Written Evidence to the Science and Technology Committee
Dr Audrey Guinchard, School of Law, University of Essex and
Dr Subhajit Basu, School of Law, University of Leeds
We are writing as two academics working in the fields of data protection law and regulation of emerging technologies. Dr Audrey Guinchard is a Senior Lecturer (Law), the University of Essex and Dr Subhajit Basu is an Associate Professor (Law) at University of Leeds and Chair of BILETA. Dr Guinchard latest paper has focused on DeepMind, now absorbed by Google Health UK. Dr Basu is co-author of the critically acclaimed book Privacy and Healthcare Data: Choice of Control to Choice and Control. Routledge, 2016)
Our submission presents a legal perspective on technological issues and highlights where the technology needs to evolve to comply with the legal provisions. This concerns the Committee’s terms of reference n. 5 and n. 7: ‘the capturing during the crisis of data of the quantity and quality needed to inform’; and ‘the UK’s readiness for future outbreaks’.
Summary of proposed steps:
Page 5 of 5
We are not opposed to the ‘contact tracing app’. Our focus is to improve the environment in which this innovative technology is being developed.
In this submission, we are not repeating what has been discussed; instead, we want to add to the existing discussions, bringing to the Committee new perspectives on the current debate about the Covid-19 app and beyond this pandemic.
We think that the Covid-19 issues are not specific to the pandemic. Some of the problems reflect the recurring challenges that the NHS faces for the development and use of digital technologies, along with inherent problems that exist in the development and use of smartphone technology. The solutions lie not in the change of the law, but in better strategic decisions and in the technology underlining the processing of personal data acknowledging that it ‘should be designed to serve mankind’ (Recital 4 GDPR).
The processing of sensitive personal data, i.e. health data, cannot on principle be processed (Article 9(1) GDPR) unless specific grounds apply and justify the processing (Article 9(2) GDPR, and Article 6 GDPR). Consequently, the processing by NHS X remains an exception and, as all exceptions in the law, it calls for a restrictive interpretation that colours the decisions NHS X has to take for processing.
Articles 6 and 9 GDPR allow consent as a means to justify processing. If consent is used, it must be free, informed, specific and unambiguous (Article 4(11) GDPR; Recital 43 GDPR). Consent is not free when there is an imbalance of power between the data subject (the app user) and the controller (NHS X), whereby the data subject feels s/he cannot refuse the use of the technology without fearing negative consequences. Consent for undertaking scientific research has been expressly discouraged. In addition, when relying on consent, the controller must provide for the withdrawal of consent and the ensuing deletion of the data at any given time.
For Covid-19 apps, on 4 May 2020, the ICO pointed out that the voluntary download of the app is not ‘consent’ for the purpose of the GDPR. Nevertheless, it leaves the door open to consent, mentioning that other grounds may be ‘more appropriate, such as performance of a task in the public interest (particularly where an app is developed by or on behalf of a public health authority).’ The Joint Committee on Human Rights has also pointed out that the consent model is broken.  The EU regulator has indicated as early as 16 March 2020 that consent is an unlikely ground, and that public authorities should rely on a public interest ground. The French data protection regulator on 24 April 2020 has discarded consent for the French centralised Covid-19 app, explaining instead that the public interest ground should be used (Article 6(1)(e) GDPR) as well as the public health ground (Article 9(2()(i) GDPR).  The French regulator has now welcomed the use of these grounds in the draft statutory instrument which the French Government is proposing on its Covid-19 app.
NHS X has continuously indicated that consent will be sought, presenting consent as an indicator of its commitment to privacy and the law. It is however extremely unlikely that consent can justify the processing, especially for research. The trial of the app, i.e. the live testing in the Isle of Wight, is likely to be considered as research, and therefore would fall under Article 9(2)(g) GDPR, the ground for scientific research, not under consent. NHS X seems to confuse the voluntary nature of using the app with the legal justification for processing data, despite the ICO having expressly pointed out the difference. Consequently, NHS X appears misguided as to the use of consent to justify the processing.
