COVID-19 Apps and Websites – The “Pan-European Privacy Preserving Proximity Tracing Initiative” and Guidance by Supervisory Authorities

Pan-European Privacy Preserving Proximity Tracing Initiative

According to media sources, an EU consortium led by Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI) will soon release software code that can be used to create apps that will help track transmission chains of COVID-19.  The Pan-European Privacy Preserving Proximity Tracing (“PEPP-PT”) project comprises more than 130 members across eight European countries, including scientists, technologists, and experts.

The PEPP-PT project has published a manifesto explaining its intention to create “well-tested proximity tracking technologies” that national authorities can use to create their own COVID-19 apps.  According to the manifesto, these technologies ensure “secure data anonymization” and “cross border interoperability”.  The apps concerned would inform users, based on the phone’s Bluetooth signals, whether they have been in the proximity of a person who was tested positive for COVID-19.

National public authorities developing apps on the basis of this software remain free to decide how to inform persons that have been in contact with someone who has tested positive.  The PEPP-PT website states that national cyber security agencies and national data protection agencies will assess the apps that are created using the code released by the PEPP-PT.  EU Commissioner Thierry Breton indicated that the European Commission is also investigating whether an app using the PEPP-PT software would be compliant with “EU values”, reflecting the privacy concerns associated with such apps.

Several Member States have been considering using apps in the fight against COVID-19 (e.g., Ireland and Germany).  Polish authorities, for example, have developed an app that individuals who tested positive for COVID-19, and are in quarantine, can voluntary use to prove that they remain in quarantine (i.e., by sending selfies with their location to the authorities), as an alternative to receiving police visits.

COVID-19 Apps and Websites

Since the start of the COVID-19 crisis in Europe, private and public entities have begun releasing COVID-19 related apps.  In response, some EU Supervisory Authorities have issued statements in relation to such apps:

  • The Belgian Supervisory Authority provided brief guidance to developers of COVID-19 apps (and websites). It clarifies the expected standard of anonymity and, in particular, it states that IP addresses should always be considered as personal data. It also distinguishes apps offered by healthcare providers and other health apps.  In the latter case, the apps should provide at the time of set up, and before any personal data is collected or shared, all the information required by Article 13 of the GDPR. According to the statement, “at the end of the use of the application”, all personal data should be deleted.
  • The Italian Supervisory Authority states that it “would have no objection” to an app managed by public authorities that tracks persons who tested positive with COVID-19 and people who have come into contact with such persons, provided the app complies with data protection law.
  • The German Supervisory Authority of Rhineland-Palatinate states that an app that tracks the transmission of COVID-19 using Bluetooth technology “is possible”, provided it complies with data protection law. The statement lists various criteria that, in the opinion of the authority, are decisive in order to comply with data protection law.  In particular, the authority notes that use of the app should be voluntary, the purposes for processing the data be limited, that pseudonymization techniques are applied to the data and that the data be deleted if there is no longer a risk of infection.
  • The Slovenian Supervisory Authority issued a statement about the website, which allowed individuals to report and record their COVID-19 symptoms, provide information about the symptoms, indicate the number of family members in the individual’s household, record the date symptoms were first detected, and the individual’s phone number and residential information. Despite claiming that it only collected anonymized data, the authority’s investigation revealed that the data was only encrypted and not anonymized and therefore did not comply with the GDPR.  As a result, the website announced that it has deleted its database and is looking into how to provide this service in a GDPR-compliant manner.  The same authority issued a statement on the use of geolocation data to fight COVID-19, which states that this is only possible in exceptional circumstances and provided appropriate safeguards are in place.
  • The Spanish Supervisory Authority states that only public authorities have the authority to process personal data to control the epidemic. This includes collecting data in order to offer self-assessment tools and the collection of geolocation data for creating maps of high/low risk areas, or to control whether individuals who have tested positive comply with quarantine restrictions.  Private entities may only process personal data pursuant to the instructions of the public health authorities.

In general, the statements released by EU Supervisory Authorities so far suggest that the use of apps or websites by public authorities to track the spreading of COVID-19 will be allowed, provided they comply with the principles found in EU data protection laws.  By contrast, regulators appear far more skeptical that private-sector bodies should be deploying and using such apps or websites.  Covington’s Privacy and Cyber practice will continue to monitor these developments closely.

