Covid tracing apps: a comparison of different approaches
Back to Communications Law Committee publications
As the global community struggled to contain the Covid-19 pandemic throughout 2020, various international governments incorporated new data-driven technologies within their suite of regulatory tools to reduce the spread of the coronavirus.
Governments developed or supported the roll out of mobile apps designed to supplement manual contact tracing efforts by identifying users exposed to an infectious Covid-19 case. International variations of the mobile apps include Australia’s COVIDSafe, Belgium’s Coronalert, Bulgaria’s Virusafe, Chile’s Coronapp, Denmark’s Smittestop, Finland’s Koronavilkku, Ghana’s GH COVID-19 Tracker, Italy’s Immuni, the Netherlands’ CoronaMelda, Singapore’s TraceTogether and the UK’s NHS App. Various US states also created their own versions, for example California’s CA Notify and Virginia’s COVIDWise.
Generally, the apps operate in the background of a user’s phone and electronically exchange an individual reference code with other app users nearby – a ‘digital handshake’. The app then stores the reference code, together with the distance between the users and the length of their contact. If a user tests positive for Covid-19, the data collected from that user’s app may be used to alert other users who may have been in contact with the positive case while they were infectious.
In addition to automating some aspects of the contact tracing process, use of the mobile apps enables the identification of strangers with whom an infected person may have had contact in public areas, such as supermarkets or on public transport, but who would otherwise be uncontactable by manual tracing efforts.
Variations between applications
While each of the apps are functionally similar, there are many technical and operational distinctions between models. Most of the apps – including in Australia, Belgium, Denmark, Finland, Italy and the UK – use Bluetooth signals to exchange the individual reference codes in order to avoid locational tracking of users; whereas the Chilean model operates using GPS technology.
In Singapore, the government distributed, for free, a physical token (the TraceTogether Token) to all Singaporean residents to ensure that individuals without a smart phone (for example, the elderly and younger children) also had access to the app. Like the app, the TraceTogether Token functions using Bluetooth technology, with contacts stored on the device until the user gives consent to share their data with the health authority.
There are also substantial differences between the data storage methods in each country. In Australia, Italy and Singapore, the data recorded by the app is stored on local servers, rather than to the specific personal device as is the case in the Netherlands and UK.
In April 2020, Google and Apple developed their own application programming interface (API) – the Exposure Notification system – built within the iOS and android operating systems to enable digital contact tracing via background Bluetooth operations. In most countries, the Covid tracing app was built around the Google and Apple system, with Australia being one of the sole jurisdictions to develop its own independent system.
Generally, it is not mandatory to download the apps, with populations adopting the apps on a voluntary basis. However, in Singapore, there are certain populations and certain locations where the use of the app (or token) is compulsory. Migrant workers are required to download the app or use the token as a condition of their work permit. In some venues, such as workplaces, schools and restaurants, use of the app or token is also required.
A work in progress: amendments were made to address a variety of issues
Many governments were responsive to privacy and data security concerns raised by users and data protection authorities. The Ghanaian GH COVID-19 Tracker was reviewed and re-developed to address community concern that it collected more user data than was necessary for its purposes, as well as to rectify integrity issues that enabled users to make data entries on behalf of other persons.
Similarly, developers of the Dutch app, CoronaMelda, responded to advice from the Data Protection Authority and eliminated government use of anonymised traffic data for the purposes of overseeing public movement during lockdown. The Data Protection Authority had raised concerns that there was a danger the datasets could be re-identified posing a risk to users’ privacy.
In the UK, the first iteration of the NHS App was ultimately abandoned due to functionality issues which prevented it from recognising more than four per cent of nearby iOS users and 75 per cent of nearby Android users. The technical specifications differ substantially between the current and former iterations with some UK commentators attributing the more accurate recognition of nearby users to the use of the Google-Apple API in the current iteration. Storage methods also differ between the two models, with records of user contact now stored on each user’s personal device rather than on a centralised server (to address privacy concerns).
