Open Rights Group (ORG) is deeply concerned by this possible development: we have previously highlighted how the privacy implications of contact tracing have been consistently ignored. On top of that, recent events have compounded the issues we previously highlighted.
With this in mind, we will try to make some sense of this situation, taking stock of where we stand, where we are heading, and what we can do about it.
Government still has to justify reliance on centralised contact tracing
Since the very beginning, experts have pointed out that centralised contact tracing is more invasive, thus requiring “much more factual justification”. We have yet to receive any meaningful justification, and we wonder if we will ever receive one.
On the other hand, rumours that Government is considering a switch to a decentralised system have been intensifying over the past weeks, implying that centralised contact tracing may not be so necessary after all. Also, the Data Protection Authority in Norway has conducted an assessment of their domestic contact tracing app, concluding that centralisation entails a disproportionate intrusion into users’ privacy.
None of the issues which were exposed have been addressed so far
We have previously highlighted how the Data Protection Impact Assessment (DPIA) revealed a number of vulnerabilities in the way the contact tracing app operates, which were not properly addressed. Those include a lack of safeguards against illicit use of symptom reporting, which could result in false alarms and, ultimately, unnecessary self-isolation for those receiving these fake alerts.
On top of that, a proper DPIA for Test and Trace still has to be released, and reassurances that contact tracing data will be deleted once the pandemic is over may sound less convincing, knowing that our data will be retained for 20 years.
A Coronavirus Safeguards Bill is still missing
If anything, this track record indicates that Matt Hancock’s confidence “that the NHS COVID-19 App complies with the law and the high information governance standards expected of public services” may be slightly misplaced.
Other than that, it is worth noting that other issues, independent of the contact tracing app itself, remain unresolved: are we sure that employers and businesses will not force individuals into using the contact tracing app, for instance as a requirement to be admitted to their workplace or to enter a certain place? Will security services be kept at bay from our contact tracing data for the remaining 20 years it is intended to be stored? And who ensures that Government’s private partners will not try to reuse this data for their commercial activities after the pandemic is over, for instance by trying to exploit any legal loophole?
The good news is that these are all issues that could be addressed with dedicated primary legislation, such as the Bill which has been proposed by the Joint Committee for Human Rights. Although we believe the Bill could be improved, we supported this initiative before, and we still do.
We have very good reasons for that: Italy and France have already released their contact tracing apps to the wider public, with the important difference that in both instances the application was reviewed by their Data Protection Authority (in the Italian case, subject to prior authorisation). It follows that data protection compliance is not only about respecting our privacy, but also a measure of governments’ competence and capacity to respond effectively to the pandemic.