UK Supreme Court Rules That Supermarket Is Not Vicariously Liable For Data Breach Committed By Employee

On 1 April 2020, the UK Supreme Court handed down its ruling in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12.  The Court ruled that Morrisons was not vicariously liable for a data breach deliberately perpetrated by an employee.  The judgment is significant in that it overturned the decisions of the two lower courts (the High Court and Court of Appeal) and provides guidance for employers on when they may be held vicariously liable for data breaches and other violations of the GDPR involving employees, who act as independent controllers in their own right.

Continue Reading

FCC Continues Implementation of TRACED Act with SHAKEN/STIR Mandate and Industry Traceback Consortium

With the adoption of two recent orders, the Federal Communications Commission (“FCC”) continues to implement the TRACED Act.  In the first of these orders, the FCC established a deadline by which certain voice services provides must adopt and implement the SHAKEN/STIR call authentication framework.  In the second of these orders, the FCC established the registration process for an industry “traceback” consortium.  These actions build on the FCC’s prior implementation efforts, which we discussed here and here. Continue Reading

Washington Enacts New Facial Recognition Law

On March 31st, Washington Governor Jay Inslee signed into law SB 6280, a bill aimed at regulating state and local government agencies’ use of facial recognition services.  An overview of the law’s provisions can be found here.

Notably, Governor Inslee vetoed Section 10 of the bill, which aimed to establish a legislative task force that would study and provide recommendations regarding various issues related to facial recognition services (including “potential abuses and threats posed by the use of facial recognition services” and the “quality, accuracy, and efficacy” of a particular facial recognition service).  Governor Inslee stated that the task force was not funded in the existing budget, and recommended instead that the legislature work with the Ruckelshaus Center in crafting a “situation assessment” that would inform the creation of a task force in a subsequent legislative session.

The new law is scheduled to go into effect on June 11, 2020.

COVID-19 Cybersecurity Advice: FTC and FBI Provide Guidance on Cybersecurity Scam Trends and Preventive Measures

In response to the COVID-19 outbreak, several U.S. government entities have released warnings about a rise in scams and fraudulent activity connected to the outbreak.  In a recent bulletin, the FBI warned of a rise in phishing emails, counterfeit treatments or equipment for COVID-19 preparedness, and fake emails from the Centers for Disease Control and Prevention (CDC) purporting to provide information about the outbreak.  The FTC, meanwhile, has released not only a general overview of the steps that it is taking to combat scams related to COVID-19, but has also provided a specific list of seven types of COVID-19 scams that it has observed targeting businesses.  More information about these scams, and guidance from the FBI and FTC on how to protect against and respond to some of the most common risks, is below. Continue Reading

Dutch Supervisory Authority Investigates Connected Cars

On March 24, 2020, the Dutch Supervisory Authority (“SA”) announced the launch of a broad investigation into automobile manufacturers, to determine whether any violations of data protection laws have occurred in relation to connected cars.

The Dutch SA sent a questionnaire to all Netherlands-based car and truck manufacturers, asking what types of personal data they process, how long they keep it, what measures they take to secure it, and with whom they share it. On the basis of the results, the SA intends to engage in dialogue with the sector and, where it deems necessary, initiate enforcement actions.

The SA mentioned in its announcement that, thus far, it has received few complaints on this topic, but attributes this to a lack of privacy awareness among drivers. The SA also alluded to its current understanding that “much is not properly addressed”.

Finally, the SA acknowledged that many automobile manufacturers do not have headquarters or a “main establishment” in the Netherlands. Therefore, the SA indicated it will share evidence or suspicions of data protection violations with the competent authorities of such manufacturers, for further follow-up action and possible enforcement.

This investigation follows the publication of guidelines for connected car manufacturers by the European Data Protection Board back in February 2020.

Greek Data Protection Authority Issues Guidelines on Data Protection and Coronavirus

On 18 March, 2020, the Hellenic (Greek) Data Protection Authority (“HDPA”) issued guidelines on data protection and COVID-19. With these guidelines, the HDPA aims to provide guidance on the interpretation and application of data protection legislation during the COVID-19 pandemic. In this blog, we summarise the key points included in the HDPA’s guidelines.

