Update (April 19 3:13 pm): The resolution was passed in the European Parliament with 395 votes in favour, 171 against, and 128 abstentions on April 17. As we had expected, the resolution was adopted without any changes to the clauses about contact tracing apps and misinformation. However, the adopted text adds a new paragraph (§55) that acknowledged the “particularly acute and worsening financial situation in the media, especially news media across the EU” and pointed out that “free, independent and sufficiently funded media are instrumental for a functioning democracy and for ensuring that citizens are well informed throughout this crisis”.

Today, the European Parliament will discuss a Bill that demands proof of concept on how use of contact tracing apps by a part of population, in combination with other specific measures, will actually lead to a lower number of infections. The Bill also demands that all storage of data generated through such apps be decentralised, and developers and countries be absolutely transparent about the code and allow independent audits of such apps. Through this Bill (and potential Resolution), there’s a lot that developers of Indian government’s contact tracing app, Aarogya Setu, can learn and implement (more on that below).

This Bill deals with EU’s larger coordinated action “to combat the COVID-19 pandemic and its consequences”, and has dealt with contact tracing apps in the section titled “Protecting democracy, rule of law and fundamental rights”. The Bill has been proposed by four members of European Parliament on behalf of 499 members. The European Parliament has 705 members. Since this Bill has a clear majority, it could go directly to vote at the discretion of the president of the European Parliament under Rule 132 (5) of the Procedure of the European Parliament. Since none of the 80 proposed amendments to the Bill deal with contact tracing apps, it is likely that these sections will be passed by the Parliament as they are.

Proposed regulation of contact tracing apps

  • Installation of contact tracing apps should not be made mandatory
  • All storage of data must be decentralised as centralised databases “are prone to potential risk of abuse and loss of trust and may endanger uptake throughout the app”
  • Complete transparency on non-EU commercial interests of developers of these apps
  • These apps should have sunset clauses, that is, definite expiry dates, and abide by principles of data protection by design and data minimisation.
  • European Commission and member states must be fully transparent about how the apps function so that people can conduct independent security and privacy audits on the “underlying protocol” to ensure that the apps function as the authorities claim.
  • There must be full oversight by data protection authorities (DPA).
  • National and EU authorities must fully comply with data protection and privacy legislation, and national DPA oversight and guidance.
  • Mobile location data must only be processed in compliance with the ePrivacy Directive and the GDPR.

Dealing with misinformation, anonymised telecom data

To deal with misinformation, the Bill has proposed that EU establish a European information source in all official languages. European Centre for Disease Prevention and Control (ECDC) should be in charge of coordinating and aligning member nations’ data to improve quality and comparability. It has also proposed that social media companies should take proactive and necessary measures “to stop disinformation and hate speech regarding the coronavirus”.

The Bill has only “taken note” of the European Commission’s plan to call on “telecoms providers to hand over anonymised and aggregated data in order to limit the spread of the coronavirus, of national tracking programmes already in force” without suggesting any measures to ensure adherence to the GDPR or to principles of data minimisation.

Lessons for Aarogya Setu: MediaNama’s take

Since the government of India released its own contact tracing app, Aarogya Setu, on April 2, it has been shrouded in secrecy. Despite being developed as a public-private partnership (PPP), the government has not been forthcoming about who the private developers are, what kind of a partnership has been struck, and how the app came to be. Government resources are perhaps better diverted to proven methods such as manually tracing people’s movement history, and procuring testing kits and PPE kits for healthcare workers, instead of developing disproportionate, privacy-eroding technologies with no proof of concept and aggressively advertising them.

Despite that, the European Parliament makes some sound suggestions and here’s how Aarogya Setu can implement them:

  1. Don’t make the app mandatory: The app has already been made mandatory for employees of Prasar Bharati and Central Armed Police Forces (CAPF). Despite the Ministry of Home Affairs only “encouraging” that the app be downloaded, this kind of piecemeal approach to mandate the app’s use suggests that soon all government employees and civil servants will be forced to download the app. Since the app has already announced that e-passes for movement will soon be introduced, fundamental rights could be conditionally offered only to citizens who download the app. Needless to say, all of this is unnecessary and violative of people’s rights.
  2. Don’t store data on a centralised server: As per the app’s privacy policy, all personal information is hashed to a unique digital ID (DiD) and uploaded to a government server. That is unnecessary. The authorities don’t need to upload the users’ personal information to the server if they can be identified and contacted using the DiD.
  3. Operate transparently: Since this app has been developed through a public-private partnership, details of who the private partners are must be made publicly available.
  4. Allow independent audits of the code: Aarogya Setu’s Terms of Service explicitly forbid reverse-engineering, making this app, that is expected to be ideally used by 1.3 billion people, a black box. Independent security audits will help iron out the chinks in the app, and make it more robust from a privacy perspective.
  5. Introduce sunset clauses: As we had discussed in our analysis of Aarogya Setu’s privacy policy, neither the Terms of Service, nor the privacy policy, mention that this is a temporary app meant to be used only for contact tracing during the COVID-19 pandemic.
  6. Abide by data protection by design and data minimisation: In the absence of a data protection law in India, the developers of Aarogya Setu, of their own volition, must err on the side of data protection and data minimisation. This means that the app should be used only for the sole purpose of contact tracing. Tacking on extra features, such as UPI payments to PM CARES fund, e-pass registration, etc. is unnecessary and an excuse for collecting more data. Also, the app needs clearer data retention and deletion policies where it needs to clarify whether uninstalling the app means all data, including DiD, related to the individual is deleted from the app, other users’ devices and the government server.

***Update (April 19 3:13 pm): Updated with passage of the Bill. Headline updated accordingly. Originally published on April 16, 2020 at 12:38 pm.