Covid-19 & data protection in The Netherlands: contact tracing app and automated collection of location data
1. Contact tracing app
In early April the Ministry of health welfare and sport (VWS) made a public call for the development of a contact-tracing app. Out of the 660 app proposals it received (the so-called “appathon”), it selected 7, which it then asked the Dutch DPA (the Autoriteit Persoonsgegevens – AP) to assess in terms of privacy and data security. In its assessment of 20 April 2020, the AP concluded that it was impossible to properly assess the apps on their compliance with the GDPR. The reason being that the legislative framework as it stood at the time was insufficiently developed, in particular as far as who the data controller is, the specification of the purpose, and the legal basis for the processing of data are concerned. Also, because it had insufficient information about the apps themselves, the AP was not able to assess the proportionality of the measure, and in particular, it asked for more evidence on the lack of less harmful alternatives.
Since then the government seems to have changed strategy. It has published a “program of requirements” for the app to fulfil. These requirements include elements of privacy by design such as an emphasis on data minimisation, the use of the Apple and Google decentralised contact tracing technology, or the reliance upon anonymous contact codes for the communication between phones via Bluetooth. Furthermore, contact data are deleted from the phone after 14 days. On this basis, it has shifted towards an open-source strategy for the development of the app, which is now called: CoronaMelder (literally: “Corona reporter”).
However, the “program of requirements” also makes it clear that it does not contain an analysis of the legality of the project, and that such analysis should be conducted in the future on the basis of a data protection impact assessment (DPIA), which will be undertaken jointly with the AP. In other words, even if this “program of requirements” addresses some data protection issues from a technical perspective, it does not address the objections of the AP, and it therefore remains to be seen whether it will be considered legal and compliant with the data protection principles that the AP highlighted. In this regard, the responsible Minister (Hugo de Jong) is planning to issue a Bill proposal that will mark out the way the app should be used. It also remains to be seen whether it will address some of the privacy and data protection concerns.
The Dutch government has initiated various tests of the app. First, in closed environment (by the army), then on a limited number of people (30) in the Twente region (26-29 June). It subsequently resorted to a 1,500 wide population sample (1-10 July), before a planned full deployment of the app in two regions (Twente and Rotterdam-Rijnmond) (17 August). The ongoing tests were supposed to test the app’s user-friendliness, privacy and data protection compliance, and security. Even though important concerns remain concerning the latter two elements (notably because the AP still has not issued its opinion or the DPIA, and because additional security tests must be performed), the Government has nonetheless assessed the app to be fit-for-purpose, and has therefore decided for its roll-out on 1st September 2020.
2. Bill proposal: collection of traffic and location data
Next to the discussions around the tracing app, the Dutch government has now put forth a Bill proposal for a law that would essentially force telecommunication service providers to collect mobile phones meta data (location and traffic data), and to send it to the RIVM (National Institute for Public Health and the Environment), the so-called “temporary law on information transmission to the RIVM in relation to COVID-19” (“Tijdelijke wet informatieverstrekking RIVM i.v.m. COVID-19” – our translation).
This law is seen as necessary in the context of the easing of the lockdown and other corona-related measures. Given that people are gradually recovering their freedom of movement, the goal is to monitor and gather information about crowds and displacements at population level in order to measure the effects of the easing with a view of avoiding a second wave of infections.
The proposal works as follows. The service providers collect location and traffic data of mobile devices which use their services. Out of this data, the providers must infer the hourly count of total numbers of mobile phones per municipality, broken down by the derived origin (residential municipality) of the holder of the mobile phone. In order to determine the municipality of origin of the mobile phone, the service providers look at where the phone has connected most of the time on average over the past 30 days. The whole point therefore is to track the movements of populations between municipalities in order to identify potential risks of virus transmission between people. In case a revival of infections has been observed, the RIVM has at its disposal a map of where the infectious people have been. It can then inform the local health institutions.