  1. Categorization of personal data

The HDPA draws the following distinction with respect to the types of personal data:

  • data concerning the health status of an identified or identifiable natural person (“data subject”), including whether the data subject has received health care recently, is data concerning the health of the data subject, and, therefore, falls within the special categories of personal data (under Article 9 of General Data Protection Regulation – “GDPR”), which are subject to stricter protection. Examples of types of data related to the health of the data subject include data concerning i) whether the data subject has been infected by the virus or not, ii) whether he or she remains at home due to illness and iii) whether he or she has presented any signs of illness (g., cough, fever);
  • in contrast, other personal data, such as information regardingthe data subject’s recent visits to a foreign country with a high number of COVID-19 cases, or whether one of the data subject’s relatives or colleagues has been infected by COVID-19, does not constitute data related to the health of the data subject. As a result, such data does not fall within the special categories of personal data.
  1. Scope of application of GDPR and Greek data protection law

Pursuant to Article 2(1) of the GDPR and Article 2 of the Law 4624/2019 (the Greek law implementing the GDPR), the legal framework for the processing of personal data applies solely in cases where personal data is processed wholly or partly by automated means or where it otherwise forms part of a filing system or is intended to form part of a filing system. As a result, although information provided orally concerning – for example – whether a data subject has been infected by COVID-19 or whether one’s body temperature is higher than normal does not fall within the scope of the GDPR, where it not recorded.

  1. Processing by public authorities

Public authorities acting as data controllers may process personal data in the context of adopting the necessary measures to tackle the COVID-19 outbreak and limit its spread. Notably, this data processing may be based on different legal bases under the GDPR, such as those provided by Article 6(1)(c), (d) and (e), pursuant to which the processing is necessary i) for compliance with a legal obligation to which the controller is subject; ii) to protect the vital interests of the data subject or of another natural person; or iii) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Further, public authorities may process sensitive personal data based on Article (9)(2)(b), (e), (h) and (i), where the data processing is either necessary i) for the purposes of carrying out obligations derived from employment and social security and social protection law; ii) for the purposes of preventive or occupational medicine for the assessment of the working capacity of the employee; iii) for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health; or iv) where the processing relates to personal data which is manifestly made public by the data subject.

That said, the HDPA points out that the right to the protection of personal data is not an absolute right and, as such, it must be balanced against other fundamental rights, in accordance with the principle of proportionality. As a result, the right to the protection of personal data does not present a barrier for the authorities to adopt the necessary measures to combat COVID-19, provided that the basic principles are respected and the relevant substantive and procedural guarantees and conditions for lawful processing are ensured.

  1. Issues concerning businesses and employers

With respect to private sector companies, the HDPA notes that, pursuant to national legislation, employers have the obligation to take the necessary measures to ensure the safety and health of their employees. This means that employers may lawfully process the personal data of their employees to ensure the protection of their safety and health, as long as the basic principles of Article 5 of the GDPR are respected. Notably, this processing may be based on Article 6(1)(c), (d) and (e), and Article 9(2)(b), (e) and (i) of the GDPR, and should be carried out in accordance with the guidance of the authorities.

In addition, the HDPA notes that it has received many queries from employers asking for guidance with respect to the conditions under which the processing of personal data of employees, suppliers, customers and others is lawful. For example, companies have asked whether measures, such as taking the temperature of people entering their business premises, or asking employees to complete questionnaires about the health of their relatives or their travel history, or informing other employees about the identity of an employee infected by COVID-19, would be compliant with the GDPR. The HDPA explains that all employers acting as data controllers should carry out all data processing activities that are necessary to ensure the protection of their employees’ health, and that none of the measures mentioned above could be considered automatically unlawful, especially during these unprecedented circumstances.

However, the HDPA highlights that any data processing should be carried out in accordance with Articles 5 and 6 of the GDPR, noting that the employers are responsible for demonstrating compliance with the GDPR (based on the principle of “accountability”). Further, employers should also make sure that i) they collect only data that is related to the processing purpose in accordance with the GDPR principles of purpose limitation and proportionality; and ii) the confidentiality of the data collected is protected through the requisite security measures.