If consent were to be used, not only it needs to be free but also unambiguous, specific and informed. Reasonable expectations of users are here important to understand what they are consenting to. Given the context, a pandemic, expectations reasonably centre around medical research. As it transpired, the Ministry of Defence envisages to move and use the data for behavioural research. For most users, this research is not within their reasonable expectations. And therefore, consent would be negated. In addition, Recital 33 GDPR indicates that broad consent can only be tolerated as a temporary measure. Data subjects so users of the app would need to have the opportunity to provide further consent to certain defined, specific, areas of research.
The technology was initially developed to connect two devices within close range, like headphones to a computer. A new use was invented, transforming Bluetooth into a proximity tracing tool for commercial benefits. This tracing function of Bluetooth is going to be used in the Covid-19 tracing app. We think this raises security and human rights issues. The following focuses on the latter: the privacy risk and how technological solutions could help to minimise the risk.
By adopting this technology for the purpose of tracing, the re-purposing of Bluetooth has highlighted its inherent drawbacks, notably the difference in signal strength depending on the model, make, and OS system considered. This lack of standardisation obliges developers to request access to the phones’ identifying information. At present the processing of this additional information can be deemed necessary; but in the medium term, an argument can be made for standardisation of signal strength being a better alternative to fulfil the requirement of data minimisation in the GDPR. Given Android’s dominance at 75% of the smartphone market, exploring how to achieve standardisation is likely to make Bluetooth more privacy-friendly.
Furthermore, while the app does not collect location data, in an Android operating system, for the app to perform, the user has to allow access to location data in order to use Bluetooth. NHS X does not address the issue it creates by its use of Bluetooth. In effect, the app reveals a systemic and long-standing issue in the Android operating system. The design of the operating system is not privacy-friendly because the user will have to make a concerted effort to switch off location for each app, assuming this is possible for every app and that the operating system does not collect location data either. This issue has not been raised for iOS operating systems as iOS does not request access to location data for Bluetooth to function. In data protection terms, the difference between Android and iOS means that one operating system (iOS) complies with the data minimisation requirement but not the other (Android). This is privacy by design issue (Article 25, GDPR). It affects 75% of smartphone users, putting more users in a disadvantageous position. This issue is beyond the NHS X app, but it is such a fundamental element of the smartphone ecosystem that in our view, the Committee should consider directing ICO to investigate.
Exercise Cygnus conducted in October 2016 involved all major departments (including NHS), and local authorities across Britain. As we understand, it showed gaping holes in terms of preparedness, resilience and response plans. The report published by the Guardian (not yet confirmed or denied by the Department of Health and Social Care) does not seem to mention the use of digital technologies. The capability to create digital contact tracing apps already existed in 2016; the NHS was already considering apps for some specific direct care issues as part of its strategy to enhance care. This raises the question as to why the use of digital apps to support the response to the exercise was not discussed.
Page 5 of 5
 EDPB, "Guidelines 05/2020 on consent under Regulation 2016/679. Version 1.0," (May 4, 2020). https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf; replacing, Article 29 Working Party, "Guidelines on consent under Regulation 2016/679. WP 259 rev.01," (2018). The same points were made in 2007 for consent for the processing of health data under the Directive, Article 29 Working Party, "Working Document on the processing of personal data relating to health in electronic health records (EHR). WP 131," (2007); ICO, Guidance on GDPR, Consent, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/consent/what-is-valid-consent/#what2.
 EDPB “Guidelines 05/2020 on consent under Regulations 2016/679” pp28-30; Article 29 WP, WP 259, pp27-28; ICO, Guidance on GDPR
 ICO, "COVID-19 Contact tracing: data protection expectations on app development," (May 4, 2020). https://ico.org.uk/media/for-organisations/documents/2617676/ico-contact-tracing-recommendations.pdf.
