An international privacy sweep has found that all participating data protection authorities (DPAs) have been actively involved in assessing the privacy implications of COVID-19 solutions and initiatives. Compliance and enforcement action was taken in a limited number of jurisdictions.
Twenty DPAs from Europe, the Americas, Oceania, Asia, and the Middle East participated in the annual sweep in 2021, coordinated by New Zealand’s Office of the Privacy Commissioner.
Organisations have shown significant awareness of the privacy risks associated with these solutions and have set clear rules around the treatment of the personal information involved.
Responses to the sweep indicated that DPAs’ primary focus was COVID-19 contact tracing mobile apps, although other initiatives included electronic wristbands, COVID-19 vaccine registers, and national border registers.
Findings
Almost all responding jurisdictions have a COVID-19 contact tracing mobile app using Bluetooth technology. These apps alert users if they have been near another app user who tests positive for coronavirus, and if they have visited a venue around the same time as another person who was reported as positive.
Most health authorities carried out privacy impact assessments (PIAs) and engaged their local DPA at an early stage of project development to mitigate identified privacy risks. A key concern was the identification of individuals from personal information collected by contact tracing apps and the retention of personal information collected.
DPAs recommended some of the following good practices: that personal information should be stored locally on users’ devices rather than on centralised servers; and that personal information collected to fight against COVID-19 should be securely destroyed as soon as reasonably practicable once it is no longer needed.
Several DPAs undertook compliance and enforcement actions in response to complaints received. All DPAs produced educational materials relating to privacy issues arising from COVID-19 health measures.
Background
The aim of the 2020-21 GPEN Sweep was to understand how privacy considerations have been taken into account by the organisations responsible for various COVID-19 solutions and initiatives. It also captured the level of engagement DPAs have had with those organisations in their jurisdiction (whether via assessments of contact tracing apps or any other public or private sector initiative).
The sweep explored how the global DPA community engaged with local governments to identify and understand risks associated with COVID-19 initiatives, including making recommendations to improve compliance with privacy and data protection laws, and undertaking enforcement action where necessary. The sweep also sought to understand what, if any, enforcement action DPAs might use, and what education and outreach activities DPAs conducted.
The Global Privacy Enforcement Network (GPEN) was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border co-operation among privacy regulators in an increasingly global market in which commerce and consumer activity rely on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network comprises over 70 privacy enforcement authorities in over 40 jurisdictions around the world.