By Lex Keukens en Sander Tempel
On April 7, Minister De Jonge announced that the government wanted to use tracking apps (‘the App’) to fight the COVID-19 virus. In addition to tasks regularly carried out by the Dutch Municipal Health Services (GGD), the government wants the App to provide smart digital solutions for source and contact tracing.1 This means that the App will need to process personal data, including data from which an individual’s health situation can be extrapolated.
Before focusing on the starting points which the App must meet according to the government, it must first be determined whether the General Data Protection Regulation (GDPR) applies to this form of data processing and if so, whether there is a lawful basis for processing personal data.2 After that we will focus on a number of critical comments in relation to data minimisation, protection and data storage. We conclude with some food for thought.
In the government’s view, the App must satisfy a number of starting points. We have selected some of them and worked them out in greater detail in terms of the GDPR:
• it must not be possible to trace data to individuals; de-anonymising the data must be impossible.
• the data may only be read out or shared a) in the event of contact or source investigation within the meaning of section 6 of the Dutch Public Health Act (Wet publieke gezondheid, Wpg), or b) if consent is given by the user.
• the digital solution stores the minimum data required for as briefly as possible and complies with the customary security standards.
If and to the extent that personal data is put into an anonymous form that is irreversible, the GDPR is not applicable. However, this is unlikely to be the case. There is a considerable risk that by combining such data with other data, the anonymised data can nevertheless be traced to an individual – for example, if insufficient measures are taken to prevent the possibility of identification numbers being traced to individuals. As a result, the GDPR will apply in full to the processing of personal data by the App.
“There is a considerable risk that by combining such data with other data, the anonymised data can nevertheless be traced to an individual.”
Basis for processing data
Controller: Before a basis can be established for the App to process data, it is necessary to determine who will be the controller in the context of the GDPR.3 A controller determines the object of and the means for data processing by the App. The GGD would seem a likely candidate, considering its task in the field of public health and its obligation to conduct a source and a contact investigation after receiving a report stating that an infection with the COVID-19 virus is suspected or has been established. We infer from the starting points for the source and contact investigation as stated in the invitation that the Ministry of Health, Welfare and Sport (VWS) seems to hint at this explicit role for the GGD.
We see defensible arguments for basing the lawful processing of personal data on a statutory obligation of the GGD, or a role for the GGD in carrying out a task in the public interest. In a ministerial regulation, the government has designated the COVID-19 virus as a Group A infectious disease, thus placing the control of it under the scope of the Dutch Public Health Act. This means that the GGD has the statutory obligation to include, at any rate, source and contact tracing in controlling the COVID-19 virus. The general interest served by the GGD is public health concerns, which includes combating infectious diseases.
However, processing special personal data, including data on health, is not permitted unless there is justification for doing so under the GDPR. For this type of processing, it could be argued that there are reasons of compelling public interest, or reasons of public interest in the area of public health which could form the basis for lawful processing.
For all such bases, any processing must also be necessary for the object to be achieved, which is a smart digital solution for source and contact tracing by the GGD. Whether the necessity criterion is met, shall not be covered under the scope of this article. However, we do refer to the considerable legal and social debate taking place about the need for the App.4
Another basis might be obtaining consent. To the extent that consent is used as a legal ground for processing personal data by the App, it must be freely given and be specific, explicit and based on information within the meaning of the GDPR. It must be given unequivocally and actively by the data subject; it may not be a tacit or implicit form of consent. An attendant question is whether the interest to be served can only be achieved if the government opts for a voluntary App. It is conceivable that an (overly) limited portion of the population will choose to install this voluntary App, meaning that effective source and contact tracing among the population will not be possible.
“Processing of personal data without a time frame determined in advance is a danger to our privacy and must be avoided.”
According to the principle of data minimisation, personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
If the object of the App is to be helpful in a source and contact investigation by the GGD, then it can be argued that data showing proximity is relevant. This is because the COVID-19 virus spreads in the form of droplets that can be transferred over a limited distance. It is possible to break the chain of infection by promptly informing persons that they are in the proximity of a person carrying the COVID-19 virus. Proximity can be established using Bluetooth technology5, but some critical comments are called for. Processing proximity data via Bluetooth technology can help to break chains of infection. However, this requires some explicit comments about the adequacy of the Bluetooth technology, given the not inconsiderable likelihood of many false positives. Consider, for instance, the case of a neighbour who has not been seen in weeks but who is sending out Bluetooth signals. The App is not suitable for processing location data. Such data says too little about the risk that a person has been infected.6 It could also be argued that this involves processing more data than necessary for the object to be achieved; large-scale tracking of individual movements does not meet the data minimisation requirement.
