Protection of personal data in the fight against COVID-19: Apple / Google partnership
Written by
Victor Vieira (See all posts from this author)
23 de April de 2020
A few days ago, technology giants Apple and Google announced a joint initiative to develop software for monitoring people during the coronavirus pandemic. This post seeks to discuss some of the main issues related to this partnership, with special attention to the repercussions related to user privacy and data protection. Some similar initiatives adopted in Brazil will also be highlighted, under which the same concerns about digital security fall.
What is the partnership between Apple and Google about?
In general terms, the partnership between the companies was created to combine efforts in the creation of software that makes it easier for health authorities to obtain user data. The aim is to more easily identify possibly infected people and adopt contingency measures for the pandemic, through information on the location of each user, people with whom they have recently been in contact, among others. These data provide health authorities with more detailed information about the spread patterns of the virus, and allow better decisions to be taken to face the pandemic.
The partnership, analyzed from this angle, illustrates how the advancement of information technology and Big Data can be beneficial for better management of random events. In addition, it illustrates that large companies competing in the high-tech market and who have a history of rivalry between each other are willing to unite and face the adverse situation we are going through, which reinforces the seriousness of the disease and the need for collaboration by everyone to fight it.
Concerns about the use of users’ personal data
Despite having important positive points, such as those previously mentioned, there are serious questions that are being addressed to the Apple/Google partnership and the technology that companies have announced are developing.
The main of these questions concerns privacy, data protection and information security. As pointed out by the American Civil Liberties Union (ACLU) in a recent post, the technology, although potentially beneficial to public health, can result in disastrous consequences if poorly developed, and the information made available about the application is not sufficient to guarantee its reliability at this point.
Among the possible consequences, one could highlight, for example, the access to information related to location, housing, workplace, close contacts and users’ health – among others – by unauthorized people. This can include everything from malicious third parties to state agencies that have no legitimacy to treat this information – all considered personal data – for the purposes for which they are being collected (that is, the organization of public health systems to face the crisis brought by COVID-19).
For these reasons, the adoption of security protocols in the technology being developed is essential, but it is not the only necessary measure to guarantee the rights of internet users.
One could also point out the need for effective transparency mechanisms on who has access to the collected data, and the detailed distinction of the purposes and processing activities to which this information is submitted. These measures, in addition to respect for the other rights of the holders of personal data – such as non-discrimination, the need for processing, the quality of the data, free access, among others –, will ensure that the rights of users whose data will be submitted to the application are respected.
The ACLU mentions that the user’s consent to have their data submitted to the application is also extremely important, claiming that the mandatory participation of the population in the activities of the application will result in a feeling of distrust on the part of the users, who will seek means of circumvent the collection of your data. Another concern of the entity is the accounting of false positives or unfounded suspicions that would be avoided if the user had autonomy over the sharing of his information: it may be the case, for example, of a user being close to someone infected, but properly safe with protective equipment, or even in a car in which the infected person is not – both situations that the mere collection of location data would not be able to distinguish and that would make erroneous metrics possible in the application.
It should be noted, however, that, although preferable, consent is announced in several data protection legal documents – including the EU’s General Data Protection Regulation and the Brazilian General Data Protection Law – as not essential to justify the treatment activities, as long as there is some reasonable justification for this, such as a legal basis for life or health protection, or even a public security prerogative.
Thus, if it is used exclusively for the lawful purposes announced by Apple and Google, that is, for sharing with health authorities for purposes solely aimed at overcoming the COVID-19 pandemic, the user’s consent may not be considered an essential requirement for treatment activities. This, in turn, amplifies the need for the adoption of appropriate transparency measures, in order to prove that the collection of users’ personal data is in compliance with international expectations and with the legal provisions of the countries where this technology is applied .
It is also important to point out that the need for user consent is an issue that is increasingly discussed in the European Union. The European Data Protection Board (EDPB) recently published guidelines for the use of location data and contact tracing, in which it emphasizes the importance of these activities being carried out in compliance with the directive on ePrivacy, also from the European Union .
Among the provisions of this regulation, there is, for example, the need for location data collected by connection providers to be anonymized before being sent to state authorities, and that the collection of this information by application providers always requires user consent. that the data processing activity in question is not essential for the functioning of the application used. The entity also highlights the provisions of the directive on contact tracing, stressing that it is a treatment activity in which user consent is essential.
Finally, EDPB emphasizes that, in the case of activities that are potentially very harmful to the privacy of internet users, transparency is essential for the legality of these data processing activities.
The Brazil and the use of similar technologies
Recently in Brazil, information regarding the adoption of similar technologies was disclosed, either by initiative of the federal government and the state governments.
Here, however, we note the particularity that our General Data Protection Law is not yet in force, and has a chance of having its validity postponed to the year 2021. Additionally, the lack of a fully developed National Data Protection Authority corroborates the fact that the Brazilian population is in a situation of considerable lack of rights regarding privacy and protection of their personal data.
In general terms, this results in the vulnerability of Brazilian internet users, who do not yet have effective mechanisms to defend their rights. In view of this situation, the importance of the population requiring detailed information on the technologies used by government agencies is multiplying: in view of the deficiency of the legal mechanisms in vogue, the need to externalize the wishes of internet users is reinforced.
Conclusion
The use of individual tracking technologies can be an extremely important tool for a faster and more effective treatment of the coronavirus pandemic. However, it is important to keep in mind what EDPB mentions at the conclusion of its guidelines document to address the situation. The entity states that “one should not have to choose between an efficient response to the current crisis and the protection of our fundamental rights: we can achieve both, and moreover data protection principles can play a very important role in the fight against the virus.”.
Are you interested in content about how the current global situation regarding coronavirus affects issues related to law and the internet? IRIS has published content on the topic consistently over the past few weeks. To access our most recent post, about the COVID-19 pandemic, health apps and zero-rating practice on mobile phone plans, click here!
The views and opinions expressed in this article are those of the authors.
Illustration by Freepik Stories
Written by
Victor Vieira (See all posts from this author)
Victor Vieira holds a Bachelor’s Degree in Law from the Federal University of Minas Gerais (UFMG) and is a postgraduate student in Personal Data Protection at the Pontifical Catholic University of Minas Gerais (PUC Minas). He is a researcher and data protection officer at the Institute for Research on Internet and Society (IRIS), and a lawyer. Member and certified by the International Association of Privacy Professionals (IAPP) as Certified Information Privacy Professional – Europe (CIPP/E).