UCL Faculty of Laws


Enabling COVID-19 contact tracing apps that protect privacy and reduce surveillance risk

This case study is part of the 2021 REF submission in which UCL Laws was assessed as No.1 for research excellence in the UK.


In early 2020, many governments were interested in using mobile phones for tracing people who may have been exposed to a COVID-positive individual. This raised a challenge: how would this technology be designed, and how would it integrate concerns around privacy, digital and other human rights?

Dr Michael Veale, Associate Professor in Digital Rights and Regulation, provided interdisciplinary law and computing expertise on the cross-institutional DP-3T project which also involved EPFL, ETH Zürich, KU Leuven, TU Delft, CISPA (Germany), ISI Foundation (Italy), University of Porto and Oxford.

It was clear that no digital contact tracing approaches were risk-free, but that centralised systems would involve greater risks around privacy, abuse of power, and mission creep, which could damage adoption and facilitate misuse, particularly by governments with limited protection of human rights in this global pandemic. Dr Veale worked rapidly from March 2020, alongside epidemiologists, privacy and wireless engineers to bridge the technical and legal challenges of a Bluetooth tool to notify individuals who had been near others who later tested positive for COVID-19. While other groups proposed systems that could create maps and networks in the cloud of who-saw-who, the DP-3T project built one where individuals could be notified without being tracked or identifiable in technical or legal senses, using  a technical solution of rotating codes processed on-device which also functioned elegantly within data protection law. This work included technical and legal analysis of both the DP-3T protocol, alternatives that were emerging, and the creation and analysis of adaptations and extensions in a rapidly changing context. The work was done in the open, with all code and analysis released publicly. The team were constantly facilitating and acting as knowledge-brokers in heated debate and discussion in the media, governments and parliaments, and other public fora as laws and technologies were being developed around the world. 


As the advent of COVID-19 forced rapid development of contact tracing technology, and created major new questions around digital privacy and rights, the research on this technology had two broad impacts:

Globally, analysis of privacy and data protection law underpinned the rapid design of a protocol (DP-3T) for proximity tracing through smartphones which:

  • inspired Apple and Google’s approach to building decentralised proximity tracing capability into their operating systems, enabling privacy-preserving ‘contact tracing’ apps developed by national public health authorities around the world to be accessed on over 90% of smartphones;
  • has been adopted by at least 65 official national or regional COVID-19 contact tracing apps globally (December 2020); and
  • facilitated contact tracing across borders within the EU, covering 372m people.

Within the UK, analysis of legal and regulatory gaps surrounding contact tracing influenced Parliamentary scrutiny of the UK government’s approach, the outputs of campaigning organisations, and public debates, all of which led to decentralised applications adopted from the start in Scotland and Northern Ireland, pressured the UK government to abandon a centralised app for NHS England, and raised the profile of novel issues surrounding contact tracing not addressed by existing law.

Research at UCL Laws continues, funded by Fondation Botnar, into how new mobile sensors and parts of the world with fewer technical infrastructures might impact digital contact and proximity tracing, and how to best govern the overwhelming influence of platforms such as Apple and Google that have power over who can do what with the devices in everyone’s pockets.

References to the research

Carmela Troncoso et al., ‘Decentralized Privacy-Preserving Proximity Tracing’ (2020) 43 IEEE Data Eng Bull 36.

Other auxillary papers authored collectively and published openly under ‘The DP-3T Project’, including “Privacy and Security Attacks on Digital Proximity Tracing Systems” and “Decentralised Privacy-Preserving Proximity Tracing: Overview of Data Protection and Security

Michael Veale, ‘Sovereignty, privacy and contact tracing protocols’ in Linnet Taylor, Gargi Sharma, Aaron Martin and Shazade Jameson (eds.), Data Justice and COVID-19: Global Perspectives (Meatspace Press 2020).

Lilian Edwards, Michael Veale et al., ‘The Coronavirus (Safeguards) Bill 2020’ (2020)