46 to the GDPR: ‘Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics’.
7. Article 15 of the ePrivacy Directive.
8. The Board is currently working on drawing up two guidelines concerning the processing of health data and geolocations in the context of the corona pandemic: 9. https://edpb.europa.eu/news/news/2020/twentieth-plenary-session-european-data-protection-board-scope-upcoming-guidance-data_en.
11. See for instance: https://www.volkskrant.nl/columns-opinie/opinie-alleen-messcherp-metende-apps-hebben-nut~b64a1d0d/.
12. Apart from the fact that not all citizens have smartphones.
13. https://autoriteitpersoonsgegevens.nl/nl/nieuws/privacyblog-aleid-wolfsen-om-wakker-van-te-liggen. There have also been parliamentary questions: