What are contact tracing apps?
Contact tracing apps are applications which keep track of an individual smartphone user's real-life interactions with, or proximity to, other smartphone users (the individual's contacts). Their primary aim is to ensure that - if the individual is suspected or confirmed as having COVID-19 - contacts will be able to be comprehensively and quickly notified of the need to self-isolate and get tested.
Many jurisdictions globally have implemented or are exploring the possibilities of contact tracing apps, in a bid to help their economies return to normality after weeks or months of strict restrictions. These apps are perceived as offering a safer way out of lockdown, by providing the authorities with a means of quickly tackling new case clusters, interrupting the chain of infection, and mitigating the public health risks posed by individuals resuming their normal activities.
What are the key legal issues with contact tracing apps?
Aside from the technical challenges of developing effective contact tracing apps and uncertainty around the level of user adoption required for them to be successful, these apps give rise to a number of legal concerns. The biggest concerns are around privacy and government encroachment on our liberties. Critics argue that these apps are invasive, non-transparent and inappropriately allow governments to collect and process vast quantities of private information. Skeptics also doubt the ability of government to keep collected data secure in a world plagued by high-profile public sector data breaches. Other concerns relate to the potential for coercion and discrimination based on whether a person does or does not use a contact tracing app. Data protection authorities in some jurisdictions have started to develop and issue guidance on contact tracing apps in response to some of these concerns. Use of contact tracing apps on employee devices can also give rise to employment law issues.
How are different jurisdictions approaching contact tracing apps?
Jurisdictions are approaching contact tracing apps in their own way, and are at different stages on the journey to implementation. In the European Union, there was an initial impetus to align on contact tracing. However, a schism soon developed between supporters of a centralized Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) initiative, and proponents of a Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol. These and other differences of opinion globally have resulted in divergence.
Some notable trends and differences in contact tracing app methodology are:
- Public sector-driven initiatives: in many jurisdictions, public sector agencies have developed their own apps, sometimes in partnership with or with input from the private sector. An early mover on this front was Singapore, whose government developed and released its TraceTogether app, discussed in our client alert here. This app became the basis for Australia's Digital Transformation Agency to develop its COVIDSafe app. The UK's NHSX has also developed a home-grown contact tracing app. In contrast, only a few US states have pioneered their own contact tracing initiatives, in the absence of a national government offering. However, it is possible that, in some jurisdictions, solutions developed by private sector tech companies or industry and academic groups will fill the gap or supersede any existing public sector efforts.
- Centralized and decentralized solutions: there is a split between jurisdictions who are adopting a centralized approach to collection and storage of contact tracing data, and those who are following a decentralized approach. A centralized approach involves contact data being reported to a central server controlled by a national authority, with authorities then able to use the data to link and communicate with contacts who could be at risk of infection. Under the decentralized approach, data is stored locally on devices. Users are then required to upload a token which has no intrinsic information, but can be used by users' devices to derive and then match contact identifiers. Therefore, under the decentralized model, contact data remains on user devices rather than being shared with authorities or other third parties. Jurisdictions which started with, or are currently looking at, models with some element of centralization include France, Poland, Singapore, Australia and the UK. Austria, the Czech Republic and Italy are examples of contrasting decentralized models. As already mentioned, debate has been raging about whether a centralized / PEPP-PT or a decentralized / DP3-PT model is preferable. A cross-jurisdictional group of 300+ academics recently issued an open letter strongly advocating a decentralized model. Shortly afterwards, it was reported that Germany would move to a decentralized model. Privacy concerns and functionality issues with centralized solutions, and moves by key tech industry players towards a decentralized framework for contact tracing apps, may mean that more jurisdictions adopt the decentralized approach going forwards.
- Underpinning technology and collected data: the vast majority of the contact tracing apps in existence or development use Bluetooth handshakes to exchange contact data between users' phones. However, some apps use also supplementary or alternative technologies to improve the accuracy of data. For example, Austria's STOPP CORONA uses Bluetooth, Wi-Fi and ultrasound; Iceland's Rakning C-19 and Israel's HaMagen apps use location data. Due to these differing approaches, collected data also varies between apps. For example, in Australia, COVIDSafe users' registration data (names, age ranges and telephone numbers) are collected centrally, with contact data collected locally unless uploaded later. No location data is collected. In contrast, users of Israel's HaMagen app would have their location data and history of wireless network collected on their phone.
- Compulsory or voluntary adoption: driven by data privacy considerations, most jurisdictions have so far adopted a voluntary approach to contact tracing, meaning that it is up to individuals whether they decide to install and use these apps. However, a few outliers are mandating adoption for certain users. For example, China's QR health code system is reported to be mandatory, linked with individual's identification and a pre-condition for access to certain premises and services (e.g., public transport). Poland is requiring everyone under mandatory quarantine (barring a few exceptions) to use its Kwarantanna Domowa (home quarantine) app, but Poland's ProteGO app remains optional for anyone. At the far end of the spectrum, India's Ministry of Home Affairs has ordered that use of its Aarogya Setu app is mandatory for all public and private sector employees, and that employers are responsible for ensuring 100% coverage of their employees. This has generated significant debate about whether this level of intervention is appropriate, and criticism from civil rights advocates. The compulsory adoption approach contrasts strongly with Australia's stance, where the government has been at pains to emphasize that its COVIDSafe app is purely voluntary, and even introduced criminal penalties for those who coerce others to implement the app or discriminate against those who do not use the app. Singapore has also retained a voluntary approach, but asks employers to encourage adoption amongst their workforce.
We won't know the efficacy of these apps until weeks or months after they are rolled out. But looking at the different approaches taken across the globe, it is clear that there is no easy answer on how best to implement contact tracing.