Issue link: https://maltatoday.uberflip.com/i/1243341
12 maltatoday | SUNDAY • 3 MAY 2020 OPINION WHAT is all the fuss with con- tact tracing apps about? Contact tracing apps are a public health initiative to com- bat the spread of COVID-19. Users install an app on their mobile phone that sends out short, little coded bursts of gobbledygook. When someone tests positive for COVID-19, the app can tell if someone else has come in close contact with that person, will send the user a notice, and then that person can choose to self-isolate. The app traces who you have come into con- tact with and notifies those who have come into contact with someone who has tested positive. The system is purported to only really be feasible if a large percentage of the population download the app. Doing so will require an un- precedented level of trust in governmental authorities to ensure that users who down- load the app will not regret handing over the power of 24-hour monitoring and sur- veillance to the State without protection of our fundamental rights. In recent weeks, Malta and other EU member states were grilled by privacy advocates who have expressed concern on the compatibility of such apps with human rights to pri- vacy and data protection. There are also concerns these apps fail to comply with the European Union's General Da- ta Protection Regulation (GD- PR). At the core of the debate is whether the interference with our human rights are justified and whether that interference is proportional to the aims of states faced with an unprece- dented public health crisis. Understandably governments are looking to technology to help fight the battle against COVID-19 and contact tracing has emerged as a tool that may help to do so. The question is: Do we design for privacy? Or do we design in a way that ensures efficiency in tracking? The latter rightly evokes serious questions about government surveillance. So how the apps are designed re- ally matters to how much pri- vacy we give up. The extent of privacy inva- siveness of a contact tracing app is very much dependent on its in-built features, the system underlying the technology and how it is actually deployed. But in order to comply with the GDPR, certain legal tests must be satisfied. The privacy impact assess- ments for contact tracing ap- plications must entail a case- by-case analysis: does the app collect health data that is ade- quate, relevant and limited to what is necessary in relation to the purpose of combating the spread of the disease? Is the collected data only to be used for the specific purpose of con- tact tracing? What rules have been implemented to ensure erasure of data within speci- fied time-frames? Will the data be processed and stored only within the European Union? What privacy and data pro- tection safeguards have been implemented? Are privacy and data protection 'by design' principles built into the 'code' of the app? For example, is the data stored locally, on users' phones? Or is it stored central- ly by some government agen- cy? There is still a lot to learn about this virus and how it spreads. Yet contract tracing apps could be a vital tool in keep- ing the right people at home as governments look to start their economies back up again. Therefore, deployment of these tools must be undertak- en quickly and without all the necessary evidence to justify their invasion of our privacy. Privacy advocates would be unreasonable in insisting that an app not be deployed pend- ing conclusive evidence of the efficacy of the deployment of such an application to contain the virus. The UN Special Rapporteur on the Right to Privacy, Joseph Cannataci, is reported by Mal- taToday as stating: "There are many confound- ing variables which can distort analysis, but what is going to happen if, in a year or two, we would realise that the intro- duction of such apps, or indeed even more invasive contact tracing using mobile phone da- ta, did not significantly arrest the impact of COVID-19?" he asked. But what if it did significant- ly arrest the impact of COV- ID-19? Most people would conclude that the interference with our right to privacy would have been justified. While the ringing of a precautionary bell may well be expected, it would be wrong to assume that all contact tracing apps are a dis- proportionate or an unjustified interference with our funda- mental right to privacy. What is of utmost importance is transparency and accounta- bility: the detailed description and information about in-built privacy and security safeguards must be made publicly availa- ble and analysed. The source code should be made available and the deploy- ment of the app should be put on a lawful basis. In this man- ner the safeguards enacted in law and coded into the contact tracing system would be known to the public, who will have reasonable expectations about how and for what purposes the data processing will be carried out, including the impact upon their rights to privacy and data protection. It is essential that the priva- cy and data protection impact assessment be made public. This would support communi- ty confidence in the app. The GDPR requires app providers using personal data which is deemed high risk to the rights and freedoms of natural per- sons to undertake a data pro- tection impact assessment. This includes processing on a large scale of health data, which would certainly be in the case of a contact tracing app. Government would do well to heed advice and guidance as it considers the privacy issues through the data protection impact assessment. The Information and Data Protection Commissioner's Office should have an en- hanced role watching the im- plementation closely, auditing the system, and investigating any complaints from the pub- lic. If we let privacy stand in the way of effectively controlling a pandemic, we would be doing nothing more than giving pri- vacy a bad name. Yes, crises like the 9/11 terror attacks or the London Bomb- ings have sparked surveillance legislation in the past. But the fundamental rights to privacy and data protection are not absolute. We give up some of our privacy to feel safe and secure all the time. You agree to constant monitoring on the London Underground if it means you are safe. This poses challenging ques- tions about trade-offs. Govern- ments are tasked with ensur- ing fundamental rights while promoting other countervail- ing public interests like pub- lic health and, ultimately, the right to life. The deployment of contact tracing apps will require an unprecedented act of trust by users. Protocols should be followed to ensure fundamental rights are protected and law should be enacted to put the app's use on a lawful basis. But if the app does what is promised, trusting technology will have played a fundamental part in controlling a pandemic. What we should avoid doing is enacting new surveillance laws in a time of crisis that actually outlive the crisis itself. Thank you to Dr M.R. Leiser of Leiden Law School for his contributions to this article Mireille Caruana Giving privacy a bad name What is of utmost importance is transparency and accountability: the detailed description and information about in- built privacy and security safeguards must be made publicly available and analysed Dr Mireille M Caruana is senior lecturer at the Centre for Distributed Ledger Technologies