French representative Mounir Mahjoubi published on April 6 a note on how technology can help with containing the COVID-19 pandemic while respecting privacy laws and ethics.
IoT, Big Data analytics, AI and blockchain may all be used to monitor this major health crisis. For instance, China has been using the “Alipay Health Code”, which uses big data to automatically draw automated conclusions about whether an individual is sick or not. However, there is a fine line between tracking to surveillance. Singapore collaborated with WhatsApp to offer an update about the virus: interested parties can sign up to receive the latest information about the virus. Individuals in the US and the UK can download an app to voluntarily report how they are feeling, even if they do not have any symptoms. Users can then follow how the virus is developing.
The Mahjoubi note cites an article published last month on the Nature website about how digital tools can help us remediate the COVID-19 outbreak. This article provides several examples, including how Johns Hopkins University’s Center for Systems Science and Engineering has developed a real-time tracking map of COVID-19 cases across the world, using data collected from the US Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO), the European Center for Disease Prevention and Control, the Chinese Center for Disease Control and Prevention (China CDC) and the Chinese website DXY, which aggregates data from China’s National Health Commission and the China CDC. The map allows everyone to follow the location and number of confirmed COVID-19 cases, as well as deaths and recoveries around the world.
The note explains that mobile data tracking may be used three different ways to control the pandemic: (1) to monitor collective mobility practices containment, (2) to identify individuals who have been in contact with a person affected by the virus, and (3) to control whether an individual is indeed confined.
Technologies used for these different purposes may be the telephone, GPS and Bluetooth applications, video surveillance, banking cards…
The first use, monitoring collective mobility, can be implemented using, for example, cell phone data pooled from telephone operators. GPS data an also be used for this purpose. Data is anonymized and aggregated. As such, this use respects the GDPR as it does not apply to anonymized data. However, it should be noted that data can be de-anonymized (or re-identified).
The other two uses identify affected individuals and track whether they are indeed staying confined, and raise ethical and legal issues.
Several technologies can be used to identify an individual who has been in contact with an infected person, sometimes called “contact tracing.” It seems that both China and South Korea used such technology to track the spread of COVID-19. France is developing its Stop Covid contact tracing app. The Pan-European Privacy Preserving Proximity Tracing initiative (PEPP-PT) is an initiative of 130 researchers and technologists from eight European countries collaborating to create a tracing solution fully compliant with the GDPR and preserving privacy.
Indeed, in the European Union, such use of data must be done in compliance with the GDPR. Marie-Laure Denis, the President of the French data protection agency, the CNIL, said in an interview to Le Monde (in French) that such monitoring must be done on a voluntary basis only, based on a free and informed consent, and that there should be no consequences for someone refusing, for example, to download an application. Ms. Denis also noted that such a scheme would have to comply with the data protection principles. Indeed, the GDPR sets out seven key principles: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, security and accountability. She notes that if these principles are respected, there would be no need for a legislative provision.
The GDPR provides that only data necessary for an explicit purpose should be collected. The COVID Symptom Tracker app explains, for instance, that the data can “only be used to help medical science and healthcare providers to better understand Coronavirus.”
Ms. Denis also noted that the choice of the technology used to track is important, as, for instance, an application using Bluetooth technology detecting if another phone equipped with the same application is in the immediate vicinity, provides more guarantees than an app using a precise and continuous geolocation.
On April 8, the European Union Commission recommended the development of a common EU approach for the use of mobile applications and mobile data in response to the coronavirus pandemic.
These recommendations include:
- strictly limiting personal data processing for the purposes of combating the pandemic and ensuring that personal data is not used for any other purposes such as law enforcement or commercial purposes;
- ensuring that regular reviews are being conducted of the continued need for personal data processing for the purposes of fighting COVID-19 and setting appropriate sunset clauses to ensure that such processing does not extend beyond what is strictly necessary for those purposes;
- taking measures to ensure that processing is terminated once it is no longer needed and that the personal data is then “irreversibly destroyed unless, on the advice of ethics boards and data protection authorities, [its ] scientific value in serving the public interest outweighs the impact on the rights concerned, subject to appropriate safeguards.”