Elizabeth Denham, the UK Information Commissioner, has released an opinion in response to the joint effort announced by Apple Inc. (“Apple”) and Google LLC (“Google”) to enable the use of Bluetooth technology to help governments and health agencies reduce the spread of COVID-19 by building contact-tracing technology into iOS and Android smartphones. In the opinion, the Information Commissioner concludes that the "Contact Tracing Framework" (“CTF”) being developed supports data protection principles. The approach taken by the Information Commissioner in her opinion highlights the pragmatic leadership demonstrated by the Information Commissioner’s Office (“ICO”) in enabling organizations to process personal data for the purposes of combatting COVID-19. In the Information Commissioner’s blog from April 17, 2020, Elizabeth Denham references how the ICO will continue to offer help and guidance to projects looking to find innovative ways to help society, in particular, those that assist in combating the COVID-19 pandemic.
Section 115(3) of the Data Protection Act 2018 allows the Information Commissioner to issue opinions to Parliament, Government or other institutions and bodies as well as to the public on any issue related to the protection of personal data. The opinion sets out the Information Commissioner’s current thinking on the joint initiative (based on the information made available on April 10, 2020), and is primarily for organizations involved in the CTF’s development, as well as organizations developing apps that may use the CTF. However, the Information Commissioner acknowledges that it may also be of interest to those involved in other contact tracing initiatives.
The purpose of COVID-19 contact tracing is to determine whether any individual has been in contact with an infected person during the time they were possibly infected. Contact tracing could be used to communicate with individuals to ensure they (1) are aware of the risk; (2) are provided with the required information; (3) take the necessary steps to protect themselves and others; and (4) receive the support they need. The CTF being developed by Apple and Google is not itself a contact tracing application. Instead, the current aim is to enable third parties, such as public health authorities, to develop applications themselves that exchange information via Bluetooth between devices.
In the opinion, the Information Commissioner states that the CTF itself “appear(s) aligned with the principles of data protection by design and by default." The Information Commissioner notes in particular the CTF’s apparent compliance with the design principles of data minimization and security. With respect to data minimization, the Information Commissioner states that the exchange of information between devices does not include personal data, such as usernames. Instead, the data exchanged between devices includes periodically-generated cryptographic tokens (“tokens”) that are not associated with other data that may further identify or locate the device user. In addition, the matching of tokens takes place on-device and not by the application host or with the involvement of any other third party. With respect to security, the opinion notes that “the exchange of information between devices and the upload of information to the app host incorporate a number of security measures.” In particular, the CTF uses appropriate cryptographic functions with additional safeguards.
Further, the Information Commissioner notes that purpose limitation is a core principle of data protection, and cautions that the CTF may lead to scope creep by application developers that wish to develop the functionality to collect additional data for further uses. To this end, the Information Commissioner will monitor all developments to limit scope creep, and notes that each data controller designing an application incorporating the CTF is responsible for ensuring the application is compliant with data protection law. The opinion also states that users may not be aware that while the CTF enables the collection of some data, the application itself is designed by another organization that may also collect personal data. The concern is that users may assume that the data protection by design and by default principles applicable to the CTF will extend to all aspects of the application using the CTF. With this in mind, all relevant data controllers must ensure that users are fully informed about how their data will be processed, and by whom.
The Information Commissioner’s opinion notes that the CTF initiative is not directly associated with the “Decentralized Privacy-Preserving Proximity Tracing” (“DP-3T”) system of a separate expert group. That said, the Information Commissioner states that, whilst it has not undertaken a detailed review of the DP-3T system, the underlying principles of both the CTF and DP-3T initiatives appear to be similar. The Information Commissioner’s view is that these similarities give “further comfort that these approaches to contact tracing app solutions are generally aligned with the principles of data protection by design and by default.”
The ICO has demonstrated global leadership on data protection issues related to the COVID-19 pandemic, in particular those issues related to contact tracing and the use of location data in the context of COVID-19. The ICO recognizes that the use of new technologies and tracking to combat the pandemic is a global issue, and in the above referenced blog, the Information Commissioner notes how the ICO has used its position as chair of both the Global Privacy Assembly of privacy regulators, and the OECD Working Party on Data Governance and Privacy, to bring together more than 250 commissioners, government representatives, privacy professionals and key stakeholders to debate these issues, and seek pragmatic solutions to these data protection challenges.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code