International human rights law and Australia’s COVIDSafe app – Anthony Hallal

COVID-19 has brought the importance of public health into sharp focus.  The need to protect Australia’s health system by slowing the spread of the virus has been emphasised as the key to surviving the pandemic.  To that end, governments in every Australian jurisdiction have implemented a suite of directions, orders and determinations that restrict the activity of individuals and businesses in various ways.  

These restrictions have generally succeeded in reducing the prevalence of COVID-19 in Australia to date.  Consideration is now being given to lifting the restrictions.  However, doing so comes with a substantial risk that COVID-19 transmissions will spike.  To address that risk, the Australian Government has introduced the COVIDSafe app – a tool to identify and contain COVID-19 outbreaks by making contact tracing faster and more effective.

This article considers Australia’s obligations under international human rights law in the context of the COVIDSafe app.  

How the COVIDSafe app works

When users download the app onto their device, they are provided with an explanation of how the app works.  That explanation contains links to the app’s privacy policy and the Department of Health’s website where further information is available.  Users are then asked to consent to the Australian Department of Health collecting:

  • Their registration information to allow contact tracing by State and Territory health officials; and
  • Their contact information from other COVIDSafe users who test positive for COVID-19.  

If consent is granted, users are prompted to register by providing their full name (or a pseudonym), their age range, their postcode and their mobile number.  A unique encrypted reference code is then created for the user.

The COVIDSafe app recognises other nearby devices that have the app installed and Bluetooth enabled.  When the app recognises another device, it notes the date, time, distance and duration of the contact and the other user’s reference code.  That data is encrypted and stored securely on both users’ devices for 21 days (a timeframe that accounts for the COVID-19 incubation period and the time it takes to be tested). 

In the event that a user tests positive to COVID-19, they are asked to consent to uploading their encrypted contact data from the app to a secure information storage system (called the National COVIDSafe Data Store).  If consent is granted, then State and Territory health officials can use the uploaded contact data captured by the app to support their usual contact tracing and to notify other users that they may have been exposed, without naming the infected person.

The response to COVID-19 must be consistent with all of Australia’s human rights obligations

The COVIDSafe app is part of a response to a crisis that unequivocally agitates the human right to the enjoyment of the highest attainable standard of health.  That right is recognised principally in Article 12 of the International Covenant on Economic, Social and Cultural Rights (ICESCR).  Article 12.2(c) clarifies that the steps to be taken to achieve the full realisation of this right include those necessary for the ‘prevention, treatment and control of epidemic, endemic, occupational and other diseases’.  The Committee on Economic, Social and Cultural Rights (CESCR) has confirmed in General Comment No. 14 at [44] that the obligation to take measures to prevent, treat and control epidemic and endemic diseases is ‘of comparable priority’ to the core obligations arising from Article 12. The CESCR further commented at [16] that in Article 12.2(c) of the ICESCR:

The control of diseases refers to States’ individual and joint efforts to, inter alia, make available relevant technologies, using and improving epidemiological surveillance and data collection on a disaggregated basis, the implementation or enhancement of immunization programmes and other strategies of infectious disease control.

In that regard, it is likely that the rollout of the COVIDSafe app is itself consistent with some of Australia’s human rights obligations. 

However, States’ responses to COVID-19 must be consistent with all of their obligations under international human rights law.  As the CESCR recently observed at [3] in a statement on the COVID-19 pandemic:

This pandemic is essentially a global health threat.  Nevertheless, it has multiple implications for the enjoyment of civil and political rights because some of the measures taken by States to combat it impose severe restrictions on the freedom of movement and on other rights.  Thus, it is essential that the measures adopted by States to combat this pandemic are reasonable and proportionate to ensure protection of all human rights.

Accordingly, measures must be put in place to ensure that the COVIDSafe app, and the collection, use, disclosure and storage of its data, is consistent with all of Australia’s human rights obligations.  That includes the obligation to ensure that individuals have access to an effective remedy in the event of a violation. 

Ensuring consistency with international human rights law

The human right that has received the greatest attention following the announcement of the COVIDSafe app is the right to not be subjected to arbitrary or unlawful interference with privacy, recognised in Article 17 of the International Covenant on Civil and Political Rights (ICCPR). 

This human right to privacy is plainly concerned with the COVIDSafe app and the collection, use, disclosure and storage of data.  However, it is worth noting that the right to privacy under the ICCPR does not proscribe the collection of personal data altogether.  Consequently, in its Concluding Observations on Hungary in 2010, the Human Rights Committee (HRC) observed that:

 …the protection afforded to personal data should not hinder the legitimate collection of data that would facilitate the monitoring and evaluation of programmes that have a bearing on the implementation of the [ICCPR].  

