Tracing Apps, Privacy, and Protection of Personal Information


Kaori Ishii
Professor, Faculty of Global Informatics, Chuo University
Areas of Specialization: Information Law

Release of COCOA

On June 19, 2020, the Ministry of Health, Labour and Welfare (MHLW) released COCOA, a new COVID-19 contact confirmation app(1). The name COCOA is an acronym taken from COVID-19 Contact-Confirming Application. The app has been downloaded about 5,310,000 times as of 5:00 PM on July 3, 2020. By ascertaining the possibility of contact with an individual who has tested positive for COVID-19, the app makes it possible to quickly receive support (such as undergoing examinations, etc.) from public health centers. By increasing the number of people who use the app, it is expected that the spread of infection will be prevented. On July 3, 2020, the MHLW started issuing the processing numbers required for infected individuals to register for the application. The outline of COCOA is explained as follows, where a mechanism for securing privacy has been adopted(2).

・COCOA uses the proximity communication function (Bluetooth) of smartphones to detect contact with another smartphone in close proximity (15 or more minutes within approx. 1 meter).
・Information on proximity is encrypted and recorded only on the individual smartphone. The information is automatically invalidated after 14 days have passed. The record does not leave the device for any external destination.
・COCOA does not collect names, telephone numbers, e-mail addresses, or any other information that can be used to identify an individual.
・COCOA does not use or record GPS or any other location information.
・Users can stop using the app at any time. Deleting the app also deletes records for the past 14 days.
・Even if an individual tests positive, registration for the app is not compulsory. Consent from the user is a prerequisite for registering on the app. This is done voluntarily.

MHLW illustrates the system outline of COCOA as follows. The notification server records the fact of positive testing and the processing number. The app has a mechanism to notify the app users regarding the possibility of proximity. Information on infected individuals is encrypted and will be deleted after notification.
(Source) "Regarding the COVID-19 Contact-Confirming Application (COCOA)," Office of the
Secretariat in the Anti-COVID-19 Tech Team of Cabinet Secretariat, and Novel Coronavirus
Response Headquarters of MHLW (as of June 19, 2020)
(https://www.mhlw.go.jp/content/10900000/000641655.pdf), p. 1

Conditions in other countries

From around the time that the Singaporean government began distributing TraceTogether on March 20, 2020, contact-confirming apps have spread to each country. Based on the above explanation by MHLW, the Japanese app COCOA is classified into the category with the lowest impact on privacy.
(Source) "Trends, etc., in Each Country for Implementation of Contact-Confirming Apps," Office of
the Secretariat in the Anti-COVID-19 Tech Team (as of May 8, 2020)
(https://cio.go.jp/sites/default/files/uploads/documents/techteam_20200508_02.pdf), p. 1
In China, where the app has the largest impact on privacy, individuals are required to present a QR code indicating their health status in red, yellow, or green when using facilities such as railway stations, airports, and commercial facilities. The app was developed by the Alibaba Group and Tencent. Use of the app is not compulsory; however, since presentation of the app is required on a daily basis, it is basically essential for living in China. When registering for the app, the user inputs his or her ID number and smartphone number. The app is managed on a local government unit basis. The local government links the GPS location information, surveillance camera information, medical treatment data, etc., to ascertain the infection status. In addition to the countries listed in Figure 2, South Korea, Taiwan, Hong Kong, Thailand, and Malaysia are examples of countries and regions that use location information(3).

(3) Naoki Matsuda, Medical Examination Information in Tracing Apps--China's COVID-19 Measures and Heightened Surveillance, The Nikkei (Digital Edition) (June 8, 2020).

Concept of Personal Information and Data Protection

On May 1, 2020, prior to the release of COCOA, the Personal Information Protection Commission announced the "Personal Information Protection Commission's View on Effective Use of Contact Tracing App to Help Deal with Coronavirus Disease (COVID-19)(4)." This document was intended to balance the demand for securing the rights and interests of individuals related to personal information with the demand for use in public policy to prevent infectious diseases. The document states that careful consideration should be given to the following: ① voluntary use of the app based on the judgment (consent) of the individual after conveying sufficient and specific information on the contents of the app to the individual; ② obtaining trust from the user by ensuring transparency of app operation and implementing appropriate safety management measures; ③ specifically verifying the possibility of personal information applicable to each app and each company in regards to the information acquired by business operators involved in the app; and ④ taking appropriate measures (identification of the purpose of use, consent from the person, restriction on unnecessary data acquisition and provision, erasure of unnecessary data without delay, data safety management system, complaint reception system, etc.) in the event that the Act on the Protection of Personal Information is applied.

The European Union (EU) is known for having established strict personal information protection systems such as the General Data Protection Regulation (GDPR) (5). The EU has already published various documents in regards to contact-confirming apps (6). In particular, in terms of the relationship with data protection, the European Data Protection Board (EDPB) adopted the "Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak" on April 21, 2020(7).

The handling of location information is governed by the ePrivacy Directive(8). There are two types of location information: information which is collected by mobile communication carriers, etc., in the process of providing services and information which is collected by apps of information society service providers. Both types of information are subject to the rules of the Directive. In particular, the confidentiality of communication (Article 5-3 of the Directive) is applied to the collection of information from terminals. Member states must guarantee that saving information on the device of the subscriber or user, or accessing information that has already been saved is permitted only when the subscriber or user consents to said saving or accessing after receiving easy-to-understand and comprehensive information.

The ePrivacy Directive also requires that you have a lawful basis per the GDPR for using contact tracing apps. EDPB has taken the position that use of the app should be voluntary. Here, "voluntary" means that the user takes the initiative to use the app for each purpose. In particular, it implies that no disadvantage is incurred even if an individual decides not to use the app or is not able to use the app.

