GDPR "inadequate" to protect against contact-tracing privacy risks

Parliamentarians have called for the government to adopt urgent legislation to protect UK citizens' privacy when they download a widely-touted contact-tracing app.

Existing laws and frameworks are unfit for purpose, according to Harriet Harman MP, chair of the Joint Committee on Human Rights, whose cross-party panel of MPs and Lords has examined plans to introduce contact-tracing technology.

GDPR is "wholly inadequate", the Labour veteran has claimed, because its consent-based model of data protection does not lend itself to the entirely new kind of data harvesting that contact-tracing requires.

The committee, as a result, has produced its own draft Bill for the government to consider, establishing a framework that safeguards user data specifically with regards to any contact-tracing software introduced.

“We did a report before the last election looking at the protection of data in the digital age,” Harman told journalists during a conference call. “We heard evidence that even those people who were gathering the data didn’t have full sightlines all the way through to know what was being gathered.”

“We found the current system for data protection wholly inadequate even for the gathering of data that was at that point being carried out. This is a wholly new area of data collection and therefore we need not the failed mish-mash of protections that currently exist, we need a new, bespoke bill.”

Currently, data protection and privacy guarantees are offered based on a spread between GDPR, the Data Protection Act 2018, case law on privacy, and principles outlined in the European Convention on Human Rights. The setup amounts to “tangled law” that never envisaged anything amounting to the contact-tracing technology about to be rolled out.

The MP was also critical of the health secretary Matt Hancock, who has not yet responded to the committee’s request for the government to consider the legislation, despite suggesting in a letter that individuals would be given assurances their data is safe. A letter, Harman added, does not amount to legal protection.

The contact-tracing app is voluntary but requires a certain proportion of the public to download it in order to be effective in controlling the spread of the virus, thought to be between 60% and 80%. Legislation guaranteeing safeguards against any breach of privacy would go some way toward reassuring the public that their data will not be misused.

Regardless of whether the app being developed pursues a centralised or decentralised model, the Bill would outline specifically the purpose of gathering data for contact-tracing, who can access the data, and also ensure the deletion of data once the system is no longer needed.

The Bill would also introduce a contact-tracing Tsar to oversee complaints. That function has traditionally been exercised by the Information Commissioner’s Office (ICO), although Harman insists the data regulator is not well-equipped to rule on the legality of any contact-tracing system. This, she argues, is due to a fundamental flaw in the way the ICO was established.

“The way we set up the Information Commissioner is we gave the office responsibility both to advise but also to enforce, and actually, that can be bordering on conflict of interest,” the committee chair continued.

“Because if you’ve been advising, which the Information Commissioner has been, about the setup of the system, then you kind of are vested in it, and you need a clean pair of eyes to actually look at it.”

Since the government first revealed its intentions to develop a contact-tracing app, organisations have lined up to voice their concerns over the potential for privacy infringements, particularly with regards to the centralised model.

Amnesty International, for example, recently expressed concern that the government may be planning to route private data through a central database, which would open the door to “pervasive state surveillance”.

The claim that GDPR is unfit for purpose to protect against contact-tracing privacy risks comes almost two years after the toughest data protection laws to date came into force.

Since its implementation, despite the promise of hefty fines for data protection violations, very little in fines has actually been collected and few cases have reached a conclusion. This is despite mounting complaints, especially on the doorstep of the Irish Data Protection Commission (DPC), and even the ‘intention to fine’ notices issued by the ICO against BA and Marriott for data breaches in 2018.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.