COVID-19: Finally a Toolbox for Developers of Geolocalisation Applications

Last week the European Union’s eHealth Network and the Office of the Privacy Commission of Canada published their respective guidelines for the use of location-based tracking (“geolocalisation”) applications to help reduce the spread of the COVID-19 virus.

Danielle Miller Olofsson has authored this article.

These applications are built upon the positioning technology such as GPS or Bluetooth found in many if not all mobile communication devices.

Both the Canadian Framework and the European Toolbox promote similar principles such as collection, use, and storage limitation as well as transparency and security. But whereas the Framework remains unhelpfully general in its recommendations, the European Toolbox provides a more comprehensive roadmap, complete with a check the box tables, to assist various stakeholders in the development and implementation of geolocation technology in the fight against COVID-19.

In the absence of specific guidelines from Canadian authorities, and given their recent promises to bring Canadian data protection legislation more in line with that of Europe Canadian developers of geolocalisation technology aimed at reducing the spread of Covid-19 would do well to apply the Toolbox requirements, some of the most relevant of which are discussed below.

Accuracy

The Toolbox highlights the importance of accurate technology – a requirement that is all the more essential given that decisions public authorities make based on the information generated by geolocalisation technology can potentially violate human rights. For example the European document states that physical proximity should be recorded accurately and that an accuracy of 0.5 metre is required.

Consent

The technology must be developed around a consent-based model for data processing that is to say that the person whose geolocation data is being collected must consent to the collection and subsequent processing of their data.

Transparency

Developers are encouraged to openly publish their technological specifications and source codes for the applications they develop so as to maximise re-use, interoperability, auditability and security.

Security

The Toolbox specifies that data must be deleted as soon as it has served its purpose. Proximity data should only be stored on the devise so as to prevent tracking and should not be used in any way that could stigmatise a human being.

The Toolbox also provides guidance on encryption and pseudomisation as well as numerous other matters that developers must consider along with other stakeholders such as public health authorities, the European Centre for Disease Prevention and Control or the World Health Organization.

For further information on either the Toolbox or the Framework and how they apply to a specific application please contact BCF’s Data Protection Group.