One type of lawful basis per the GDPR is "consent" (Article 6-1-(a) of the GDPR). However, due to the imbalance in power relations between public institutions and individuals, it has been interpreted that meeting the requirement of "consent" is not easy(9). Contact tracing apps provided by public institutions do not necessarily have to be based on consent, and can rely on other lawful basis. Specifically, the Article 6-1-(e) of the GDPR states that if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, the processing shall be lawful. At that time, the processing purpose must be in accordance with EU law or the national law of the member states, be compatible with the public interest, and be in balance with the lawful purpose it seeks (Article 6-3 of the GDPR).

In the GDPR, the EDPB shows specific functional requirements for contact tracing apps. According to the GDPR, requirements include ①minimizing the data to be processed, ② the data disclosed by an app must include only a unique and pseudonym identifier that is generated by the app and is distinct to the app, and that identifier must be periodically updated, ③ a centralized or decentralized approach can be implemented provided that appropriate security measures are taken, ④ the server of the contact tracing system gathers only the contact history or pseudonym identifier of the infected person, retains this information only for the period needed to notify the user of the possibility of infection, but does not attempt to identify the individual which may be infected, ⑤ when additional information processing is required to establish a global contact tracing method, the additional information should remain on the user terminal and is only processed when truly necessary and only with prior and individual consents from the user, ⑥ cutting-edge encryption technology must be implemented, ⑦ proper identification must be performed to report infected persons, and ⑧ the controller must provide clear and explicit notification for the link used to download the nation's official contact tracing app.

(4) Personal Information Protection Commission, Personal Information Protection Commission's View on Effective Use of Contact Tracing App to Help Deal with Coronavirus Disease (COVID-19), (May 1, 2020) (https://www.ppc.go.jp/files/pdf/20200501_houdou.pdf).
(5) Parliament and Council Regulation 2016/679, 2016 O.J.(L 119)1-88 (EU).
(6) European Commission, Communication from the Commission Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection 2020/C 124 I/01, 2020 O.J. (C 124I) 1-9 (EU),
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020XC0417(08); European Commission, Commission Recommendation of 8.4.2020 on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data (Apr. 8, 2020), https://ec.europa.eu/info/sites/info/files/recommendation_on_apps_for_contact_tracing_4.pdf.
(7) European Data Protection Board, Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (Adopted on Apr. 21, 2020),
(8) Parliament and Council Directive 2002/58, 2002 O.J. L (201) 37-47(EU),amended by Parliament and Council Directive 2009/136, 2009 O.J. L (337)11- 36(EU).
(9) GDPR Preamble (section (43)).

Balance with public interest

It can be said that COCOA gives a high degree of consideration to the protection of privacy and personal information even when judging in accordance with the aforementioned EDPB guidelines. It is possible to track an individual if the location information is ascertained, and the integrated management of information on a central server poses a danger of a surveillance society. Such a policy is not adopted in Japan, whereas there is no guarantee that the usage rate will increase to the extent that the effects of the application can be demonstrated. According to the White Paper on Information and Communications (published by the Ministry of Internal Affairs and Communications), survey results revealed that the rate of smartphone ownership by individuals is only about 65%(10). Moreover, the app is strictly limited to an arbitrary mechanism based on the consent of the individual, even in the case of registering an infected person whose positive result has been confirmed. The number of people infected with COVID-19 fluctuates every day, and it is possible that the number of infected people will increase explosively in the future. Nevertheless, the effect of the contact-confirming app is expected to be limited at this point in time, so users should view the app as one means for preventing the spread of infection.

The issues to be considered in relation to privacy and protection of personal information are the extent to which a mechanism based on consent should be maintained, and the extent to which the use of personal information with public interest should be allowed without consent from individuals. Consent is a convenient method for legalization, but there are doubts regarding its effectiveness. For example, it is possible that consent might actually have been given under duress, that the subject of consent is too broad, or that a considerable period of time has passed since the consent was obtained. Conversely, since the contact-confirming app is designed for the benefit of public health, it is meaningless unless the app is widely used. The GDPR imposes strict requirements on consent and takes a cautious position in regards to excessive reliance on consent. Conversely, the GDPR provides a way for public institutions to process personal data in order to execute their duties by seeking legal grounds. Even in Japan, in order to achieve the purpose of the app--that is, effective control of infection--it is necessary to discuss from a broad perspective the extent to which we should legally permit the use of personal information that has a public interest.

(10) Ministry of Internal Affairs and Communications: (1) ICT device ownership of 1. Internet usage trends of Section 2. ICT Service Usage Trends, White Paper on Information and Communications (Year2019)
Kaori Ishii
Professor, Faculty of Global Informatics, Chuo University
Areas of Specialization: Information Law

Kaori Ishii was born in Kobe City, Hyogo Prefecture in 1974.
In November 1996, she passed the bar examination (secondary).
In March 1997, she graduated from the Division of Law in the Faculty of Law, Tokyo Metropolitan University.
In March 2007, she completed the Doctoral Program in the International Business Transaction Law Course in the Graduate School of Law, Chuo University (a PhD in law).
Since November 2004, she has held positions including Research Assistant, Assistant Professor, Instructor, and Associate Professor in the Institute of Information Security, as well as Associate Professor in the Faculty of Library, Information and Media Science, University of Tsukuba.
She currently serves as Professor in the Faculty of Global Informatics, Chuo University.

Her main written works include Doctrine and Current Issues of Laws on the Protection of Personal Information: From the Historical Development and International Viewpoints on Privacy Rights, (Keisoshobo, 2008),
Revised Version of the Present and the Future of Laws on the Protection of Personal Information: The World Surroundings and the Future Prospect in Japan, (Keisoshobo, 2017),
EU Data Protection Laws, (Keisoshobo, 2020) and more.