Legislative framework and legal difficulties
In most countries, the use of tracing apps and other Covid-19 related data technology required the enactment of specific regulation to authorise the collection and use of personal data. Pre-existing legislative frameworks were insufficient to confer such data-collecting capabilities on governments.
For example, the Dutch parliament, in consultation with the Data Protection Authority, sought to confirm the legality of the app under the General Data Protection Regulation through the introduction of a new legal basis for the collection and processing of personal data.
Legal difficulties have arisen in other jurisdictions where the legal basis for the governments’ data collection and processing has been less clear. In Bulgaria, despite the implementation of a Covid-specific legislative framework for the collection and processing of personal information, the government’s use of telecommunications traffic data was ultimately prohibited by the Constitutional Court. The traffic data was originally collected to monitor and enforce compliance with mandatory isolation requirements and could be accessed by the police and government ministers without a warrant – though, where a court later determined the access to be unlawful, the data was required to be deleted within 24 hours. Despite the endorsement of the local Data Protection Authority, the Constitutional Court prohibited this practice, finding that the extent of data collection was disproportionate in the circumstances.
Similarly, Denmark had initially used aggregated mobile data to track public compliance with social distancing requirements. The practice has since been discontinued. However, concerns have been raised that the collection and processing of such data was without a legal basis.
Less transparency about the legality of the app’s operation has, in some countries, undermined public trust in the app. This has resulted in fewer downloads, limiting the effectiveness of the app. In Chile, for example, there are concerns regarding the lack of clear basis for data collection and, in some circumstances, concerns that data is collected and processed for purposes which exceed the consent given by users. The app also permits users to enter sensitive health data on behalf of third parties which may occur without their knowledge or consent. Less than one per cent of the Chilean public have downloaded the app.
Even in countries where the app has faced fewer legal doubts, public confidence has been difficult to secure. In Australia less than 30 per cent of the population has downloaded COVIDSafe and only 16 per cent and 17 per cent of the Italian and Danish populations have downloaded Immuni and Smittestop, respectively. The generally low take-up of the tracing apps is reflected in other jurisdictions worldwide, with few countries – including Iceland and Ireland – successfully achieving downloads from more than 40 per cent of the population. In late 2020, Singapore achieved a 70 per cent adoption rate. Two notable explanations for this success are the distribution of the TraceTogether Tokens to provide access for residents who are not digitally connected and the active steps taken by the government to facilitate community engagement and transparency. The Singaporean government organised a public ‘tear down’ of the technology to increase public trust in the technology. Non-government tech experts and open-source advocates were invited to ‘tear down’ the mobile app and token technology to publicly verify that it would only function as set out by the government. The differing success, in legality, public trust and functionality between emerging Covid-related data technologies, emphasises a need for clear communication to incentivise user participation and confidence, particularly with regard to the app’s technical operation, privacy, data security and, importantly, the specific benefits to individual users.
More information on different jurisdictions
For more information about the use of mobile apps in different jurisdictions, see here.
Thank you to the following firms for assisting in providing input into this survey:
Australia: Angela Flannery, Holding Redlich
Belgium: Laurent De Muyter and Lucie Fournier, Jones Day
Bulgaria: Violetta Kunze and Milka Ivanova, Djingov, Gouginski, Kyutchukov & Velichkov
Chile: Alfonso Silva, Carey
Denmark: Kristian Storgaard and Torben Waage, Kromann Reumert
Finland: Jukka-Pekka Joensuu, Eversheds
Ghana: Desmond Israel, Nsiah Akuetteh & Co
Italy: Vittorio Noseda, Nctm
Singapore: Chung Nian Lam, Wong Partnership
The Netherlands: Berend van der Eijk, Bird & Bird
United Kingdom: Simon Persoff and Ben Marshall, Clifford Chance
United States: Samuel L Feder, Jenner & Block
Back to Communications Law Committee publications