Legislating for the UK Government’s Covid-19 Contact Tracing App, by Oliver Butler

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives », which consists of a daily publication at 12 p.m. (GMT+1), except on Sundays, until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer, and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder-Editor of Blogdroiteuropeen. If you are interested in contributing to our September session, feel free to contact us at blogdroiteuropeen@gmail.com

Successful contact tracing, testing and self-isolation are necessary to reduce the spread of Covid-19, both to prevent avoidable deaths and to restart economies. The UK Government’s development of a contact tracing app was originally presented as a key part of its strategy to respond to the pandemic. The app has been the subject of substantial criticism and delay in its development and implementation. Although it is now presented as a valuable supplement to a more traditional contact tracing service, as the “cherry on the cake”, privacy and data protection issues remain a significant concern. As the effectiveness of contact tracing apps depends on widespread voluntary use by the public, addressing these concerns to enhance public trust remains key to the app’s success.

Following the UK Government’s repeated delays of the deployment of the app, it has now abandoned a centralized model after three months of development in favour of a decentralized architecture. Little is known about the outcome of the May 2020 trial of a contact tracing app on the Isle of Wight, which was criticized by data protection academics. Although the contact tracing service opened in May 2020, the app is now not expected until winter 2020 and is not “a priority”, according to answers given to the UK Parliament’s Science and Technology Committee. The Government’s intentions for the app therefore remain unclear.

On 7th May 2020, the UK Parliament’s Joint Committee on Human Rights (JCHR) produced a draft Bill for the UK Government’s contact tracing app in response to these privacy and data protection concerns. It is in itself highly unusual for a parliamentary committee to draft legislation to propose for adoption as a Government Bill and this speaks to an attempt to make its adoption as straightforward as possible in the urgent context of Covid-19, as well as an attempt by the JCHR to put pressure on the Government. The development and implementation of any app by the UK Government is of course subject to Article 8 ECHR, protected in the UK by the Human Rights Act 1998, and the EU General Data Protection Regulation and the UK’s Data Protection Act 2018. The JCHR’s arguments for the necessity of such legislation rest primarily on the need to further enhance public trust and participation and to ensure adequate parliamentary scrutiny of the app’s development and implementation. The Secretary of State for Health and Social Care has so far rejected the claim that bespoke legislation is necessary.

This draft Bill is most interesting for its identification of ways in which the JCHR perceives the general law on privacy and data protection to be inadequate for contact tracing data. In this blog post, I analyze the draft Bill and the perceived deficiencies of the current law that it reflects. The draft Bill shows a desire for heightened control over the processing of contact tracing data, heightened transparency requirements, and more specialized and focused independent oversight.

Heightened Control

The draft Bill seeks to impose specific purposes on the processing of contact tracing data by defining “permitted contact tracing purposes”. These might exclude alternative purposes based on broader ministerial common law powers and therefore ensure that legislative amendment is required before any expansion of purposes. GDPR purpose limitation, by contrast, only prohibits further processing for purposes which are incompatible with the original purpose of collection (Article 5(1)(b) GDPR) and would do comparatively little to constrain an app based on broad underlying powers.

The draft Bill also seeks to create new criminal offences for unauthorized persons to collect or process digital contact tracing data or for any person “knowingly or recklessly to re-identify de-identified digital contact tracing data”. The Secretary of State would be empowered to specify authorized persons by regulations. The effect is to centralize Government control over the processing of contact tracing data, permitting the exclusion of all other parties from contact tracing, even those who have the consent of the data subject as required by the GDPR. The re-identification offence is also more restrictive than the general offence of re-identification in section 171 of the Data Protection Act 2018.

The draft Bill also makes much more detailed provision for the deletion of contact tracing data. Clause 12 requires the Secretary of State to publish binding “approved arrangements” for the deletion of contact tracing data in consultation with the Commissioner or, if not yet appointed, the Information Commissioner. These “approved arrangements” must require the automatic deletion of digital contact tracing data from mobile devices “as soon as is practicable”, that specific consent is given for the upload of digital contact tracing data from a mobile device, the anonymization of digital contact tracing data as soon as it is no longer required for a permitted contact tracing purpose, and that digital contact tracing data is deleted where a data subject “so requests”. This is more onerous than the storage limitation requirements of Article 5(1)(e) GDPR and more generous than the right to erasure in Article 17 GDPR.

Heightened Transparency

Clause 13 requires the Secretary of State to carry out periodic reviews every 21 days, to consider the effectiveness, security, and equality and human rights compliance of digital contact tracing. Such reviews are to be published and laid before Parliament as soon as possible after being conducted. Clause 14 also requires the publication of any Data Protection Impact Assessments, information relating to the design and security of the app, and minutes of the Contact Tracing Ethics Advisory Board, as soon as reasonably practicable and in any event no more than 14 days after they are received by the Secretary of State. The Contact Tracing Ethics Advisory Board is an advisory panel of privacy experts and academics established by NHSX. These requirements go beyond the transparency requirements of the GDPR. They are also faster than, and not subject to the same exemptions as, UK freedom of information requests.

Specialized Independent Oversight

The draft Bill makes provision for a dedicated Digital Contact Tracing Human Rights Commissioner, in addition to the Ethics Advisory Board and closely modeled on the Information Commissioner’s Office. Clause 10 also requires the security of contact tracing systems to be reviewed by the National Cyber Security Centre. The functions and powers of the proposed Commissioner overlap significantly with those of the UK Information Commissioner.

The JCHR report argues that the Information Commissioner is “not designed to monitor the significant rights-based implications that app-based surveillance raises” and “in addition… has been involved in the development of the app”. The first reason is, fundamentally, a critique of generalist data protection authorities in favour of specialized technology regulators. If the Information Commissioner cannot consider the rights-based implications of apps, then can it really consider the rights-based implications of ad tech, the Internet of Things, or algorithmic decision-making? The second reason is unconvincing. Article 57(1) GDPR requires the Information Commissioner to “advise… the government… on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing” and, in particular, to “give advice” on “high risk” processing operations that require prior consultation under Article 36 GDPR, which it did following the Isle of Wight trial of the app. It would be a strange proposition to suggest that the mere discharge of independent advisory functions is able to compromise the very independence upon which those functions are premised. It might, however, reflect a more fundamental criticism of combining advisory and enforcement functions in the Information Commissioner’s Office at all.

A further potential rationale for a specialized Commissioner would be to force a closer focus on contact tracing. The generalist Information Commissioner, who has considerable discretion to set her own priorities for oversight and enforcement, has been criticized by the Open Rights Group and by Privacy International for failing to take enforcement action on “ad tech, data brokers, political data exploitation and the use of mobile phone extraction by law enforcement as well as close scrutiny of responses to Covid-19”. A dedicated Commissioner would not be able to prioritize other regulatory work over reviewing contact tracing.

Perceived Deficiencies in Data Protection Law

The JCHR draft Bill therefore reflects perceived deficiencies in privacy and data protection controls in the context of contact tracing technologies, a desire for greater transparency about such processing, and skepticism about generalist data protection authorities. Although legal safeguards are only one factor that shapes public trust, it is regrettable that more has not been done by the UK Government to address these concerns in the context of Covid-19 contact tracing.

Dr Oliver Butler, Fellow, Wadham College, University of Oxford and Research Fellow, Bonavero Institute of Human Rights.

For more information on the context of this e-conference and the other papers see

Don’t miss the next paper

Wednesday 15th July at 12 p.m. (GMT+1),

Covid-19 and data protection in the UK: cybersecurity,

by Dr Audrey Guinchard (University of Essex)