Given the type of data at stake, the law is seen as a modification of the telecommunication Act, which implements the e-privacy Directive. More in particular, given that this type of processing purpose for traffic and location data is not foreseen by the Telecommunications Act, the Bill proposal is explicitly constructed as a restriction of the rights and principles as provided in Art. 15 of the e-privacy Directive, and Art. 23 GDPR. The e-privacy Directive does not contain the ground of public health as a legitimate aim justifying the restrictions, but Art. 23 GDPR does. This regime of exception is therefore grounded into Art. 6c of the Public health Act (Wet Publiek Gezondheid).
A first version of the Bill was sent to the AP along with the accompanying DPIA on 13 May 2020. In an opinion of 19 May 2020, the AP criticized the proposal on various grounds. The modification of the Telecommunications law was meant to be permanent in case of new pandemic cases in the future. Furthermore, the AP also criticised the lack of precise definition and delineation concerning the purpose of collection, the type of data to be collected, and the modalities of processing. The AP criticised the lack of adequate justification concerning the proportionality of the law, and in particular concerning the existence of a pressing social need. Finally, the AP also criticised the lack of procedural safeguards (parliamentary, judicial or independent administrative body), especially given the large discretion awarded to the government in this first draft.
The second Bill proposal of 29 May 2020 addresses these various criticisms. The law would now be a temporary one, being in force for only one year. The purpose has been specified, and so have the modalities of processing: the proposal defines in detail the pseudonymisation requirements, as well as the safeguards to ensure that the data processed by the RIVM are anonymous statistics (in particular prohibition of sharing the data with third parties in light of the Breyer judgment, prohibition of aggregation if there are fewer than 15 mobile devices to avoid reidentification, limits to hourly measurements). The pressing social need is further justified (an example is given, and the need for this type of epidemiological data is re-emphasised). Finally, the law is submitted to parliamentary control in the form of an assessment of its effectiveness and fitness for purpose after 6 months.
The AP has indicated that it will review the second Bill proposal, but it has not done so yet. However, and even though the opinion is still missing, the proposal is proving to be controversial and is encountering various hurdles. This is unsurprising given that the proposal as it stands provides for an intensive surveillance regime of population movements linked to people’s municipality of residence. Leaving aside the question as to whether the data that the RIVM receives are truly anonymised, this type of measures present high risks to the fundamental rights and freedoms of individuals. For instance, the proposal is now in the hands of the Dutch House of Representatives(“Tweede Kamer”), which has refused the government’s request to adopt the Bill before the summer. Telecommunication service providers also have their doubts. They ask that better safeguards be enshrined in the Bill, in particular as far as the necessity of the measure is concerned, and as far as the anonymisation process is concerned. As things stand, the anonymisation process is insufficiently specified in the law, and therefore it is unclear to the telecom providers whether it will perform as well as advertised by the government.
In an interview in the national press, the chairman of the AP has strongly criticised the proposal too. He agreed with the telecom providers on the issue of anonymity, arguing that the anonymisation measures should be defined in the law with “razor sharp” precision. Given the extremely sensitive nature of the data at stake, any re-identification of the data has very important privacy risks (e.g., law enforcement authorities being able to use the data and determine who took part in a demonstration). In that regard, the safeguards for the security of data is insufficiently demonstrated. This can be linked among others to the one-year storage duration, which is completely excessive according to him, and which renders the data vulnerable to hacking attempts or data leaks. The data should be deleted as soon as they have been used. Furthermore, the necessity of such drastic measures is not demonstrated according to him. They would be justified in cases where a pandemic is truly overwhelming, but not in the context of the easing of the lockdown measures. Given all these shortcomings, the AP Chairman warns that in case the law is not modified, the AP might contest its lawfulness before the Courts.
As things stand, both projects are still surrounded with important legal doubts. Yet, the Dutch government has shown its willingness to go forward in any case. The next months will tell us whether some of the key measures of the Dutch strategy against the Coronavirus are based on what appears to be illegal methods, or whether the legal discussion will move forward, and possibly answer some of the key hanging legal questions such as that of the necessity of the means and the absence of less harmful alternatives in the gathering of epidemiological data.