Shortly after the first corona infections were recorded in Europe, discussions flared up about the use of data in the fight against corona. Initially this was mainly about the use of telecommunications data to map the spread of the corona virus, followed later by calls for a contact-tracing app. By now we have all witnessed the hastily organized appathon, where none of the seven participating tracing apps turned out to be able to comply with the General Data Protection Regulation (AVG). Anonymity was not guaranteed, the risk of false positives was not eliminated, bluetooth proved not flawless, and on top of that, a data breach was found with one of the apps from the preselection.
This past week, both the use of telecommunications data and the development of the tracing app were back in the news. The main message: with proper safeguards and without hasty decisions, technology and data are an excellent tool in the fight against corona. The right to privacy does not stand in the way of good (preventive) health care. It provides a framework within which good and thoughtful techniques can be deployed.
In late March, EU Internal Market Commissioner Thierry Breton asked European telecom companies to share anonymized data from cell phones. Breton believes this telecom data is needed to analyze patterns of the outbreak. In several member states, including Italy, Austria and Germany, telecom providers already shared anonymized data with health authorities.
Under the Telecommunications Act, telecom data may only be processed when personal data is completely anonymous or when prior consent has been given for its (further) processing. According to the AP, while telecom data can be aggregated, the processing cannot be completely anonymous. Since consent is not a viable option, telecom data should only be shared with an emergency law that contains sufficient safeguards for the privacy of data subjects.
The Cabinet then set to work on a temporary emergency law. This emergency law should make it possible to keep track of how many cell phones are in an area per hour, along with information about where those phones are coming from. The latter the telecom provider bases on information about where the device is most of the time. The data are transmitted to the Central Bureau of Statistics (CBS), which produces reports at the instruction of the RIVM. The RIVM can use this information to monitor the spread of the virus and, in the event of an increase in infections in a particular area, immediately alert the regional GGD. With the information, measures can be adjusted in time. The data made available to the RIVM via the CBS are not traceable to an individual. To ensure privacy of data subjects in sparsely populated areas, only numbers of 15 or more people are reported.
The temporary emergency law is linked to coronavirus control and expires after one year. Every six months, the utility and necessity of the emergency law will be evaluated in the House of Representatives. If it turns out that after a year it is still necessary to process telecom data, the emergency law can be extended by royal decree for periods of two months each time.
The first proposal for the temporary emergency law was reviewed by the AP on May 19, 2020, and the AP issued an opinion with recommendations to the Cabinet. In it, the AP informed that the sharing of telecom data is a very drastic measure about which data subjects cannot make their own choice. The need for this was insufficiently substantiated in the first bill. According to the AP, important safeguards were also missing, such as a specific purpose, data minimization, provision of information to data subjects and an unambiguous maximum retention period. After processing the advice of the AP and positive advice from the Council of State, the cabinet submitted the temporary emergency law, the Temporary Act on the Provision of Information RIVM in connection with Covid-19, to the House of Representatives on May 29, 2020.
Last week was not only telecom data week, but also steps were taken toward a new and balanced(er) version of the contact-tracing app. After the damning appathon, the Ministry of Health concluded that the tracing app, or notification app as the ministry now calls it, needs to be more epidemiologically based and researched. Based on that, the technology needs to be rethought. The Ministry of Health is now working on a prototype of the notification app with IT experts from inside and outside the government.
A first draft of the notification app has appeared on software developer platforms Github and Figma. This surely gives a taste of what the app might look like. The creators are asking the public to help think about the notification app and provide feedback for the next version via a Ministry of Health Slack channel.
The notification app is intended to assist GGDs in conducting contact investigation. When a large group of people use the notification app, people who may be infected can be detected early, tested, quarantined and treated if necessary.
The notification app works with locally stored data and bluetooth. Every time your smartphone comes near another smartphone, the devices exchange unique IDs. Every day, your smartphone retrieves the IDs of people who have tested positive for Covid-19 in your area. If any of those IDs match the IDs on your phone, it means you've been near an infected person and you get a notification in your app with information on what to do. To get a notification, you must have been near someone determined to be infected with the coronavirus for at least 10 minutes. IDs are kept for 14 days.
The notification app uses the contact research API jointly developed by Apple and Google for apps from official health organizations and government agencies. On May 20, 2020, an update for the iPhone was released, iOS 13.5 that is completely ready for the notification app. In the settings, if the notification app is there, you can turn on the "Exposure to COVID-19" option. This functionality is disabled by default.
More articles by SOLV Lawyers
