Thursday, July 9, 2020
The long-awaited Irish COVID Tracker App was launched by the Health Service Executive in conjunction with the Irish Department of Health on 6 July 2020. At the time of writing, it is reported that there have been one million downloads of the app since it went live.
We published an article on 24 June looking at what was happening in the world of contact tracing apps. This article provides an update on what we know of the Irish app and will review the newly published information concerning user privacy.
In line with the recommendations set out in the Common EU Toolboxes for Member States (15 April 2020, Version 1.0), the use of the app is completely voluntary and has an opt-in to use different services available on the app, which can be deleted at any time. The app can also record contacts that a person may not notice or remember.
The main features of the app are:
Tracing and Exposure Notifications
The app uses technology developed by Apple and Google called COVID-19 Exposure Notifications where anonymous rolling identifiers are exchanged between phones which have the app downloaded. Exposure Notifications enable a user’s phone to generate a random, unique identifier every 10 to 20 minutes. This means that if a user is close to another user whose phone has exposure notifications turned on, the phones will exchange user identifiers, like a “Bluetooth handshake”.
As the app is a decentralised model, it ensures that the identifier data is stored on the person’s phone and neither the person nor anyone else will be able to view this data. The idea is that these anonymous identifiers cannot identify the person to other users or to the HSE. This gives the user of the app greater control over their data and, as with most decentralised apps, once the app is deleted all of the data is deleted with it.
If a user subsequently receives a positive diagnosis, the HSE’s Contact Tracing Centre will call the user. The user will then be asked if they would like to assist the contact tracing process by uploading the identifiers stored on their phone to a HSE Registry, where identifiers are published publicly and referred to as Diagnosis Keys.
Every few hours, the latest Diagnosis Keys from the HSE Registry will be downloaded by every user’s phone. These will then be used to check for matches against identifiers that have been collected by the user’s phone. If there is a match indicating that a user has been in close contact with a person who was diagnosed with COVID-19, the user will receive a ‘Close Contact Alert’.
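The decentralised matching flow described above can be modelled in a few lines. This is an added illustration, not code from the HSE app or from Apple and Google: the Phone class, its method names and the interval numbers are assumptions, and HMAC-SHA256 stands in for the HKDF and AES-128 derivation used in the published Exposure Notifications specification.

```python
import hashlib
import hmac
import os

INTERVALS_PER_DAY = 144  # 10-minute intervals; a fresh secret key per day

def rolling_id(daily_key: bytes, interval: int) -> bytes:
    # Stand-in derivation (assumption): HMAC-SHA256 truncated to 16 bytes.
    msg = b"EN-RPI" + interval.to_bytes(4, "little")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

class Phone:
    def __init__(self):
        self.daily_keys = {}  # day start interval -> secret key, kept on the phone
        self.observed = {}    # identifier heard over Bluetooth -> interval heard

    def broadcast(self, interval: int) -> bytes:
        day = interval - interval % INTERVALS_PER_DAY
        key = self.daily_keys.setdefault(day, os.urandom(16))
        return rolling_id(key, interval)

    def hear(self, identifier: bytes, interval: int) -> None:
        self.observed[identifier] = interval

    def diagnosis_keys(self):
        # Uploaded only after a positive diagnosis and with the user's agreement.
        return list(self.daily_keys.items())

    def check_exposure(self, published):
        # Runs on the phone: re-derive every identifier from each published key
        # and compare with what this phone heard in the same interval.
        hits = []
        for day, key in published:
            for i in range(day, day + INTERVALS_PER_DAY):
                if self.observed.get(rolling_id(key, i)) == i:
                    hits.append(i)
        return sorted(hits)

def simulate():
    start = 2657088  # constructed interval number (9 July 2020, 00:00 UTC)
    alice, bob, carol = Phone(), Phone(), Phone()
    for i in (start + 60, start + 61):      # Alice and Bob are close for 20 minutes
        bob.hear(alice.broadcast(i), i)
        alice.hear(bob.broadcast(i), i)
    carol.hear(bob.broadcast(start + 90), start + 90)  # Carol never meets Alice
    registry = alice.diagnosis_keys()       # Alice tests positive and uploads
    return bob.check_exposure(registry), carol.check_exposure(registry), registry

if __name__ == "__main__":
    print(simulate()[:2])
```

The registry holds only random keys, and the comparison happens on each phone, so neither the registry nor other users learn who met whom.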
What data is collected and processed?
The HSE and the Department of Health are Joint Data Controllers.
The information processed by the app is a combination of personal data, special (health related) data and anonymous data. It is processed in 3 different ways, depending on whether the information has been provided by:
The user data that is collected is the information that the user chooses to provide to the app. These include details relating to sex, age range and county. A user’s phone number (if provided) is used for follow-up calls by the HSE if a person receives a Close Contact Alert.
In respect of the tracing features, the following data is processed for the operation of the Exposure Notifications:
It is important to note that the above identifiers are pseudo-random alpha numeric values that cannot be used for identification.
Data provided by the User’s Phone or the App
The HSE has noted that as a consequence of how network traffic is passed on the internet, a user’s IP address will also transfer. However, the HSE offers assurances that a user’s IP address is not used for the purposes of identification and is “removed at the front door of the HSE server”.
Data Privacy and the Interoperability of EU wide Contact Tracing Apps
The launch of the Irish app arrived later than most member states, with Germany, France and Italy rolling out their apps earlier in June. However, the app is intended to work seamlessly when Irish users travel to other EU countries which also follow the decentralised approach.
The Commissioner for Internal Market Thierry Breton recently stated that “As we approach the travel season, it is important to ensure that Europeans can use the app from their own country wherever they are travelling in the EU. Contact tracing apps can be useful to limit the spread of coronavirus, especially as part of national strategies to lift confinement measures”.
With that in mind, the European Data Protection Board (EDPB) recently released a statement on the interoperability guidelines for contact tracing apps in the EU. The statement builds on the EDPB Guideline from 04/20 with regard to data protection and the tracing apps.
The EDPB reiterated that the use of contact tracing applications relies on the pseudonymised personal data of the users of the applications, and any enabling of the sharing of data should only be triggered by a voluntary action of the user. When personal data is obtained by the controller(s), the data subject needs to be given clear information about the additional processing related to the use of interoperability. The goal of interoperability of the apps should not be used as an argument to extend the collection of personal data beyond what is necessary.
Domestically, the HSE has committed to dismantling the app once the COVID-19 crisis is over. It will be interesting to see if a similar approach will be taken by all member states.
It remains to be seen how effective the app will be. It is clear, however, that the greater the uptake by the Irish population, the better its chances of success.
There has been much debate on privacy related issues concerning the app, such as the user’s IP address as referred to above, the use of consent as a legal basis and indeed the location settings having to be always on for Android users in order for the “Bluetooth handshake” to work. It would appear for the latter issue, however, that this is not a flaw of the app (from a privacy perspective or otherwise) but rather an issue in how the Android technology works.
Notwithstanding these concerns, with a million downloads in less than 3 days, the response to its use has been overwhelmingly positive and should greatly aid the Irish fight against the virus.
It has to be said that such response may also be due to the approach taken by the HSE and Department of Health, easing concerns with regard to user privacy. The Government have to the best of their ability been transparent with the app and chose the decentralised and anonymised model, based on voluntary participation by users. The Data Protection Impact Assessment, the source code and a product explainer were all made publicly available in advance of the launch, demonstrating the commitment to user privacy and transparency.
The strong message from Government is to download the app and help us all protect one another in the fight against Covid-19.
Article written with the assistance of Deidre Brannigan, Trainee Solicitor.