Investigation into App Cuidar Finds no Evidence of Breach


The Argentine Directorate of Personal Data investigated, sua sponte, how the app known as “Cuidar” works and concluded that there is no evidence that the app may be in breach of the Data Protection Law.

 
October 21, 2020

On July 23, 2020, the Agency of Access to Public Information, through the National Directorate of Personal Data (the “NDPD”), reported the findings of a sua sponte investigation into the Subsecretariat of Open Government and the Secretariat of Public Innovation where it concluded that there is no evidence that the app in any way breaches Personal Data Protection Law No. 25,326 (the “Data Protection Law”).

The investigation was sparked by the implementation of “App Cuidar” (the “app,” whose name in Spanish plays on the word “care”) which, on the one hand, aims to prevent the spread of COVID-19 through self-diagnosis and immediate medical assistance and, on the other hand, is a tool for processing the Unique Certificate to Circulate (the “Certificate,” which is an authorization to circulate between jurisdictions). The report delves into different matters like the lawfulness of the processing of personal data, such as the legal basis for data collection, security principles, data quality principles, retention periods, and international transfers, among others. Among the different matters covered in the report, we highlight the ones listed below.

Security and User ID Validation. According to the NDPD, the user ID validation mechanisms implemented by the app are adequate and in compliance with the security principle in section 9 of the Data Protection Law. However, the NDPD underscored that, to validate individuals’ identities, the app prompts them to type in their ID numbers jointly with their procedural numbers. Recalling that, in 2019, a security breach in the Ministry of Domestic Affairs’ systems resulted in unauthorized access to the IDs of thousands of Argentine citizens, it recommended implementing a different method to verify user identities.

In addition, after listing the app’s security measures, the NDPD suggested implementing the security measures recommended under Resolution No. 47/2018. Lastly, it stressed the importance of regularly reviewing those measures.

Proportionality Principle. According to the NDPD, the proportionality principle implies that controllers should not process more data than is necessary for the purpose, meaning that the processing must not exceed the scope of the intended ends.

In that regard, and taking into account the app’s two purposes (to help users assess their symptoms and to process the Certificate they need to circulate between jurisdictions), the NDPD deemed that the processing of symptoms consistent with COVID-19, as well as the user’s location and telephone number, is proportionate for the purpose of evaluating whether or not that user could be infected and, if so, connecting the user to the health authorities. However, with regard to the Certificate, the NDPD held that collecting the user’s telephone number, email address, vehicle make and model and the barcode associated with their Unique Certificate of Disability is disproportionate for the issuance of the Certificate to Circulate.

Submission of Data to Law Enforcement. With regard to the Certificate, the NDPD held that the submission of personal data to law enforcement agencies is legal and proportionate under the Data Protection Law, provided that the data does not exceed the purpose of traffic control.

Lastly, the NDPD highlighted that the app does not monitor user geolocation in real time; if it did, a thorough assessment and legal justification would be required.