The Belgian draft law on the use of digital contact tracing applications: GDPR compliant?
Digital contact tracing applications, which allow citizens to identify whether they have been in contact with a person infected with the COVID-19 virus, already exist in several countries. In Belgium, however, there is as yet no legal framework for contact tracing applications.
On 13 May 2020 the Belgian Government approved at first reading a draft bill on the use of digital contact tracing applications to prevent the further spread of the COVID-19 virus among the population (the “Bill”). On 26 May 2020 both the Belgian Data Protection Authority (“DPA”) and the Council of State issued independent advice in which they severely criticise the current set-up of the draft Bill.
In this article we summarise the provisions of the draft Bill as well as the concerns formulated by the DPA in its opinion no. 43/2020 of 26 May 2020.
1. Contact tracing applications: concept and functioning
The draft Bill explains that digital contact tracing applications (“App” or “Apps”) allow citizens to identify whether they have recently been in contact with a person infected with COVID-19. Importantly, however, such Apps (i) should not allow citizens to know who the infected person is, and (ii) do not store information on where citizens have been (location data), nor is this information stored in a central government database.
The draft Bill also describes how such Apps should function. Summarised, the following approach would be envisaged:
- Any App user can indicate in the App that he/she is infected with COVID-19.
- As soon as this is done, Sciensano verifies the authenticity of this notification and sends an SMS to the App user for verification. Once the notification has been verified, Sciensano authorises the App to upload the secret key and the date of suspected infection to a central log list containing the secret keys of all patients infected with COVID-19. Sciensano, a public research institution in the field of public health, is the data controller for this information.
- Any smartphone on which the App is installed generates one or more unique secret keys. Based on these keys, the smartphone creates random serial numbers at regular intervals. The smartphone broadcasts these serial numbers, but also registers the serial numbers of other smartphones in its vicinity.
- Smartphones on which the App is installed regularly connect to the central log list. The smartphone verifies whether it has been in the close vicinity of smartphones of infected users in the last three weeks. If that is the case, the smartphone alerts its user.
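The flow described in the list above, as an added Python sketch that is not code from the draft Bill or from the DP3T project. It assumes a daily one-way key rotation modelled on DP3T's low-cost design and substitutes a plain HMAC-SHA256 derivation for the serial numbers; `Phone`, `next_key` and `serial_numbers` are hypothetical names, and Sciensano's SMS verification step is left out.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

RETENTION_DAYS = 21  # three-week window stated in the draft Bill
SLOTS_PER_DAY = 4    # assumption: one serial number per 6-hour part of the day

def next_key(key):
    """Daily one-way rotation (assumption): an uploaded key reveals no earlier day."""
    return hashlib.sha256(key).digest()

def serial_numbers(key):
    """Derive one day's broadcast serial numbers from that day's secret key."""
    return [hmac.new(key, b"serial|%d" % slot, hashlib.sha256).digest()[:16]
            for slot in range(SLOTS_PER_DAY)]

class Phone:
    def __init__(self, first_day):
        self.keys = {first_day: secrets.token_bytes(32)}  # day -> secret key, kept on the phone
        self.heard = {}                                   # serial number -> day it was received

    def key_for(self, day):
        last = max(self.keys)
        while last < day:  # extend the hash chain up to the requested day
            self.keys[last + timedelta(days=1)] = next_key(self.keys[last])
            last += timedelta(days=1)
        return self.keys[day]

    def broadcast(self, day, slot):
        return serial_numbers(self.key_for(day))[slot]

    def report(self, infected_from):
        """Entry for the central log list: a secret key and a date, no identity or location."""
        day = max(infected_from, min(self.keys))
        return self.key_for(day), day

    def exposed(self, log_list, today):
        """Match locally: re-derive infected users' serial numbers and compare with those heard."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        self.heard = {s: d for s, d in self.heard.items() if d >= cutoff}
        for key, day in log_list:
            while day <= today:
                if any(self.heard.get(s) == day for s in serial_numbers(key)):
                    return True
                key, day = next_key(key), day + timedelta(days=1)
        return False
```

The central log list is just a list of `report()` tuples; the comparison runs on each phone, so the server never learns which phones were near each other.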
2. Main provisions of the draft Bill
A. The DP3T-system
The draft Bill provides that the Apps should be based on the DP3T-system. An App based on the DP3T system stores only completely anonymous data on users’ smartphones, without any reference to the identity of the persons between whom the contact took place or to the exact location where the contact took place.
B. Data processing purposes and technical specifications
Article 4 of the Bill determines the purposes of the processing of personal data that will be carried out using the Apps. These are (i) confirming an App user’s COVID-19 infection, (ii) warning other App users that they have, during a certain period of time, been in the vicinity of a person infected with COVID-19, and (iii) carrying out epidemiological research on the spread of COVID-19 on the basis of anonymised data. Note that the third purpose is optional and requires the App user’s explicit opt-in. To that end, the Bill sets out various technical specifications. The data controller’s website must give a more detailed overview of these technical specifications.
C. Voluntary nature of the Apps
Secondly, the draft Bill emphasises that the (de-)installation and use of the Apps can take place on a voluntary basis only. No (civil or criminal) sanctions and no discriminatory act or disadvantage can be imposed if a person does not install or use an App.
D. Information generated by the Apps and the central log list
Article 7 of the draft Bill sets out the information to be generated by the Apps (including the secret keys, the serial numbers, a time zone consisting of a date and a 6-hour part of the day during which a contact between users has taken place, as well as the distance and duration of the contact). The retention period of the data is three weeks starting from the date on which the information is generated. Additionally, an App user can voluntarily insert in the App (i) whether he/she is infected with COVID-19, and (ii) his/her telephone number.
The Bill also sets out the information to be retained in the central log list. This includes (i) the App user’s secret key(s) and (ii) the date on which the App user was presumably infected. The retention period of the data stored in the central log list is three weeks.
Furthermore, the Bill also sets out the information which can be transmitted to and retained by a central database for the third (optional) purpose of the Apps, i.e. epidemiological research. In this respect, the Bill explicitly provides that the information contained in the central log list and in the central database for the epidemiological research purpose should be stored separately and cannot be combined with each other.
E. De-activation of the Apps
The Bill provides that each of the Apps will be deactivated immediately by the data controller from the day of publication of a royal decree announcing the official end of the COVID-19 epidemic.
F. Access to the central log list
Finally, Article 11 of the Bill provides that the data controller, with respect to the processing of the information contained in the central log list (and the central database for epidemiological research), must provide a strict and adequate user and access management procedure.
3. The DPA’s opinion of 26 May 2020: a substantial revision of the draft Bill is required
As briefly mentioned above, the DPA has serious concerns regarding the set-up of the draft Bill. The issues raised by the DPA mainly concern the risk of re-identification of persons infected with COVID-19.
A. Necessity of contact tracing apps
The DPA remarks that the legislator should first demonstrate whether having contact tracing Apps (which will process sensitive personal data) is necessary and appropriate in view of the management of the deconfinement. This analysis should be sufficiently documented before any App is made available to the public.
B. The DP3T system and the functioning of the Apps
The DPA repeatedly expresses its concerns regarding the risk that persons infected with COVID-19 could be (re)-identified. Not all risks in this respect are eliminated, in particular (i) the risk of a person being able to determine who infected him/her, or (ii) the location of infected persons. Additional guarantees and risk mitigation strategies should be implemented at the level of the Apps in order to further reduce the re-identification risk.
C. Sciensano as data controller
The DPA’s concerns regarding the abovementioned (re-)identification risk also relate to the appointment of Sciensano as data controller. Through another bill, Sciensano has in fact already been appointed as data controller for another large database of persons that are infected with COVID-19. These databases may however not be combined and should not be managed by the same persons.
Furthermore, it should be specified (i) whether it is Sciensano or another entity that will decide which Apps will be used and made available to the public, and (ii) that Sciensano will take responsibility for verifying and ensuring that the Apps that will be offered to the public comply with all applicable legal specifications.
D. Purposes of processing and measures relating to the data minimisation principle
The DPA criticises several aspects regarding the purposes of the processing as set out in Article 4 of the draft Bill. The DPA, among other things, recommends deleting the third purpose regarding epidemiological research.
E. Definition of important concepts and transparency
The DPA adds that in order to improve the readability of the Bill and the predictability of the processing that will result from the use of the Apps, definitions of important concepts (e.g. “contact tracing”, “user”, “risk contact”, “authorization code”, “secret key”, “non-personalized temporary serial number”) should be included in the text of the Bill.
The DPA also specifically emphasises that in order to enhance the confidence of potential users, they must be clearly informed about the way in which the Apps will operate (regarding data processing and data exchange), as well as about its concrete and operational purposes.
The DPA’s concerns regarding the risk of re-identification also relate to the use of users’ telephone number, which the DPA calls “the weak link” in the system. The DPA therefore recommends taking several measures in order to mitigate this risk.
F. Civil or criminal sanctions for violation of voluntary nature of the App
The DPA underlines the voluntary nature of the Apps. Therefore, civil or criminal sanctions should be imposed if access to certain goods or services were to be made conditional upon the use of an App.
G. De-activation of the Apps
Article 9 §3 of the draft Bill provides that the Apps will be deactivated as soon as a Royal Decree proclaiming the end of the epidemic is published in the Belgian State Gazette. Given that it is possible that Apps may no longer be necessary before that time, the DPA considers that the Bill should specify the term by which the App should be automatically deactivated, with the possibility for the competent minister to extend this term.
The concerns raised by the DPA, combined with the concerns raised by the Council of State in its opinion of 26 May 2020 (relating, among other things, to risks associated with ‘false positive’ and ‘false negative’ notifications, and the need for the federal government to respect the exclusive competences of the regional governments in the sphere of preventive healthcare), have caused a significant delay in the discussions regarding the draft Bill.
Limited amendments have been introduced to meet some of these concerns. Meanwhile, time continues to pass, and the momentum may be lost. On the other hand, the right to privacy is a fundamental right from which the Parliament should not lightly deviate – not even in crisis situations.
At the same time, comparable initiatives are launched at regional level (as suggested by the Council of State) and an inter-regional framework collaboration agreement for the set-up of contact tracing applications is being discussed. These initiatives do however need to be able to rely on a solid legal framework as well, which is currently non-existent.
This article was last updated on 18 June 2020.
Stéphanie De Smedt, Counsel, Attorney at Law
Stéphanie De Smedt, attorney at law, is a member of the Litigation & Risk Management practice group in our Brussels office. She is head for Belgium of the IP/IT Team, the Data Protection Team and the Life Sciences Team.