Data Protection Report - Norton Rose Fulbright

The COVID-19 pandemic has seen governments across the world restricting civil liberties and movement to unprecedented levels. To aid the safe lifting of current public health restrictions, new technologies are being developed and rolled out to automate labour intensive tasks critical to containing the spread of the virus, such as contact tracing.

Contact tracing applications essentially work using either Bluetooth technology or GPS to log every time two or more users are close to each other for a certain period of time. If a person is diagnosed with COVID-19, other users who were close to that person can then be notified. The notified user can then take appropriate steps, such as self-isolation or quarantine. These apps are capable of collecting vast amounts of personal data and significant concerns have been raised including in respect of government surveillance, repurposing of data for uses unrelated to the fight against COVID-19 and data being stored centrally, potentially for an indefinite period.

It remains to be seen whether the apps themselves are effective or if there are limits to what they can achieve. There are not only technological limits (such as Bluetooth not working in the background on iPhones), but also social limits, given that the success of a contact tracing app relies on widespread use by the community. Widespread use is only likely to be achieved if the apps are developed in an open and transparent manner, and are not unnecessarily intrusive to privacy.

Earlier this week, 300 of the world’s leading academics from 25 countries wrote an open letter[1] setting out the risks if contact tracing does not incorporate Privacy by Design principles (i.e. taking privacy measures into account from the outset of the engineering process) and is not open, transparent, decentralised and voluntary. The academics’ fear is that “some solutions to the crisis may, via a mission creep, result in systems which would allow unprecedented surveillance of society at large”[2]. The European Parliament also recently supported a decentralised approach to the storage of data generated by contact tracing apps[3], as did Apple and Google, who have announced a joint effort to build contact-tracing technology into iOS and Android smartphones[4].

In Asia, where the battle against COVID-19 has been going for longer than in other parts of the world, different technologies have already been rolled out in an attempt to flatten the curve and to move towards the lifting of government restrictions. Some of the most discussed contact tracing technologies have arisen in Hong Kong, China, Singapore and South Korea:

  • In Hong Kong, the focus has been on home quarantine monitoring. Mandatory wristbands have been introduced for those arriving from overseas and are required to be worn for a 14 day home quarantine period. The wristband is linked to an app, StayHomeSafe, and uses geo-fencing technology to alert the authorities if the wearer leaves their home during their quarantine period. Privacy concerns have been deflected on the basis that the wristbands have limited functionality and do not collect location data.
  • In China, the focus has been on contact tracing. The government partnered with Alibaba and Tencent to host health code systems on their popular apps, Alipay and WeChat. The purpose of the health code system is to control and monitor movements around China based on the risk profile of a user. In order to obtain a code, users are required to complete a detailed questionnaire setting out medical and travel history, national identity number, possible symptoms they may have etc. Individuals are then allocated a QR “health code” which is either green (low risk and free to move around), amber (at risk and must quarantine for seven days) or red (high risk and must quarantine for 14 days). QR codes must be scanned before entering public places such as subway stations and shopping malls, and in some cities, before leaving apartment complexes. Access will be denied and the authorities alerted if the individual should be in quarantine in accordance with their QR health code.

A number of concerns have been raised in respect of China’s health code systems. These include the allocation and recognition of codes varying by city and province, and databases of confirmed and suspected cases being hosted on a centralised server accessible by the government. In addition, there is a lack of transparency as to how the codes are generated and with whom the data will be shared and concern has been expressed around the apps being hosted by commercial organisations.

  • In Singapore, the government has launched an open source contact tracing app, TraceTogether. The app incorporates Privacy by Design principles and pairs users’ mobile numbers with random temporary IDs which are stored on a centralised server. The app works using the Bluetooth model and does not collect location data. Bluetooth signals are logged and stored on a user’s mobile phone for 21 days and will only be accessed by the central authority if a user tests positive for COVID-19 and consents to their data logs being uploaded to the server. Such data, after decryption by the central authority, would allow them to identify the user IDs of users who have been in contact with the infected user. While there are some privacy features of TraceTogether, concerns have been raised around the centralised nature of the server.
  • South Korea does not have a government contact tracing app in place as such, but high tech methods are being deployed to track people’s locations, including the use of phone networks, credit card records and CCTV. Emergency text messages are sent when an individual living nearby is diagnosed with COVID-19, and highly detailed information regarding that person’s movements could be included in the alert, from age, sex, gender to the bus taken and whether a mask was worn. While individual names are not released, concerns have been expressed about the specificity of the information disclosed, which, when taken together, might lead to the identification of an individual.
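The TraceTogether data flow described above, sketched as an added example (not code from the app or from this report) to show where the centralisation concern sits: phones only ever hold random temporary IDs, while the server holds the table that turns them back into mobile numbers. The class names, the 16-byte ID format, the lookup-table design and the sample numbers are assumptions made for illustration.

```python
import secrets
from datetime import datetime, timedelta

RETENTION = timedelta(days=21)  # per the article: logs stay on the phone for 21 days

class CentralServer:
    """Assumed model: holds the temp-ID -> mobile-number table."""
    def __init__(self):
        self._id_to_number = {}

    def issue_temp_id(self, mobile_number):
        temp_id = secrets.token_hex(16)            # random, meaningless to other phones
        self._id_to_number[temp_id] = mobile_number
        return temp_id

    def resolve_contacts(self, uploaded_log):
        # Only the server can do this; whoever controls it can re-identify contacts.
        known = self._id_to_number
        return sorted({known[t] for t, _ in uploaded_log if t in known})

class Phone:
    def __init__(self, server, mobile_number):
        self.server, self.mobile_number = server, mobile_number
        self.log = []                              # (temp_id_seen, timestamp), local only

    def record_encounter(self, other, when):
        # The other phone broadcasts a fresh temporary ID; we store only that.
        self.log.append((other.server.issue_temp_id(other.mobile_number), when))

    def upload(self, now, tested_positive, consents):
        if not (tested_positive and consents):     # no upload without both conditions
            return None
        self.log = [(t, ts) for t, ts in self.log if now - ts <= RETENTION]
        return list(self.log)

def demo():
    now = datetime(2020, 4, 24)                    # constructed date
    server = CentralServer()
    # Constructed sample numbers
    alice, bob, carol = (Phone(server, n) for n in
                         ("+65-0000-0001", "+65-0000-0002", "+65-0000-0003"))
    alice.record_encounter(bob, now - timedelta(days=3))
    alice.record_encounter(carol, now - timedelta(days=30))   # older than 21 days
    refused = alice.upload(now, tested_positive=True, consents=False)
    log = alice.upload(now, tested_positive=True, consents=True)
    return refused, log, server.resolve_contacts(log)
```

The uploaded log contains no mobile numbers, yet the server resolves it to one in a single lookup, which is the property the centralisation concern is about.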

To be effective, contact tracing apps need to reach around 60% of the population according to researchers at Oxford University[5]. This is a high threshold to meet, and currently Singapore, even with the privacy safeguards in its TraceTogether app, has reported 1.1 million users, which is an adoption rate of only approximately 18%[6]. It is therefore essential to the success of contact tracing apps that users are comfortable with the privacy protections built into the technology, that the privacy risks can be mitigated, and that the apps can achieve what they are designed to do – help combat COVID-19. Addressing public concerns in respect of privacy, and high trust in governments, will be key to the widespread adoption of these technologies.

A number of other countries around the world are looking into, or are currently in the process of vetting, applications similar to or based on Singapore’s TraceTogether app, or are developing an app alongside the technology being developed by Apple and Google.

We will be closely monitoring all developments in respect of contact tracing and other COVID-19-related technologies and will continue to provide updates on this topic.

[1] https://main.sec.uni-hannover.de/JointStatement.pdf
[2] https://main.sec.uni-hannover.de/JointStatement.pdf
[3] https://ec.europa.eu/info/sites/info/files/recommendation_on_apps_for_contact_tracing_4.pdf
[4] https://www.apple.com/hk/en/newsroom/2020/04/apple-and-google-partner-on-covid-19-contact-tracing-technology/
[5] https://www.research.ox.ac.uk/Article/2020-04-16-digital-contact-tracing-can-slow-or-even-stop-coronavirus-transmission-and-ease-us-out-of-lockdown
[6] https://www.tracetogether.gov.sg