Data minimisation can perhaps be achieved if the App stores as much personal data as possible locally or in a decentralised location.7 This starting point is also included in the Decentralized Privacy-Preserving Proximity Tracing Protocol (DP-PPT). The protocol requires the risk analysis to take place in the App on the basis of the proximity data, and not on a central server. If the risk analysis reveals a risk of infection, the health care authorities can then contact the individual, for example by sending a warning. This would then make it possible to fulfil the data minimisation requirement.
Other points of criticism
Security: An App must comply with the security obligations set by the GDPR. For instance, it requires that personal data must be suitably secured against destruction, loss, alteration or unauthorised access. ‘Suitably’ means that the security measures must be geared to the risks for the persons whose data is processed.
In this case, the protection level of the App will need to be high, because large quantities of highly sensitive personal data will be processed. Obsolete or incorrectly applied security measures and non-encrypted data can lead to unauthorised access to sensitive personal data.8
Data storage: Under the GDPR, personal data may not be retained in a form that would allow identification of the data subject any longer than necessary for the purposes for which their personal data is processed.
Under the GDPR, it must also be possible to permanently remove personal data as soon as its processing is no longer necessary. However, the uncertainty lies mainly in the duration of the storage of personal data. No one can determine in advance when the COVID-19 pandemic will end and when the App will no longer be considered necessary. Processing of personal data without a time frame determined in advance is a danger to our privacy and must be avoided. It could be argued that the proximity data must be removed as soon as it is no longer needed to warn the relevant individuals. A maximum time frame in this regard might, for example, be one month (incubation period plus a margin) or after the data subject has been tested and is virus-negative.
It will be an immense challenge to ensure that the App requested by the government complies with the privacy principles of the GDPR.9 These are principles that we may not simply throw overboard, and certainly not during a pandemic. It is our duty as a society to look critically at our government. In doing so we must also ask ourselves if we really want to allow this level of ‘state surveillance’. The government is apparently convinced that an App will help to combat the COVID-19 virus and has set its sights on its swift development and commissioning. To achieve its aim, it will first of all have to go back to the drawing board and critically consider, step by step, the privacy law complications that this App clearly creates.
• The goverment is exploring the possibilities to use a tracking app as a self-proclaimed solution for source and contact tracing during the COVID-19 pandemic;
• The development and use of the app comes with complex legal dilemmas related to our right to privacy and data protection;
• In this article we review some of these highly important privacy values and legal obligations the app must comply with benchmarked against the privacy principles of the GDPR.
About the authors
Sander is a senior lawyer at TK specialized in health law. Sander’s clients operate in the cure, care and preventive healthcare sector, where digital solutions are an increasingly important part of the standard care provision.
Lex is a senior tech lawyer at TK Tech specialized in privacy and data protection aspects in relation to technology and innovation. Lex advices his clients on all legal and policy aspects of the information society including the processing of information.
1 VWS, ’Uitnodiging slimme digitale oplossingen Corona’ (Invitation to submit smart digital solutions to Corona), 11 April 2020.
2 The authors leave the e-Privacy Directive outside the scope of this article.
3 The document titled “Invitation to submit smart digital solutions for corona” published by the of Ministry of Health, Welfare and Sport does not say anything about who should be the controller.
4 Critical issues as expressed in several publications: elderly people are not reached, it creates false security, etc.
5 Pels Rijcken, ‘Public summary of privacy analyses of source and contact study of apps’, 19 April 2020. It follows from this study that Bluetooth technology has its limitations. For example, Bluetooth links can be made with devices that are a sufficient distance away, such as behind a wall, window or plexiglass. The Bluetooth technology makes no distinction in this regard, which may lead to false positives.
6 Netherlands Environmental Assessment Agency (PBl). EU, ‘Coronavirus Guidelines for comprehensive data protection by apps that fight the pandemic’.
7 Whitepaper Decentralized Privacy-Preserving Proximity Tracing.
8 A data breach has already been simulated in Covid19Alert, one of the government-selected Apps.
9 In its research report of 20 April 2020, the Dutch Data Protection Authority already expressed several reservations about the App.