New Infographic Illustrates Key Aspects of Location Data

Today, the Future of Privacy Forum (FPF) published an infographic, “The World of Geolocation Data,” that outlines how location data is generated from mobile devices, who has access to it, and factors to consider in evaluating privacy risks. Data from our mobile devices, including smartphones and fitness trackers, can serve as a proxy for where we are located over time, revealing intimate information about individuals and groups.

“During the COVID-19 pandemic, many are interested in employing both location data and proximity signals from smartphones to track the spread of the virus and measure adherence to social distancing guidelines,” said Stacey Gray, FPF Senior Counsel. “We’re helping policymakers and public health officials understand location data so they can make proactive, knowledgeable choices about the use of this sensitive information.”

The infographic shows how mobile devices interpret signals from Wi-Fi and Bluetooth networks, cell towers, and GPS satellites to pinpoint their location, as well as how that data is analyzed by the mobile operating system to provide a precise measurement to mobile apps upon request. The graphic describes the different entities that are able to access, use, or share various types of location data, including cell phone carriers, mobile apps and app partners, and downstream recipients. Finally, the graphic describes the factors that make location data more or less risky, including persistence and frequency, precision, accuracy, known or sensitive locations, and the use of de-identifying technologies.

Stacey Gray, Senior Counsel at FPF and the author of the infographic, will host a webinar to help policymakers better understand the complicated ecosystem for device location data on Tuesday, June 2nd at 12 PM EDT. The webinar will include an expanded discussion of the infographic, will answer questions about evaluating and mitigating risks in real-world location datasets, and will feature technical and legal experts, including Shane Wiley, CPO of Cuebiq; Kara Selke, VP of Commercial Development and Privacy at Streetlight Data; as well as Chelsey Colbert, Policy Counsel at FPF and Dr. Rob van Eijk, FPF’s Managing Director for Europe. To register for the event, click here.

Other recently-published resources from FPF related to privacy and the coronavirus pandemic include: 

The full list of FPF’s privacy and pandemics resources can be accessed on the FPF website at fpf.org/privacy-and-pandemics.

About FPF

The Future of Privacy Forum (FPF) is a non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting fpf.org. 

Understanding the "World of Geolocation Data"

How is location data generated from mobile devices, who gets access to it, and how? As debates over companies and public health authorities using device data to address the current global pandemic continue, it is more important than ever for policymakers and regulators to understand the practical basics of how mobile operating systems work, how apps request access to information, and how location datasets can be more or less risky or revealing for individuals and groups. Today, Future of Privacy Forum released a new infographic, “The World of Geolocation Data,” that explores these issues.

In this infographic, we demonstrate how mobile devices, such as smartphones, interpret signals from their surroundings – including GPS satellites, cell towers, Wi-Fi networks, and Bluetooth – to generate a precise location measurement (latitude and longitude). This measurement is provided by the mobile operating system to mobile apps through a Location Services API when they request it and receive the user’s permission. As a result, apps must comply with the technical and policy controls set by the mobile operating systems, such as App Store Policies.

Many different entities (including, but not limited to mobile apps) provide location features or use location data for a variety of other purposes. Different entities are subject to different restrictions, such as public commitments, privacy policies, contracts and licensing agreements, user controls, app store policies, and sector-specific laws (such as telecommunications laws for mobile carriers). In addition, broadly applicable privacy and consumer protection laws will generally apply to all commercial entities, such as the California Consumer Privacy Act, or the Federal Trade Commission Act (FTC Act).

Finally, in addition to legal and policy controls, location datasets can be technically modified to further mitigate risks to individuals and groups. Some of those practical mitigation steps might include:

Future of Privacy Forum Partners with Dublin City University

Today, the Future of Privacy Forum (FPF) and Dublin City University (DCU) have announced a new partnership that will see them host joint conferences and workshops, collaborate on research projects, develop resources for policymakers, and pursue applications for research opportunities together over the next three years.

“Partnering with DCU will allow us to collaborate with some of the world’s leading experts on AI and other innovative technologies to ensure data protection, privacy and ethics remain a priority for research and new products,” said Jules Polonetsky, CEO of the Future of Privacy Forum. “FPF is expanding its presence in Ireland because individuals in the US and EU share common values about both privacy and data protection challenges as well as the opportunities data enables to make our lives better.”

DCU is home to some of the leading AI-focused research and scholarship programs in Ireland. DCU is a lead university for the Science Foundation Ireland ADAPT program, and hosts the consortium leadership for the INSIGHT research centre, two of the largest government funded AI and tech-focused development programs.

“Our partnership with the Future of Privacy Forum will be a valuable asset as DCU helps craft the strategy to keep Ireland a global leader in developing artificial intelligence and other technologies,” said Professor Lisa Looney, Executive Dean of the Faculty of Engineering and Computing at DCU. “Leaders in government and in industry respect FPF for its expertise on the best approaches to balance individual privacy and the benefits of new technology applications.”

FPF will be partnering with DCU on a proposal for a SFI Industry-Academia project on data governance with tech platforms and SFI research centers across Ireland. FPF and The Faculty of Engineering and Computing also plan to engage in joint research via EU funding, student projects and national funding like SFI ADAPT and INSIGHT research centers. Engineering and Computing launched a campus-wide Ethics and Privacy week event this year and will work with FPF to make this an annual event and extend its reach to undergraduates across all disciplines as well as the DCU research community.

FPF has built strong partnerships across Europe through its convening and trainings for policymakers and regulators. To learn more about FPF’s EU work, head to fpf.org/eu.

CONTACT

Nat Wood

(410) 507-7898

About Dublin City University

DCU is Ireland’s fastest growing university. It has seen its student population increase by 50% in the past five years, to over 17,500 students. It has forged a reputation as Ireland’s university of enterprise, through its strong, active links with academic, research, and industry partners both at home and overseas.

DCU has five faculties incorporating 23 schools spread across three academic campuses, located in Glasnevin and Drumcondra, on the Northside of Dublin City. 

DCU develops highly sought-after, well-rounded graduates who are ready for the workforce and eager to apply their knowledge and skills in a broad range of settings. For more information, please visit www.dcu.ie

FPF CEO: Will I Install an Exposure Notification App? Thoughts on the Apple-Google API

As a privacy expert, if my local health department develops a mobile app for people with a COVID diagnosis to alert anyone they were near, will I use it?

Yes, I will. And I will urge friends, neighbors and colleagues to download such an app. I have an immuno-compromised family member in my household. I am also lucky to live one block from my senior citizen in-laws. If a health department app can inform me that I am possibly at risk, I can take measures to keep them safe from me. I want that app to be built with privacy protections in place, collecting only the data needed and deleting it as soon as possible. Today, Apple and Google have launched new capabilities for health department apps, with strict technical privacy restrictions to try to provide these apps with the ability to scan for nearby devices and to delete data in 30 days.

In my home state of Maryland, Governor Hogan is seeking to quadruple the current staffing to 1,000 state employees and outside contractors supporting manual contact tracing, but hiring and training will take time. Contact tracing relies on interviewing people about who they may have come into contact with recently and then painstakingly finding contact information needed to contact every one of those potentially exposed individuals. It also relies on people to accurately remember all of their interactions. Can you remember the people you stood next to on the long line at the grocery store last week?

Should my health department offer an app to supplement this process? I hope they will look closely at the way apps have been used by health departments for exposure notification around the world and decide whether it would be a useful supplement to the human contact tracing effort they are setting up.

In an ideal world, we would have a national response that deployed hundreds of thousands of human contact tracers, so that use of an app would be a very minor supplemental option. Exposure notification apps would be tested for efficacy in a careful controlled study. The CDC would be working with the WHO to advise based on the results of studies of the app efforts in Singapore, Israel, Hong Kong, South Korea and elsewhere. We might learn if they are helpful and what data they need. Do health department apps need precise location, despite the risks of revealing the private activities of individuals? Can the apps rely solely on information from Bluetooth about proximity to nearby phones to be effective? Are the apps effective if they are voluntary and work in a decentralized manner? What is the risk of abuse of data collected in countries without strong data protection legislation or countries with dangerous human rights records? But we do not live in a perfect world, and timely preventive measures can save lives today.

I realize that the data may be imprecise, untested, imperfect. I will look to my reasonably competent health department for guidance. I realize I am privileged in this regard. If I get an alert, I can work from home and be paid. I can err on the side of safety out of caution. Many cannot. I realize that not everyone has a smartphone, so this is not a service that all can benefit from, but it is one of the most widely adopted technologies in the world. I hope we can find ways to ensure everyone can have access and that we can address economic and racial disparities.

I vote, donate and actively campaign for candidates who I hope will work to make society more just. I have served in government at the city, state and federal level and have been elected to office and have been appointed to office. But in an imperfect world and during an emergency, we all need to make the most ethical decision with the facts at hand. Relying on such apps is in my view a potentially helpful supplemental safety measure that fills a gap created by the current challenges.

Let’s turn to what Apple and Google should be doing to support local health departments. First, let’s note that Apple and Google haven’t invented the idea of using a phone for exposure notification or contact tracing during this pandemic. Health departments in countries that moved quickly to respond to the outbreak quickly commissioned apps that used the mobile phone location services, and sometimes Bluetooth capabilities, and promoted them to their local populations. But it turns out that due to privacy settings and power limitations, mobile phones aren’t the most effective tool for the highly precise information collection needed for tracing. These privacy protections have been baked deep into the device’s operating system, due to years of work to prevent misuse by human-rights-abusing governments, stalkers and criminals and by advertisers and marketers.

Another current interoperability problem that the Google-Apple API will solve for is that existing exposure notification apps are often not interoperable with each other. If a person downloads an app from one public health authority but then comes into contact with a user of an app from another jurisdiction, the apps often will not recognize one another. However, all apps using the Apple-Google API will recognize one another. This type of scalability is essential to enable effective notifications, thereby beginning to enable society to cautiously reopen.

These are the limitations that public health authorities are facing in developing apps. The apps that have launched to date have usually relied on asking users to opt in to sharing their location. Revealing precise location data can reveal intimate information – where you’re going, where you’ve been, your character, interests, habits, religion, political inclinations.

So health departments began looking to Google and Apple to give them better access to the limited Bluetooth APIs currently available. Remarkably, for two competitors who rarely cooperate, Apple and Google partnered on providing a new API that allows background sending and receiving of rotating Bluetooth identifiers. This gives apps access to new information that they couldn’t get before, but with limits to how it can be accessed or used. Only health departments will be approved to use this new API, to limit the sending of fake signals. Health departments are not sent information about individual users, as the app and device handle the communications locally.

Apple and Google did not create an app. It’s an API, which means a technical method for apps to get information off of the device. Public health authorities will create the apps that use this information, and be responsible for how it is communicated and how users receive alerts and what those alerts say. Public health authorities will have options to determine who should be alerted based on Bluetooth signal strength and time period of proximity to trigger an alert.

Now here is where it gets complicated. Some health departments want to use the new API and also collect location data, creating a risk that users can be identified. Some health departments want to create centralized databases to help them track and analyze the data collected. These health departments want Google and Apple to change their APIs and terms of use for the apps to allow collection of more personal data from users. But any changes made to the API or terms will affect users in every country in the world, creating risks that governments could misuse the API for law enforcement or for human rights abuses. Some privacy advocates think that even the current apps limited to Bluetooth can create a security risk. Some think that local democratic governments should set the privacy rules, not tech companies. Most average users will have a difficult time understanding the important differences between location and proximity. There is some truth to every one of these points, and no option that doesn’t have some downside.

But, if you are like me, and you want to protect those around you by being able to get and share these alerts, with minimal risk to privacy, health department apps that use the new API should be able to provide an additional tool in the effort to re-open society as we fight the pandemic.

For more privacy and data protection resources related to COVID-19, click here.

FPF Honors UC-Irvine/Lumos Labs Partnership with First-Ever Award for Research Data Stewardship

University of California Irvine (UCI) Professor of Cognitive Science Mark Steyvers and Lumos Labs – the parent company behind Lumosity, a popular online brain-training game website – are the winners of the first-ever Award for Research Data Stewardship from the Future of Privacy Forum (FPF). The award-winning collaboration between Professor Steyvers and Lumos Labs employed privacy techniques to transform data on user play into innovative cognitive science research. The annual FPF Award for Research Data Stewardship is supported by the Alfred P. Sloan Foundation, a not-for-profit grantmaking institution that supports high-quality, impartial scientific research and institutions. 

Lumosity supplied de-identified data on users’ response time and accuracy from one Lumosity game to researchers interested in identifying how people flexibly and efficiently adapt their behavior in response to changing contexts, otherwise known as task switching. In order to ensure that the data sharing project minimized potential privacy risks, both parties took a number of steps, including:

“Independent research on consumer data collected by private companies holds the keys to addressing many of the challenges facing our society today, but it must be done in a way that protects individual privacy,” said Jules Polonetsky, CEO of the Future of Privacy Forum. “The COVID-19 pandemic has highlighted the urgency of promoting privacy-protective means of conducting research. That’s exactly what we’re doing by honoring Professor Steyvers and Lumos Labs as the winners of the Award for Research Data Stewardship.”

Nominees for the Award for Research Data Stewardship were judged based on their adherence to privacy protection in the data sharing process, the quality of the data handling process, and the company’s commitment to supporting academic research. Nominations were reviewed by a jury of experts comprised of academic and industry thought leaders, including representatives from FPF, leading foundations, academics, and industry leaders. Establishing data protections for corporate-academic data sharing is increasingly important as governments, healthcare institutions, and researchers aim to obtain and deploy consumer data to track the spread of the coronavirus, deliver emergency supplies, target travel restrictions and quarantines, and develop vaccines and cures. 

The partnership between Lumos Labs and Professor Steyvers was created through the Human Cognition Project (HCP), which is an online platform that was made to facilitate large-scale, collaborative research studies led by independent academic and clinical researchers. Over the last decade, the HCP has supported over 100 collaborators from universities and organizations, resulting in more than 40 peer-reviewed publications. 

“The Human Cognition Project as a whole, and the collaboration with Professor Steyvers in particular, demonstrates our commitment to sharing our data with academic researchers in a manner that respects individual privacy,” said Bob Schafer, General Manager of Lumos Labs. “Protecting the individual privacy of our users while using data and research to make the world a better place is at the heart of what we do at Lumos Labs.”

“The research collaboration with Lumos Labs enabled me to access the right data, without fear of compromising individual privacy,” said Mark Steyvers, Professor at University of California Irvine. “Through the Human Cognition Project, I was able to access large-scale data sets that enabled more extensive and precise investigations of human learning than is typically achievable conducting tests in a laboratory.” 

The partnership resulted in the publication of research in a leading journal that advances the research field’s understanding of an important cognitive function – task switching – and the impact of practice. The partnership has also provided resources and tools to the larger research community to promote transparency and reproducibility of results and has democratized this type of “big data” approach to the cognitive sciences. 

In addition to the award winners, FPF announced several nominated projects that earned honorable mentions, including: 

Learn more about the project, including best practices for future data sharing collaborations on the FPF website.

Newly Released COVID-19 Privacy Bills Would Regulate Pandemic-Related Data

By Pollyanna Sanderson (Policy Counsel), Stacey Gray (Senior Policy Counsel) & Katelyn Ringrose (Christopher Wolf Diversity Law Fellow)

Yesterday afternoon, leading House and Senate Democrats introduced the Public Health Emergency Privacy Act. The Democratic-led bill, which was introduced by Senators Blumenthal and Warner, as well as Representatives Eshoo, Schakowsky and DelBene, follows the May 10th introduction of a similar COVID-19 data protection bill by leading Senate Republicans. Although the bills are similarly broad in scope and substantively robust, they contain a few important differences. 

Both the Democratic-led and the Republican-led COVID-19 privacy bills introduced so far are motivated by an urgent need to build public trust in the use of personal data to address the current pandemic. For example, recent research shows a marked lack of trust among the American population when it comes to their digital privacy amid the COVID-19 pandemic.

Below, we summarize the Public Health Emergency Privacy Act’s (1) scope of covered data and entities; (2) legal requirements; and (3) a few key differences from its Republican counterpart. 

BROAD SCOPE OF COVERED DATA

The Democratic-led Public Health Emergency Privacy Act would create new substantive obligations for a broad range of covered entities processing data to address COVID-19, both public and private, including non-profits and employers with respect to data collected about their employees.

The Act would apply to:

LEGAL REQUIREMENTS

The Act contains a variety of blanket prohibitions (such as a prohibition on using COVID-19 data for commercial purposes), as well as a few affirmative obligations (such as reporting) on companies, non-profits, and other covered entities.

Covered entities would be prohibited from:

Covered entities would be required to: 

The Act includes a broad research exemption for public health or scientific research associated with COVID-19 when such research is carried out by a public health authority, nonprofit organization, or an institute of higher education. Furthermore, the Act would not prohibit research, development, manufacturing, or the distribution of COVID-19 related drugs or vaccines.

The Act does not preempt state laws, and includes a private right of action with tiered remedies according to whether the violation is negligent ($100-$1,000), or reckless, willful or intentional ($500-$5000).

COMPARISON TO SENATE REPUBLICANS’ COVID-19 PRIVACY BILL

Last week, Senator Roger Wicker, the Republican Chairman of the Senate Commerce Committee, introduced a similarly broad privacy bill with leading Senate Republicans, the COVID-19 Consumer Data Protection Act of 2020.

The two bills contain many similarities, including a requirement that covered entities obtain “affirmative express consent” to collect or process COVID-19 data, a requirement for recurring deletion, and a data minimization requirement that data should not be collected beyond what is necessary and proportionate to public health needs. 

We observe a few key differences between the Republican-led bill and this week’s Democratic-led bill:

As noted, there are some significant differences between these two proposals. We expect additional bills to emerge, as additional legislators set forward ideas to address COVID data issues, including some that may be more narrowly tailored to specific use cases. And, as the HR Policy Association recently pointed out, hundreds of current local labor and employment laws and regulations are currently applicable to COVID-related activities.   

In an op-ed this week calling for legislation, Commissioner Christine Wilson quoted the words of Samuel Johnson: “When a man knows he is to be hanged in a fortnight, it concentrates his mind wonderfully.” We hope the pressure to pass legislation during this crisis can bridge the political divides in Congress, but we also hope legislators appreciate the ongoing urgency of broad comprehensive data protection legislation.

FPF Charts DPAs’ Priorities and Focus Areas for the Next Decade

The Future of Privacy Forum (FPF) today released a white paper, New Decade, New Priorities: A summary of twelve European Data Protection Authorities’ strategic and operational plans for 2020 and beyond, that provides guidance on the priorities and focus areas that are considered top concerns amongst European Data Protection Authorities (DPAs) for the 2020s and beyond. 

DPAs across the European Union (EU) are in a unique position to shape the future of digital services and how they impact individuals and societies both through their outstanding enforcement powers and through their policymaking. To address the complexities of digital services and individual rights in the new decade and beyond, several DPAs have published strategic and operational plans, and have set new data protection policy goals to meet these challenges head-on. 

Co-authors Charlotte Kress, Rob van Eijk, and Gabriela Zanfir-Fortuna of FPF reviewed twelve publicly available strategic plans, roadmaps, and outlines to identify the top priorities and focus areas of DPAs during the coming decade and beyond. The authors also reviewed recently-released DPA guidance regarding COVID-19.

Their findings indicate that both the local DPAs and the EDPB are concentrating on guidelines for the consistent application of the GDPR, which aligns with ongoing harmonization efforts across the EU and the European Economic Area (EEA), aiming to:

  1. clarify how (relatively) recent technologies and business practices should operate under the GDPR;
  2. prepare for the implications and proliferation of newer technologies, such as artificial intelligence and automated decision-making; and
  3. protect those most vulnerable to the risks of data use practices such as data profiling.

National DPAs identified key topic areas as focus points for enforcement actions arising from DPAs’ “own motion,” such as advertising & marketing, health, and banking & finance. In addition, DPAs’ strategies most commonly enumerated policy-related topics such as artificial intelligence and children & youth privacy.

The summary of findings is a vital resource for understanding how European data protection and privacy law, enforcement, and policy will take shape in the years to come. The inclusion of COVID-related strategies and priorities provides a holistic view of what has become the new, unexpected focus area of DPAs across the continent.   

Read the Full Report Here

Artificial Intelligence and the COVID-19 Pandemic

By Brenda Leong and Dr. Sara Jordan

Machine learning-based technologies are playing a substantial role in the response to the COVID-19 pandemic. Experts are using machine learning to study the virus, test potential treatments, diagnose individuals, analyze the public health impacts, and more. Below, we describe some of the leading efforts and identify data protection and ethical issues related to machine learning and COVID-19, with a particular focus on apps directed to health care professionals that leverage audio-visual data, text analysis, chatbots, and sensors. Based on our analysis, we recommend that AI app developers:

 

Contents:

I. Overview

II. Analysis of COVID-19 Apps for Health Practitioners

I. Overview

As reported by the National Institutes of Health in partnership with several other agencies at a workshop in July 2019,

“Machine Intelligence (MI) is rapidly becoming an important approach across biomedical discovery, clinical research, medical diagnostics/devices, and precision medicine. Such tools can uncover new possibilities for researchers, physicians, and patients, allowing them to make more informed decisions and achieve better outcomes. When deployed in healthcare settings, these approaches have the potential to enhance efficiency and effectiveness of the health research and care ecosystem, and ultimately improve quality of patient care.”

Now – with the development of the pandemic resulting from the spread of the coronavirus (COVID-19), medical providers, institutions, and commercial developers are all considering whether and how to apply machine learning to confront the threat of this current crisis.

AI, some of which is based on machine learning, is being incorporated into the first lines of defense in the pandemic. Leading epidemiologists insist that we can only succeed in projecting the spread of the virus, and thus take steps to combat this crisis, if we: 1) know who has the disease; 2) study the data to reliably predict who is likely to get it; and 3) use existing data to inform the resource and supply chain in the short and long terms. From triage at hospitals, to scanning faces to check temperatures, to seeking to track the spread using individual data, various organizations are using machine learning-based algorithms with a variety of levels of complexity or sophistication.

In general, effective AI can either replicate what humans can do faster and more consistently (look at CCTV cameras, detect faces, read CT scans and identify ‘findings’ of pneumonia that radiologists can otherwise also find) or do things that humans can’t do (such as rapidly comb through thousands of chemical compounds to identify promising drug candidates). As the disease spreads, we see medical researchers around the world rushing to make sense of available data, facing the need to complete reliable analysis in a timeframe that is useful to others. In a recent paper, Artificial Intelligence Distinguishes COVID-19 from Community Acquired Pneumonia on Chest CT, a group of Chinese doctors took the data from the first months of the outbreak there to attempt a model that could provide automatic and accurate detection of COVID-19 using chest CTs. Their goal in the study was to develop a fully automatic framework to detect COVID-19 using only these regular chest scans and to evaluate its performance. Their study concluded that a deep learning model can accurately detect COVID-19 and differentiate it from other lung diseases. Others have pushed back against these claims, however, with concerns that this AI system was overfit to COVID-19 data subjects, although it is still an impressive feat given the speed and circumstances, and likely a useful tool to a more measured degree.

Researchers from Carnegie Mellon considered an early version of COVID Voice Detector, an app that would analyze a user’s voice to detect an infection. Although since put on hiatus, this proposed application demonstrated the variety of “out of the box” ways diagnosis is being addressed. The app assigns a score to each voice sample based on similarities to voices of those diagnosed with COVID-19. If implemented, the app will depend on crowdsourcing, collecting training data via voice samples from both healthy and infected individuals. By analyzing the voice beyond what the human ear can hear, it would identify vocal biomarkers that will enable the healthcare community to get insights on the symptoms and hopefully the onset of the COVID-19 virus. The app works by using artificial intelligence to analyze the voice and correlate it with the symptoms of COVID-19. Then an alert is triggered describing early symptoms and describing ways to monitor at home using only a smartphone.

Machine learning can also help expedite the drug development process, provide insight into which current antivirals might provide benefits, forecast infection rates, and help screen patients faster. Canadian startup BlueDot first identified the emergence of COVID-19 by citing an increase in pneumonia cases in Wuhan using an ML natural language processing program which monitored global health care reports and news outlets.

Many of these new and expedited applications are possible because of the compilations springing up of lists of datasets and use cases of machine learning applied to coronavirus. Consideration of these datasets and analyses points out the importance of incorporating review and involvement from scientists, such as biologists, chemists, and other appropriate specialists, so that the integration of data is done competently (asking the right questions, designed to solve the actual problems) and also to ensure that outcomes do not contribute to the false information springing up around pandemic conversations (e.g., gargling hot water, which, it turns out, is not helpful).

Ethical implications abound as well. This emergency is creating real life examples of commonly posed challenges to AI systems. Should AI help make life-or-death decisions in the coronavirus fight? Chinese researchers say they have developed an AI tool that can assist doctors in triaging COVID-19 patients. It analyses blood samples to predict comparable survival rates. But this raises complex questions about whether survivability/treatability should be a deciding factor in triage prioritization. Similar questions arise about the age of the patient, a doctor’s intuition, or how to design a formula that incorporates and weights several such factors. It is possible that AI can assist in the steps of this even if not used as the final decision-maker; that is, it can help identify quickly which markers (in blood, for example) correlate most to survival rates, or seriousness of condition, and so on.

Similar ethical and practical considerations arise when considering whether AI can responsibly provide medical assistance at an individual level. What if people ask a digital assistant or go online to a chatbot from a provider, insurer, or other platform?

Hospitals, public health agencies, and commercial health companies are seeking accessible ways to screen patients – such as online symptom checkers, which could allow them to screen themselves – for signs of COVID-19. The question is whether these AI-based access points can keep healthy people from inundating emergency rooms while still protecting those who need care. There is an important risk/benefit analysis in providing useful care to patients while not being overly exclusive or allowing the spread of harmful misinformation. Amazon announced that Alexa can now assist users in determining whether they might have contracted the virus by asking a series of questions related to travel history, symptoms, and possible exposure to COVID-19. Alexa also offers advice to users based on the Centers for Disease Control and Prevention (CDC) recommendations. Other features include singing a 20-second song to help time how long people should wash their hands.

The emergence of AI/ML in medicine also creates regulatory challenges, such as which medical AI/ML-based products should be reviewed as medical devices or services, and what evidence should be required to permit marketing for AI/ML-based software as a medical device (SaMD). The U.S. Food and Drug Administration recently proposed a discussion paper to address some of these issues, and a Nature.com paper responded by arguing that evaluation should be focused on assessing whole systems rather than individual ML-based products.

Finally, AR (augmented reality) and VR (virtual reality) technology are other AI-based systems that aim to provide services for COVID-19 patients and educate others. One example is USA Today’s “Flatten the Curve: A Week in Social Distancing” AR app. The app accesses the device camera and overlays an AR city onto a blank surface. The user addresses situations moving through a city and must choose between two options to learn how to maximize effective social distancing.

Other AR/VR platforms provide for COVID-19 patients to engage in group therapy. XR Health recently announced a VR telehealth support group, virtually bringing together COVID-19-positive patients along with medical professionals. The team behind XR Health hopes the VR experience will improve on traditional teleconferencing to increase the therapeutic benefits of interaction, encouraging patients to share personal experiences and emotions.

Political and structural responses:

The White House announced the launch of the COVID-19 High Performance Computing Consortium with the goal to advance the pace of scientific discovery by funding research proposals with this aim.

Meanwhile, Stanford University is hosting COVID-19 and AI: A Virtual Conference to address this public health crisis by convening experts to advance the understanding of the virus and its impact on society, not just AI applications in diagnostics and treatment, and forecasting of the spread of the virus, but also information and disinformation, and the broader impact of pandemics on economies, culture, government, and human behavior.  C3.ai, an AI company based in California, recently founded a research consortium called the C3.ai Digital Transformation Institute including leading academic institutions, Microsoft, and C3.ai with the goal of tackling challenges posed by COVID-19 using AI. Strategies might include tracking the spread of the virus, predicting its evolution, repurposing and developing new drugs, and fighting future outbreaks.

As a further shared resource, numerous tracking resources on AI and COVID-19 contain news reports, research studies, available data sets, and more. These include resources on GitHub, on Google’s data science competition platform Kaggle, and the COVID-19 Open Research Dataset (CORD-19), which was created in collaboration between Microsoft, the Allen Institute for AI, the National Institutes of Health (NIH), and the White House Office of Science and Technology Policy (OSTP).

II. Analysis of COVID-19 Apps for Health Practitioners

Healthcare practitioners, from physicians to radiology technicians, are grappling with the practical difficulties of working in the high-stress, resource-constrained environment brought about by the COVID-19 pandemic. Calls by practitioners and concerned politicians focus on the need for low-tech solutions (e.g., face masks), conventional technologies (e.g., ventilators), and high-tech tools (e.g., AI-enabled rapid triage) to help these workers protect themselves and serve their patients. A range of existing high-tech tools, specifically those using artificial intelligence, are already part of the landscape of tools available to practitioners. What are some of those AI tools? And what forms of artificial intelligence power them?

We review below some of the apps and tools available to healthcare practitioners, some of which were already deployed prior to the pandemic but are now described as having new capabilities based upon COVID-19 data use.

Voice Data

Suki is an “AI-powered voice assistant” used by physicians to record and auto-complete clinical notes, whether for patients suspected of COVID-19 disease or for ordinary clinic visits. Suki is described as powered by AI and machine learning, specifically natural language processing, which enables the system to “understand the context of the doctor’s practice and learn the doctor’s preferences. Suki determines intent and accurately selects from similar terms”. Because Suki data is highly sensitive, being derived from clinical interactions and health records, the data is described as “encrypted in-transit and at-rest with modern ciphers and maximum strength cryptography. Real time analysis is conducted to detect anomalies or suspicious software behavior, to protect against breaches”. Based upon information available on their website, Suki “is currently free to all Urgent Care, Hospitalists, Critical Care, pop up & triage clinics and locum physician assignments until May 31”.

Kara, a product for iPhones produced by Saykara, is another form of physician voice-enabled assistant that has recently been augmented with COVID-19 specific uses and availability. Described by some as “Alexa for doctors”, this voice-to-text app automates the process of updating medical records in real time, interfacing with multiple charting systems (e.g., EPIC). This “ambient” system “listens, interpreting conversations with patients, so you (physician) can enter a room, treat the patient and be done charting”. Within the context of the COVID-19 pandemic, Kara has been recently described as “test-piloting the solution” specifically designed to accommodate the charting of remote patient encounters (e.g., telehealth). Improving charting during telemedicine encounters may improve the quality and granularity of health data available for novel and normal medicine. Kara is also available for limited free use by contacting the company.

EPIC, the electronic health records giant, has a similar voice enabled virtual assistant with new information allowing for monitoring of COVID-19 patients specifically. EPIC has notably partnered with app developers to create symptom apps and to share its EHR data with a select group of organizations striving to improve AI and other data-driven COVID-19 responses.

Other Audio Data

Eko is an “AI powered stethoscope”. Eko’s cardiac products use deep neural networks to differentiate between normal and abnormal sounds produced by blood flow through the heart. Likewise, neural networks built upon extensive databases of labeled electrocardiogram (ECG, aka EKG) data detect abnormal heart rhythms. The otherwise conventional tool of a stethoscope has been embedded with learning systems to ingest and analyze heart and lung sounds to ensure effective monitoring of cardiopulmonary function in patients using telemedicine functions. On the front lines, Eko offers practitioners directly treating patients a suite of products that allow for “wireless auscultation” of the heart and/or lungs. This allows practitioners wearing significant amounts of protective equipment to listen to their patients at a distance.

Building audio data based AI tools is also bringing in startups, such as Cough for the Cure, who are developing tools to score individuals’ likelihood of suffering COVID-19 disease based upon the sounds of their cough. A similar tool is being developed by Coughvid. If developed, such a tool might help practitioners engage in more accurate triage of patients who present with cough as a symptom.

Video

Whether the use of thermal-scanning face cameras counts as use of video data could be debated. The Care.ai suite of “autonomous monitoring sensors for healthcare” uses computer vision tools, including facial recognition (and emotion and intention detection), to support an “always on” platform for monitoring patients’ status, practitioner-patient engagement, behaviors and events pertinent to regulatory compliance, and building administrative data records. This suite of sensor tools is now leveraging thermal scanning capability to “look for fevers, sweating, and discoloration”. However, it is not obvious which specific AI tools are used to interpret thermal imaging, or how this does or does not integrate into the neural-network driven data that is a normal part of the Care.ai suite of tools.

Image

The initial discussion of the power of AI for addressing COVID-19 diagnostics arose from the powerful uses of AI when analyzing radiological data in China. Deep learning techniques were used to analyze x-rays, Computed Tomography (CT), Magnetic Resonance Imaging (MRI), and Positron Emission Tomography (PET) scans, to identify lesions or speed image interpretation time. English language reporting of similar efforts to develop neural networking techniques, such as convolutional neural networks, for image recognition is appearing with increasing frequency in venues such as Radiology.

Development of deep learning to improve speed and accuracy in interpretation of diagnostic imaging, such as chest x-rays for patients with suspected pneumonia, is accelerating through innovations by companies such as behold.ai. Behold.ai used deep learning to develop their “red dot” algorithm to create heatmaps identifying areas of concern for superimposition onto chest x-rays. Behold.ai posits that its “red dot algorithm trained on over 30,000 CXRs with detailed annotations from certified radiologists” catalyzes interpretation, comprehension, and action based upon images.

BioMind AI, already identified as using deep learning for classification of lesions in the brain, uses neural network models to perform image segmentation, reconstruction of images, and automated reporting of recommendations based on interpretation of images.

Text

While deep learning for images helps speed diagnostics on the basis of imaging, laboratory tests continue to be a significant component of COVID-19 diagnostics. Surgisphere, developer of the QuartzClinical healthcare data analytics platform, describes having developed a “decision support tool” using a “machine learning model” that uses “three common laboratory tests to identify patients likely to have coronavirus infection”. This tool leverages increased data-sharing collaboration between healthcare systems to increase the sample size of COVID-19 patients.

JVion is a clinical AI platform built on the concept of modeling individual patients’ proximity to known risks, which are approximated with “The Eigen Sphere engine” or “an n-dimensional space upon which millions of patients are mapped against tens-of-thousands of Eigen Spheres. Each Eigen Sphere comprises patients who clinically and/or behaviorally demonstrate similarities”. The JVion COVID Community Vulnerability Map uses multiple forms of data, including de-identified patient records, Census information, population statistics, and socioeconomic data (e.g., access to employment), to create a community level view for “identification of the populations at risk”. Unlike other AI tools that use neural networks or are built for diagnosis and treatment of individual patients, JVion’s suite of tools is built for reduction of patient and community risks based upon mathematical modeling incorporated into the background of other predictive modeling.

Using similar mapping technology built upon GIS data from multiple sources, such as Esri, HERE, Garmin, and USGS, and county level data, Definitive Healthcare built a mapping tool to identify the number of licensed and staffed hospital beds available. This healthcare data analytics company does not promise to use AI tools, but incorporates many of the sources of data already used by others who do make explicit claims to their uses of AI. Qventus provides similar bed capacity mapping resources to track the available hospital infrastructure capacity. Qventus also offers an analytics dashboard to assist in COVID-19 planning.

ChatBots

Microsoft Azure is the backbone of the new CDC COVID-19 chatbot, Clara. Using the customizability of Microsoft’s healthcare bot service, the CDC built this widely available chatbot for individuals to use when making decisions regarding their pursuit of additional healthcare services for diagnosis or treatment of COVID-19. Other health systems, such as Providence, are using Microsoft’s tools to build chatbots for individuals to understand their own risk and, if needed, to connect them to providers. Whether powered by Azure or other platforms, the quality of COVID-19 chatbots is reported to be uneven, possibly due to the fast pace of the data streams used to train them.

Another conversation-engine based application, developed by Curai, uses text data to help patients understand and explain their symptoms, and physicians to understand patients. Using NLP, deep learning, and knowledge base tools, Curai tools help patients and practitioners interact in both telemedicine and direct contact environments.

Sensors

Biofourmis, known from early discussions of COVID-19 monitoring in Hong Kong, re-tooled its Biovitals Sentinel platform and its Everion biosensor to help monitor patients under home quarantine. This suite of sensors, “including optical, temperature, electrodermal, accelerometer and barometer” forms the major components of the Biovitals Sentinel dashboard platform.

Ouraring is a biosensor that is being used in a limited study for tracking of healthcare workers’ biometric data. In the ongoing study, Ouraring users are responding to symptom surveys to determine whether biometric data can help to “identify patterns that could predict onset, progression, and recovery in future cases of COVID-19.”

While not designed for monitoring of healthcare workers specifically, Scripps Research is conducting research to determine if any of the many wearable devices that monitor health data, such as heart rate, can be used to predict or monitor COVID-19 infections.

What should AI app developers do to respond to the COVID-19 pandemic?

Responding to the needs of healthcare practitioners during the COVID-19 pandemic is undeniably a whole-community effort.  What can individuals who are working in the AI space do to help healthcare practitioners? What AI tools can others, such as the manufacturing community, use to help healthcare workers now?

Responding to calls from policy experts, and even the White House, data scientists, machine learning experts, and artificial intelligence experts are gathering as a community to derive new insights for guiding drug development, diagnostic apps, contact tracing, information production and tracking, and more. The COVID-19 pandemic is also prompting AI startups to pivot towards building products to meet patient and practitioner needs. Engaging with Kaggle and other competitions, such as drug discovery competitions, and working with epidemiologists, physicians, and other relevant domain experts are the most obvious ways to help those on the sharp end of the pandemic.

However, there are more “ordinary” things that AI/ML experts can do right now while waiting for optimal partnership opportunities.  In brief, these are:

  1. Improve FAIRness of the data
  2. Code check the apps
  3. Validate the models of existing systems
  4. Improve confidence in recommendations

AI/ML and other data experts know well that the quality of any system built is predicated on the quality of the data. In the context of COVID-19, where data in general is relatively limited and there are only a few trusted repositories, such as the CDC Collection, C3.ai’s data lake, WHO’s research database, CORD-19, Go.Data, the SAS GitHub repository, or the Functional Genomics Platform, finding the material to build systems can be a serious challenge. While synthetic data may be useful for this space, more baseline efforts to improve data should be revisited. As data experts and others, such as the National Academies, pointed out repeatedly in 2018 and 2019, the lack of quality, interoperable, FAIR, and ethically reusable data holds back the performance of AI systems in health. Improving the quality of the metadata attached to COVID-relevant data sets is the task for organizations such as GO FAIR’s VODAN or CEDAR. Interfacing with these specific initiatives is one way to help, but improving the FAIRness of data sources generally, the utility of which is not yet known, is also an area in which data experts can help.

The rush to build applications for COVID-19 response and preparedness may increase the number of products that may be beautiful but ultimately not useful.  Some performance problems may be due to developers striving to jump over the quotidian tasks of code checking to launch their applications.  Detecting those performance problems will require both openness of the code used to power the systems, and open use of human and machine code analysis tools to find and de-bug programs.  Of interest to those specifically curious to help evaluate the utility of some of the AI products described above, is that there were no obvious pointers to code (e.g. GitHub) or supporting AI/ML research (i.e., via PubMed) for these products (Curai being an exception).

Model validation is an ongoing task for performance tracking of any learning system.  Validating any model is difficult, but validating models with low amounts of data (training or testing) of varying quality, changing numbers of relevant parameters and changing performance expectations, is a challenging task. Validating the usefulness of the output of a model for the end users is also another important validation task.

Across the globe, individuals and groups are grappling for actionable recommendations.  One way that AI/ML experts are helping researchers to improve confidence in their hypotheses is by participation in Kaggle competitions to use NLP to build literature reviews for research development.  Specific to development of resources for front-line practitioners, the degree of confidence that a practitioner should have in the recommendation produced by a learning system emerges through use in a setting where recommendations lead to positive outcomes.  However, aggregating the success rate of a particular app to understand how wide a confidence interval should be attached to a recommendation statement is an on-going challenge.

European Union’s Data-Based Policy Against the Pandemic, Explained

Benefitting from a mature and largely harmonized data protection legal framework, the European Union and its Member States are taking policymaking steps towards a pan-European approach to enlisting data and technology against the spread of COVID-19 and to support the gradual restarting of the economy. Here is an overview of key recent events essential to understand the EU’s data-based approach against the pandemic:

This report will look more closely at each of these guidelines, opinions, recommendations, and resolutions, to analyze the solutions for processing personal data through contact tracing apps or the creation of heat maps based on mobility data in support of lifting the COVID-19 containment measures in the EU, and their data protection implications (see Table 1 for a list of relevant documents, in chronological order). This contribution looks solely at EU-level policy, which will trickle down to national level. The responses of national data protection authorities will be analyzed in a second part. It is important to keep in mind that the EDPB acts as a liaison between EU level/agreed-upon data protection policy and national implementation.

 

1. Preamble: Scientists were here first

Before the calls and guidelines of policymakers at EU level favoring a pan-European approach, scientists and researchers across Europe (from several EU Member States, but also from Switzerland and the UK) were the first ones that rallied to propose a pan-European technical solution for contact tracing apps, at the end of March, initially as part of a broader pan-European project (in the meantime, the broader project seems to lose partners and support due to lack of transparency, including about its original conveners, and differences among scientists on whether centralized or decentralized solutions are preferable). 

A lot of attention is now paid to one protocol developed initially under that umbrella but which became independent: the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol. This protocol was developed by ‘over 25 scientists and academic researchers from across Europe’ and ‘it was also scrutinized and improved by the wider community’ after being published. The DP-3T project is ‘an open protocol for COVID-19 proximity tracing using Bluetooth Low Energy functionality on mobile devices that ensures personal data and computation stays entirely on an individual’s phone’ (a decentralized solution). The protocol is being implemented in a ‘soon-to-be-released, open-sourced app and server’. Its data protection and security claims are scrutinized and open to feedback on GitHub.

Apple and Google announced a joint program early on in this debate that supports the creation of infrastructure on their platforms suited for the decentralized approach to contact tracing, leaving a centralized approach with few technical options for implementation. 

Officials from Switzerland (non-EU, but ‘associated country’), Austria (EU) and Estonia (EU) announced they plan to implement the DP-3T protocol. But other Member States, like France (which even called for Apple and Google to modify their decentralized framework) and Italy (where the debate is still ongoing), are pushing for a different architecture of a national contact tracing app, based on centralization of information, mimicking the real life contact tracing that is conducted by public health authorities and relies on centralization and identification of all contacts a person who tested positive recalls having been in touch with. These decisions are currently being taken at national level, with the debate shifting every day.

 

2. The European Data Protection Supervisor: Early call for Digital Solidarity in the EU

The EDPS’ first call for a European approach to rely on data to fight the pandemic came in the Comments the institution issued on March 25 in response to a consultation from the European Commission on a proposal to rely on telecommunications data, shared by service providers, to monitor the spread of COVID-19. The EDPS called for ‘an urgent establishment of a coordinated European approach to handle the emergency in the most efficient, effective and compliant way possible’, considering that fragmentation at national level may stand in the way of effectiveness. The EDPS also pointed out in the Comments that ‘data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics.’

As for the safeguards proposed for the use of telecommunications data, they focused on transparency about the data sets to be made available by telecommunications service providers and how they will be used; anonymization to the extent possible, and aggregation of data; contractual accountability for all third parties that will process the data; limitation of access rights to authorized experts in spatial epidemiology, data protection and data science; strict retention limitation – ‘the data obtained from mobile operators would be deleted as soon as the current emergency comes to an end.’

On April 6, the European Data Protection Supervisor, Wojciech Wiewiórowski, doubled down on the European approach against the pandemic and issued a public message for EU Digital Solidarity. He recalled that ‘big data means big responsibility’ and pointed out that responsibility also means ‘we should not hesitate to act when it is necessary. There is also responsibility for not using the tools we have in our hands to fight the pandemic.’ 

Wiewiórowski called for a pan-European model of a COVID-19 mobile application, ‘coordinated at EU level.’ ‘Legality, transparency and proportionality are essential’, the Supervisor added. 

There are four key safeguards the EDPS proposes so the data-based solutions to counter the effects of the pandemic are compliant with data protection law: the measures are temporary – ‘they are not here to stay after the crisis’; ‘Their purposes are limited – we know what we are doing’; ‘Access to the data is limited – we know who is doing what’; and ‘We know what we will do both with results of our operations and with raw data used in the process’ – which seems to refer to the justifiable necessity of such measures.

 

3. The European Commission: Recommendation for a common approach to contact tracing apps and eHealth Network’s Toolbox

On April 8, the European Commission published a Recommendation on ‘a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data’. This Recommendation set up a process for developing a common approach within the EU to use digital means to address this crisis, referred to as a Toolbox.

3.1. The Recommendation: Build a common Toolbox, a fragmented approach will not be effective

In this early document, the Commission acknowledged that ‘digital technologies and data have a valuable role to play in combating the COVID-19 crisis, given that many people in Europe are connected to the internet via mobile devices.’ It also pointed out that ‘a fragmented and uncoordinated approach risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing serious harm to the single market and to fundamental rights and freedoms.’ Therefore, the Commission considers that a pan-European approach is necessary both for the economy – preserving the single market, and for a coherent fundamental rights approach across the EU. 

The Commission enumerated several factors that would render these applications effective, such as user penetration, public trust that the data will be protected by appropriate data protection and security measures, integration and data sharing with other systems and applications, cross-border and cross-regional interoperability with other systems. According to the Commission, interoperability between applications is recommended, as well as the possibility of national health authorities supervising infection transmission chains to be able to ‘exchange interoperable information about users that have tested positive with other Member States or regions in order to address cross-border transmission chains.’

In addition to a pan-European approach for mobile apps designed to fight  the pandemic, the Recommendation also pushes for ‘a common scheme for using anonymized and aggregated data on mobility of populations’, specifically in order to:

According to the Commission, ‘respect for all fundamental rights, notably privacy as well as data protection, the prevention of surveillance and stigmatization’ should be ‘paramount throughout  the process’. To this end, three key principles are laid out. The proposed Toolbox should:

  1. Strictly apply the purpose limitation principle (‘ensure that the personal data are not used for any other purposes such as law enforcement or commercial purposes’);
  2. Ensure regular review of the technical solutions proposed and ‘set appropriate sunset clauses’;
  3. Ensure that ‘the processing is effectively terminated and the personal data concerned irreversibly destroyed’, unless their scientific value for research outweighs the impact on the rights concerned. Any such further processing should be done ‘on the advice of ethics boards and data protection authorities’.

Further recommendations are made for each of the two envisaged scenarios involving data – mobile apps and the use of aggregated telecommunications data. The Commission does not express any preference for a specific architecture of contact tracing apps (centralized v. decentralized). Importantly, this Recommendation highlights the key role DPAs play: ‘consultation with data protection authorities … is essential to ensure that personal data is processed lawfully and that the rights of the individuals concerned are respected.’ 

3.2. The Common Toolbox: adopted by the eHealth Network and pushed against tech solutionism

Version 1 of the Common EU Toolbox called for in this Recommendation was developed at incredible speed and it was published a week later, on April 15. The Toolbox was adopted by the ‘eHealth Network’ which is a voluntary network1 that provides a platform of Member States’ competent authorities dealing with digital health. Enlisting the support of Member States for a pan-European approach of relying on data to fight the pandemic is essential. This is because the European Union does not have exclusive competence on health matters. Primary responsibility for health protection and, in particular, healthcare systems continues to lie with the Member States.2

The document solely focuses on mobile apps for contact tracing. As opposed to most recent policy documents in this area, it also contains an explanation of what contact tracing means during an epidemic or pandemic and it details how it is usually carried out manually, by public health authorities: ‘This is a time-consuming process where cases are interviewed in order to determine who they remember being in contact with from 48 hours before symptom onset and up to the point of self-isolation and diagnosis. (…) Such manual processes rely on the patient’s memory and obviously cannot trace individuals who have been in contact with the patient but who are unknown to him/her.’ Nonetheless, the eHealth Network is clear in its recommendation that mobile apps should be complemented by manual contact tracing, which will ‘continue to play an important role, in particular for those, such as elderly or disabled persons, who could be more vulnerable to infection but less likely to have a mobile phone or have access to these applications’. 

The Toolbox was built by taking the position that both centralized and decentralized solutions can be relied on, without a preference being expressed for either, and with advantages and shortcomings of both being laid out in the document. For the decentralized option, the Toolbox notes that ‘this approach would considerably reduce the risks to privacy as close contacts would not be directly identifiable and this option would thereby enhance the attractiveness of the application’, but in this case public health authorities would not have ‘access to any anonymised and aggregated information on social distancing, on the effectiveness of the app or on the potential diffusion of the virus’ and ‘this information can be important to manage the exit of the crisis’. The centralized option described in the Toolbox presupposes that ‘users cannot be directly identified’ through the data stored in the backend server,  which are ‘arbitrary identifiers generated by the app’. According to the eHealth Network, ‘the advantage is that the data stored in the server can be anonymised by aggregation and further used by public authorities as a source of important aggregated information on the intensity of contacts in the population, on the effectiveness of the app in tracing and alerting contacts and on the aggregated number of people that could potentially develop symptoms.’ 

The Toolbox concludes that ‘none of the above two options includes storing of unnecessary personal information’. However, it alerts developers that centralized solutions which do involve ‘directly-identifiable data on every person downloading the app’ that is held centrally by public health authorities, ‘would have major disadvantage, as noted by the EDPB in its response to consultation on Commission draft guidance on data protection and tracing apps.’

Compared to other guidelines, there is more detailed focus in this Toolbox on the epidemiological relevance of any technological solution proposed. As such, apps should be following national legislation and international guidance ‘that defines which contacts should be followed up and what the management of these contacts should be’ under the coordination of public health authorities. 

The Toolbox sets out various relevant parameters to enable a coordinated development and use of ‘officially recognized contact tracing applications and the monitoring of their performances.’ It provides a detailed list of baseline requirements and functionalities that should be taken into account (see Annex I of the document), which have been ‘identified collectively by Member State authorities who are considering the launch of an app to support contact tracing.’ In eHealth Network’s view, the essential requirements for national apps are that they should be:

 

4. Joint Statement of the Presidents of the Commission and the Council: EU Exit Strategy Roadmap enlists data as key to lifting confinement 

The European Commission’s President, Ursula von der Leyen, and the President of the European Council, Charles Michel, co-signed a Joint European Roadmap towards lifting COVID-19 containment measures, on April 15, which sets out recommendations to Member States with the goal of preserving public health while gradually lifting containment measures to restart community life and the economy. This Roadmap contains principles that should guide the Member States and the EU in their exit strategy and a set of seven recommended measures. The first two of these seven measures rely on using data.

The first recommended measure is to ‘gather data and develop a robust system of reporting’. By this, the Roadmap means ‘gathering and sharing of data at national and subnational level by public health authorities in a harmonised way on the spread of the virus, the characteristics of infected and recovered persons and their potential direct contacts’. Recognizing that reporting only cases that are known to health authorities is not enough (they ‘may only represent the tip of the iceberg’), the document refers to both ‘social media and mobile network operators’ as being in the position to ‘offer a wealth of data on mobility, social interactions, as well as voluntary reports of mild disease cases (e.g. via participatory surveillance) and/or indirect early signals of disease spread (e.g. searches/posts on unusual symptoms).’ 

The Roadmap refers to anonymizing and aggregating such data before being used, and offers the Joint Research Center and the European Center for Disease Control as centralizing bodies for this data collection and for conducting modelling work. This is interesting, since this is the only instance where social media data is being brought to the discussion among the different EU-level policymaking sources. On the other hand, telecommunications data has been enlisted early on in the pandemic to offer an EU-wide window into how individuals are moving during lockdowns, following a push initiated by Thierry Breton, the commissioner for the internal market (see also Section 2 of this report).    

The second recommended measure is to ‘create a framework for contact tracing and warning with the use of mobile apps which respect data privacy’. According to the signatories of the Joint Statement, contact tracing apps are ‘particularly relevant in the phase of lifting containment measures’. Because they can ‘help interrupt infection chains and reduce the risk of further transmission’, contact tracing apps ‘should be an important element in the strategies put in place by Member States’, as long as they complement other measures, including increased testing capacities. In fact, the third recommended measure in the document is expanding testing capacity and harmonising testing methodologies. As for the mobile apps, it is recommended in the Exit Strategy that they are voluntary and that ‘national health authorities should be involved in the design of the system.’

The safeguards proposed are a mix of technical safeguards (anonymization and aggregation of data, no tracking of users) and governance safeguards (transparency and expiration ‘as soon as the COVID-19 crisis is over’), with a recommendation to erase any remaining data at that time and have the apps deactivated. According to the document, ‘confidence in these applications and their respect of privacy and data protection are paramount to their success and effectiveness.’ The document refers to the earlier Recommendation made by the Commission to set up the framework for a data protection centered contact tracing app and to guidance by the Commission on how such apps can be respectful of data protection law. However, the Roadmap omits to include the crucial role that Data Protection Authorities and their pan-EU body, the European Data Protection Board, will have in ensuring contact tracing apps, if deployed, are fully respectful of the rights and freedoms of individuals by complying with data protection law requirements.

Finally, the Presidents of the Commission and the Council state that a pan-EU reference app, or at least interoperability and sharing of results between contact tracing apps at EU level, ‘allows a more effective warning of people concerned and a more efficient public health policy follow-up’. Indeed, the lack of a pan-EU approach to deploying and relying on contact tracing apps would risk endangering the freedom of movement which is so central to the EU.

5. The European Commission: Data protection guidance on apps to support the fight against COVID-19

To complement the features recommended in the Toolbox for contact tracing apps by the eHealth Network, the Commission published separately, on April 16, data protection guidance for apps to support the fight against COVID-19. This abundance of data protection guidance may be confusing for app developers and for the public authorities wanting to implement apps, considering that both the EDPS and the EDPB have been very active in giving input, following their specific mandate. In fact, the Commission includes as the last point in its guidance the fact that DPAs ‘should be fully involved and consulted in the context of the development of the app and they should keep its deployment under review.’

One interesting nuance is that the Commission includes in the scope of its analysis several variations of mobile apps that could potentially be useful in the fight against the pandemic: apps that provide accurate information to individuals about the COVID-19 pandemic; that provide questionnaires for self-assessment and for guidance to individuals (symptom checker functionality); that provide contact tracing and warning functionality; and that provide a communication forum between patients and doctors in situations of self-isolation or where further diagnosis and treatment advice is provided (increased use of telemedicine).

This guidance identifies and details ten elements that ensure ‘a trustful and accountable use of apps’:

The Guidelines do not specifically recommend a centralized or decentralized approach to contact tracing apps, but they do highlight that ‘the decentralised solution is more in line with the minimisation principle’. This specification was included in the letter the EDPB sent to the Commission in response to a consultation on this draft guidance. The Commission also states that ‘health authorities should have access only to proximity data from the device of an infected person so that they are able to contact people at risk of infection.’ This would mean that proximity data ‘will be available to the health authorities only after the infected person (after having been tested) proactively shares these data with them.’ 

 

6. The European Parliament: A Resolution on EU coordinated action to combat the COVID-19 pandemic

The European Parliament adopted on April 17 a Resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences, where it recalled that ‘solidarity among the Member States is not an option but a Treaty obligation and forms part of the European values’ and it sanctioned the lack of coordination and solidarity among Member States at the beginning of the pandemic. The Resolution is broad in scope and it looks beyond an immediate exit strategy, by tackling issues related to longer term public health goals, solutions to overcome the economic and social consequences and recommendations to protect democracy, rule of law and fundamental rights. Under this latter headline, the Resolution includes specific references to relying on telecommunications data and on contact tracing applications in a way that is congruent with fundamental rights.

The Parliament took a stance unequivocally in favor of decentralized contact tracing apps, as opposed to centralized apps, and it pushed for transparency and demonstrable necessity of these apps. It used strong wording and noted that it ‘demands that all storage of data be decentralised, full transparency be given on (non-EU) commercial interests of developers of these applications, and that clear projections be demonstrated as regards how the use of contact tracing apps by a part of the population, in combination with specific other measures, will lead to a significantly lower number of infected people.’ In its Resolution, the Parliament also asked for the code of contact tracing apps to be public and recommended that ‘sunset clauses are set and the principles of data protection by design and data minimisation are fully observed’. 

While recommending a pan-European approach to the use of contact tracing apps, the Parliament also acknowledged these initiatives seem to be primarily national at this point. Therefore, it called for both the Commission and the Member States ‘to publish the details of these schemes and allow for public scrutiny and full oversight by data protection authorities’. As opposed to the Roadmap published by the Presidents of the Commission and the Council, the European Parliament not only acknowledged the key role DPAs play, but called for their full oversight and urged ‘national and EU authorities’ to fully comply with both data protection and privacy legislation, as well as ‘national DPA oversight and guidance’. 

 

7. The European Data Protection Board: Ample guidance on enlisting data against the spread of the COVID-19 pandemic 

In an extraordinary step, at the beginning of April the EDPB converted its monthly plenary meetings into weekly plenary meetings, to respond to the urgency of measures proposed across the EU to rely on personal data in the fight against the COVID-19 pandemic. On April 21, it adopted two sets of Guidelines which are essential to inform the responses at national level, one focused on the use of location data and contact tracing tools, and the other one on the processing of health data for research purposes in the context of the COVID-19 pandemic.

The Guidelines of the EDPB are very important from two points of view. First, they represent the agreed position of all national DPAs, which are the only administrative entities that have competence to enforce the GDPR and the Law Enforcement Directive at national level, both against government bodies and private organizations. Second, they are capable of ensuring a harmonized approach across the EU, at a time when national governments prefer to act by themselves, contributing thus decisively to a pan-European approach of the data-based response to the COVID-19 pandemic. 

7.1. Processing of health data for research purposes

Starting from the premise that ‘the GDPR is a broad piece of legislation and provides for several provisions that allow to handle the processing of personal data for the purpose of scientific research connected to the COVID-19 pandemic in compliance with the fundamental rights to privacy and personal data protection’, the EDPB published guidance to support compliant scientific research involving health data. Here are some of the key points:

  1. Research on personal (health) data which consists in the use of data directly collected for the purpose of scientific studies (“primary use”). 
  2. Research on personal (health) data which consists of the further processing of data initially collected for another purpose (“secondary use”).’

7.2. Location data, ‘notoriously difficult to anonymize’

In the guidance on location data and contact tracing apps, the EDPB expresses its firm belief that ‘when processing of personal data is necessary for managing the COVID-19 pandemic, data protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures’. It also clearly calls for ‘a common European approach in response to the current crisis’, or to ‘at least put in place an interoperable framework’, considering that ‘the virus knows no borders’. 

The EDPB recalls that ‘the general principles of effectiveness, necessity and proportionality must guide any measure adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19’. This is a call for any data-based solutions to be grounded in actual needs of authorities to manage the pandemic. ‘Such applications need to be a part of a comprehensive public health strategy to fight the pandemic, including, inter alia, testing and subsequent manual contact tracing for the purpose of doubt removal’.

When discussing the processing of location data, the EDPB points out that there are two principal sources of such data available for modelling the spread of the virus and the overall effectiveness of confinement measures: location data collected by electronic communication service providers (such as mobile telecommunication operators) in the course of the provision of their service and location data collected by information society service providers’ applications whose functionality requires the use of such data.

Accessing or collecting location data from both these sources falls under the provisions of the ePrivacy Directive. As such, location data collected from electronic communication providers may only be processed under the conditions of Articles 6 and 9 of the ePrivacy Directive. This means that the location data ‘can only be transmitted to authorities or other third parties if they have been anonymised by the provider or, for data indicating the geographic position of the terminal equipment of a user, which are not traffic data, with the prior consent of the users’. As for collecting location data and other information directly from the terminal equipment (device) of a user, Article 5(3) of the ePrivacy Directive is applicable. As such, ‘the storing of information on the user’s device or gaining access to the information already stored is allowed only if:

(i) the user has given consent;

(ii) the storage and/or access is strictly necessary for the information society service explicitly requested by the user.’

The EDPB stopped short of giving examples of what type of services in the context of COVID-19 can argue they need access to location data because it is strictly necessary to provide the service.

The guidelines point out that derogations to these rules are possible only ‘when they constitute a necessary, appropriate and proportionate measure within a democratic society for certain objectives’, according to Article 15 of the ePrivacy Directive. However, these exceptions can only be adopted if they concern national security, defence, public security and the prosecution of criminal offenses. In addition, according to existing case-law of the CJEU interpreting Article 15, all these areas ‘constitute activities of the State or of State authorities unrelated to the fields of activity of individuals’ (Case C-275/06 Promusicae). This seems to indicate that exceptions can be applicable only if the controllers are public authorities and if Member States can justify they concern one of the areas enumerated, such as public security.

The EDPB established that after the location data has been accessed in compliance with Article 5(3) ePrivacy, they can be further processed only on the basis of additional consent or on the basis of a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) GDPR. Even though technically organizations could rely on the fact that further processing of location data for modelling purposes to combat the pandemic is compatible with the original purpose of accessing the data, the EDPB considers that further processing on the basis of a compatibility test according to Article 6(4) GDPR is not possible in these cases where original access is obtained under the conditions of the ePrivacy Directive, since it would undermine the data protection standard of the ePrivacy Directive, as explained in the earlier Guidelines on Connected Vehicles.3

The EDPB advises that preference should always be given to the processing of anonymized data rather than personal data, but cautions that location data ‘are known to be notoriously difficult to anonymize’, since ‘mobility traces of individuals are inherently highly correlated and unique’ and ‘they can be vulnerable to re-identification attempts under certain circumstances.’ The EDPB further states that ‘data cannot be anonymized on their own, meaning that only datasets as a whole may or may not be made anonymous’. To highlight this point, it is further argued that ‘any intervention on a single data pattern (by means of encryption, or any other mathematical transformations) can at best be considered a pseudonymisation.’

The EDPB also proposes a test to evaluate the robustness of anonymization, which relies on three criteria:

‘(i) singling-out (isolating an individual in a larger group based on the data); 

(ii) linkability (linking together two records concerning the same individual); and

(iii) inference (deducing, with significant probability, unknown information about an individual).’
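A minimal way to measure the three criteria on a pseudonymised mobility release before it is shared, as an added example (not from the EDPB Guidelines or this report). The cell IDs, the "two most visited cells" fingerprint and all sample data are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample data: visited cell IDs per pseudonym. Cell IDs are
# hypothetical; the first letter is the district and "C1" stands for a
# sensitive location (for example a clinic).
WEEK_1 = {
    "p1": "A1 A1 A1 B1 B1 C1",
    "p2": "A1 A1 A1 B1 B1 C1",
    "p3": "A2 A2 A2 B2 B2",
    "p4": "A2 A2 A2 C2 C2",
    "p5": "B2 B2 B2 C2 C2",
}
# Second release: same habits, fresh pseudonyms (re-pseudonymisation only).
WEEK_2 = {
    "q9": "A2 A2 A2 B2 B2",
    "q4": "B2 B2 B2 C2 C2",
    "q7": "A1 A1 A1 B1 B1",
    "q2": "A1 A1 A1 B1 B1 C1",
    "q5": "A2 A2 A2 C2 C2",
}


def fingerprints(release, coarsen=False):
    """Map each pseudonym to its two most visited cells (a home/work proxy).

    With coarsen=True, cells are generalised to their district letter.
    """
    out = {}
    for pseudonym, visits in release.items():
        cells = [c[0] if coarsen else c for c in visits.split()]
        out[pseudonym] = frozenset(c for c, _ in Counter(cells).most_common(2))
    return out


def groups(release, coarsen=False):
    """Group pseudonyms that share the same fingerprint."""
    by_fp = defaultdict(list)
    for pseudonym, fp in fingerprints(release, coarsen).items():
        by_fp[fp].append(pseudonym)
    return by_fp


def singling_out_rate(release, coarsen=False):
    """(i) Share of pseudonyms whose fingerprint nobody else has."""
    unique = sum(1 for m in groups(release, coarsen).values() if len(m) == 1)
    return unique / len(release)


def link_releases(a, b):
    """(ii) Pseudonym pairs joined across releases by a unique fingerprint."""
    ga, gb = groups(a), groups(b)
    return {
        ga[fp][0]: gb[fp][0]
        for fp in ga
        if len(ga[fp]) == 1 and len(gb.get(fp, [])) == 1
    }


def inference_risk(release, sensitive_cell):
    """(iii) Per group, the share of members seen at the sensitive cell."""
    risk = {}
    for fp, members in groups(release).items():
        hits = sum(sensitive_cell in release[m].split() for m in members)
        risk[fp] = hits / len(members)
    return risk


if __name__ == "__main__":
    print("singling-out, cell level:    ", singling_out_rate(WEEK_1))
    print("singling-out, district level:", singling_out_rate(WEEK_1, True))
    print("linked across releases:      ", link_releases(WEEK_1, WEEK_2))
    print("inference risk for C1:       ", inference_risk(WEEK_1, "C1"))
```

In this sample, generalising cells to districts lowers the singling-out rate but does not remove it, and the group that hides p1 and p2 from singling-out still reveals a visit to the sensitive cell for both, which is why the criteria are assessed on the dataset as a whole.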

7.3. Contact tracing: the door was kept open for both centralized and decentralized apps

With regard to contact tracing apps, the EDPB points out from the outset that ‘the systematic and large scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy.’ This is why ‘it can only be legitimised by relying on a voluntary adoption by the users’. The EDPB continues with a series of recommendations:

In its closing remarks, the EDPB showed that ‘data and digital technologies can be key components in the fight against COVID-19’, but it also warned against the ‘ratchet effect’: ‘It is our responsibility to ensure that every measure taken in these extraordinary circumstances are necessary, limited in time, of minimal extent and subject to periodic and genuine review as well as to scientific evaluation.’ The EDPB added that one should not have to choose between an efficient response to the current crisis and the protection of our fundamental rights. ‘We can achieve both, and moreover data protection principles can play a very important role in the fight against the virus’.

 

8. Conclusion

The EU took advantage of its mature data protection legal framework and acted rapidly to outline the possibility of a pan-European approach to support the fight against the pandemic with data, be it under the guise of mobility data for heat maps and modelling, health data for research purposes or proximity data for contact tracing, while ensuring fundamental rights and freedoms remain protected. The push for a pan-European approach, which was sparked by scientists working across borders to build a protocol for a contact tracing app that is privacy preserving, seems to be successful, even if not entirely. Several Member States already announced they will implement the same decentralized protocol for a contact tracing app (Estonia, Austria, but also Switzerland as associated country to the EU), with others, like Germany and Italy, considering now a decentralized approach to contact tracing after having initially announced plans for a centralized approach.

Developments at national level, at least in the Member States of the EU, will be ultimately influenced by EU policy. Even if public health is primarily a regulatory area where national governments lead – with the EU just complementing policies, data protection is an area where the EU has been granted powers to lead the rulemaking (see Article 16 of the Treaty on the Functioning of the European Union). Be it a decentralized or centralized approach to contact tracing, or any of the other necessary uses of personal data for modelling or research in the context of the COVID-19 pandemic, they will all need to follow data protection rules and principles, as provided by EU law.

  

Table 1. List of EU policy documents and guidance in relation to COVID-19 and data protection

| Date | Institution | Resource |
|---|---|---|
| March 19, 2020 | European Data Protection Board | Statement on the processing of personal data in the context of the COVID-19 outbreak |
| March 25, 2020 | European Data Protection Supervisor | Monitoring Spread of COVID-19 Comments to DG JUST on its plan to use mobility data |
| April 6, 2020 | European Data Protection Supervisor | EU Digital Solidarity: a call for a pan-European approach against the pandemic |
| April 8, 2020 | European Commission (DG CONNECT) | COMMISSION RECOMMENDATION of 8.4.2020 on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data |
| April 14, 2020 | European Data Protection Board | Letter to Olivier Micol (European Commission, DG JUST) on the draft Guidance on Apps supporting the fight against COVID 19 in relation to data protection |
| April 15, 2020 | eHealth Network | Mobile applications to support contact tracing in the EU’s fight against COVID-19 Common EU Toolbox for Member States |
| April 15, 2020 | Ursula von der Leyen (President of the Commission), Charles Michel (President of the Council) | Joint European Roadmap towards lifting COVID-19 containment measures |
| April 16, 2020 | European Commission (DG JUST) | COMMUNICATION FROM THE COMMISSION Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection |
| April 17, 2020 | European Parliament | EU coordinated action to combat the COVID-19 pandemic and its consequences European Parliament resolution of 17 April 2020 on EU coordinated action to combat the COVID-19 pandemic and its consequences (2020/2616(RSP)) |
| April 21, 2020 | European Data Protection Board | Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak |
| April 21, 2020 | European Data Protection Board | Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak |

Footnotes

1 Set up under article 14 of Directive 2011/24/EU.

2 European Parliament, Factsheets on the European Union: Public Health, available at https://www.europarl.europa.eu/factsheets/en/sheet/49/public-health, retrieved on April 27, 2020.

3 EDPB, Guidelines 1/2020 on Processing personal data in the context of connected vehicles and mobility related applications, available at https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-12020-processing-personal-data-context_en, retrieved on April 30, 2020.

FPF Submits Comments to NIH on the NIH-Wide Strategic Plan for Fiscal Years 2021-2025

Earlier this month, the Future of Privacy Forum (FPF) submitted comments to the National Institutes of Health (NIH) on the NIH-Wide Strategic Plan covering fiscal years 2021-2025. In the letter, Health Policy Counsel Rachele Hendricks-Sturrup and Artificial Intelligence Policy Counsel Sara Jordan propose the addition of a cross-cutting theme to NIH’s strategic plan as well as opportunities for collaboration between the two organizations.

Overall, FPF prompts the NIH to: 

  1. Consider “balancing health data privacy with data access and use” as an additional cross-cutting theme. By adding this additional cross-cutting theme, a balance might be achieved between the NIH’s drive to advance health and preserving the privacy of individuals who offer their data for the development of new medical procedures, products, pharmaceuticals, and devices.
  2. Support research resources and infrastructure with ethical review models. In particular, the NIH should consider adopting or working with FPF to refine our ethical review tools, which could help the NIH identify, consider, and mitigate privacy risks raised by the terms of use and re-use of data held in the NIH repositories; and
  3. Foster a culture of good scientific stewardship around consent to data use. Consent may be an appropriate mechanism for protecting the privacy and data rights of research participants in many cases, but not in all cases, especially given that health data is no longer exclusively generated or processed by health care providers and insurers.

Read the Full Letter