 ICO, "COVID-19 Contact tracing: data protection expectations on app development.", 6;; Article 9 GDPR see ICO, Guidance on GDPR, accessed 14 May 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/
 Joint Committee on Human Rights, "Oral evidence (virtual proceeding): The Government’s response to Covid-19: human rights implications”, HC 265, Questions 1-9, (April 20, 2020), Q4, p12 referring to Joint Committee on Human Rights, "The Right to Privacy and the Digital Revolution" (2019) https://publications.parliament.uk/pa/jt201919/jtselect/jtrights/122/122.pdf.
 EDPB, "Statement of the EDPB Chair on the processing of personal data in the context of the COVID-19 outbreak," (March 16, 2020). https://edpb.europa.eu/news/news/2020/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak_pt.
 The French app uses a centralised approach as the UK one, CNIL, "Délibération n° 2020-046 du 24 avril 2020 portant avis sur un projet d’application mobile dénommée « StopCovid »," (April 24, 2020), French only, 5-6, https://www.cnil.fr/sites/default/files/atoms/files/deliberation_du_24_avril_2020_portant_avis_sur_un_projet_dapplication_mobile_stopcovid.pdf.
 Délibération n° 2020-056 du 25 mai 2020 portant avis sur un projet de décret relatif à l’application mobile dénommée « StopCovid » (demande d’avis n° 20008032), French only, p4, https://www.cnil.fr/sites/default/files/atoms/files/deliberation-2020-056-25-mai-2020-avis-projet-decret-application-stopcovid.pdf.
 House of Commons Science and Technoogy Committee, "Oral evidence: UK Science, Research and Technology Capability and Influence in Global Disease Outbreaks,” HC 136, Q 326, 340, 341, 364, 366; Joint Committee on Human Rights, "Oral evidence (virtual proceeding): The Government’s response to Covid-19: human rights implications”, HC 265, Q17; NHS X, Data Protection Impact Assessment. NHS COVID-19 App PILOT LIVE RELEASE Isle of Wight. (06 May 2020) <https://faq.covid19.nhs.uk/DPIA%20COVID-19%20App%20PILOT%20LIVE%20RELEASE%20Isle%20of%20Wight%20Version%201.0.pdf> at page 22
 ICO, "COVID-19 Contact tracing: data protection expectations on app development," 6.
 Corfield G, 'UK's Ministry of Defence: We'll harvest and anonymise private COVID-19 apps' tracing data by handing it to 'behavioural science' arm', The Register (May 20, 2020) https://www.theregister.co.uk/2020/05/20/mod_covid_19_app_data_anonymising/.
 See EDPB, "Guidelines 05/2020 on consent under Regulation 2016/679. Version 1.0,"
 Kwet M, 'In Stores, Secret Bluetooth Surveillance Tracks Your Every Move ' The New York Times (June 14, 2019) https://www.nytimes.com/interactive/2019/06/14/opinion/bluetooth-wireless-tracking-privacy.html; as acknowledged in Culnane C and Teague V, Security analysis of the UK NHS COVID-19 App (2020) at https://github.com/vteague/contactTracing/blob/master/blog/2020-05-19UKContactTracing.md#Disclosure-policy.
 Github, NHS X covid-19 app, issues 16, 26 and 32, at https://github.com/nhsx/COVID-19-app-Android-BETA; Ian Levy, NHS Covid-10 app security: two weeks on (2020) at https://www.ncsc.gov.uk/blog-post/nhs-covid-19-app-security-two-weeks-on.
 NHS X, FAQ. Why do Android phones require users to turn on location? (2020) at https://faq.covid19.nhs.uk/article/KA-01037/en-us.
 See the projects outlined in House of Commons Library, Briefing Paper. Patient health records: Access, sharing and confidentiality. SN07103 (2020) May 15, 2020.