The government seems yet again caught in trying to find its own makeshift solution for controlling the coronavirus pandemic. After abandoning the initial herd immunity strategy in favour of the World Health Organisation approach of test, trace and isolate that has seen much lower mortality wherever it was adopted, UK authorities seem on the brink of another U-turn this time on the contact-tracing front.
When the government announced its ‘NHS COVID 19’ app, legal experts condemned it as incompatible with the data minimisation principles of the GDPR. Neither privacy nor testing have high priority in the UK. Privacy watchdogs saw it as a threat to the integrity of personal data and individual privacy that would allow centralised data collection, re-purposing and onward selling without the explicit consent of the individual. This made it far more than a relatively simple device designed to anonymously notify passers-by of Covid-19 positive status who would then be expected to follow-up with a test. Moreover, smartphone use is not ubiquitous and therefore the app would be socially discriminatory.
A recent poll for The Guardian showed just 50 per cent of smartphone users being willing to download the app. Academics warn that at least 60 per cent would be needed to qualify the system as effective.
A barrister with Matrix chambers, Jessica Simor, tweeted:
While presented as a fluffy ‘NHS-contact-tracing app’, the involvement of various private interests give rise to concern. Now it seems the government may scrap it and opt for the Apple/Google system already being considered by other EU countries and Germany. The issues that separate the two systems are privacy, state and private company intrusion, and data control. Even so, German MPs are insisting that privacy is safeguarded sufficiently before they permit the app to be rolled out.
It’s easy to say, ‘I’ve got nothing to hide and I want Covid-19 sorted’. But it is far less easy to find out what you are about to consent to when downloading any Covid tracing app. This is often called the privacy challenge: how much privacy will you give up to boost your personal safety?
Hauliers had been quick to complain that the NHS app would be incompatible with that used in other EU states. But the real problem lies with the app’s purpose. If it is purely to alert a passer-by if someone nearby has Covid symptoms, very little data needs to be held on the smartphone and none needs to be held centrally. If data collected is intended for multi-purpose use and held off the device, questions arise as to whether the app is a doorway for government (or any private company running the system on its behalf), to access all manner of private sensitive health data. Such data could then be sold for private profit, or used to exclude or charge very high premiums to people for travel or health insurance.
On 7 May, the Information Commissioner’s Office had to issue a statement about the data protection impact assessment for the NHSX trial of its contact-tracing app. Their published guidance has not quelled disquiet, because the definition of personal data is slippery. A biometric – an iris scan, how you walk, your DNA – can be highly revealing and of commercial value. So if that is collected by an app it needs to be clear whether you have explicitly consented to onward use. Lawful, fair and transparent data processing cannot be assumed and the principles of privacy-preserving, data protection by design and by default have to be honoured.
That is why the German government, having first agreed to launch the Google-based Covid-19 App, is re-considering it. It wants any information about the Covid-19 status of a smartphone carrier kept on the phone, not stored centrally and/or linkable to any other accessible personal data. By contrast, the UK wants everything potentially linkable and held centrally.
The legal principles and framework regarding anyone, or anything, sharing the data of an EU citizen are clear: consent must be obtained from the individual concerned. That individual has fundamental rights enshrined in the EU treaties and possesses data protection rights that any data handler anywhere is obliged to uphold. It does not matter where the individual happens to be in the world, data has to be handled according to EU regulations.
The UK government does not intend to uphold EU regulations in this respect but wants to access EU citizens’ data. This is a minefield, as shown by rows over EU citizen settled status issues and by the recent increasingly tense EU-UK exchanges about the border in the Irish Sea. While this may seem tangential to the app, it is not: what is at stake, is information about individuals. The EU has repeatedly stated that as a third country, the UK “may not enjoy the same rights and facilities as a Member State”. Nor are separate standalone agreements acceptable, as they would undermine the legal consistency in the areas of law enforcement and judicial cooperation in criminal matters.
The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, on 7 May issued a draft opinion on the EU’s draft 440-page legal text that will probably form the basis of the future relationship. It cautioned that “any sharing of information [with the UK], including personal data, should be subject to strict safeguards, audit and oversight conditions, including an equivalent level of protection of personal data to that provided by Union law,” (Para.16). It went on to insist on the importance of “robust rules on data protection” (Para 17), with the UK not being allowed to “cherry-pick” (Para 22).
EU governments and watchdogs are more aware of the balance that must be struck between adopting measures to help contain Covid-19 and persuading people voluntarily to give up more privacy. For the EU, protecting the latter is important and publicly debated. Test, trace, isolate requires not just an app but efficient staffing to implement it. The risks of outsourcing this to private interests has already been queried – most recently by the Shadow Chancellor for the Duchy of Lancaster, Rachel Reeves, MP for Leeds West. See her letter to Michael Gove of 14 May published on twitter:
All this heightens suspicion that the app is another ruse to undermine the NHS whilst pretending to support it; part of a wider strategy to dismantle and sell off bits of the NHS by stealth. Public health requires more than applause. Until testing becomes universal, and until we have a vaccine, an app may be the best we can hope for. But it could also give false hope and greater cavalier attitudes to social distancing as well as enabling surveillance and steps that could compromise our personal privacy, dignity, equality, autonomy and collective democracy. The ethics of doing that is giving cause for thought in many states across the Channel. Here in the UK perhaps we should simply press pause.