Today the Joint Committee on Human Rights will take evidence from the Information Commissioner, academics and the CEO of NHSX on the risks to the right to privacy (Article 8 ECHR) if a contact tracing app is introduced to track and slow the spread of the coronavirus. This is helpful scrutiny of the government’s plans. Yet if the government goes ahead with its proposed contact-tracing application it is essential that the processing of large amounts of personal data by the state, even if done in the public interest, needs a clear legal basis in the form of specific legislation.

How do the UK’s plans for contact tracing apps in response to the coronavirus pandemic compare to those in other countries?  Are we on course to safeguard the Rule of Law and what can we learn from debates elsewhere?  Last week French parliamentarians decided to postpone debate on their contact tracing app: StopCovid, which will be subject to a dedicated vote by senators and MPs once it is ready. This follows heated debate within and between European countries about the preferred privacy-protecting type of technology necessary to trace coronavirus infections; and significant public hostility to contact tracing in France; based on concerns about their utility, and security of the app.

In the UK, the race is on for the NHS to deliver its contact-tracing app CV19 within weeks. Although individual use of the app will be voluntary, the UK parliament should follow France and legislate on how the app will be allowed to operate. To uphold the Rule of Law, legislation is necessary to ensure that there is a clear lawful basis for processing for such potentially intrusive data collection and use, including explaining why processing is necessary, and including detailed procedural safeguards against abuse or misuse. 

Legislation governing the app is essential, this would follow the UK’s peers at national level and also the activity of regional bodies. The European Commission has already published draft rules on the development of contact-tracing apps in the context of COVID-19. In Australia a ministerial determination is the legal instrument that temporarily underpins the use of the app until legislation can be passed through a reconvened Parliament in early May. It has been described by law firm Gilbert and Tobin as “sparse but seems clear-cut in its protections”.

First, it is essential that Parliament debates whether this method, which is reliant on a huge amount of sensitive data, is necessary and proportionate even in the current crisis. Second, parliamentarians need to confront issues around the safeguarding of personal data, oversight of the app, and deletion of the app and the collected data once it is no longer epidemiologically useful. The need for debate is particularly acute in light of the NHS’s confirmation that the system will be centralised, rather than decentralised as recommended by privacy experts.

Contact tracing is a fundamental mechanism of outbreak control, a tool used by public health professionals to identify all people who have had close contact with a person who has tested positive for COVID-19. Contact tracing apps go beyond telephone-based contact tracing (for which the UK government is currently recruiting) and enable rapid symptom reporting by individuals on their mobile phones. Bluetooth is used to log the distance between phones and other phones nearby;  this log is stored on the phone to enable users of the app to be alerted if they have come into ‘significant contact’ with a person who has tested positive.

The government still has to pass through a number of stages before CV19 can be delivered. But despite the government’s commitment to “transparency, ethics and the law” and important consultation with the Information Commissioner, a full parliamentary debate is not yet considered as one of these stages. Led by Professor Lilian Edwards, a group of academics in the UK have already published a draft Bill, showing what legislation that puts in place “safeguards in relation to the symptom tracking and contact tracing apps that are currently being rolled out in the UK” could look like.

The UK government should adopt a variant of this Bill, particularly in light of the extensive concerns raised during the oral evidence given to the Science and Technology Committee in a session on 28 April 2020. These include risk of, in the words of Professor Edwards, a “mass land grab in extensive state surveillance”. The importance of caution and debate is amplified by the shadows cast over the accuracy of such an app as we are still, according to Professor Danny Altmann’s evidence in the same session, “flying blind” in understanding exactly who transmits COVID-19, and how it is transmitted.

There are a range of important issues which need to be considered in parliamentary debates, including:

• Justification of the UK’s selection of a ‘centralised’ approach, and the consequences for iOS users given Apple’s refusal to support centralised systems
• How to ensure the app uses the minimum amount of data necessary to fulfil its function: preventing the spread of COVID-19;
• How to protect anonymity, including preventing re-identification of users from anonymised data;
• Open-source publication of the protocol;
• Who will be able to access the data, both within government and relating to third parties;
• Protections around data storage, sharing, and deletion;
• Protections for ‘conscientious objectors’, or those who do not have the capability to download the app, such as those written into Clause 9(2) of Australia’s Ministerial Determination on its app;
• The ‘exit strategy’ for the app, including timelines for the deletion of sensitive personal data.

There are important, existing, legal obligations that will cover some of these issues, including the Data Protection Act 2018 and the Equalities Act 2010, alongside the Human Rights Act 1998. However, these are general pieces of legislation, and an app like this must operate within a specific legal framework.

Aside from clearly explaining how the app will function, the Bill should set out the specifics of the proposed oversight mechanisms; including the role, function and powers of the proposed ethics advisory board chaired by Professor Sir Jonathan Montgomery. Other steps that should be considered include equality impact assessments to ensure the apps are non-discriminatory, and arrangements for ongoing evaluation of the necessity and proportionality of the app.

There is potential for abuse, as judges have recognised in other jurisdictions grappling with the same problem. Last week Israel’s Supreme Court ruled that the government’s mobile phone tracking of COVID-19 risk must be governed by legislation following news that the security agency Shin Bet’s phone-surveillance technology was being used to retrace the movements of those already infected. The judgment, following a petition from Israeli human rights groups, required the government to begin the process of legislation by 30 April and pass the legislation through the Knesset within a few weeks. The court found that “The state’s choice to use its preventative security service for monitoring those who wish it no harm, without their consent, raises great difficulties and a suitable alternative, compatible with the principles of privacy, must be found”.

The Israeli Supreme Court decision underscores global concerns about states using COVID-19 as an opportunity to expand surveillance. Under GDPR Article 25 (2), app developers are required to embed data protection by design into the default settings of apps. This means that the application should be engineered to protect a user’s privacy. Imperial’s Computational Privacy Group provides a helpful description of how this functions in the context of contact tracing apps.

However, relying on privacy by design is insufficient. The disputes around the best privacy preserving model, and concerns about the use of data beyond the app, means that this will not be enough. As I have previously argued, public trust helps to improve public compliance with COVID-19 measures adopted by the government. To obtain the recommended levels of take-up for effectiveness (80% of smartphone users), while keeping the choice to use them voluntary, app creators will need to convince people to participate, by making them believe that they are downloading trustworthy software; legislation is part of this process.

Debate is also needed on the role of this app within the wider government strategy. Research has stressed the importance of fighting on multiple fronts in the attack on COVID-19; app-based contract tracing will not work alone, and must be supplemented by manual contact tracing. Without building the necessary testing capacity, contact tracing alone cannot distinguish between asymptomatic but infectious individuals and healthy individuals. The app cannot become an excuse for authorities not to continue investment in research, testing, and support for general sanitary measures, as pressure to ‘restart the economy’ grows. There is no clear legal requirement to use a Bill to regulate the operation of this app, but this should not be exploited by the government to introduce an app that collects a significant amount of personal, sensitive, information without adequate safeguards. In an area that involves so much processing of sensitive information, the best way to ensure transparency and scrutiny is a Bill before Parliament.

Nyasha Weinberg, Research Fellow at the Bingham Centre for the Rule of Law.

(Suggested citation: N. Weinberg, ‘Parliament must legislate on the government’s plans for contact tracing apps’, U.K. Const. L. Blog (4th May 2020) (available at https://ukconstitutionallaw.org/))