William Malcolm, director of international legal privacy at Google, speaks about the company’s COVID-19 exposure notification API, highlighting the importance of consumer trust and promoting corporate responsibility.  

As director of Google’s international legal privacy function, William Malcolm has been a key adviser in the development and launch of Apple and Google’s COVID-19 exposure notification application programming interface (API), which will be used by public health authorities and private companies to develop contact-tracing apps in multiple countries.

Since joining Google in 2011, Malcolm has helped the internet and technology company’s product and compliance teams formulate internal policies and compliance plans on a wide range of issues, including the General Data Protection Regulation (GDPR), the right to be forgotten, cloud privacy and international data transfers. Over the last few months, he and his team have been advising on the data protection considerations of the API during its development, partnering with Google’s privacy-in-data function to ensure that privacy is built into the API by design.   

Contact-tracing apps can help slow the spread of COVID-19, but they have raised concerns that the underlying technology could store and share sensitive personal data, or be used to identify infected individuals. Google and Apple’s API is built to address those concerns and to be flexible enough to remain compatible with the privacy requirements of different jurisdictions’ legislation. A breakdown of global regulators’ advice on data privacy and contact tracing is available here.

The UK, Canada and Australia are among the many countries already developing apps using the API, following on from Germany and others that have them in place. Malcolm found listening to the voices across different teams and industries essential to meet the requirements of multiple jurisdictions. “We were working daily with the engineering teams to make sure that they were getting clear advice on what the legal requirements were and the expectations of the regulators, and we were making sure that we keep local authorities and data protection authorities updated,” Malcolm says. “[W]e spent a lot of time listening to the scientific community, public health authorities and data protection authorities, making sure that we took into account multiple perspectives and vantage points.”

Google and Apple prioritised user transparency and control in the design of the API, which has a number of features to protect privacy, including a decentralised storage system for data, which is not shared with either Google or Apple, and user-controlled sharing and privacy settings. These features “embody the principles of privacy-by-design, like in the General Data Protection Regulation (GDPR),” says Malcolm, but also boost consumer trust. The value of this approach extends far beyond contact tracing, offering lessons on how companies handle data more broadly.

Limiting liability and risk

Over the past few months, the Google legal team’s focus has been overseeing the development of the API to ensure data protection and privacy were built into the design of the technology. Malcolm and his team gave the engineering team daily advice on data protection legislation and on the requirements that data protection authorities set out during the debate over contact-tracing apps.

The result is a system that stores only the data needed for its purpose (contact tracing), following the GDPR’s data minimisation and storage limitation principles. Users do not share their location, for example. Matching data is stored on each user’s own device, an approach known as decentralisation. Only public health authorities process the data users choose to share. Google and Apple do not come into contact with the data at all, meaning they are not ultimately responsible for it.

“Data is very much collected directly by public health authorities via their apps – obviously they decide what data they would want to collect to make that app work – but when they access our API, no data is stored on Google or on Apple. The personal data is collected by the health authority and a lot of the processing is on [the] device which maximises privacy,” Malcolm explains.

Decentralised storage also reduces security risk: no single system holds the complete set of contact data, so a breach of any one system exposes less. “When matches aren’t stored centrally, that decreases the risk that anyone can access the ‘social graph’ of people’s contacts, search history, etc,” Malcolm explains.
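The decentralised design described in the preceding paragraphs can be made concrete with a small model. The Go program below is an added illustration written for this article; it is not Google’s or Apple’s code. It goes into more detail than the interview does: the identifier derivation follows the published Exposure Notification cryptography specification (a daily Temporary Exposure Key, a Rolling Proximity Identifier Key derived from it with HKDF, and a fresh AES-128 block broadcast per 10-minute interval), while the `Device` type, the `RunScenario` walk-through, the Alice/Bob/Carol names and the interval number `day` are simplifying assumptions of the example. A real implementation additionally encrypts associated metadata and tolerates clock skew when matching; both are omitted here. What the model shows is the property Malcolm describes: the only thing that leaves a phone is the diagnosed user’s own keys, and the match itself is computed and kept on each device, so no server ever holds a social graph or a location trail.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

const (
	tekRollingPeriod = 144 // 10-minute intervals covered by one Temporary Exposure Key (one day)
	rpiLen           = 16  // a Rolling Proximity Identifier is one AES block
)

// TEK is a Temporary Exposure Key plus the 10-minute interval number at which it became valid.
type TEK struct {
	Key           [16]byte
	IntervalStart uint32
}

// hkdfSHA256 is HKDF (RFC 5869) with an empty salt, for outputs of at most 32 bytes.
func hkdfSHA256(key, info []byte, outLen int) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt = HashLen zero bytes
	extract.Write(key)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)[:outLen]
}

// rollingProximityID derives what a phone broadcasts during `interval`:
// RPIK = HKDF(TEK, "EN-RPIK"); RPI = AES-128(RPIK, "EN-RPI" || 6 zero bytes || interval as LE32).
func rollingProximityID(tek TEK, interval uint32) [rpiLen]byte {
	block, _ := aes.NewCipher(hkdfSHA256(tek.Key[:], []byte("EN-RPIK"), 16)) // 16-byte key cannot fail
	var padded, rpi [rpiLen]byte
	copy(padded[:], "EN-RPI") // bytes 6..11 stay zero
	binary.LittleEndian.PutUint32(padded[12:], interval)
	block.Encrypt(rpi[:], padded[:])
	return rpi
}

// Device models one phone (an assumption of this example); its keys and the identifiers
// it has heard never leave the handset.
type Device struct {
	teks     []TEK
	observed map[[rpiLen]byte]uint32 // RPI -> interval in which it was heard; no location, no contact list
}

func NewDevice() *Device { return &Device{observed: make(map[[rpiLen]byte]uint32)} }

// NewTEK generates a fresh random key valid from intervalStart (the real API rotates daily).
func (d *Device) NewTEK(intervalStart uint32) {
	var k [16]byte
	if _, err := rand.Read(k[:]); err != nil {
		panic(err)
	}
	d.teks = append(d.teks, TEK{Key: k, IntervalStart: intervalStart})
}

// Broadcast returns the identifier advertised over Bluetooth in `interval` under the current key.
func (d *Device) Broadcast(interval uint32) [rpiLen]byte {
	return rollingProximityID(d.teks[len(d.teks)-1], interval)
}

// Hear stores an identifier received from a nearby phone, locally only.
func (d *Device) Hear(rpi [rpiLen]byte, interval uint32) { d.observed[rpi] = interval }

// DiagnosisKeys is all a user who tests positive uploads: their own TEKs,
// not who they met and not where they were.
func (d *Device) DiagnosisKeys() []TEK { return append([]TEK(nil), d.teks...) }

// MatchDiagnosisKeys re-derives every RPI each published key could have produced and checks
// them against local observations; the result stays on the device and the authority never learns it.
func (d *Device) MatchDiagnosisKeys(keys []TEK) int {
	matches := 0
	for _, k := range keys {
		for i := uint32(0); i < tekRollingPeriod; i++ {
			if _, heard := d.observed[rollingProximityID(k, k.IntervalStart+i)]; heard {
				matches++
			}
		}
	}
	return matches
}

// RunScenario (constructed): Alice is near Bob for two intervals and never near Carol, then tests
// positive. It returns Bob's and Carol's local match counts and how many records the server holds.
func RunScenario() (bobMatches, carolMatches, serverRecords int) {
	const day uint32 = 2_700_000 // a constructed ENIntervalNumber (Unix time / 600)
	alice, bob, carol := NewDevice(), NewDevice(), NewDevice()
	alice.NewTEK(day)
	for _, iv := range []uint32{day + 3, day + 4} { // two 10-minute windows of proximity
		bob.Hear(alice.Broadcast(iv), iv)
	}
	server := alice.DiagnosisKeys() // what the health authority publishes: keys only, no RPIs, no graph
	return bob.MatchDiagnosisKeys(server), carol.MatchDiagnosisKeys(server), len(server)
}
```

Running `RunScenario` gives Bob two matches, Carol none, and a server that holds exactly one record, Alice’s key. Bob can tell he was exposed; nobody else, including the health authority, can tell that Bob and Alice met, and the identifiers Bob stored are random-looking blocks that only Alice’s key can be linked to.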

Building consumer trust

User-facing transparency and control have been a major driver of Google’s culture and compliance strategy over the years, and Malcolm has been part of that journey. He joined Google 10 years ago, just as it was scaling up as a company, so his core priorities were “helping Google think about how the scale is built upon an existing strong foundation and ensure that they were meeting compliance obligations and meeting requirements of laws around the world.”

When representing Google to global policy-makers, Malcolm was most often asked “how do I know what Google knows about me?” In response, Google developed a tool, called Google Activity, which lets users see the information Google holds about them and delete it in real time. Boosting transparency in this way has helped build trust with users, a lesson Malcolm has carried over to the design of the API.

Contact-tracing apps require mass adoption to be effective, so building trust with users is essential; this was one of the considerations that led to the decentralised approach to storing data. “We were conscious that there has to be high levels of public trust in these solutions, and when we looked at a world design we wanted to ensure that the method that we adopt encourages users to download and install applications that were using that API,” Malcolm says.

European regulators have said the apps must be voluntary. By building measures into the design of the technology that promote user choice and awareness, Google has ensured the API aligns with data protection principles such as the GDPR’s transparency requirements. Users have a greater sense of control when the data is held on the device in their own hand rather than stored in a distant, invisible system. Having privacy settings at both device level and account level also means users can run a privacy or security check-up.

“The user remains in control at all times because they have to enable specific data sharing in their settings and they can scale this back at any time, so really at a device level privacy is built in,” Malcolm explains. “Having a clear narrative and clear story for users so that they understand that the processing is happening on their device was really at the core of the consideration that we were thinking about.”

Compliance and culture at Google

A culture of transparency has been a huge benefit during the development of the API, because all the teams involved in the project share the same priorities. Learning from the past has driven this, according to Malcolm, who says “going back eight or ten years we made some missteps in privacy and back then I think the company learned the lesson that you are seeing today: that [transparency] focus within Google.”

Over the years, Google has faced criticism and questions about the nature of its data collection and use. In 2011, it settled with the US Federal Trade Commission over the launch of a social product called “Google Buzz,” which automatically signed up Gmail users and accessed their personal data in a manner the FTC deemed deceptive. And in 2012, Google merged the privacy policies of several of its services into one to reflect its growing data sharing across products, which raised concerns about user consent.

Since then, Google has made changes to focus more on user control and transparency (such as the Google Activity product). “We have been through this process, therefore the employees of the company, such as the engineers, understand the necessity of privacy compliance. They understand users want to live in a world where they are in control of their data and understand how it is being processed,” Malcolm says.

This has produced a culture where the business teams are acutely aware of the importance of compliance, aligning their priorities with their compliance advisers.

“Quite often our engineers are pushing harder than the lawyers to ensure that the technology meets the requirements of law and meets the requirements of regulations.  There is a huge culture at Google of making sure that our technology is accountable to the user […] so it is very much the engineers and the project designers that both at a programmatic level and a cultural level are driving to get to the right outcome,” Malcolm says.

A culture like this is very hard to manufacture, and in Malcolm’s experience it requires:

  • support from company leadership (not just your friendly legal compliance team);
  • a shared sense of values that drives the organisation, and a commitment to putting users first;
  • giving teams a commitment to learning;
  • continuously adapting the compliance programme to meet the challenges of new technology and new regulation.

The API is now in use by multiple authorities around the world. Throughout its development, Google prioritised transparency, user control and limited data storage, lessons that extend beyond contact tracing to how companies handle data more broadly.
