Joint Statement on Digital Contact Tracing From Convention 108 and Council of Europe
May 12, 2020
Alessandra Pierucci, Chair of the Committee of Convention 108, and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe, released a Joint Statement on Digital Contact Tracing.
- Looking at contact tracing (and alerting) in particular, it should first and foremost be recalled that this monitoring process has always been used – manually – in epidemics to reduce the spread of infections.
- Although technological tools can play an important role in addressing the current challenge, the first – essential – question we have to ask ourselves before systematic and uncritical adoption of technology (not having assessed their effectiveness and proportionality) is: are those “apps” the solution?
- Considering the absence of evidence of their efficacy, are the promises worth the predictable societal and legal risks?
Trust: Achieving broad acceptability can thus be supported by implementing a trustworthy system, which is not imposed upon people but used on a voluntary basis instead. This also means that there should be no negative consequences imposed for not participating in the system.
Impact Assessment and Privacy by Design
- Considering the likely impact of digital contact tracing systems on the rights and fundamental freedoms of individuals, their development should be based on a prior assessment of such a likely impact prior to their deployment.
- They should be designed in such a manner as to prevent or minimize the risk of interference with those rights and fundamental freedoms, to ensure notably that location data of individuals is not used, that no direct identification is possible, that re-identification is prevented.
- Considering the particular nature of location data, and the fact that proximity between persons can be obtained without locating them, digital contact tracing should be done on the basis of records of connections between devices rather than on the basis of location data (GPS generated data for instance).
- As the implications may be serious (self-isolation, testing) for the individuals identified as potential contacts of someone infected, ensuring the quality and accuracy of data is crucial.
- Data processed for digital contact tracing purposes should be reduced to the strictest minimum and any data that is not related or necessary should not be collected.
Automated Decision Making
- Even in the current situation, individuals retain the right not to be subject to a decision significantly affecting them based solely on automated processing of data without having their views taken into consideration. It is clear that implications such as self-isolation and testing can have such significant effects.
- Users of the digital tracing system must therefore not have consequences imposed on them without a clear facility to challenge these consequences, particularly in light of the inaccuracies or misrepresentations possible in such systems.
- Users of the digital tracing system must not be directly identified.
- Digital contact tracing systems should only use unique and pseudonymized identifiers, generated by and specific to the system. Those identifiers must be renewed regularly and must be cryptographically strong.
Digital contact tracing systems have to include state-of-the-art encryption, communications security, secure development practices and user authentication to prevent risks such as unauthorized access, modification or disclosure of the data of the digital contact tracing system.
Digital contact tracing systems should be based on an architecture which relies as much as possible on the processing and storing of data on devices of the individual users.
Interoperability between systems should be ensured to enable the exchange of available information beyond national borders, provided that the necessary safeguards are ensured, including appropriate grounds for transferring data, robust security measures and means to ensure accuracy of inbound and outbound data.
- Full transparency through an open source development of the code is highly recommended, enabling anyone interested to audit (and possibly improve) the code.
- Individuals have the right to obtain knowledge of the reasoning underlying data processing where results are applied to them, such as in the case of digital contact tracing. The general manner in which a particular digital tracing system works must be made fully public before and during operation.
The data used for digital contact tracing should only be kept for the duration of the management of the COVID-19 pandemic and storage limitation periods should be defined in light of the epidemiological relevance of the data (such as the incubation time of the virus for instance).
- Digital contact tracing systems should be subject to independent and effective oversight and audits to ensure respect of the rights to privacy and data protection.
- Data protection authorities should be involved from the outset in the development of those systems, and use their powers of intervention and investigation to ensure that data protection requirements are enforced.
Odia Kagan is Chair of the firm's GDPR Compliance & International Privacy Practice. She can be reached at 215.444.7313.