On April 17, 2020, the UK’s Information Commissioner’s Office (“ICO”) issued an opinion on the recently announced Apple-Google initiative to develop a Bluetooth-based Contact Tracing Framework (“CTF”) to help prevent the spread of COVID-19.  The ICO opinion is generally supportive of the Apple-Google proposal and perceives it to be, at this early phase, aligned with principles of data protection by design and by default.  The ICO also cautions that since apps developed under the CTF could also be used to collect additional data using other techniques beyond those currently planned, developers of such apps must ensure compliance with data protection laws.

Scope of the Opinion

This opinion follows from a general statement issued by the ICO in March about data protection and the coronavirus (see our blog post on it here), as well as several other recent statements and resources the ICO has made available on its data protection and coronavirus information hub.

In its introduction, the ICO makes clear that this opinion: (i) represents the views of the Commissioner herself at the time of publication; (ii) is based on publicly available information published on April 10, 2020 about the Apple-Google initiative; and (iii) only pertains to “Phase 1” of the CTF project.  The ICO also points out that, thus far, Apple and Google are not proposing to develop their own app under the CTF.  Rather, their plan is to establish a technological framework based on application programming interfaces (“APIs”) and operating system technology, to enable other third parties (such as public health authorities) develop these apps.  Therefore, the opinion is directed at parties involved in developing the CTF, as well as those who plan to eventually deploy apps based on the CTF.

Overview of Contact Tracing under the CTF

Contact tracing is a strategy designed to promptly warn individuals who have been exposed to an infectious person so they can take appropriate steps to self-quarantine or undergo testing.  Under the CTF proposal, individuals would download an app that periodically generates cryptographic tokens (not associated with any identifier or location-based data) that are shared with all nearby phones via Bluetooth.

These exchanged tokens would remain stored on users’ devices for 14 days.  If a user were to test positive for COVID-19, the user could then give explicit consent for the app to upload the last 14 days of tokens to the cloud and send out a broadcast beacon to all other users’ devices who were in proximity to the infected user in the prior two weeks.  Exposed individuals would then receive an alert stating they were recently in contact with an infected person, and be provided with information on next steps.

Assessment of the CTF

The ICO says this approach appears to comply with the principle of data minimization, since (i) the data exchanged between devices is not personal data, (ii) matching of cryptographic tokens takes place only on the devices themselves, and (iii) location data is not used at any step in the process.

In terms of legal basis, the ICO notes that the use of these apps is to be voluntary, and that the upload of tokens will be subject to a separate consent process.  That said, the ICO points out that in “Phase 2” the plan is for the CTF API to be integrated directly into mobile device operating systems.  Here, the ICO states its general view that users should not have to take action to prevent tracking, and believes that further review is required about the potential implications for individuals’ rights and freedoms.

As for data security, the ICO considers the cryptographic functions proposed to be appropriate for keeping the risk of user re-identification low.  The ICO also notes that purpose limitation is one of the core issues when talking about risks associated with apps developed under the CTF – and here, it shifts the discussion to the apps themselves.

Apps Developed under the CTF

The ICO first acknowledges that some further processing of data beyond the basic CTF plan proposed may be legitimate and permissible (e.g., to ensure someone is not intentionally flooding the system with false positives).  However, any additional processing must be subject to a separate review by the data controller, and may necessitate the completion of a separate data protection impact assessment.  In terms of transparency obligations, the ICO says that the app developer’s apps stores are primarily responsible for providing information to users.  The ICO says that apps developed under the CTF must also be documented and auditable.

While consent is proposed as the legal basis for processing the data, the ICO mentions that a few points remain unclear at this stage, in particular:

  • precisely how consent for the upload of tokens will be obtained;
  • how the consent signal will be managed and how users will be able to control it; and
  • what impact the withdrawal of consent would have on the effectiveness of the solution.

Conclusion

The ICO concludes by reiterating that while the CTF proposal is aligned with the principles of data protection by design and by default, it should not lull users into thinking that these default principles extend to all aspects of apps developed under the CTF.  Rather, it is the obligation of the controller to assess and ensure that all data processing by such apps is compliant with data protection laws.

The ICO adds that further questions are likely to arise over time in this area, and indicates that it will continue to closely monitor developments and possibly issue further opinions on this topic.