Contact Tracing Apps and Privacy
India’s Contact Tracing App
Early this year, the app Aarogya Setu was launched in India. It was required by the Indian government to be used by public and private employees alike. Concerns and criticism have arisen over how this type of app can invade a person’s privacy. The Aarogya Setu app uses Bluetooth and location data to let the user know whether they have come into contact with a person who was found COVID-19 positive. All the data collected by the app is shared with the Indian government. According to the CEO of India’s IT ministry, the app uses factors like proximity and how recent the contact was to determine the probability of a person’s risk of infection. Due to the convenience offered by the app, it has already been mandated by employers and by India’s Prime Minister, Narendra Modi. However, former Indian Supreme Court judge BN Srikrishna opined that the use of the app was utterly illegal as no law allows its use.
The app allows authorities to upload the collected information to a government-owned and operated server. The developers claim that user data is anonymized once users register for the app; however, this claim is questioned by some groups due to previous actions by the government, which may have betrayed a disregard for people’s right to privacy. Moreover, unlike similar apps, the app is not open source, preventing an audit for any security flaws it may carry. This has led to people successfully hacking into the app to prevent it from using their personal data or from even functioning at all.
Contact Tracing Apps in the Philippines
The Inter-Agency Task Force for the management of emerging infectious diseases (IATF) has recommended the StaySafe.ph app as the contact tracing app in the Philippines. The Department of Health (DOH) has also welcomed the development of other apps like Citizen’s Logistics and Early Assessment Report tool (CLEAR) and MyEGuard. StaySafe.ph remains the official contact tracing app utilized by the DOH, although it has faced criticism similar to that of India’s contact tracing app.
The developers of StaySafe.ph claim that user data is deleted every thirty (30) days. However, some critics have raised concerns over the type of permissions the app asks for, such as permission to use Bluetooth and the phone’s location data. The app has been submitted for audit to the National Privacy Commission (NPC). The NPC has yet to issue a statement on the matter.
Contact Tracing and the Data Privacy Act
Time and again, the Data Privacy Act has been used as a tool to argue against contact tracing, resulting in the NPC issuing a Bulletin to remind the public that the claim is false. The NPC has previously issued guidelines on the proper handling of personal data for the purpose of contact tracing. The guiding principles behind data collection in contact tracing are: (1) proportionality of the data collected; (2) transparency of the purpose; (3) use of the information for said purpose; (4) use of reasonable and appropriate safeguards for the data; and (5) retaining the data only for a limited time. The NPC has stated in its guidelines that these principles apply not only to physical means of collecting data but also to electronic means.
So would contact tracing apps be deemed illegal in the Philippines? Not per se, as long as the guidelines set forth by the NPC are followed by the app in question.