Successful tracing apps depend on trust built on privacy values

Privacy is now at the centre of public consciousness and policy making as each national government tackles the Covid-19 pandemic in its own way. 

Earlier this week, Germany’s federal government launched a decentralised version of a tracing app designed by SAP and Deutsche Telekom. France, Switzerland, South Korea, Israel and many more countries have their own apps. Italy and Denmark have switched from a centralised to a de-centralised model. 

The UK’s National Health Service had developed a model based on a Swiss company’s knowhow, had several privacy protections built-in and had consulted the UK’s Information Commissioner. But a negative factor in the trial was that the app failed to work effectively with Apple phones when they were “asleep.” 

As a result, just yesterday, Thursday 18 June, the UK government switched from a centralised app model to a decentralised model based on the Google-Apple platform where the data resides on the mobile device. An aim is to reassure users and develop trust that their privacy is well-protected. Their data will not suffer from mission creep by being used for other purposes, for example by the police. A downside of this policy shift is that it will be more difficult for the government to monitor the trajectory of the pandemic.

Whilst the Netherlands government has failed to be clear about its app building objectives (p.12), Australia is sticking with its centralised model.

Privacy Path - Privacy Laws & Business podcast

In our first episode Professor Graham Greenleaf, Asia Pacific Editor, discusses the privacy aspects of Australia’s COVIDSafe voluntary contact tracing app with Stewart Dresner, Publisher; Helena Wootton, Data Lawyer and PL&B Correspondent. Producer: Tom Cooper, Deputy Editor.

Listen now

The privacy law dimension

On Tuesday this week, the European Data Protection Board (EDPB), the group of national DPAs in the European Economic Area, adopted a statement on the interoperability of contact tracing applications, building on their April Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 pandemic. The statement highlights some of the more important privacy principles related to tracing apps including: “transparency, legal basis, controllership, data subject rights, data retention and minimisation, information security and data accuracy.” The EDPB makes it clear that “the sharing of data about individuals that have been diagnosed or tested positively with such interoperable applications should only be triggered by a voluntary action of the user. Giving data subjects information and control will increase their trust in the solutions and their potential up-take.” 

The United States

On Tuesday 16 June, in the US, a bipartisan coalition of 39 state and territory attorneys general sent a communication to the CEOs of Apple and Google expressing appreciation for their development of the tracing app. The companies have emphasised that their app will be available only to public health authorities and can be used only if certain features to protect consumer privacy are in place, including banning the collection of geolocation data and the use of personal information for targeted advertising purposes.

But what about other apps? The bipartisan coalition wrote "Some of those apps may endanger consumers' personal information," observing that they are "particularly concerned about purportedly 'free' apps that utilize GPS tracking, contain advertisements and/or in-app purchases, and are not affiliated with any public health authority or legitimate research institution."

Does a regulatory regime depend on fines?

Most DPAs consider education and persuasion to be part of their mission but will impose proportionate fines when they consider it necessary as a last resort.

In this June edition, we report on fines for a range of privacy related regulatory and competition offences in nine countries: Belgium, Canada, Finland,  Germany, Greece, Ireland, the Netherlands, Sweden, and Turkey. Companies fined include major names, such as PWC and Amazon. 

Data Protection Officers and Privacy Managers tell me that while they do not want their own organisation to be fined, the fact that the regulators or the courts impose fines on other organisations is a very good way of attracting the attention of their top management to the regulatory and reputational issues. 

While not every country would want the complex fining formula developed over the last year in Germany, the factors which the DPAs should take into account are relevant everywhere. Even when a fine is controversial and will be appealed, as in Belgium, they help define the parameters of acceptable data protection business norms.


Stewart Dresner, Publisher

International Report 165

Lead stories:

Australia’s ‘COVIDSafe’ law for a voluntary contact tracing app

Can other countries learn from Australia’s app law? By Professor Graham Greenleaf and Dr. Katharine Kemp, UNSW Australia provisions.

What is the future for marketing and legitimate interest?

As the Netherlands tennis association is fined €525,000 for sharing the personal data of its members with sponsors, Géraldine Proust of FEDMA reflects on the DPA’s new interpretation.

Click for full contents list