Finally, with respect to processing more privacy-intrusive data (such as temperature controls at the entrance to facilities), the HDPA notes that these activities should be carried out only when the data controller has concluded that there are no other less privacy-intrusive means to achieve the same purpose. As a result, the HDPA concludes that a systematic, constant and generalised collection of personal data leading to the creation and regular update of employee health profiles is highly unlikely to be compliant with the principle of proportionality.

  1. Disclosure of data about deceased persons

Pursuant to Recital 27 of the GDPR, the data protection legislation does not apply to deceased persons. However, the HDPA notes that, because the disclosure of data related to patients who died from COVID-19 may lead to the indirect identification of living natural persons (e.g., who came into contact with or were relatives of the deceased), the principles of Article 5(1) and the provisions of Article 6 of the GDPR may exceptionally apply to the disclosure of such data.

  1. Voluntary disclosure of personal data by COVID-19 patients

The HDPA clarified that, when data subjects publish personal data related to their health voluntarily, such as the fact that they have been tested positive for COVID-19, the processing of this data by third parties should be deemed lawful (pursuant to Article 9(2)(e) of the GDPR). However, the HDPA notes that the principles of Article 5 of the GDPR should be respected in any event.

  1. Disclosure of data by the data controller

The HDPA notes that the disclosure of personal data related to the health of the data subjects should not be permitted if it may i) lead to prejudice and stigma against the data subjects, and/or ii) deter compliance with the measures imposed by the authorities, which may eventually undermine their effectiveness. This prohibition is applicable, even if the disclosure is justified under grounds in Articles 5, 6 or 9 of the GDPR.

  1. Processing for journalistic purposes

The HDPA points out that, before disclosing data enabling the identification of any data subjects (e.g., name, pictures or other characteristics), journalists should always assess the necessity of such disclosure, considering that even public authorities (such as the National Public Health Organization and the General Secretariat for Civil Protection) process anonymised data for epidemiological analysis, or process data that has been previously pseudonymised.

*          *          *          *

These guidelines from the Greek authority follow similar statements and guidance from other European regulators, including the European Data Protection Board and the Supervisory Authorities of Belgium, Czech Republic, Denmark, Finland, France, Germany, Hungary, Iceland, Ireland, Lichtenstein, Lithuania, Luxembourg, the Netherlands, Norway, Slovakia, Slovenia, Spain, Sweden, Poland and the UK. Covington will continue to monitor ongoing developments in this area.

FCC Seeks Nominations for Hospital Robocall Protection Group

Earlier this week, the Federal Communications Commission (“FCC”) took another step toward implementing the TRACED Act by announcing that it is seeking nominations for the Hospital Robocall Protection Group.

As we previously explained, the TRACED Act was enacted with the aim of curbing unwanted robocalls.  One of the law’s provisions directs the FCC to establish a “Hospital Robocall Working Group” by June 27, 2020.  This advisory committee will be charged with developing best practices for preventing robocalls to hospitals.  In addition to having a representative from the FCC and a representative from the Federal Trade Commission serve, the Group must be comprised of an equal number of representatives from:  voice service providers that serve hospitals, companies that focus on mitigating unlawful robocalls, consumer advocacy groups, one-way VoIP providers, hospitals, and state government officials.  Within 180 days of the Group issuing its best practices, the FCC must conclude a proceeding facilitating the voluntary adoption of those best practices.

The FCC’s notice states that the agency intends to establish the Group by June 2020, with its first meeting slated for July 2020.  Nominations for membership to the Group must be submitted no later than May 1, 2020.

HHS Relaxes Enforcement of Certain HIPAA Provisions Amidst COVID-19 Nationwide Public Health Emergency

This month, the U.S. Department of Health and Human Services (“HHS”) issued guidance waiving enforcement of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) in response to the COVID-19 nationwide public health emergency. Continue Reading

Washington State Passes Bill Limiting Government Use of Facial Recognition

On March 12, 2020, Washington’s state legislature passed SB 6280, a bill that will regulate state and local government agencies’ use of facial recognition services (“FRS’s”).  The bill aims to create a legal framework by which agencies may use FRS’s to the benefit of society (for example, by assisting agencies in locating missing or deceased persons), but prohibits uses that “threaten our democratic freedoms and put our civil liberties at risk.” Continue Reading