The NHSX is currently testing its digital contact tracing app on the Isle of Wight, and is set to release it nationwide sometime soon. This application will keep a record of our encounters by using the Bluetooth sensors of our smartphones, allowing app users who have been exposed to infected persons to be notified.
As a side effect, this system will also build a government-controlled database of our social circles and daily interactions, unprecedented in scale and level of detail compared with anything we have ever seen.
Furthermore, the Government decided to rely on a number of private partners, which will be entrusted to keep our data safe and private. Among those are Palantir, an online surveillance company, and Google, whose efforts to gain access to NHS health data are not entirely new.
Given these circumstances, the Joint Committee for Human Rights (JCHR) aims to introduce new primary legislation and provide adequate safeguards for this interesting yet potentially troublesome contact tracing system. Unfortunately, Matt Hancock seems not to share their concern: on 21 May, he answered the JCHR’s Bill on Covid19 (Coronavirus) Contact Tracing App with a firm refusal, stating that he has every confidence that the App is compliant with the law.
We cannot but disagree with our Health Minister: we have highlighted before how the NHSX Data Protection Impact Assessment (DPIA) reveals significant shortcomings of the current system with respect to data protection laws. Furthermore, the GDPR provides baseline legal standards for the use of personal data: it does not draw any red lines over how Palantir and Google will or will not be allowed to reuse your contact tracing data, and its general purpose makes its safeguards uncertain in a context as unfamiliar as the one we are living in.
Taking stock of these facts, new primary legislation could provide legal certainty where it is needed the most. Also, emergency situations require fast and bold responses; thus, stronger safeguards would allow public scrutiny to keep pace with fast developments, as well as to safely contain and deal with any mistakes.
This is why, together with Article 19, Index on Censorship, and another 20 academics and legal experts, we decided to support the JCHR and submit our recommendations. Our aim is twofold: on the one hand, we want to help the JCHR improve their Bill. On the other hand, we hope to push the Government to reconsider a proposal which could introduce much needed legal protection and certainty.
What we proposed
Although we fully endorse the JCHR in their effort, we found their Bill to fall a little short of their own objectives. Thus, we proposed a number of changes, based on three main pillars:
We believe the Bill should include further protections, to foster public trust and rule out potential discriminatory behaviours. In particular, we believe the Bill should rule out any attempt from an employer, or a business owner, to force your adoption of the Contact Tracing App.
Furthermore, we proposed stronger transparency requirements for the public and private bodies involved in the operation of the contact tracing systems, such as the proactive disclosure of DPIAs, legal agreements, and other relevant legal documentation.
Finally, we find enforceability to be the strongest safeguard against abuses. Thus, we proposed to harmonise the role of the watchdogs supervising the contact tracing system, as well as to introduce collective redress mechanisms which could empower organisations to hold the Government and its watchdogs accountable.
Interactions with the GDPR, and Further Improvements:
The second and third pillars of our proposal concern how the law should clarify and tighten, rather than derogate from, data protection rules. We also propose some measures to strengthen some of the safeguards which were already enshrined in the Bill.
Long story short, we aimed at closing any legal loophole which could allow the undue restriction of our rights, and pave the way for the reuse of contact tracing data after the pandemic is over. These proposals respond to tangible issues which have emerged along the way: the NHSX stated in its DPIA that it is considering whether to allow users to exercise their right to erasure of personal data, and we have read in the news how the Contact Tracing App may be the first stepping stone to the immunity passport. Therefore, it is important that:
- GDPR standards for consent, pseudonymous data, and anonymisation are applied consistently, and with all the safeguards which they entail;
- Discretion over usage of contact tracing data, and their disclosure to contractors and third-parties, is limited by statute.
The ball is now in the court of the Government and the JCHR, while ORG will keep working with all stakeholders who are willing to ensure the protection of our digital rights in times of crisis.