key: cord-0872317-x5pslpr7
authors: Bradford, Laura; Aboy, Mateo; Liddell, Kathleen
title: COVID-19 Contact Tracing Apps: A Stress Test for Privacy, the GDPR and Data Protection Regimes
date: 2020-05-28
journal: J Law Biosci
DOI: 10.1093/jlb/lsaa034
sha: f75339221dc1966832373685bd6ea2e70ee6ceeb
doc_id: 872317
cord_uid: x5pslpr7

Digital surveillance has played a key role in containing the COVID-19 outbreak in China, Singapore, Israel and South Korea. Google and Apple recently announced the intention to build interfaces to allow Bluetooth contact tracking using Android and iPhone devices. In this article we look at the compatibility of the proposed Apple/Google Bluetooth exposure notification system with Western privacy and data protection regimes and principles, including the General Data Protection Regulation (GDPR). Somewhat counter-intuitively, the GDPR's expansive scope is not a hindrance, but rather an advantage in conditions of uncertainty such as a pandemic. Its principle-based approach offers a functional blueprint for system design that is compatible with fundamental rights. By contrast, narrower, sector-specific rules such as the US Health Insurance Portability and Accountability Act (HIPAA), and even the new California Consumer Privacy Act (CCPA), leave gaps that may prove difficult to bridge in the middle of an emergency.

Digital surveillance and tracking have played a crucial role in containing the Coronavirus outbreak in China, Singapore and South Korea, among others. 1 On April 10, Google and Apple announced a joint effort to enable public health authorities to build applications to perform contact tracing using iPhone and Android devices. 2 The collaboration between government agencies and Silicon Valley tech giants immediately raised privacy concerns. Whether large-scale tracing of exposure can coexist with the more stringent legal protections and norms for individual privacy and autonomy prevalent in Europe and the United States is unclear.
Some may even be tempted to suspend data protection mandates in a state of emergency. 3 The need to track individual movements and health status on a broad basis offers a crucial 'stress test' of Europe's nascent, comprehensive General Data Protection Regulation (GDPR) and of other privacy and data protection regimes based on the OECD Privacy Guidelines. 4

In this article we look at the compatibility of the proposed Apple/Google Bluetooth Exposure Notification System ("ENS") and associated applications with Western privacy and data protection principles, including the EU General Data Protection Regulation (GDPR). Depending on their final details, and on how they develop over time, our view is that the Apple/Google ENS will fall within the governance system of the GDPR and, along with associated software applications, can be operated in a way that is compatible with the GDPR rules. In contrast, substantial parts of the Apple/Google ENS and any associated applications may fall outside data protection laws in the US. As a consequence, uptake of such systems by health agencies and citizens may prove slower. Narrower, sector-specific rules such as the US Health Insurance Portability and Accountability Act (HIPAA), and even the new California Consumer Privacy Act (CCPA), leave gaps that may prove difficult to bridge in the middle of an emergency. Thus, somewhat counter-intuitively, the GDPR's expansive scope is not a hindrance but rather an advantage in conditions of uncertainty such as a pandemic. The GDPR framework offers a comprehensive, functional blueprint for digital system design that is compatible with fundamental rights. Indeed, it is clear that the GDPR's Article 5 core principles were very much front of mind for the two technology companies as they designed their new interfaces. 5

Many, if not all, EU countries are currently working on applications ("apps") aimed at facilitating the fight against the COVID-19 crisis.
Some of them are based on geolocation, such as Coronamadrid and StopCovid19 in Spain, whereas others are based on the Bluetooth technology known as a "digital handshake", such as Stopp-Corona-App in Austria, StopCovid in France, ProteGo in Poland or an app being developed by the NHS in the United Kingdom. 6

The Apple/Google ENS enables interoperability between Android and iOS devices and apps to permit tracking, using Bluetooth technology, of 'contact events' between devices. 7 Apple/Google have stated that only apps designated by public health authorities will have access to this framework, and such apps must meet specific criteria around privacy, security, and data control. 8 The Google/Apple ENS allows iPhone or Android devices to detect other devices that have been within a certain distance for a significant duration. That 'handshake' will cause unique identifier codes to be stored, in encrypted form, on both devices. 9 If someone subsequently tests positive for the virus, that person will upload information centrally to an app server together with their unique identifier codes. The ENS will download positive diagnosis identifier codes daily and will match them with codes stored on individual devices.

5 E.g. Press Release, Apple, supra note 2 (stating that user privacy and security were central to the design of their APIs); Zach Whitaker & Darrell Etherington, Q&A: Apple and Google discuss their coronavirus tracing efforts, TECHCRUNCH Apr. 13, 2020, https://techcrunch.com/2020/04/13/apple-google-coronavirustracing/ (describing the service as 'privacy-focused').
6 Christian Runte et al, Is a privacy-friendly use of mobile applications to combat COVID-19 our exit plan from the crisis? CMS Law Now Apr. 17, 2020, https://www.cms-lawnow.com/ealerts/2020/04/is-a-privacyfriendly-use-of-mobile-applications-to-combat-covid19-our-exit-plan-from-the-crisis?cc_lang=en.
7 Press Release, Apple, supra note 2.
A match will generate an automatic notification from the app that will appear on any device that recorded the infected individual's device identifier(s) during the relevant time period. Information about exposure events largely stays on each user's phone, while the central server and ENS process only 'deidentified' information about individuals with a positive diagnosis. 10

In the coming months, Apple and Google will work to enable a broader Bluetooth-based ENS by building the enabling functionality into their underlying operating systems. Removing the need to download an app widens the reach of the platform and would enable interaction with a broader ecosystem of apps and government health authorities. 11

Based on initial specifications released by Google/Apple, the ENS framework will, together with associated apps, generate and collect four types of information:

1. Bluetooth identifier codes and associated contact event information: generated by the ENS and stored de-centrally on individual devices.

2. Positive diagnosis information: uploaded to the app server by the user along with their associated contact identifiers ("diagnosed identifier codes").

3. Associated information: when an individual notifies via the app that they have the virus, their individual IP address and other metadata will be detectable by the app server. 12 Apple and Google currently require that apps using the ENS promise not to collect and retain this information. 13 "Associated encrypted metadata", including information about the timing and proximity of relevant exposure events, will be stored de-centrally on user devices and upon diagnosis notification will be decrypted locally. 14

4. Notifications to exposed users: the ENS will download and broadcast diagnosed identifier codes once per day. 15

with matching codes and will employ an algorithm locally to assess the risk of exposure based on the decrypted associated exposure metadata. The ENS will share information with the app about how many alerts were generated and the dates of exposure events. 16 The app will then generate an exposure detection notification to users identified as at risk. At the time of exposure notification the app server will receive additional information from matched users about the time and attenuation of exposure. 17 Apps may request or require additional information from users at the point of exposure notification. For example, exposed individuals may elect to upload their own unique identifiers to warn those with whom they may have been in contact. 18

A potential fifth category of information would be a combination of the exposure data collected by apps using the Google/Apple ENS with individual user identities and location data in order to (i) assist law enforcement to ensure quarantine of infected and/or exposed individuals; (ii) use location data in aggregate to track the spread of the virus across a population; or (iii) use individual exposure data to make inferences about health, such as a green light or 'all clear' indication that could be shared with third parties such as employers. Apple and Google have designed their system to make automated collection of this fifth category of data using their ENS prohibitively difficult. 19 However, those who administer apps using the system could collect some of this information separately at the time of diagnosis or exposure notification. 20

14 Bluetooth Specification, supra note 9 at 3-4 (received rolling proximity identifiers will be timestamped, and the associated encrypted metadata broadcast by a device will include data about radiated transmit power levels for better distance approximation).
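The decentralised flow described in the four categories above, modelled end to end as an added example (this is not code from the article, nor Apple/Google's ENS code or its published cryptographic specification): each phone derives short-lived identifiers from a daily key, logs the identifiers it overhears together with a signal attenuation, a diagnosed user uploads only daily keys, and every phone regenerates the published keys' identifiers and matches them against its own log. The 10-minute rotation period, the HMAC-SHA256 derivation, the 60 dB attenuation cut-off and the two-interval duration threshold are assumptions chosen for clarity, not the real system's parameters.

```python
"""Decentralised exposure-notification flow, modelled end to end.

Added illustration, not the Apple/Google ENS code or its cryptographic
specification. Assumptions (not from the article): identifiers rotate every
10 minutes and are derived with HMAC-SHA256; the 60 dB attenuation cut-off and
the two-interval duration threshold are made-up scoring rules.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

INTERVAL_SECONDS = 600                               # assumed rotation period
INTERVALS_PER_DAY = 24 * 3600 // INTERVAL_SECONDS    # 144 intervals per day


def derive_rpi(daily_key: bytes, interval: int) -> bytes:
    """Rolling proximity identifier for one interval: HMAC of the interval number
    under the day's key, truncated to 16 bytes. Anyone holding the daily key can
    regenerate every identifier it produced (which is what makes matching work);
    an observer without the key cannot link two broadcasts to each other."""
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Device:
    """One phone: its own daily key plus a local log of beacons it overheard."""

    def __init__(self, name: str, day: int):
        self.name = name
        self.day = day
        self.daily_key = secrets.token_bytes(16)
        self.observed = []   # (rpi, interval, attenuation_db); never leaves the device

    def broadcast(self, interval: int) -> bytes:
        return derive_rpi(self.daily_key, interval)

    def observe(self, rpi: bytes, interval: int, attenuation_db: int) -> None:
        self.observed.append((rpi, interval, attenuation_db))

    def diagnosis_keys(self):
        """Everything a diagnosed user uploads: (day, daily_key) pairs, nothing else."""
        return [(self.day, self.daily_key)]

    def match(self, published_keys, max_attenuation_db=60, min_intervals=2):
        """Local matching: regenerate each published key's identifiers for its day
        and look them up in this device's own log. Returns one result per key."""
        index = defaultdict(list)
        for rpi, interval, att in self.observed:
            index[rpi].append((interval, att))
        results = []
        for day, key in published_keys:
            first = day * INTERVALS_PER_DAY
            close = set()
            for interval in range(first, first + INTERVALS_PER_DAY):
                for seen_interval, att in index.get(derive_rpi(key, interval), []):
                    # an identifier only counts in the interval it was derived for,
                    # and only if the signal was strong enough to suggest proximity
                    if seen_interval == interval and att <= max_attenuation_db:
                        close.add(interval)
            results.append({"day": day,
                            "close_intervals": sorted(close),
                            "exposed": len(close) >= min_intervals})
        return results


class DiagnosisServer:
    """The only central component: it relays daily keys and holds no contact logs."""

    def __init__(self):
        self.published = []

    def upload(self, keys) -> None:
        self.published.extend(keys)

    def download(self):
        return list(self.published)


def simulate():
    """Constructed scenario: alice meets bob (3 close intervals) and carol
    (1 close, 2 distant); alice later tests positive and uploads her key."""
    day = 18400                      # constructed day number; any integer works
    first = day * INTERVALS_PER_DAY
    alice, bob, carol = Device("alice", day), Device("bob", day), Device("carol", day)
    server = DiagnosisServer()
    encounters = [(bob, 45), (bob, 45), (bob, 45), (carol, 50), (carol, 75), (carol, 75)]
    for offset, (peer, attenuation_db) in enumerate(encounters):
        interval = first + offset
        peer.observe(alice.broadcast(interval), interval, attenuation_db)
        alice.observe(peer.broadcast(interval), interval, attenuation_db)
    server.upload(alice.diagnosis_keys())   # positive diagnosis: keys only
    published = server.download()           # every phone fetches the same list daily
    return {"server_sees": published,
            "bob": bob.match(published),
            "carol": carol.match(published),
            "alice": alice.match(published)}  # own log holds others' beacons, not hers


if __name__ == "__main__":
    for who, result in simulate().items():
        print(who, result)
```

Running it shows the split the article relies on: the server object ends up holding exactly one daily key and nothing about who met whom, bob's phone flags an exposure from three close intervals, and carol's phone sees one close interval and two distant ones and stays below the threshold. The daily key is also the "additional information" that turns the identifiers back into a per-device trail, which is why the identifiers are better described as pseudonymised than anonymised.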
Furthermore, it should be noted that Apple/Google's ENS has reserved functionality for additional unspecified associated metadata which might be collected later.

a. GDPR: Is this data relating to an identifiable natural person?

The information broadcast by devices and collected by the app should be considered personally identifiable information as defined by the GDPR. The GDPR defines personal data as: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an

Any data stored on individual phones is information 'related' to an individual. 22 Although encrypted, the unique identifiers broadcast by the ENS could be linked to natural persons.

16 See Cryptography Specification, supra note 10 at 6 (stating that server operators will not learn the identity or location of those recently in contact with a diagnosed user). It isn't clear, however, if the app operator will learn any other information about devices receiving exposure notifications. See FAQ, supra note 15 at 3, 5-6 (stating that Apple, Google and other users will not have access to information shared by the ENS technology but that government health authorities will, subject to 'specific criteria around privacy, security and data control.')
17 Bluetooth Specification, supra note 9 at 6 (app server receives a "detection summary" with the number of matches detected and dates of detection, and requests further information from exposed users about day, duration and attenuation of contact); FAQ, supra note 15, at 2 (digital exposure notifications "will enable public health authorities to contact and provide guidance to the [exposed] individuals.")
For example, geolocation tracking systems already present on most user devices could re-associate the Bluetooth beacon identifiers with particular devices. 23 Google itself operates some of the most ubiquitous of these trackers. 24 The encrypted beacon signals therefore most likely meet the GDPR definition of personal data, as they are information in relation to an "identifiable" natural person. 25 The technology companies' promises not to track location data for the Bluetooth signals, or to access the Bluetooth contact information held on individual phones, are helpful technological and organisational measures that minimise the burden on individual privacy and increase the security of processing. However, as a matter of law, they do not disassociate the data completely, and so the activities remain subject to the GDPR. 26 Similarly, associated apps receive diagnosis information linked to an individual IP address, and will receive individuated information about those in contact with infected persons. 27 If the agencies follow up with in-person interviews, as is expected, they will have identifiable personal data on at least a subset of people potentially exposed to the virus. 28

constitute sensitive "data concerning health" requiring extra protection under the GDPR is a closer question. The definition of 'data concerning health' includes data which reveal information about an individual's health status. 29 The purpose of collecting the Bluetooth identifiers is to determine virus exposure. Organisations would therefore be wise to treat this information as special category data under Article 9 of the GDPR.

c. GDPR: Is the Data Anonymised or Pseudonymised?

Apple and Google claim that user data broadcast through their ENS has been 'anonymised' by virtue of deidentification and decentralisation. 30 However, anonymisation is a moving target legally. The European Data Protection Board ('EDPB') 31 has made it clear that true data anonymisation is a very high bar and that data controllers often fall short of actually anonymising data. 32 Information is anonymised, and outside the reach of the GDPR, if, taking into account the means reasonably likely to be used, including the available technology at the time of the processing and technological developments, the information cannot be associated with a natural individual. 33 Recent research has demonstrated that a large range of techniques exist to re-identify individuals using seemingly anonymous information. 34 That more such technologies are being developed every day means that users can never be confident that data shared 'anonymously' will not be associated with them in the future. Data controllers equally cannot be sure that they will not be found liable for failing to protect de-identified data. 35

23 . If an entity with access to this location data also 'eavesdrops' on the Bluetooth beacons, they could link broadcast identifiers to individual devices through GPS tracking. If this entity also downloads the official app it will receive diagnosis keys that they conceivably could use to pinpoint and identify infected individuals. See, e.g., https://github.com/DP-3T/documents/issues/169
24 Thompson & Warzel, supra note 23.
25 DPIA for the Corona App, supra note 22 at 47 ("The question of whether the operator of the app or the operator of the server can access the encrypted or pseudonymised data is irrelevant in terms of whether personal data are processed . . . . In order for the processing of personal data to be confirmed, it is sufficient for the TempIDs to be generated on the user's terminal equipment. The fact that the tokens are sent in encrypted form via a secure network does not change the personal nature of the tokens. Even with encrypted personal data, the personal reference remains intact.")
Perhaps for this reason, although Google and Apple claim the data processed through the ENS is 'anonymous', they have still instituted multiple controls to prevent re-identification in their design, in keeping with the GDPR's data minimisation and security of processing principles. These controls result in data that is at least pseudonymised. In contrast to anonymisation, Article 4(5) GDPR defines pseudonymisation as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person." By implementing pseudonymisation as a security of processing measure, data controllers can benefit from several relaxed standards under the GDPR, including potentially processing for other compatible purposes pursuant to Art. 6(4)(e) GDPR.

For public health authority apps, these controls may render the ENS data fully anonymous. However, depending on how the apps are designed, the operating entities could collect personally identifiable information, such as IP addresses, in addition to the encrypted diagnosis keys generated by the ENS. 36

29 GDPR Art 4.
30 See, e.g., Whitaker & Etherington, supra note 5.
31 The European Data Protection Board (EDPB) is an independent body, tasked with ensuring consistent application of data protection rules throughout the European Union and promoting cooperation between the EU's data protection authorities. The EDPB is composed of representatives of the national data protection authorities.
It is not possible to judge whether the apps process only anonymised information without analysing the design of a specific app and understanding what information collection practices, such as manual contact tracing interviews or third party tracking, might be used alongside it. Based on the information currently available, automated notification of exposure using the ENS and associated apps is a personal data processing system subject to oversight under the GDPR.

Article 24 of the GDPR mandates that data controllers, including joint controllers, implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that covered processing is performed in accordance with the Regulation. 37 All of the GDPR Article 5 principles, (i) lawfulness, fairness and transparency, (ii) purpose limitation, (iii) data minimisation, (iv) accuracy, (v) storage limitation, (vi) integrity and confidentiality and (vii) accountability, must be observed in the design and implementation of these systems. 38 These principles translate into a specific architecture of protection and enforcement for data subjects. Articles 12-23 of the GDPR mandate clear 'pre-defined' rights for the data subject, including rights of access, rectification and erasure. To ensure accountability, each Member State must empower a competent and independent supervisory authority to enforce the terms of the Regulation, including the power to investigate and impose fines and other penalties. 39 Controllers and processors must maintain records of processing activities, including the purpose of the processing, and ensure the processing is technologically and organisationally secure. 40 Controllers must also conduct specific impact assessments (Data Protection Impact Assessments or "DPIAs"), including risk mitigation measures, for processing activities which pose a high risk to data subject rights. 41

45 (CCPA) to a proximity tracking system is more limited.
This lack of coverage might seem to encourage innovation, but there is a greater risk that the absence of comprehensive standards could undermine public trust and delay rollout of contact tracing technology at a critical moment. HIPAA's Privacy Rule applies only to data collected by health providers themselves, or by businesses hired by health providers to process their data. 46 An individual's diagnosis from a diagnostic lab would, therefore, be subject to HIPAA's Privacy Rule, but a Bluetooth exposure proximity system such as the one designed by Google and Apple would seem to fall completely outside HIPAA's parameters. 47 In fact, the reality might be somewhere in between, because associated apps could depend on diagnosis validation from health care providers who are subject to the HIPAA Privacy Rule. 48 However, as long as it is the individuals themselves who disclose health information to the ENS, and not the health provider directly, HIPAA would most likely not apply to the system. 49

This regulatory gap might provide an opportunity for experimentation and market competition, allowing anyone to create virus tracking apps using GPS location data, Bluetooth handshake signals or other personal biometric or commercial data. 50 However, in a national emergency, increased business experimentation is a dubious virtue. 51 A proliferation of products, some less reliable and trustworthy than others, could undermine adoption of reliable notification systems. 52 Furthermore, those whose participation is most important, health providers and public health agencies, may hesitate to share information (such as COVID-19 diagnoses) in machine readable formats without assurances that other system users are engaging in privacy protective practices. 53 The lack of protection could delay uptake by US health authorities and providers at the moment when such involvement is most needed.

The reach of the CCPA is also limited. The CCPA is a consumer protection statute.
By its terms it excludes data covered by the HIPAA Privacy Rule and other state laws concerning the privacy of medical information. 54 Furthermore, the CCPA does not apply to information collected by small businesses unless data brokerage is their principal business. 55 The CCPA also does not clearly state whether its obligations apply to personal information that has been pseudonymised. 56 The Bluetooth signals gathered by an exposure notification system may qualify as "de-identified" or anonymised information under the CCPA even if they would not under the GDPR. 57 Clarifying how these different exclusions and carve-outs apply to a virus tracking and notification system and associated apps is no small task. 58 The law lacks a specialised regulatory agency tasked with its interpretation that can issue the necessary guidance in a crisis. Finally, even if the law applied to a proximity notification system or associated applications, it would not necessarily prevent the use or sale of individual data collected through these systems for other purposes unless the user objected. 59 By prioritising individual notice and opt-out over shared principles, the law requires more engagement by individuals at a moment, such as the point of diagnosis with a serious illness, when they are not well equipped to provide it. 60 Any uncertainty patients and health providers have about how health information shared with third party applications could be used in the future may disincentivise use of the app. Lack of clarity about potential liability may cause companies to shy away from participating in the system. 61
Individuals may hesitate to share diagnosis information without assurances that their illness history and any associated health, contact and lifestyle information will not be shared broadly in a way that could draw unwanted attention or impact employment, credit scores or insurance rates. 62 Meanwhile, widespread immediate adoption of the technology may be crucial for its success in containing the spread of the virus. Even if adoption is widespread, damage to the fundamental rights of privacy and security of individuals from unregulated sharing could linger for years.

When a contact tracing ENS, or associated app, falls within the GDPR's governance, processing of personal data must have a 'lawful basis', and processing of personal data concerning health must meet further 'lawful basis' thresholds. The public/private collaborations envisioned by digital COVID tracking systems raise interesting questions in this regard. Public health and disaster response functions are typically overseen by democratically accountable public agencies. But here private, commercial tech companies are getting involved, either as initiators, partners, or organisations picking up outsourced tasks. Understanding the scope and purpose under which public and private entities may perform these functions will be crucial for complying with the 'lawful basis' requirements in the GDPR. It will also be crucial for public trust.

52 may hesitate to engage in tracking without official protection from liability under existing
61 See, e.g., Ghose & Sokol, supra note 33 at 3 ("To enable effective coordination between public and private sectors, government has to provide assurances to technology platforms, telecom providers, and tech firms that such data sharing will be exempt from any adverse regulatory action or private lawsuits, now or later.").
Apple and Google have presented their ENS technology as a public-spirited and voluntary effort to assist in a time of crisis. This characterisation may be reasonable. Nevertheless, Apple and Google are commercial entities accountable in governance and operation to profit-minded shareholders. In China, where Alipay and WeChat hosted the Health Code app used to track coronavirus exposure, those companies have asserted contractual rights to keep the data once the crisis is over. 63 One German technologist lamented to Reuters that it was a less than ideal solution to have large private technology platforms in control of the architecture holding "all the contacts plus the medical status of citizens around the world . . . ." 64 At the same time, others are similarly wary of authoritarian governments and their law enforcement apparatus having unfettered access to such information. 65 The risk of 'function creep', and of use of data for purposes unintended by the data subjects, exists whether the government or private entities collect this data. 66 The GDPR's insistence on a lawful purpose for processing, while not an absolute structural safeguard, can help to hold organisations legally accountable for the uses they make of data.

Article 6 of the GDPR requires organisations to have a legal basis for processing personal data. 67 In addition, Article 9 states that processing of special category data, such as information concerning health, is forbidden unless a specific exemption applies. 68 Organisations must therefore have both a general lawful basis and a special category exemption lawfully to collect and analyse data concerning health. Any use of data that exceeds what is necessary for the stated lawful basis is prohibited by the GDPR unless it is covered by a separate permissible basis. A data controller needs only one lawful basis in each of Articles 6 and 9 as a 'floor', but it might choose to go above the floor.
For example, the lawful basis for a public health authority's processing of data in a COVID-19 tracking app might be to protect the public from infectious disease. In addition, it might state that citizens have a choice whether or not to download or delete the app. The processing allowed by the GDPR is thus based on multi-dimensional limits, which sometimes differ from what an individual considers appropriate protection. In contrast, the floor in notice-and-choice based systems, such as the CCPA, depends on users individually setting boundaries as to what organisations can and cannot collect and for what purposes. If an individual is poorly informed, or for one reason or another is not a rational or fair decision-maker, the GDPR's approach is preferable.

The lawful basis which is open to a COVID-19 exposure notification system under the GDPR will depend on the particular controllers involved. Each controller will need its own lawful basis. Under the GDPR the data 'controller' is the entity that alone, or jointly with others, determines the purposes and means of the processing of personal data. 69 A data controller can be a private or public entity, but the lawful bases that each can rely upon differ. Apple and Google's ENS could have multiple controllers. First, in May 2020, both companies released APIs that enable interoperability between Android and iOS devices using 'official' apps from public health authorities. 70 Second, in the following months, Apple and Google will enable a broader Bluetooth-based contact tracing platform by building this functionality into their underlying operating systems. These changes would enable interaction of the ENS platform with a broader ecosystem of apps (some of which might be offered by private entities) and government health authorities. 71 The purposes of those using the tracking technology are important for determining which lawful basis they may rely upon. They are likely to differ.
For instance, public entities will have public functions which private entities do not. However, the situation is complex and still evolving. It is also possible that commercial entities can design workarounds once the functionality is embedded in the device operating system.

The simplest cases under the GDPR involve apps managed by public health authorities. Apple and Google plan to limit access to the ENS to apps designated by a single public health authority in each state. 72 This section considers the lawful basis for processing carried out by a COVID-19 exposure app designed and managed by a public health authority. While many people will consent to health systems using their data for the purpose of tracking exposure, the European Data Protection Board has emphasised that consent is not the optimal basis for public authorities. 73 Consent given to public authorities is generally not considered to be given freely, due to the power or potential power of public agencies to compel compliance. 74 Users also may withdraw consent at any time, which could compromise the agency's public health mission if consent were withdrawn after notification of a positive diagnosis.

67 GDPR Art. 6. The CCPA does not set a list of grounds that businesses must adhere to in advance of collecting, selling and disclosing personal information, and only provides for an a posteriori mechanism, namely allowing customers to opt out of the sale and disclosure of their personal information or to ask for erasure of the information.
68 GDPR Art. 9.
69 GDPR Art 4.
70 Kari Paul, Apple and Google release phone technology to notify users of coronavirus exposure, GUARDIAN May 20, 2020; Apple press release, supra note 2.
71 Id. Apple and Google have since clarified that "Only public health authorities will have access to this technology and their apps must meet specific criteria around privacy, security, and data control." FAQ, supra note 15 at 3.
Instead, the EDPB has clarified that public authorities should most likely rely on Articles 6(1)(e) -necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.‖ 75 An additional basis under Article 6 would also be subsection (1)(d) -to protect the vital interests of the data subject or of another natural person.‖ 76 Recital 46 of the GDPR states explicitly that both vital interests and the public interest are proper bases in the midst of humanitarian crises such as an epidemic: Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters. 77 Where an app uses the Google/Apple ENS functionality and collects additional data (beyond proximity), such as user location, equipment details or subsequent health status, the public agency controller will need to evaluate such processing separately. Additional lawful bases may be required to justify it. 78 Organisations also need a special category exemption in order lawfully to collect and analyse data concerning health. Article 9 provides for several exemptions for special category data relating to public health. Agencies using data concerning health could do so pursuant to Articles 9(2)(g) (-substantial public interest‖), (2)(i) (-preventative 79 Many national health authorities are sufficiently empowered through their implementing or public health regulations to process contact tracing data according to one of these special category conditions. 80 However, the EDPB has suggested that Member States may want to pass specific implementing legislation to promote voluntary use of the app and setting out functional requirements for its use. 
81 Even where consent is not relied upon as the 'lawful basis' under Articles 6 and 9 for processing, European authorities have been clear that voluntary use is an important safeguard under the GDPR. 82 The foundational 1980 OECD Principles on the Protection of Privacy, including the principles of Collection and Use Limitation, as well as Security Safeguards and Individual Participation, require that any use of personal data should be undertaken with the knowledge and consent of the data subject where possible. 83 Requiring explicit consent supports the autonomy and control of the data subject over their personal information as well as inherently limiting the type of data that can be collected and how long it is kept. As such, a consent requirement should be viewed as an 'organisational measure' under the GDPR that facilitates the GDPR principles of data and storage minimisation, and lawfulness and transparency of processing. Even though public authorities do not need consent as a lawful basis, the GDPR requirements for Privacy by Design and by Default require that it be sought as a safeguard where possible. 84 User consent is also required under related legislation, such as the EU ePrivacy Directive, which protects individual data located on mobile devices from being accessed via mobile communication networks. 85 The articulation of these principles through legislation has caused designers of tracing and notification systems to prioritize voluntary use. In contrast, officials in China and Israel, for example, have imposed virus exposure tracing software automatically. 86 India's mobile app began as a voluntary tool, but the government recently mandated its use as a condition of returning to the workplace.

79 Interestingly, vital interests, while available as an exemption under Article 9, would probably not apply to contact tracing, as in the Article 9 context it can be used only where the data subject is "physically incapable of giving consent." GDPR Art 9(2)(c).
87 Such non-consensual tracking, as well as default sharing of data with law enforcement and national security services, greatly increases the risk that agencies may abuse their authority and use public health data for illegitimate surveillance, law enforcement or targeting purposes. 88 For this reason, the Israeli Supreme Court recently barred the Israeli security service from continuing to access citizen mobile data for virus tracking without specific legislative authorisation. 89 Furthermore, the Court specified that even under such legislation, mobile tracking should be voluntary. 90 Note, however, that if a system is 'voluntary' but does not depend on consent for a 'lawful basis' under Article 9 of the GDPR, controllers can define informed consent in a way that differs from the GDPR's definition of 'consent'. For example, information about choices may not be as specific and extensive (they might seek what is known as 'broad consent'), and some choices may be opt-out. Furthermore, controllers would not be obligated to provide the same automatic rights of withdrawal or erasure. 91 However, data subjects will retain other GDPR default rights, such as the right to object to processing, 92 to rectify any inaccurate data held, and to seek associated legal remedies. 93 Any company acting as a controller as part of the ENS, and arguably Google and Apple themselves in administering and updating the ENS, will be a separate 'data controller' from the public authorities discussed above and thus will need their own distinct lawful basis for processing under Articles 6 and 9. Other private companies are not currently expected to be involved as data controllers with the Apple/Google ENS. Commercial entities coming into contact with the ENS in its first phase will most likely be doing so as processors for these public health authority systems.
For example, the national health services in the UK and Australia operating their own notification systems have contracted with Amazon and Microsoft for certain data storage and information management tasks. 94 Processors act according to the instructions of the data controller and so do not need their own legal justification. 95 It is possible, however, that in the second phase of the rollout of the Google/Apple system, a greater variety of apps will be permitted to use the interface. A company running an app on the Google/Apple system could be a separate data controller. In addition, a public health agency in a Member State might delegate management of its system to a private company in such a way that the company becomes a data controller, at least for some aspects of personal data management. 96 We consider first apps managed under the authority of private entities, and then the role of Apple/Google themselves. To qualify for the public health-related bases set out in Article 6, such as vital interests or a task carried out in the public interest, a commercial entity would most likely need to act in concert with and under the direction of public health authorities. 97 The GDPR is clear that there must be some basis in Member State or EU law that defines the nature of a "public interest," "vital interest," or "legal obligation" for these bases to apply. 98 A private entity cannot just cloak itself in good intentions and claim to act for the public. 99 For example, Israeli spyware firm NSO, the firm suspected of helping the Saudi government track down dissident Jamal Khashoggi, is also marketing to various governments its software capabilities for monitoring individual virus exposure. 100 While such tracking might be broadly in the public interest during a pandemic, the GDPR requires some foreseeable basis in law before such an entity can purport to represent the public good.
Recital 41 GDPR clarifies that "where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament […] However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable to persons subject to it." Private entities that exercise a clear public function, such as a university conducting medical research or a public utility, may also be able to rely on a public interest or official authority basis for processing if supported by law. 101 Instead of a public interest basis, private companies could claim a 'legitimate interest' basis for processing exposure-related data, but, with exceptions, this will also require coordination with a public health authority or the agreement of the data subject. Article 6(1)(f) of the GDPR allows processing that is "necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject." 102 Third parties certainly have a legitimate interest in knowing whether they have been exposed to COVID-19. However, a private company controller must have a legitimate claim to be the appropriate entity to vindicate that third-party interest based on its relationship to the data subject. This could include some kind of affiliation with a public health authority that typically would conduct contact tracing. Other situations include an employer-employee relationship where a safe workplace is an expectation, or situations where data subjects are clients and infection exposure is a concern (eg clients of a gym).
103 Otherwise, the processing would be outside of the "reasonable expectations of data subjects based on their relationship with the controller" and therefore the rights of the data subject would likely override the third-party interest. 104 Furthermore, any processing permitted under this basis must be limited only to what is necessary and proportionate. 105 An alternative basis for processing is where it is "necessary for performance of a[n existing] contract" with the data subjects. 106 For this basis to apply, it would not be sufficient that the contract terms might allow tracking of exposure events, unless such tracking has a close and substantial link to the contract's main purpose. 107 Furthermore, tracking of exposure must be necessary to achieve the contract's purpose, and the data subject must have been informed that this processing would occur. 108 As an alternative, affirmative and informed consent can provide a basis for exposure tracking so long as the consent is given freely. 109 All considered, it is likely that, absent an employment or other relevant and close relationship, commercial entities providing tracking architecture through an app must either act together with and under the supervision of a public health organisation or obtain affirmative individual informed consent for the processing of infection exposure data. As mentioned, Google and Apple themselves, in administering and updating the ENS, could be in a situation where they independently manage collection of exposure data and exchange of Bluetooth identifiers. In this case, they would also need to specify a lawful basis for this processing. It appears that Apple and Google are trying to take steps to minimise situations where they would qualify for the ongoing duties of a data controller. The result of these steps is debatable.
On the one hand, because the ENS stores data locally on individual devices, Google and Apple may claim that they themselves do not determine the purposes and means of processing or actually process any personal data. The GDPR defines a data controller as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data." 110 On the other hand, this definition does not require that entities store or physically process data to be a controller: determination of the means and purposes of processing by others is sufficient. 111 Just as designers of algorithms that engage in automatic processing are still 'data controllers', 112 it could be claimed that by virtue of designing, updating and operating the ENS, Google and Apple are either joint 'data controllers' or in a "data controller-data processor" relationship with public health authorities. 113 If they are joint data controllers, Apple and Google should also specify the lawful basis underlying their design and management of the ENS. As stated above, notwithstanding good intentions, these technology platforms would most likely need to rely on affirmative consent. It is unlikely that broad contact tracing, undertaken without regard to the services Apple and Google typically provide, would qualify as "legitimate interests" of those businesses within the "reasonable expectations" of their customers or as "necessary for performance of a[n existing] contract" with the data subjects. 114 Furthermore, the ePrivacy Directive requires explicit consent for processing of data collected automatically via the operation of a publicly available electronic communication service. 115 The notion of consent under the GDPR is more robust than consent as defined under HIPAA and the CCPA. Under the GDPR, consent is only valid if it was given freely and in response to clear, plain disclosures devoid of unfair terms.
116 For special category data, such as data concerning health, enhanced consent requirements apply. These are discussed below. A similar requirement for public oversight exists when special category data is involved. All of the conditions in GDPR Art 9 that relate to processing data concerning health for the substantial public interest, public health or preventative medicine require that such processing be undertaken "on the basis of Member or Union law." 117 Several of the Art 9 conditions also impose additional substantive conditions (see Table 1). Employers may process special category data under 9(2)(h) for the purpose of evaluating the working capacity of an employee, which might provide employers with an independent basis for conducting some form of targeted contact tracing. Processing necessary to carry out obligations in the field of employment and social security and social protection law is also allowed in so far as it is authorised by Union or Member State law. 118 This basis could allow employers and other commercial entities who have a defined social care function under local law to conduct some form of health care monitoring. Member States could also pass specific legislation or issue administrative guidance authorising commercial parties without a social care function to manage an app or other architecture for contact tracing. That legal instrument could provide the basis for commercial entities offering tracing functionality, such as Apple and Google, to claim to act according to one of the above special category conditions. 119 That same measure could establish governance and accountability mechanisms to ensure that private use of the data remains responsive to public concerns and democratic principles. Depending on the special basis employed, some processing may also require obligations of professional secrecy.
120 Note that even under the authority of such implementing legislation and professional secrecy, there is a strong argument that use of the app should still be voluntary to enhance public trust and to meet the GDPR principles of privacy-by-default and privacy-by-design. 121 Rather than a justification based on public interest reasoning or a special relationship of care, private entities processing data concerning health may rely instead on explicit consent. Enhanced consent requirements apply. The data subject will need to provide explicit, informed consent to the processing of personal data for each specified purpose. 122 Furthermore, under the GDPR, independent supervisory authorities are empowered to investigate any abuses as well as to ensure that the rights of the data subject, such as the right of access, rectification, erasure and the 'right to be forgotten', are respected. 123 By contrast, in the U.S. the CCPA requires merely that businesses that collect personal information from California residents inform those consumers of the uses that will be made of their data. Consent is not required; it is up to the consumer affirmatively to object. HIPAA has consent requirements analogous to those found in the GDPR, but these only restrict covered health entities and their business associates. Other businesses, such as Apple and Google, that are not health care providers or insurers may collect health data freely and need not seek consent if they obtain sensitive health-related data from a source other than a covered entity. Consent under the GDPR is therefore a substantial use limitation which can help ensure that information provided to apps will not be used to target or disadvantage users. In the US, where consent does not provide firm limitations, a recent poll found that nearly 3 in 5 people would not be willing to download and use an infection-tracing app, largely due to mistrust of tech companies and their willingness to safeguard privacy.
124 The GDPR is known to have an expansive scope. COVID-19 app tracking systems are likely to fall within its purview, unlike narrower sector-specific rules such as the US Health Insurance Portability and Accountability Act (HIPAA), and even the new California Consumer Privacy Act (CCPA). Counter-intuitively, the scope of the GDPR is not likely to be a hindrance, but rather an advantage in conditions of uncertainty. The principles in the GDPR offer a ready-made functional blueprint for system design that is compatible with fundamental rights. The principles are flexible enough to accommodate either a centralised system run under the auspices of a public authority, or a completely decentralised system designed by private entities with user consent. The utility of any exposure notification system will depend on the reliability of diagnosis information and the broad availability of testing once a user is notified of exposure. With these complementary capabilities, exposure tracing and notification is a proportionate response to the coronavirus public health threat that justifies some intrusion on the privacy rights of individuals. Each system, whether decentralised processing by private entities or more centralised tracing overseen by public health agencies, has privacy advantages and disadvantages. Public health bodies are, at least in theory, more democratically accountable. On the other hand, users have, at least in theory, more robust rights to withdraw from commercial systems operating on the basis of user consent. Combining both approaches is also possible. It will be important for data protection authorities to monitor either type of system closely to protect against function creep. In addition, each jurisdiction may choose to promulgate official regulations, legislation or orders that set out the rights and obligations of all parties involved in contact tracing even when users consent.
These provisions could include requirements that the data not be kept, except in aggregate form, after the public health crisis. 125 It will also be helpful to involve civil society organisations and ensure representation of groups such as the elderly, minors, the incarcerated, etc to provide oversight and advice on use of the technology. 126 This is in keeping with the GDPR's mandate to ensure 'lawfulness, fairness and transparency' in processing. 127

Beyond the Exit Strategy: ethical uses of data-driven technology in the fight against COVID-19
German tech startups plead for European approach to corona tracing app
See Baker, supra note 3; Valentino-DeVries, supra note 1
Beyond the Exit Strategy: ethical uses of data-driven technology in the fight against COVID-19
See Letter from Andrea Jelinek to Olivier Micol, supra note 48 (stating that consent is not the most relevant basis for use of tracing apps by public authorities)
EDPB Guidelines 04/2020, supra note 32 at ¶ 29; Letter from Andrea Jelinek to Olivier Micol, supra note 48
Statement of the European Data Protection Board on the Processing of Personal Data in the Context of the COVID-19 Outbreak 2
ICO Opinion, supra note 36 at
The Ministry of Home Affairs has backed away from this stance and instead suggested that citizens use "best efforts" to use and install the app. Privacy activists pleased as Centre softens stance on Aarogya Setu app
Israel's coronavirus surveillance is an example for others "of what not to do"
Singer & Sang-hun, supra note 86
Israel's top court says government must legislate COVID-19 phone-tracking
Supreme Court issues decision on General Security Services' tracking of technological data
)(b) (providing rights of withdrawal and erasure when consent is the lawful basis for processing
supra note 91 at 23; AUS. DEPARTMENT OF HEALTH, THE COVIDSAFE APPLICATION PRIVACY IMPACT ASSESSMENT 11
24 Israeli Spyware Firm Wants to Track Data to Stop Coronavirus Spreading
GDPR Recital 45; see Data Protection Act
GDPR Recital 47 (providing, as examples of 'a relevant and appropriate relationship between the data subject and the controller,' situations where the data subject is a client or in the service of the controller)
UK Information Commissioner's Office, What is the 'legitimate interests' basis?
)(b)
GDPR in the context of the provision of online services to data subjects at 8-9
Letter from Andrea Jelinek, Chair, EDPB, to Sophie in 't Veld, Member of the European Parliament
supra note 76 at 2 (stating that providers of publicly available communication services may only retain and use location data about subscribers if it is made anonymous or used with consent
6 & 9; see also Opinion of the EDPB on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities
) of the ePrivacy Directive provides that, as a rule, prior consent is required for the storing of information, or the gaining of access to information stored in the end-user's device constitutes personal data, article 5(3) of the ePrivacy Directive shall take precedence over article 6 of the GDPR with regards to the activity of storing or gaining access to this information.
116 GDPR Art 7 & Rec. 42; see also ePrivacy Directive Art. 2(f)
A duty can arise where there is a reasonable expectation of confidentiality. Duties can also be imposed by contract
) ("A major source of scepticism about the infection-tracing apps is distrust of Google, Apple and tech companies generally, with a majority expressing doubts about whether they would protect the privacy of health data"

The authors thank David Erdos and anonymous reviewers for their helpful comments but retain all responsibility for the views (and any errors) expressed herein.
The authors acknowledge the support by the Novo Nordisk Foundation for the scientifically independent Collaborative Research Program for Biomedical Innovation Law (grant NNF17SA0027784).