Shielding the digital treasure: A dyad of economy giants in their quest to (for)get your health data
Case study of Italy v. Wales and England’s exposure notification apps
Candidate number: 6009
Submission deadline: 16 August 2021
Number of words: 13741
Table of contents
1 Introduction
1.1 Neolithic personal data
1.2 Using technology to catch up with biology
1.3 Methodology
1.3.1 The research
1.3.2 Terminology
2 Communication protocols in the EU
3 England and Wales
3.1 Legislation
3.2 Compliance with data protection principles
3.2.1 Lawfulness, fairness and transparency
3.2.2 Data minimisation
3.2.3 Storage limitation
3.3 Other matters
3.3.1 Age requirements
3.3.2 Interoperability partners
4 Italy
4.1 How the app works
4.2 Data gathered from the app
4.3 Compliance with data privacy principles
4.3.1 Lawfulness, fairness and transparency
4.3.2 Purpose limitation
4.3.3 Storage limitation
4.4 Other matters
4.4.1 Terms of Use
4.4.2 The Privacy Notice
4.4.3 Age requirements
5 Immuni vs. NHS Covid-19 app
6 Conclusion
7 Table of reference
1 Introduction
Throughout a pandemic, the question “How is my privacy being protected?” is probably the last thing on people’s minds. Survival instincts such as worries about health, food and the financial means to secure good health and food take priority, and understandably so. After all, we are only a bunch of intelligent animals, and the instinct to protect our privacy is not written in our DNA but learned through the modernisation of life.
The earliest academic discussion of privacy is considered to be “The right to privacy”1 in 1890, but the first written mention of it dates back roughly 2300 years, to Aristotle2. Either way, it did not become internationally recognised law3 until the adoption of the Universal Declaration of Human Rights in 19484.
Assessing this timeline matters because the attitude of the collective consciousness towards privacy deeply influences people’s behaviour towards it in times of great distress, such as a pandemic. During the bubonic plague in the Middle Ages, for instance, it is very unlikely that people had the slightest concern about how their privacy was being protected while the disease was being fought. During the coronavirus disease 2019 (Covid-19) pandemic, by contrast, some people have expressed, even publicly, their concern about whether their privacy expectations are being met. The reason for this different approach is that more people are now aware of the importance of preserving their privacy. This awareness is undeniably a result of the right to privacy being discussed more in public and of its incorporation into legal regimes all around the world. The sharp decline in illiteracy over recent decades has also played a role. Our growing concern as a society from one pandemic to the next is also linked to the fact that there has never been a time in human history when our privacy has been more exposed than it is right now. From phones and laptops collecting data about our every click; from security cameras to people photographing strangers on the street unnoticed; from hacking a celebrity’s cloud account from miles away to the exposure of important government documents: this is, of course, a peculiar time to live in. Another reason could be that in this age, as a result of the immense medical progress made since the last global pandemic hit us5, we know that our chances of survival are greater than they would have been a century ago, and that is why we have the “comfort” of shifting our attention to other concerns, such as how our privacy is being safeguarded. People may also have realised that when the protection of privacy seems the least important thing in situations like these, it may become even more susceptible to misuse.
1 Warren and Brandeis, “The right to privacy”.
2 Swanson, Aristotle's Political Philosophy, p. 205.
3 Article 12: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks”.
4 Diggelmann and Cleis, "How the Right to Privacy Became a Human Right", p. 441.
There is sometimes confusion over terminology in this area of law. “Data privacy” and “data protection” are used as interchangeable concepts, the latter being the term used in Europe6. Probably for this reason, privacy and data protection are also sometimes used interchangeably, even though they are not equivalent7. Data protection can be defined as “…a set of norms that specifically govern the processing of data relating to persons (i.e., personal data) in order to protect, at least partly, the privacy and related interests of those persons.”8. Privacy, on the other hand, is often thought of as the right of the individual to have a personal life and to keep their personal information from others without their approval. As the definitions make clear, however, the two concepts are not opposed to each other either, because neither would exist without the other. It would be impossible for an individual to enjoy complete privacy if no data protection laws safeguarded their personal information; and had privacy laws never been conceived, there would probably be no data protection laws today, because the latter emanated from the former.
The question of who can misuse personal data is very important, because the answer to that determines the legal approach towards the perpetrators and also the rules and principles that should be implemented to prevent data abuse. In the coming paragraphs, the focus will be on public authorities of selected European countries as entities that control and process data.
The old continent, unlike others, is challenging to research because its legislation is as complex as its cultural diversity from region to region. Besides local and national executive bodies, in member states the European Union (EU) bodies also have to be taken into account. Some other countries are made up of supralocal structures such as cantons or federal states9, each with its own legislation. There are also the European countries that are not part of the European Union, so EU legislation is not binding on them10. Understandably, not all of the above-mentioned executive levels deal with data processing, but all of them impose some kind of rules and obligations which, even if not directly related to data processing, can be either a blessing or a curse for the protection of personal data.
5 According to medical professionals, the last global pandemic is considered to have been the 1918 Spanish flu pandemic.
6 Bygrave, Data privacy law, p. 2.
7 Ibid., p. 3.
8 Bygrave, “Data Protection vs Copyright”, p. 3.
For example, in Germany the laws regulating the declaration of “a case of disaster” vary from federal state to federal state11. But whether a state of disaster is declared or not has an impact on which human rights the state can limit, and that is directly linked to the right to privacy and the protection of personal data.
It is also important to distinguish between the different purposes for which a country can implement technological solutions during a pandemic. In some instances there have been attempts to use them as a preventative measure12, in others to track the movement of infected people13, and nowadays to determine who is allowed to enter a country based on their vaccination status.
In any case, in the coming paragraphs the focus will be on contact tracing apps14, the most prevalent way around the world to (try to) keep infection under control. Many theoretical studies on the privacy implications of these apps have been conducted around the world, but very few take a pragmatic approach by comparing systems with each other. Just as competition in a capitalist economy drives enterprises to offer better products to customers, the same can be said for these apps: comparing them could be a good incentive to do better.
1.1 Neolithic personal data
From the first ever recorded pandemic, in 3180 B.C. Egypt15, to the Covid-19 pandemic of the 21st century, gathering data has been seen as a necessity if a population wants to manage and minimise the tragic outcomes brought about by dreadful diseases. Between these two points in history there is a pivotal moment worth mentioning: the moment when people started analysing and drawing conclusions from the medical data they were collecting, a novelty (among many others) attributed to Hippocrates16. But, even though it was a first, Hippocrates did not gather this data for the purpose of public health surveillance but for research. The data gathered during the Covid-19 pandemic, by contrast, serves both research and surveillance purposes. What makes it even more worrisome is that today’s data is fully digitised, giving it a significant advantage in longevity even over data gathered as recently as forty years ago. Today’s data is far less susceptible to force majeure than older or ancient data. Whereas records from 3180 B.C. Egypt might have been wiped out in the burning of the Library of Alexandria, today, thanks to different storage methods and more control over such events, a fire in a library is unlikely to cause the permanent disappearance of any data. For this reason (and many others), those who gather and analyse data should be very careful with how they handle it today, because the data they process might still be available and intact to people thousands of years from now, and that is a very big responsibility.
9 So is the case of Switzerland and Germany.
10 Nonetheless, at this point, almost all candidate countries have harmonised a big portion of their legislation with that of the EU.
11 Deutsche Welle, “Emergencies, disasters, curfews”.
12 By notifying people that they cannot gather in groups.
13 In Oman people entering quarantine were required to wear a wristband with a GPS tracker to make sure that they would not leave the quarantine place.
14 Apps that notify users of a possible infection.
15 Choi, “Public Health Surveillance”, para. 2.2.
1.2 Using technology to catch up with biology
The Covid-19 pandemic introduced us to a new approach to public health surveillance: the use of technology. It started as an alternative to more stringent pandemic-curbing measures such as total lockdowns17, but the truth is that the use of technology has not abolished the other, less human-rights-friendly alternatives. Lockdowns were still implemented alongside technology.
A myriad of different technological solutions have been implemented since the beginning, whether through web pages, apps or wearable devices. In the upcoming paragraphs the focus will be on apps developed for this purpose; more specifically, contact tracing apps, which are found in many countries all over the world and as a result have the largest number of users, prompting more interest from researchers.
The World Health Organization (WHO) defines contact tracing as a monitoring process that involves three steps: contact identification, contact listing and contact follow-up18. The word “monitoring” itself does not convey a very data-protection-friendly feeling. For this reason, it is important to assess whether the way it is conducted complies with the main standards of data protection.
16 Ibid.
17 Bertelsmann Stiftung (2020), p. 4.
18 E-health network (2020), p. 43.
1.3 Methodology
The need for this research showed itself in April 2020, when articles about apps that would help deal with the pandemic were all over online newspapers. Many of these apps have changed a lot from the way they were envisioned at that time, but some questions remain: How much do they comply with data protection laws today? Could they be better in this regard? If so, what needs to change in their architecture?
These questions form the basis of this research, and trying to answer them is what the upcoming paragraphs are about. The aim was to bring a more pragmatic approach to the issue by comparing instead of theorising. That is why the first step was identifying the countries whose apps were of interest to analyse; the choice was made on the characteristics of the countries, not of the apps. They had to be two countries analogous enough to be comparable with each other and distinct enough that it would not seem like comparing a country with itself. The countries needed to be within Europe, so that they would have a strong affiliation with the General Data Protection Regulation (GDPR). Since there are many data protection regimes around the world today, one could wonder why the GDPR should be important enough to determine the research path. The answer lies in its impact: the GDPR is deemed so important that it has been called the Magna Carta of data protection19, and its influence on legislation beyond the EU, and beyond Europe, is undeniable.
Among EU countries, Italy was chosen because it was one of the first badly hit countries in Europe and its app was developed as a hope and a powerful tool for bringing the country back to normality. The other country was the United Kingdom, because it is the isolated case of a once-EU country20, and this one-of-a-kind nature makes its post-Brexit data privacy approach very interesting to study. Of course, in both cases the attention had to be on the official national apps. This was important to identify because in Italy, for example, many regional Covid apps have surfaced since the beginning of the pandemic, but only one, named “Immuni”, is the official national app. In the UK there are regional apps as well, but the one developed by the National Health Service (NHS) serves as the official national app in England and Wales. The app is named “NHS Covid-19 app”.
19 Gal and Aviv, "The Competitive Effects of the GDPR”, p. 386.
20 Greenland as well left the EU in 1985, but since it is not a fully independent country, its analysis would be more complicated. Also, there is no Covid app implemented in the country and there have only been 34 cases of infection since the beginning of the pandemic.
1.3.1 The research
In order to better understand how these apps work, an empirical perspective was needed. That is why both apps were downloaded and put to use. In the Immuni app, one of the Italian regions listed was randomly selected as the place of residence (Lombardia), while in the NHS app a random postcode was entered (Liverpool). Entering a location is mandatory in both apps in order to use them. Then, in order to better understand their shortcomings and strong points, some of the apps’ features were used, such as reporting a positive Covid-19 test result, ordering a test and entering symptoms.
The next step was identifying the data protection authorities of each country and the documents they have published regarding these apps, then the privacy notices and terms of use of both apps. Later, issues of compatibility between the privacy notices of the apps and the GDPR21 were identified and interpreted separately for each app. After that, the issues identified when using the apps’ features were set against the GDPR and evaluated for each app separately.
The controllers of both apps were contacted through the email address provided on their websites, not only to ask about points of confusion but also to understand how long a user would have to wait for an answer to their data protection queries.
In the end, the results of researching both apps were compared in order to understand the strengths and weaknesses of each.
1.3.2 Terminology
In 2016, Microsoft bought LinkedIn for 26.2 billion dollars, claiming that the move was aimed at integrating LinkedIn with Microsoft’s enterprise software22 and thus creating a unique platform for professionals. Since the acquisition was finalised, Microsoft has, in the words of CNBC, “mostly left LinkedIn alone”23, and there has not really been a big integration of the two platforms24. Many voices in the tech world claim that the personal data generated by its 740 million users was the real reason why Microsoft agreed to pay such a big price, and that the claim of integrating the platforms was just a façade.
22 Microsoft, “Microsoft buys LinkedIn”.
23 CNBC, “Microsoft paid $26 billion for LinkedIn”.
24 As of June 2021.
People hear a lot about how these big companies profit from their personal data, but it is only when they hear news like this that they come to realise how vast this value really is. It is for this reason that our professional data, preference data or health data can be considered a “digital treasure”: because of the immense value it generates.
The term “economy giants” is used to depict two of the world’s largest economies. According to the World Bank25, in 2020 the United Kingdom had the fifth largest gross domestic product in the world (nominal GDP) and Italy the eighth, and both have been among the twenty biggest economies in the world for many decades26. Even England and Wales combined27 make up a GDP that would place them in the top ten world economies.
Being among the largest economies, these countries have, in theory, the capability of implementing the best contact tracing systems by hiring the best developers. Besides that, they are democratic societies that do not implement infection control measures which flagrantly invade basic human rights, which would take the discussion into the realm of criminal law. These countries also have large populations, which implies that a higher number of people will use their apps and thus there will be more feedback from users and more caution from governments. So, in a way, this research can also be regarded as an attempt to identify the problems of contact tracing apps implemented in almost ideal conditions.
The title implies that these economy giants are the ones on a quest to get and forget users’ personal data because the governments themselves are the controllers of their countries’ contact tracing apps.
2 Communication protocols in the EU
Communication protocols in contact tracing apps are a system of rules that designate how users’ phones exchange information with each other. Since the beginning of the pandemic, various communication protocols have been developed for contact tracing apps but some of them are more popular than others.
25 World Bank, “Gross domestic product 2020”.
26 Rahman and Alam, “Driving factors of world’s largest economies”, para. 3.2.
27 ONS, “Regional economic activity in UK”.
There has been a big debate in the media regarding the communication protocols of these apps, because the type of protocol used is a huge contributing factor in the user’s level of data protection28 29. In this regard, the apps are divided into two categories: centralised apps and decentralised apps. The main distinction between the two is where the data is stored and processed. It is important to underline, though, that data gathered from these apps in the EU, whatever the communication protocol used, has to be in the form of arbitrary identifiers30. Apps that use centralised communication protocols generate arbitrary identifiers for their users, and this data is then sent to a central server (usually that of the country’s public health authority), where it is collected and stored for a period that varies from app to app. The user’s risk of infection is calculated on the public authority’s server as well. In apps that use decentralised communication protocols, by contrast, the arbitrary identifiers are generated and stored on the user’s own device, and the risk of infection is calculated there as well31. In both cases, users suspected of being infected can choose to have their contact information disclosed to the public health authorities of their country in order to receive support, guidance and calls from those authorities32, but that is not a prerequisite for anything and it does not change the way the app functions.
The Immuni app and the NHS Covid-19 app both use a decentralised communication protocol, although the latter started out with a centralised one and, because of the criticism it received, soon changed to a decentralised one. In any case, it should be noted that the fact that an app has a decentralised communication protocol does not mean that no data is ever stored on the central server. As explained in the coming paragraphs, even Immuni and the NHS Covid-19 app store some information on the central server, albeit for a short period.
28 E-health network (2020), p. 14.
29 European Parliament, (2020), p. 2.
30 European Parliament, (2020), p. 2: “… it is worth mentioning that contact data mainly refers to the arbitrary, encrypted and ephemeral COVID-19 identifiers of phones that have been in proximity to an infected user, and the contact’s risk of infection data”.
31 E-health network, (2020), p. 14.
32 Ibid., p. 14-15.
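To make the difference between the two models concrete, here is a toy simulation, added as an illustration and not taken from Immuni, the NHS Covid-19 app or the Google/Apple framework. Its key derivation (an HMAC over a per-day random key), the number of intervals and the way the centralised server resolves identifiers are simplifying assumptions. It runs the same encounter through both designs and reports what each server ends up holding: the centralised server resolves the identifiers uploaded by the infected user and therefore learns who met whom, while the decentralised server only relays the diagnosed user’s key and the matching happens on each phone.

```python
"""Toy comparison of a centralised and a decentralised exposure-notification
protocol. Added illustration, not code from Immuni, the NHS Covid-19 app or
the Google/Apple API; the key derivation and server behaviour are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def new_day_key() -> bytes:
    """Random per-day key; it leaves the phone only if the user reports a positive test."""
    return secrets.token_bytes(16)


def rolling_id(day_key: bytes, interval: int) -> bytes:
    """Ephemeral identifier for one time interval (assumption: HMAC stands in for a KDF).
    In real deployments these rotate every few minutes; here an interval is just an index."""
    return hmac.new(day_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    day_key: bytes = field(default_factory=new_day_key)
    heard: set[bytes] = field(default_factory=set)   # identifiers received over Bluetooth

    def broadcast(self, interval: int) -> bytes:
        return rolling_id(self.day_key, interval)

    def hear(self, rid: bytes) -> None:
        self.heard.add(rid)


def proximity(a: Phone, b: Phone, intervals: range) -> None:
    """Two phones near each other exchange identifiers for the given intervals."""
    for i in intervals:
        a.hear(b.broadcast(i))
        b.hear(a.broadcast(i))


# --- centralised model: the server holds everyone's identifiers and does the matching ---
@dataclass
class CentralServer:
    owner_of: dict[bytes, str] = field(default_factory=dict)      # identifier -> user
    contact_graph: dict[str, set[str]] = field(default_factory=dict)

    def register(self, phone: Phone, intervals: range) -> None:
        # Assumption: identifiers are known server-side, so the server can resolve them.
        for i in intervals:
            self.owner_of[phone.broadcast(i)] = phone.name

    def report_positive(self, phone: Phone) -> set[str]:
        # The infected user uploads every identifier heard; the server resolves them
        # to users and computes the risk, learning the contact graph as a side effect.
        at_risk = {self.owner_of[r] for r in phone.heard if r in self.owner_of}
        self.contact_graph[phone.name] = at_risk
        return at_risk


# --- decentralised model: the server only relays the keys of diagnosed users ---
@dataclass
class KeyServer:
    diagnosis_keys: list[bytes] = field(default_factory=list)

    def upload(self, phone: Phone) -> None:
        self.diagnosis_keys.append(phone.day_key)    # no heard identifiers, no identity

    def download(self) -> list[bytes]:
        return list(self.diagnosis_keys)


def local_match(phone: Phone, keys: list[bytes], intervals: range) -> bool:
    """Risk is computed on the device by re-deriving identifiers from published keys."""
    return any(rolling_id(k, i) in phone.heard for k in keys for i in intervals)


def run_scenario() -> dict:
    """Constructed scenario: alice meets bob, carol meets nobody, alice tests positive."""
    intervals = range(0, 6)
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    proximity(alice, bob, intervals)

    central = CentralServer()
    for p in (alice, bob, carol):
        central.register(p, intervals)
    central_at_risk = central.report_positive(alice)

    keys = KeyServer()
    keys.upload(alice)
    published = keys.download()
    return {
        "central_at_risk": central_at_risk,
        "central_knows_graph": central.contact_graph,
        "central_identifier_count": len(central.owner_of),
        "decentral_bob_at_risk": local_match(bob, published, intervals),
        "decentral_carol_at_risk": local_match(carol, published, intervals),
        "decentral_server_holds": len(published),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Both designs flag Bob as at risk, but only the centralised server ends up with a table of every identifier and a contact graph linking Alice to Bob; the decentralised server holds a single key uploaded by the diagnosed user, which is the kind of short-lived central storage the paragraph above refers to.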
3 England and Wales
Covid-19 reached the United Kingdom in late January 202033, and by February the government was already considering contact tracing, even though the suggestion of doing it through an app had not yet surfaced. By March the first lockdown was implemented in the country, and in the following months even the voices who believed that contact tracing was not important and that public gatherings should not be limited had started to fade. At the beginning of May a contact tracing app for the UK was proposed for launch34, but it was postponed because of the issues and glitches the app faced. For this reason, by June the government agreed to use the Google/Apple Exposure Notification API instead of its self-developed technology35. Finally, the new NHS Covid-19 app was launched on 24 September 202036, but only for England and Wales. Since the app carries the NHS name one might expect it to be used across the whole UK; healthcare is, however, a devolved matter, and Scotland and Northern Ireland have their own apps, respectively Protect Scotland and StopCOVID NI37.
Currently in the UK there are two apps that can easily be confused with one another: the regular NHS app, a general healthcare app used throughout the UK, and the NHS Covid-19 app, used as a contact tracing app for Covid-19 in England and Wales38. What could be considered somewhat concerning is that they serve two different primary purposes, yet their names are easily confused, and to add to the confusion the regular NHS app can also be used to share the user’s Covid-19 status. The issue with a regular app that is also used for Covid-related purposes is that contact tracing apps are highly regulated, with different organisations and institutions issuing advice, regulation and laws to govern them, whereas a regular health app probably does not have a whole “army” of privacy-keen professionals monitoring it so carefully. This could, in theory, pave the way for the regular NHS app to neglect compliance with the data protection rules aimed at contact tracing.
The Information Commissioner’s Office (ICO)39 has issued few documents dealing with data protection issues of the app, especially when compared to Italy’s national data protection authority. For this reason, the analysis of the NHS Covid-19 app will rely more on EU regulation and opinion.
33 The Week, “UK Coronavirus timeline”.
34 The Week, “Why has UK abandoned its app?”
35 The Guardian, “Covid chaos”.
36 Welsh government, “NHS Covid app launches”.
37 NHS Covid-19, “How does the NHS Covid-19 app differ from other apps?”.
38 NHS Digital, “Differences between the NHS app and NHS Covid app”.
39 UK’s national data protection authority.
The app operates with a decentralised communication protocol and can be used to report symptoms, order a Covid test and “help NHS to trace individuals that are infected”40. The latter can generate debate because another paragraph states that “nobody will know who or where a particular user is”41 and that “The app helps the NHS track the virus, not individuals.”42. These sentences contradict “NHS tracing individuals that are infected”, so the only reasonable explanation is that it is an error in writing.
3.1 Legislation
The UK Data Protection Act (DPA) 2018 came into force on the same day in 2018 as the EU GDPR43. For more than two years the DPA served as the implementing mechanism of the GDPR in the country. But, as a result of Brexit, on the first day of 2021, after a transition period of eleven months, EU regulations lost their legal force inside UK territory. This does not mean that UK legislation is now completely dissociated from the EU, because no very substantial changes have been made to it since the beginning of 2021. But the change should still be kept in mind, because it is very easy to get confused and interpret the UK rules in the light of EU law.
The NHS Covid app was already in use before 2021 so there might have been a short time frame when the app had to be compliant with the EU GDPR. Anyhow, what is of interest is how it complies with the legislation now.
Since the NHS Covid-19 app no longer fulfils any of the requirements set out by the territorial scope of the GDPR44, the regulation does not apply to the app. But this does not mean that the NHS Covid-19 app differs much from other apps in the EU, also because, as the ICO acknowledged, “…the GDPR has been kept in the UK law as UK GDPR.”45.
As a result, the app has to comply mainly with two important laws, the DPA and the UK GDPR.
40 NHS, “Introducing the NHS Covid-19 app”, p. 2.
41 Ibid.
42 Ibid., p. 3.
43 ICO, “About the DPA 2018”.
44 GDPR, art. 3.
45 ICO, “Data Protection and the EU”.
3.2 Compliance with data protection principles
3.2.1 Lawfulness, fairness and transparency46
The principle of lawfulness, fairness and transparency, established in the UK GDPR, is probably the most inclusive principle of data protection, also because it is made up of three elements that all need to be fulfilled in order for the principle to be met.
3.2.1.1 Lawfulness
This is a key element because it sanctions the need for data processing to be lawful, and lawful processing theoretically means processing that complies with every article of the UK GDPR and beyond. In a more general approach, processing can be said to be lawful47 either where it is allowed by the data subject’s consent48 or where it rests on a legal permission49. The latter is the case with the NHS Covid-19 app: according to its Privacy Notice50, this is a task carried out in the public interest51, and five other lawful bases for processing are listed, even though one is already enough for the GDPR. It could be argued that there is a seventh: the consent given by the data subject. In fact, consent could even be the basic reason for the lawful processing done throughout the app. When opening the app, the user goes through three screens, each requiring the user’s approval to continue to the next step, so there is no doubt that the user has given their consent once they reach the final step.
The European Data Protection Board (EDPB) has presented a list of minimum requirements that qualify consent as informed52, and has stated that this minimum information should not be hidden inside complicated general terms and conditions of the app. For that reason, on the last consent screen the app gives compact information containing most of the minimum requirements for informed consent, except the safeguards and risks of international data transfers. The fact that two elements of the minimum information are missing probably makes it impossible for the user to give informed consent. Another reason why consent could be ruled out as a basis for processing would be if the app started collecting data before the user began using it (e.g., from the moment it is downloaded), but that would be very flagrant. What is more, the DPIA clearly states that “use of the app will start to populate the analytical data set”53.
46 UK GDPR, art. 5 (1) (a)
47 Voigt and Von Dem Bussche, The GDPR, p. 88.
48 UK GDPR, art. 6 (1) (a)
49 Ibid., art. 6 (1) (b) to (f)
50 NHS Covid-19, “Privacy Notice”.
51 UK GDPR art. 6 (1) (e).
52 EDPB, “Guidelines on consent”, para. 64.
3.2.1.2 Fairness
Fairness is a difficult element to grasp because it is very broad and can be interpreted in many ways54. In a very superficial definition, fairness can be thought of as not acting with intentional malice towards the data subject. The European Court of Human Rights (ECHR) has defined it as processing personal data in a way that complies with the data subject’s expectations55. The way fairness is often explained makes it seem a very subjective element. The ICO goes as far as stating: “…you need to stop and think if you can use this data.”56 or even “…consider the interests of the people concerned…”. This makes it seem like an element resting on personal judgement rather than law. That is why the EDPB’s explanation of fairness57 is so important: it is probably the first time that fairness, as an element of article 5 of the GDPR, has been explained so thoroughly58.
To determine whether fairness is fulfilled in an app like this, studying the Privacy Notice is not enough. It requires further technical analysis to determine whether the data was really processed as it was supposed to be, and surveys to understand whether data subjects feel their expectations were met. For this reason, it is an element that cannot be addressed hypothetically.
3.2.1.3 Transparency
Transparency means that information should be easily accessible and easy to understand, the latter to be achieved through clear and plain language59. Transparency should of course be interpreted case by case, but the GDPR makes it as inclusive as possible by stating that any further information that ensures fair and transparent processing should be made available. Interpreted literally, this element can be understood as asserting that no information regarding the way the app interacts with the user should be hidden from the data subject. A very good explanation is offered in Recital 58: “The information offered to the user should be easily accessible and easy to understand with clear and plain language.”.
53 DPIA, p. 291.
54 Bygrave, Data privacy law, p. 146-147.
55 Drechsler et al., GDPR Commentary, p. 313.
56 ICO, “Lawfulness, fairness and transparency”.
57 EDPB, “Data Protection by Design and by Default”, p. 18.
58 Kuner et al., GDPR Commentary update, p. 69.
59 GDPR, rec. 39.
Then another condition is added through article 12, which states that the information should be intelligible. According to the Article 29 Working Party, an intelligible information is one that can be easily understood by the average user60. An information that is easy to understand cannot be one in a language that the user does not speak. As a result, offering the service in more than one language is crucial. The NHS Covid app can run in twelve different lan- guages61 making it one of the most inclusive Covid apps. The app’s support website is also available in the same number of languages. What is noteworthy is that out of these twelve languages only two of them are official languages in the territories where the app is official:
English and Welsh. This means that the other ten languages are added to make it easier for foreign communities residing there to understand and use the app. But, referring to the statistics of the UK’s Office for National Statistics (ONS)62, these foreign languages only coincide to a certain degree with the foreign communities in England and Wales63. This means that residents who speak Portuguese, Hindi and Italian are not represented. For this reason, there have been some reports of discontent within communities that cannot use the app in their own language64.
As for the website, in some languages the information is more complete, together with infographics and YouTube videos, while for other languages the information is scarcer65. But the core information on functioning and data gathering is nonetheless present in all the languages.
According to the GDPR, transparency is not considered fulfilled unless the information aimed at the child is formulated in a language that is easily understandable by them66.
60 WP29, “Guidelines on transparency”, p. 7.
61 NHS, “NHS Covid-19”.
62 ONS, “Population of the UK”, tab.1.4.
63 According to ONS’s statistics from July 2019 to June 2020, the biggest numbers of non-British residents in England were those of Polish, Romanian, Indian, Italian and Irish nationalities, whereas in Wales the classification was Polish, Irish, Indian, Nigerian, Portuguese.
64 The Guardian, “NHS app does not work for French and Spanish”.
65 NHS Covid-19, “Information and resources.”
66 GDPR, rec.58.
Throughout the UK a child is considered someone who is younger than 18 years old67, even though the age of consent for processing personal data is 13 years old68. For this reason, the app’s privacy notice is available in three formats69: the long original version; one for young users from 16 to 18 years old; and an easy-read one70. The privacy notice for 16 to 18 year olds is included to fulfil the special provision of transparency for children. Of course, the transparency element would have been more complete if the privacy notice for children had been available in the ten other languages as well.
Besides the easy-read version of the Privacy Notice, the app also offers infographics and videos to better fulfil the transparency principle.
3.2.2 Data minimisation
The app has a feature which is said to check if the user’s symptoms mean that they might be infected71. If the user taps the “Report Symptoms” button, they are taken to a page where three choices are listed, each of them representing a set of symptoms. In the app’s introductory electronic brochure, it is stated that: “The app will then tell you if your symptoms could be caused by coronavirus…”72. But the truth is that even if the user chooses only one of the symptoms, no matter which, the app will still advise them to book a Covid test because they might be infected. This shows that the app does not need to know the actual symptoms a user has in order to achieve its purpose73, but according to the privacy notice, symptoms data is gathered for the app’s accreditation as a medical device74.
It is important to identify not only the purpose of the app as a whole but also of sections of the app, because the assessment of the necessity of processing the data will be carried out based on that purpose75. In this case the purpose of this section of the app is determining whether the user needs to test themselves or not. In reality, as long as the user replies that they have one of the symptoms (without mentioning which one) the app’s purpose is achieved76. It would have
67 ICO, “Children and the UK GDPR”.
68 ICO, “Children”.
69 NHS Covid-19, “Privacy Notice”.
70 The two simplified formats are available only in English and Welsh.
71 NHS “Introducing the NHS Covid-19 app”, p. 2, p. 7.
72 Ibid.
73 The purpose in this case is advising the user to take a test.
74 NHS Covid-19, “Privacy Notice”, p. 17.
75 European Commission, “Apps supporting the fight against the pandemic”, p. 7.
76 UK GDPR, art. 5 (c).
been more privacy-friendly if the question had been formulated with only one option to choose, inside of which all symptoms were mentioned. That way, if the user chose that only option, it would mean that they have one of the symptoms without revealing which one.
The above-mentioned sentence in the electronic brochure is misleading by claiming that the app will tell the user if the symptoms they choose qualify them for a test or not, when in fact whichever symptom they choose qualifies them for a test. That is why, in order to meet the principle of data minimisation and that of privacy by design, the processor should change the architecture of this section of the app, especially since the NHS itself has stated in its Data Protection Impact Assessment (DPIA) that the minimal possible data will be collected from the user77.
The principle of data minimisation is an ever-changing one, especially since it is dependent on technology, which evolves rapidly nowadays. This means that in the coming months the minimum data the app might need to fulfil its purpose might be a lot less, because technology might be a lot better. In this case it also depends on the future progression of the pandemic. If the pandemic starts fading, less and less data will be required until it reaches a point where no more Covid-related data will be needed. A general viewpoint on this was given by the CJEU in GC and Others78 when it stated that the fact that a data processing is lawful in a given moment does not mean that it will continue to be so in the future. For the NHS Covid-19 app this means that the amount of data they are allowed to collect might change from time to time, and for that reason a periodical assessment should probably be made.
On the other hand, the ICO has also issued an opinion regarding data minimisation for the functioning of the Google and Apple API, stating that the contact tracing framework is aligned with the principle79. Anyhow, it should be noted that this opinion refers only to the exposure notification interface and not the whole app. Also, the opinion was presented five months before the app was actually released for use, which means that it only evaluated the API.
77 DPIA, p. 30.
78 Kuner, et. al., GDPR Commentary update, p. 68.
79 ICO, “Apple and Google joint initiative”, p. 14.
3.2.3 Storage limitation80
The app calculates the risk factor of someone being infected through a scoring mechanism by taking into consideration the time and distance between two phones81. The formula or scoring mechanism used is not explained in the Privacy Notice but on the NHS website82, even though the factor which gets multiplied with the total score in order to determine the degree of possible infection is not revealed. The wording of the Privacy Notice implies that, regardless of whether the scoring determines that the user has a risk of being infected or not, the app sends the measurements it collects to the backend server of the Department of Health and Social Care83. The data sent includes the distance, duration, and risk score of the interaction over a timeframe of 30 minutes84. It could be argued that to respect the principle of data minimisation, distance and duration do not need to be sent to the backend server, but only the risk score calculated through these two measurements, because for the app to fulfil its purpose, it only needs the risk score. But according to the DPIA this data is used in the central system for:
“…assurance of the app, technical checks and the public health functions.”85. It would have been better if the NHS had explained what exactly they mean by these terms, so the users could have been better informed on why distance and duration measurements are sent to the backend server. The ICO itself has stated that only data which is “strictly necessary” should be collected in the backend server86. For this reason, it is the NHS’s responsibility to argue why this data is strictly necessary.
When it comes to the 30-minute time frame of collecting proximity data, the EU’s advice is for the timelines of contact tracing apps to be based on medical or administrative relevance87. In the NHS app’s case, the reasoning behind this 30-minute timeframe is not mentioned in the privacy notice, but on the NHS’s webpage that explains the app’s algorithm: a high-risk encounter (for which a user is notified) is considered one where the user has been within 2 meters of a positive user for at least 15 minutes. This means that, timewise, 15 minutes is the threshold and anything above that is still considered high risk. So, if any amount of time over 15
80 UK GDPR art. 5 (e).
81 Ibid., p. 8.
82 NHS Covid-19, “Risk-scoring algorithm”.
83 NHS Covid-19, “Privacy Notice”, p. 8.
84 Ibid., p. 9.
85 DPIA, p. 268.
86 ICO. “Data protection expectations on app development”, p. 9.
87 European Commission, “Apps supporting the fight against the pandemic”, p. 8.
minutes is enough to fulfil the purpose of this feature of the app, why does the app collect data on a time frame of 30 minutes? The NHS justifies this timeframe with a list of reasons88 that come down to a main theme of identifying if the app is doing its job as it should, and at the same time acknowledges that it collects samples of exposure windows that they know fall below the high-risk threshold. This means that it is obvious that this information is not collected for the main purpose of the app: notifying possibly infected people.
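The data-minimisation argument made in the preceding paragraphs can be made concrete in a few lines of code. The following Python illustration is added here and is not code from the NHS Covid-19 app or its DPIA. It uses only the figures quoted in the text (30-minute exposure windows, 2 metres, 15 minutes for a high-risk encounter); the multiplier applied to the score is not published, so SCORE_WEIGHT is a constructed placeholder, and the proximity samples are constructed as well. It shows that the notification decision comes out the same whether the full per-window record (distance, duration, score) or only the score is uploaded, and it counts the windows that are uploaded although they can never trigger a notification.

```python
"""Exposure windows and the two upload shapes discussed in the text.

Added illustration; not the NHS Covid-19 app's code. Thresholds are the ones
quoted on the page; SCORE_WEIGHT and the sample encounter are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

WINDOW_MINUTES = 30          # the app reports one record per 30-minute window
CLOSE_CONTACT_METRES = 2.0   # distance threshold quoted on the NHS site
HIGH_RISK_MINUTES = 15       # time threshold quoted on the NHS site
SCORE_WEIGHT = 1.0           # placeholder: the real multiplier is not disclosed


@dataclass(frozen=True)
class Sample:
    minute: int     # minutes since the encounter began (constructed clock)
    metres: float   # Bluetooth-derived distance estimate (constructed)


def exposure_windows(samples: list[Sample]) -> list[list[Sample]]:
    """Group one-minute samples into consecutive 30-minute exposure windows."""
    windows: dict[int, list[Sample]] = {}
    for s in samples:
        windows.setdefault(s.minute // WINDOW_MINUTES, []).append(s)
    return [windows[k] for k in sorted(windows)]


def window_summary(window: list[Sample]) -> dict:
    """Everything the Privacy Notice says is sent per window: duration, distance, score."""
    close_minutes = sum(1 for s in window if s.metres <= CLOSE_CONTACT_METRES)
    return {
        "duration_min": close_minutes,
        "distance_m": min(s.metres for s in window),
        "risk_score": close_minutes * SCORE_WEIGHT,
    }


def is_high_risk(risk_score: float) -> bool:
    """The only decision the notification feature has to take."""
    return risk_score >= HIGH_RISK_MINUTES * SCORE_WEIGHT


def full_upload(samples: list[Sample]) -> list[dict]:
    """Payload shape described in the Privacy Notice."""
    return [window_summary(w) for w in exposure_windows(samples)]


def minimised_upload(samples: list[Sample]) -> list[dict]:
    """Payload shape the data-minimisation argument calls for: the score only."""
    return [{"risk_score": window_summary(w)["risk_score"]}
            for w in exposure_windows(samples)]


def notifications_agree(samples: list[Sample]) -> bool:
    """Both payload shapes yield the same notification outcome for every window."""
    full = [is_high_risk(r["risk_score"]) for r in full_upload(samples)]
    minimal = [is_high_risk(r["risk_score"]) for r in minimised_upload(samples)]
    return full == minimal


def below_threshold_windows(samples: list[Sample]) -> int:
    """Windows that are uploaded although they could never trigger a notification."""
    return sum(1 for r in full_upload(samples) if not is_high_risk(r["risk_score"]))


# Constructed 45-minute encounter: 20 close minutes, a gap, then 10 close minutes.
SAMPLE_ENCOUNTER = (
    [Sample(m, 1.5) for m in range(0, 20)]
    + [Sample(m, 3.0) for m in range(20, 30)]
    + [Sample(m, 1.0) for m in range(30, 40)]
    + [Sample(m, 4.0) for m in range(40, 45)]
)

if __name__ == "__main__":
    print("full upload:     ", full_upload(SAMPLE_ENCOUNTER))
    print("minimised upload:", minimised_upload(SAMPLE_ENCOUNTER))
    print("below-threshold windows uploaded:", below_threshold_windows(SAMPLE_ENCOUNTER))
```

Run as a script, the first window (20 close minutes) is high risk and the second (10 close minutes) is not; the second is still part of the upload in both shapes, which is the point the text makes about sub-threshold exposure windows being collected.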
The test codes that link the user’s test result to the app are kept in the backend server of the app for 24 to 48 hours after the test result has been received by the user89. According to the privacy notice this timeframe is long enough “to send your app your test result”90. What’s more, the test code and the test result are not stored as anonymized data91. In this case the principle of storage limitation seems not to have been implemented very well in this feature of the app, because there appears to be no reason for which this data would need to be kept for up to 48 hours after the user has received the result, since the purpose of collecting this data (informing the user about their test result) is already achieved. This storage period could have been assigned for technical reasons (e.g. the system can only delete data once every 48 hours) but nonetheless, the reasoning behind it should have been mentioned.
Another issue that needs to be addressed is the fact that the venue check-in, together with the time of visit, gets stored for 21 days92 in the app. According to the privacy notice: “The choice of 21 days takes into account the 14-day incubation period, and the infectious period of the virus.”93. Since the European Commission recommends that the duration of data storage should be based on medical evidence, the NHS should have provided a reference to the timeframes proposed for the retention of venue data, ideally an epidemiology study. Anyhow, the way this information is used does not seem to be so problematic, because the matching of the high-risk venue with the user’s check-in is done on the user’s phone and the information does not get sent to the backend server.
88 NHS Covid-19, “Privacy Notice” p. 8-9.
89 NHS Covid-19 app. “Privacy Notice” p. 10.
90 Ibid., p. 10.
91 Ibid., p. 18.
92 Ibid., p. 10.
93 Ibid., p. 19.
3.3 Other matters
3.3.1 Age requirements
The app cannot be used by anyone younger than 16 years old. But this is true only in theory.
To prove this, the app was downloaded from the Google Play of an adult user. When opening the app for the first time, it required confirmation that the user was at least 16 years old by clicking on the option: “I am 16 or over”. But, if the user’s birth year in their Google Account is changed to represent a minor and the user goes back to the app (even after restarting the system), the user can still confirm that they are over 16 years old and use the app normally, even if their Google Account says otherwise. This issue represents a legal/ethical dilemma: does protecting the processing of special categories of personal data of children justify drawing data94 from users’ Google or Apple accounts? It is understandable that by retrieving this information, the app would cross a very dangerous line, especially since it can be argued that it would not be proportionate to the aim of controlling the mass infection in the country95. But an example of crossing this line for a greater good is the enforcement of the Italian Supervisory Authority towards a social media app to stop processing the personal data of users within Italy whose age could not be verified96. According to them the legal basis97 for this was the obligation of public authorities to always take actions taking into consideration the child’s best interest (Article 24 of the Charter of Fundamental Rights of the European Union) and Recital 38 of the GDPR, which lays out that children merit specific protection with regard to their personal data. A similar provision, denoting the best interest of the child as a primary consideration, can be found in the United Nations Convention on the Rights of the Child98, to which the UK is a party. A debate of this sort is resurfacing again after Apple announced that it plans to scan its users’ iCloud photos through artificial intelligence on a quest to spot and report child abuse images99.
Something to be noted, is the age limit the app has for children. If the child is 16 or older, it is fully legal for them to give their consent since the UK GDPR allows for any child over 13 to
94 In this case their birth year.
95 Art. 9 (2) (g) of the UK GDPR sets out the basis on which this app functions.
96 Kuner, et. al., GDPR Commentary update, p. 78.
97 Garante, “Provvedimento del 22 gennaio 2021”, p. 2.
98 Art. 3 (1).
99 BBC, “Apple to scan iPhones for child abuse”.
give their consent to the processing of their personal data100. The fact that the app considered the age of consent to be 16 could be because up to some months ago the UK was adhering to the GDPR, and the GDPR’s age of consent is 16. This is another example of how in these kinds of apps the requirements change so often that the apps’ architecture should be adapted accordingly.
3.3.2 Interoperability partners
Even though the NHS Covid-19 app is the official app only of England and Wales, the app will still send an alert to the user if they come in contact with a user that has tested positive101 while being in Scotland, Northern Ireland, Jersey or Gibraltar. The fact that the whole functioning of the app is very location-dependent means that it gathers information about the user’s location from somewhere.
As stated before, the NHS Covid app is the official contact tracing app of England and Wales, which means that it does not work outside these countries, except partially in Scotland, Northern Ireland, Jersey and Gibraltar102. The way it works legally in Scotland and Northern Ireland is not of much concern, since both of them are also countries of the UK and besides minor local differences, they are all ruled under the same union laws. But Gibraltar and Jersey present a jurisdictional challenge. Following the logic of the GDPR that considers “third countries” all countries that are not part of the EU or EEA, it could only be logical to say that for the UK GDPR “third countries” are all the countries that are not part of the UK. Gibraltar and Jersey are not part of the Union but rather a British Overseas Territory and this makes them “third countries”. Of course, it is not so easy to determine firmly the status of Gibraltar, since it has been an issue that has always generated debate, but in relation to the UK GDPR it is difficult to see it otherwise.
This interoperability agreement aims to notify users who have come in contact with an infected user about their probability of being infected as well. This happens by sharing the anonymized key of the app user that has tested positive103. Before sharing their key, the positive user is asked for permission. According to the app’s privacy notice, matching the keys of users that have been in close contact with a positive user happens on every user’s phone and not in the app’s main server. The server only serves for sending and receiving the key. This is in
100 UK GDPR, art. 8 (1) revised.
101 NHS Covid-19, “Can I use the NHS COVID-19 app in other parts of the UK?”.
102 NHS Covid-19, “Privacy Notice”, p. 12
103 Ibid.
line with the ICO’s reference point document104, which states that apps and servers should not authenticate with each other at the backend infrastructures; this applies not only to the servers of the NHS Covid app, but also to the servers of the interoperability partners. Unfortunately, the text of the interoperability agreement is not to be found online.
The NHS as the controller needs to notify the app users when they intend to transfer the user’s personal data to a third country105. The issue is that after a user tests positive, the app asks them for permission to share their diagnosis key with other users106. If the permission is given, then the app will notify not only users of the NHS Covid app but also users of the other interoperability agreement apps. So, while it is written in the privacy notice that app users of other countries will be notified, the user is not explicitly asked if they want to share this information with them. The only way the NHS could claim that this does not go against data protection principles is either by claiming that the diagnosis key is not considered personal data, or by considering its user to have been notified once in the Privacy Notice.
This last argument could be backed up by Art. 13 (4) of the UK GDPR, by claiming that the user already has this information from the Privacy Notice. But according to the Article 29 Data Protection Working Party107, the information is not considered to be provided to the user if it is, for example, among the terms and conditions of an app108, as is the case with this information.
4 Italy109
Italy’s official exposure notification app, Immuni, is a project of the Italian Ministry of Innovation and Ministry of Health110. It is the only one that is available all over Italy and not only in certain regions like other apps in the country. Also, it is the one Italians trust more111. But this does not mean that its implementation was smooth. The app was criticised by many politicians of the opposition, who made some bold claims that the app was tracking Italian citizens and collecting sensitive data on them. Some even labelled the app “the trojan horse from Beijing” and some others declared publicly that they would never download it. Amid all this debate, on 15 June 2020 the app became available all over Italy, just as the spring lockdown had started to ease. The then prime minister, Conte, declared that the app was very safe and deemed its download a moral obligation of the Italian people112.
110 AGI, “La parabola di Immuni”.
111 Nortes, Battaglia and Borowiec, “Generation App”, p. 23.
The app comes with the promise of living a normal life once again113. A very alluring promise, especially when that is what everybody’s dreams have been reduced to at this moment: “Going back to how things were before the pandemic.”
4.1 How the app works114
After a user installs it, the app assigns a random code to their device (Temporary Exposure Key - TEK). From every TEK, every 10 minutes, a Rolling Proximity Identifier (RPI) is generated. From every TEK up to 144 RPIs can be generated. It is impossible to know from which TEK these RPIs come, which is why it is deemed to be a very good way of preserving the privacy of the app’s users. These RPIs get broadcast and when devices come into contact with each other, they exchange RPIs and save them in the device’s memory, together with other information like the date, the duration and the distance of the contact. So every user’s device stores a list of their own TEKs and also a list of the RPIs they came into contact with.
The TEKs and RPIs are automatically deleted fourteen days after they are memorized.
The app has two options for reporting a positive result: reporting the positivity directly by entering the data in the app, or by calling a healthcare operator.
If the user decides to call the healthcare operator, they give them the TEKs generated by their phone in order to notify users who have been in contact with them. If the user agrees, then the healthcare professional asks them to open the app and use the feature of generating a One Time Password (OTP), made up of 10 characters. The user reads the OTP to the professional, who then uploads their TEKs into the system. The healthcare professional, through a special feature made available in the TS system, enters the OTP code and the date when the symptoms began, and then this info gets transmitted to the backend server of the app. In the backend server, the OTP is verified and only the TEKs generated in those days when the patient is considered contagious are taken into consideration.
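The TEK/RPI schedule and the reporting flow described in section 4.1 can be run end to end in miniature. The following Python example is added here; it is not Immuni’s code and not the Apple/Google exposure notification library. It follows what the text states (one random TEK per day, one RPI per 10-minute interval, 144 RPIs per TEK, deletion after 14 days, matching of uploaded keys on the device). The byte layout of the derivation (an HKDF-derived key, the “EN-RPI” padding and the interval number) mirrors the publicly documented Apple/Google specification as the author of this example recalls it and is an assumption; AES-128 is replaced by HMAC-SHA256 so that the file needs only the standard library, and the interval number is counted per day instead of since the epoch. The number of days before symptom onset that count as contagious is not given on the page, so CONTAGIOUS_DAYS_BEFORE_ONSET is a constructed placeholder. All devices, days and contacts are constructed.

```python
"""Exposure-notification key schedule in miniature (added illustration).

Not Immuni's code. Derivation layout follows the public GAEN specification as
recalled here (assumption); HMAC-SHA256 stands in for AES-128; the contagious
window and every device, day and contact below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

INTERVALS_PER_DAY = 144           # 24 h / 10 min: the "up to 144 RPIs" in the text
RETENTION_DAYS = 14               # TEKs and overheard RPIs are dropped after this
CONTAGIOUS_DAYS_BEFORE_ONSET = 2  # placeholder: the page does not give the window


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 16) -> bytes:
    """RFC 5869 HKDF with an all-zero salt; one expand block suffices for 16 bytes."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]


def rolling_proximity_identifier(tek: bytes, interval: int) -> bytes:
    """RPI broadcast during one 10-minute interval of the day.

    GAEN derives RPIK = HKDF(TEK, "EN-RPIK") and AES-128-encrypts
    "EN-RPI" || 6 zero bytes || interval (little-endian uint32) under it.
    A keyed HMAC replaces AES here; what matters for the privacy argument in
    the text (RPIs look random and cannot be linked to each other or to the
    TEK without the TEK) holds for any pseudo-random function keyed by RPIK.
    """
    rpik = hkdf_sha256(tek, b"EN-RPIK")
    padded = b"EN-RPI" + bytes(6) + interval.to_bytes(4, "little")
    return hmac.new(rpik, padded, hashlib.sha256).digest()[:16]


def rpis_for_tek(tek: bytes) -> list[bytes]:
    """All 144 identifiers a TEK yields; a receiver recomputes these when matching."""
    return [rolling_proximity_identifier(tek, i) for i in range(INTERVALS_PER_DAY)]


class Device:
    """One handset: its own daily TEKs plus the RPIs it has overheard."""

    def __init__(self) -> None:
        self.teks: dict[int, bytes] = {}   # day number -> 16-byte random TEK
        self.seen: list[dict] = []          # overheard RPIs with contact metadata

    def advertise(self, day: int, interval: int) -> bytes:
        """Create the day's TEK on first use and return the RPI for this interval."""
        tek = self.teks.setdefault(day, secrets.token_bytes(16))
        return rolling_proximity_identifier(tek, interval)

    def record_contact(self, day: int, rpi: bytes, minutes: int, metres: float) -> None:
        """Store an overheard RPI with date, duration and distance, as the text describes."""
        self.seen.append({"day": day, "rpi": rpi, "minutes": minutes, "metres": metres})

    def purge(self, today: int) -> None:
        """Storage limitation: forget TEKs and contacts fourteen days after they were stored."""
        cutoff = today - RETENTION_DAYS
        self.teks = {d: k for d, k in self.teks.items() if d > cutoff}
        self.seen = [c for c in self.seen if c["day"] > cutoff]

    def diagnosis_keys(self, symptom_onset_day: int) -> dict[int, bytes]:
        """TEKs a positive user uploads after the OTP step: contagious days only."""
        first = symptom_onset_day - CONTAGIOUS_DAYS_BEFORE_ONSET
        return {d: k for d, k in self.teks.items() if d >= first}

    def match(self, published: dict[int, bytes]) -> list[dict]:
        """On-device matching of downloaded positive TEKs against stored RPIs."""
        hits: list[dict] = []
        for day, tek in published.items():
            candidates = set(rpis_for_tek(tek))
            hits.extend(c for c in self.seen if c["day"] == day and c["rpi"] in candidates)
        return hits


def demo() -> dict:
    """Constructed scenario: Alice meets Bob on day 5, then reports positive."""
    alice, bob = Device(), Device()
    alice.advertise(day=2, interval=10)                  # a TEK from before she was contagious
    bob.record_contact(day=5, rpi=alice.advertise(day=5, interval=40), minutes=20, metres=1.5)
    bob.record_contact(day=5, rpi=secrets.token_bytes(16), minutes=3, metres=4.0)  # a stranger
    uploaded = alice.diagnosis_keys(symptom_onset_day=5)  # day 2 is outside the window
    hits = bob.match(uploaded)                             # Bob matches locally, not on a server
    bob.purge(today=19)                                    # day-5 contacts expire on day 19
    return {"uploaded_days": sorted(uploaded), "matches": len(hits),
            "matched_minutes": [h["minutes"] for h in hits],
            "contacts_after_purge": len(bob.seen)}


if __name__ == "__main__":
    print(demo())
```

Two things the text asserts are visible when the scenario runs: Alice’s day-2 TEK never leaves her phone because it falls outside the contagious window, and Bob finds the contact by recomputing Alice’s 144 RPIs from the published TEK on his own device, while the stranger’s RPI, for which no TEK was ever published, stays unlinked.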
112 AGI, “La parabola di Immuni”.
113 Immuni homepage.
114 Garante, “Provvedimento di autorizzazione dell’app Immuni”, p. 4.
4.2 Data gathered from the app115
Every time a user that has tested positive for the infection agrees to upload their TEKs to the backend system, by communicating to the healthcare operator the date when their symptoms began, the app automatically transmits other information as well. This means that the app gathers three types of data: the TEKs of the users that have tested positive, epidemiological info and operational info. The epidemiological info is stored automatically at the backend server from the moment a user agrees to share their TEK with the app and, besides the province of residence, it collects some other data of the last 14 days like: the number of users that have been deemed to be at risk; the number of days since the last risky contact; duration of contact; who has the highest risk index among the close contacts; the date when the risky contact happened; Bluetooth intensity during risky contact; duration of risky contact; duration of risky contact; infection risk associated with the TEK in relation to the risky contact; index of risk in relation to the risky contact.
Beside the above-mentioned epidemiological info, the app also transmits operational info analytics automatically to the backend server. These analytics can be operational info without exposure (if there has been no close contact with a positive user) or operational info with exposure (if there has been a close contact with a positive user). This means that some operational info is sent to the backend server regardless of whether the user has been at risk of infection or not. But, according to the Italian data protection authority, the number of analytics that a single device can transmit to the backend server every month is limited.
4.3 Compliance with data privacy principles
4.3.1 Lawfulness, fairness and transparency
The element of transparency means that the information about the processing of data should be accessible and easy to understand, in plain and clear language116. The main information about the function of the app is held in its privacy notice and its terms of use.
The app has two versions of its privacy notice: a short one packed with infographic (that is available when opening the app) and the original one, which is more specific. But the latter is
115 Ibid., p. 4–5.
116 GDPR, rec. 39.
not so easy to find. On the website of the app there is a privacy notice in Italian117, but the original privacy notice (which is longer and more inclusive) can only be found by clicking on the button “Show full notice” in the app. In both of these versions the logic behind data gathering is explained, understandably better in the long version. Anyhow, at the expense of a clear and understandable description of the app’s functioning, a more technical description of the way the app works can only be found by reading through the documents of the Italian Data Protection Authority.
When it comes to the short version of the privacy notice, it is presented in clear language and is very well structured. But users who want to know more can only do so after downloading and putting the app to use, because it is impossible to find the original version of the privacy notice on the Immuni website. This means that the user cannot be informed beforehand of all the privacy implications the app has, but only after installing it.
The website of the app is theoretically offered in Italian, English, German, French and Spanish, but in reality, when selecting German, French or Spanish, only the titles on the homepage change; the privacy notice and terms of use are not available in these languages. Most of the information is available in Italian and English, with the original privacy notice only being available in English and not in Italian. This of course defies the purpose of the transparency element of the GDPR, because “the average user” (as laid out by the Article 29 Working Party) speaks Italian, and English is not a second official language in Italy. For this reason, the average Italian user cannot possibly understand all the privacy implications of the app. A language-related issue has been found when using the app as well. Many reviews claim that it is impossible to change the app language from English.
Information about the app in the above-mentioned languages can be found only on the frequently asked questions page of the website118, which does not have all the information that can be found in the privacy notice.
When it comes to transparency, the data protection authority underlines that the app needs to be accessible to people living with disabilities119. The app can also be used with VoiceOver or Screen Reader, depending on the device of the user, both of which are text-to-speech tools.
117 Immuni, “Informativa privacy”.
118 Immuni, “Do you have any question?”.
119 Garante, “Provvedimento di autorizzazione dell’app Immuni”, p. 11.
The terms of service are only available in Italian. This is especially problematic when the app is used by children from 14 to 18 years old, because according to the GDPR, any information aimed at them should be in a language that is fully understood by a child120. Since the app is also available for download to people who do not live in Italy but plan to visit Italy soon, the terms of use should have been available at least in English for their non-Italian users (especially children). So, what undermines the principle of transparency in the terms of use is the fact that it is almost taken for granted that the user accepts updates, and the fact that they are only available in Italian.
4.3.2 Purpose limitation
The language of the app is determined by the language set on the user’s device, and if that language is not supported by the app, then it starts working in English121. Even though this feature is good for practicality in using the app, the way the app collects this information from the device is not mentioned in the app’s documents. In the description of the analytics tokens gathered from the app, there is no mention of the language of the app122. The language a user uses to run their device can reveal information about their racial or ethnic origin123, and this makes this information a special category of data, which is prohibited from being processed unless it fulfils one of the legal conditions set out for processing it124. For this reason, the developers of the app need to either justify the gathering of this information or stop its collection.
4.3.3 Storage limitation
The app’s privacy notice specifies the data retention time for all categories of data the app processes, and most of it has an upper limit of retention up until 31 December 2021125. Usually, it is stated that data retention will be held “until the need for health protection and prevention but no later than 31 December 2021.”. It should be noted that this is one of the longest retention times of the apps around the world126. It is interesting how the app specifies a date and not a number of days. The latter would have made more sense, since the data needs to be
120 GDPR, rec. 58.
121 Ibid.
122 Garante, “Provvedimento di autorizzazione dell’app Immuni”, p. 4.
123 GDPR, art. 9 (1).
124 Ibid., (2).
125 Immuni, “Privacy Notice”, para. 4: “…no later than 31 december 2021”.
126 Elkhodr et. al., “User Opinions of COVID-19 Mobile Apps”, Multimedia Appendix 1, tab. 3: According to the table only Georgia has a longer retention time of 3 years.