Four U.K.-based privacy lawyers said in a written legal opinion that the National Health Service's plan to reject a system designed by Apple and Google and build their own platform to track those carrying the disease through Bluetooth technology on their cellphones could breach parts of the European Convention on Human Rights and the General Data Protection Regulation, the E.U.'s stiff privacy regime.
Contact-tracing smartphone apps — a digital form of a practice that has long been used to track the spread of infectious diseases — are meant to alert people if they have come into close contact with someone who has been diagnosed. The joint initiative unveiled by Apple and Google last month is designed to store the logs of people whom users have been in contact remotely on their personal devices, in a "decentralized" process.
The NHS' plan, on the other hand, would store such data on a centralized server overseen by the government, NHS officials told the U.K. Parliament last week.
Matthew Gould, the CEO of NHS' digital user experience agency, NHSX, promised in an April 24 blog post that all of app users' data will remain anonymous, unless they choose to divulge extra information to the government "to help us identify hotspots and trends." NHS officials have also defended their soon-to-be launched "centralized" COVID-19 tracing app as allowing authorities to analyze data in ways that are not possible under "decentralized" systems, making the app more effective.
But the industry attorneys — Matthew Ryder QC and Edward Craven of Matrix Chambers, Gayatri Sarathy of Blackstone Chambers and Ravi Naik of the data rights law firm AWO — claimed Monday that the centralized approach raises serious privacy concerns.
"We consider that the decentralised systems … are likely to be in accordance with the law, proportionate and necessary," the attorneys wrote in a 65-page legal opinion. "In contrast, a centralised system would result in a significantly greater interference with users' privacy and require greater justification."
The attorneys wrote that "it seems inevitable" that the centralized COVID-19 tracking systems would present risks that the anonymous collected data could be combined with other information to potentially re-identify users. Such risks threaten Article 8 of the European Convention on Human Rights, which provides a right to respect for one's "private and family life," the lawyers claimed.
The U.K. government has also announced plans to allow public health authorities and private companies to share data to help fight the pandemic, the attorneys wrote. But such plans "currently lack sufficient clarity and detail" to comply with the principles laid out in Article 5 of the GDPR, including a promise to only collect data for specific and legitimate purposes, the legal opinion reads.
Monday's opinion comes after the U.K.'s privacy watchdog last month gave the Google-Apple tracking technology an early blessing, saying that the plan "aligned with the principles" of U.K. privacy law, including by mandating by design that only necessary information about specific people is collected.
An NHS representative did not immediately respond to a request for comment sent after business hours on Monday.
--Additional reporting by Allison Grande. Editing by Michael Watanabe.
For a reprint of this article, please contact reprints@law360.com.