Covid-19 has truly proven to challenge the perseverance and durability of our society, more importantly, it has triggered an unprecedented innovative boom as a result of meeting our needs and addressing novel issues. A key debate originating since the spark of global lockdowns in March 2020 has been on how to best manage the infection rate and thereby terminating the virus gradually.
To address this, besides the age-old methods such as social distancing and isolation, digital tracing applications utilising a proximity system that would notify smartphone users of potential contamination by the virus have been introduced. This further evolved into the concept of Digital Immunity Passports (DIP) which is an application that manages an individual’s Covid-19 related test results and health certificates. The DIP model which is generally favoured leans towards a decentralised system of data collection wherein only the data owner is able to use or share his data which is end-to-end encrypted as the data is only federated on a mobile device. In this post, we will focus on the continuation of the tracing debate, specifically, discussing the use of DIP and whether domestic and international usage of the DIP would face challenges in Privacy law and other areas.
The decentralised system DIPs have been lauded by the airlines industry and also by countries such as Chile and Germany and Italy. In November 2020, after the three known vaccines, i.e. Pfizer, Modena and Oxford-AstraZeneca reported more than 90% efficacy of their vaccines, the International Air Transport Association immediately made an announcement that its DIP is in the final phase of development, implying that it should be utilised to revive air travel. The CommonPass Project (which collaborates with the World Economic Forum) also has a DIP model that is designed to streamline vaccine information across borders. DIPs are marketed as a global standardisation that is necessary to help society move away from costly and difficult social distancing and blanket isolation measures. While DIP may succeed in certain parts of the globe, some governments fail to deliver a confident and robust system on account of public trust. One of the main concerns being in how such data is used (‘mission/feature creep’) and protected (decentralised or centralised data collection, ‘sunset provisions’ etc.).
In the UK particularly, we have seen and can compare both the centralised and decentralised systems used in tracing. Evidently, the latter (Google-Apple tracing system based on the principles of the DP-3T protocol) was more successful because of its privacy-friendly model and has replaced the government’s centralised system since autumn 2020.[1] The tussle between the need to assist public healthcare while not compromising privacy as it lies at the heart of these two models. While in theory, DIPs are presented as privacy-friendly, however a wide spread utilisation of the DIP may also pose other issues such as infringing upon human and civil rights.[2]
Domestically, the UK’s prime minister, Boris Johnson, has in February 2021 announced that the government will not introduce any domestic vaccine passports, and instead rely on mass vaccination and rapid lateral flow testing. The vaccine minister, Nadhim Zahawi, has also expressed that the use of domestic vaccine passports would be ‘wrong’, as it may very well lead to discrimination for those who cannot and will not take the jab.[3] Although, this is merely a public stance, as the government does not explicitly prohibit the private use of immunity passports and instead emphasises to companies that wants to use vaccination passports to make sure it still abides with discrimination and privacy law. For example, law firms and other large companies are considering mandatory vaccinations of its existing and future employees by amending existing employment contracts and/or including such a clause in future ones. This would require them to disclose sensitive medical data and open up the risk for possible discrimination claims if they cannot get vaccinated because of a pregnancy, religious beliefs or certain health conditions.[4]
Furthermore, in order to use the DIP effectively, in which you can take the DIP to travel and be used internationally, there would also be a need for international collaboration and consensus. The first question to ask ourselves then is which vaccine(s) (if any) would be considered reliable enough to reach international consensus? Politically, this may raise certain issues (for example, states have denied the same vaccines that many others have accepted, such as the Swiss regulator denying the AstraZeneca vaccine[5]). Practically too, while countries are actively developing vaccines, no vaccine is a forerunner in providing complete immunity and therefore the certainty of DIP may be non-existent and arguably ineffective.
From a legal and technical perspective, if a centralised database system would be applied to the DIP, the data that is transferred internationally has to adhere to data transfer regulation, which may complicate matters particularly in regard to data leaving the EU which is under the protection of the GDPR. In terms of the GDPR, the decentralised database system (which is key to the coveted DIP) is consistent with the data minimisation and collection for purpose rule. This favours very strongly for the DIP. In a decentralised system, the data is locally stored on the device and remains fully anonymous without the need for third party interference. For the foregoing reasons, the decentralised system is immutable, yet some argue that it may not be successfully lobbied since governments lose the right to observe and track data for certain public health policy measures and businesses do not stand to make a profit from such models as the data is not harvested centrally. Alternatively, in the centralised system, which has (identifiable) data collated at one point; while it is seamless for government surveillance, it would result in massive data mining by companies which would ultimately lead to abuse and misuse of data.
In conclusion, the guiding principles of vaccines is to facilitate and not impose restrictions on those who refuse to take them. Therefore, primarily, on the basis of possible discrimination of those who cannot or refuse to vaccinate themselves, there is a strong case to avoid the use of DIPs. On the other hand, since the social distancing and isolation measures are a cost to society, the economy, our mental wellbeing, the utilitarian approach may be to gradually return to ‘normal’ day-to-day life as much as possible, through decentralised DIPs.
After all, utilisation of the DIP should be treated as an interim measure until the virus is fully contained and/or the vaccination is successful and as such, deviating from the most privacy-preserving option may be permissible with appropriate safeguards such as ‘sunset’ mechanisms. Whichever way adopted, it is sure to set a precedent for future pandemics and should therefore be decided upon in that respect.
[1] Leo Kelion, ‘UK virus-tracing app switches to Apple-Google model’ BBC (London, 18 June 2020) <https://www.bbc.co.uk/news/technology-53095336> (Accessed 18 Feb 2021).
[2] Chris Hicks*, David Butler*, Carsten Maple, Jon Crowcroft. SecureABC: Secure AntiBody Certificates for COVID-19. CoRR, abs/2005.11833. 2020. <https://www.turing.ac.uk/research/publications/secureabc-secure-antibody-certificates-covid-19> (paper currently under review) (Accessed 18 Feb 2021).
[3] Kate Beioley, George Parker, Delphine Strauss, Alice Hancock and Siddharth Venkataramakrishnan, ‘UK companies look to make Covid-19 vaccinations mandatory’ Financial Times (London, 16 February 2021) <https://www.ft.com/content/965dfaf0-f070-4dae-93a6-28bedbdb75da> (Accessed 18 Feb 2021).
[4] ibid.
[5] Sam Jones and Donato Paolo Mancini, ‘Swiss medical regulator rejects Oxford/AstraZeneca Covid vaccine’ Financial Times (London, 3 February 2021) <https://www.ft.com/content/a6a6d64c-a337-4af4-9525-d194571c7887> (Accessed 18 Feb 2021).