Avoiding a steep increase in the number of infections depends on quickly identifying and isolating persons who might have been exposed to the virus. This is achieved through manual contact tracing, a process of retracing a carrier’s movements to identify people they have come in contact with and to notify those people as soon as possible. However, contact tracing tends to be a slow and laborious process.
Technology in the form of digital tracking via mobile software applications, generally via smartphone apps (though depending on a nation state’s laws and preferences additional data sources could be used), can supplement—but not replace—this process. While at this point the usefulness of smartphone apps as a means of contact tracing is unproven, a large number of applications are being or have already been developed and deployed with government support in many nation states and regions. There is currently no globally consistent standard; there is also no consistency in how these applications collect and store data, and how governments use the data.
Contact tracing apps have also played a role in the EU’s consideration of measures to deal with the pandemic. On 8 April 2020, the EU Commission recommended a common EU approach to developing digital apps to ensure effectiveness of measures to combat the pandemic (e.g. interoperability), and on 13 May 2020, the Commission included the use of such apps among the guidelines for the resumption of travel in Europe.
The 8 April recommendation established a European approach, developing the first iteration of a so-called “toolbox” for the development of COVID-19 contact tracing apps. The European Commission in cooperation with the member states and relevant European agencies also prepared guidelines underlining the need for assurance of privacy and compliance with EU data protection and privacy laws as set out in General Data Protection Regulation (EU) 2016/679 (GDPR). GDPR regulates processing of personal data in the EU, including information such as name, photos, date of birth, but also IP addresses of an identified (or identifiable) natural person and, crucially in the context of contact tracing, location data if this data can be related to an identifiable/identified person. The GDPR sets out six principles for data processing: (a) lawfulness, fairness and transparency, (b) purpose limitation, (c) data minimization, (d) accuracy, (e) storage limitation, (f) integrity and confidentiality. While the GDPR contains a provision, Recital 46, for data processing on the grounds of public interest inclusive of the monitoring of epidemics, the six principles still apply. In line with the principles, deployment of apps requires approval by a national health authority, voluntary use, assurance of data security, and sunset clauses to ensure utilization ceases once pandemic conditions end.
Further guidance is provided by the European Data Protection Board’s Guidelines on the use of location data and contact tracing tools and Guidelines on the processing of data concerning health for the purpose of scientific research.
However, while there is some consensus, there are also differences in the approaches taken by EU member states. Some member states may not institute any contact tracing at all (or haven’t yet made a decision). For others the question centers on data storage: decentralized or centralized storage.
Centralised storage entails storage of all data of a tracing app user’s interaction data on government servers where data analysis and contact matching is performed. This has the advantage of enabling development of a network model of contacts, revealing clusters and super-spreaders. This could help authorities achieving containment of the disease. However, there are privacy concerns, such as hacking or government function creep. Decentralised storage keeps the list of contacts on the phone itself.
And while contact tracing apps may be a useful measure to supplement manual contact tracing, there are a number of issues associated with their use. For an app to be effective a certain percentage of the population need to download it and so far it seems there is reluctance globally to download the respective apps. An app needs to be operational (which currently seems to be a problem with Apple devices). There is the possibility of false negatives or positives in densely populated areas. Apps also depend on smartphone use but there is some evidence that at-risk groups such as over-70s and migrant workers may not have that access.