Nevertheless, Article 17 imposes various obligations on States that are of relevance to the COVIDSafe app.  For example, the HRC has commented in General Comment No. 16 at [10] that:

The gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law.  Effective measures have to be taken by States to ensure that information concerning a person’s private life does not reach the hands of persons who are not authorized by law to receive, process and use it, and is never used for purposes incompatible with the [ICCPR].  In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes.  Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files…

Establishing that any interference with privacy is neither ‘unlawful’ nor ‘arbitrary’ will be crucial to ensuring consistency with Australia’s obligations under the ICCPR.  

Provided that the COVIDSafe app and its collected data is regulated by a sufficiently accessible and precise law, any interference with privacy will not be ‘unlawful’ in the sense contemplated by the ICCPR.  It is arguable that the Health Minister’s relevant Determination under the Biosecurity Act 2015 (Cth) is sufficient to satisfy this legality requirement as a matter of international human rights law.  In any event, legislation will soon be introduced to establish a statutory framework for the COVIDSafe app.  Introducing legislation will insulate the safeguards contained in the Health Minister’s Determination from unilateral amendment or repeal by the executive.  Although a draft of that legislation has been released, it has not yet been considered in Parliament at time of writing, and it is subject to change before enactment.

Given the likelihood that the privacy consequences of the COVIDSafe app will not be ‘unlawful’, the  central question from a human rights perspective will be whether any interference with privacy is ‘arbitrary’.  In General Comment No. 16, the HRC commented at [4] that:

The introduction of the concept of arbitrariness is intended to guarantee that even interference provided for by law should be in accordance with the provisions, aims and objectives of the [ICCPR] and should be, in any event, reasonable in the particular circumstances.  

In Toonen v Australiathe HRC confirmed at [8.3] that it ‘interprets the requirement of reasonableness to imply that any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case’.  Accordingly, the privacy implications of the COVIDSafe app and the collection, use, disclosure and storage of its data must be reasonable, necessary and proportionate to its intended aims of protecting public health and the rights of others. 

Furthermore, Article 17.2 of the ICCPR specifies that everyone has the right to the protection of the law against arbitrary or unlawful interferences with their privacy.  As the UN High Commissioner for Human Rights suggested at [37] in their report on the right to privacy in the digital age‘[t]he “protection of the law” must be given life through effective procedural safeguards, including effective, adequately resourced institutional arrangements’.  In its Concluding Observations on Sweden in 2009, the HRC observed at [18] that:

The State party should take all appropriate measures to ensure that the gathering, storage and use of personal data not be subject to any abuses, not be used for purposes contrary to the [ICCPR], and be consistent with obligations under article 17 of the [ICCPR].  To that effect, the State party should guarantee that the processing and gathering of information be subject to review and supervision by an independent body with the necessary guarantees of impartiality and effectiveness.

Accordingly, all aspects of the collection, use, disclosure and storage of COVIDSafe app data should be subject to independent oversight.  The Office of the Australian Information Commissioner is likely to play a central role in that regard.

The COVIDSafe app is also likely to enliven human rights obligations beyond those relating to health and privacy.  For example, it is arguable that contracting COVID-19 itself gives rise to an attribute that is protected from discrimination under international human rights law (as is the case under Australia’s domestic disability discrimination legislation).  In SC v Brazil, the Committee on the Rights of Persons with Disabilities noted at [6.3] that:

The Committee considers that the difference between illness and disability is a difference of degree and not a difference of kind.  A health impairment which initially is conceived of as illness can develop into an impairment in the context of disability as a consequence of its duration or its chronicity.  

If contracting COVID-19 does give rise to a protected attribute under international human rights law, then States will be obligated to take steps to protect individuals with that attribute from discrimination by private persons.  That obligation will be of relevance whenever the identity of a COVIDSafe user becomes ascertainable.  For example, although users who test positive for COVID-19 are not explicitly identified to those who have been in contact with them during the notification process, identification may sometimes be possible in practice where notified users have been in contact with very few other people.  That gives rise to a risk of discrimination, for example, where the notified person is an employer or landlord of the infected user.  Australia’s existing anti-discrimination framework would be relevant in determining whether the State’s obligation to protect individuals from discrimination is satisfied in such circumstances.

Ultimately, the COVIDSafe app, and the collection, use, disclosure and storage of its data, is capable of remaining consistent with Australia’s obligations under international human rights law.  However, care is required when establishing the app’s legislative framework and beyond to secure that outcome.

Anthony Hallal is a Lawyer at Hall & Wilcox, a Teaching Associate with the Law Faculty at Monash University, and an Assistant Editor of the ILA Reporter.  He is also on the Executive Management Committee at Australian Lawyers for Human Rights.  Anthony holds a Master of Laws (LLM) in Transnational Law from King’s College London, a Bachelor of Laws (LLB) from Monash University, and a Bachelor of Arts in Human Rights Theory from Monash University.  The views expressed in this article are those of the author.