Diverse national privacy paths for Covid-19 tracing apps

Germany’s federal government launched on 16 June a decentralised version of a tracing app designed by SAP and Deutsche Telekom. France, Switzerland, South Korea, Israel and many more countries have their own apps. Italy and Denmark have switched from a centralised to a de-centralised model.

The UK’s National Health Service had developed a model based on a Swiss company’s knowhow, had several privacy protections built-in and had consulted the UK’s Information Commissioner. But a negative factor in the trial was that the app failed to work effectively with Apple phones when they were “asleep.”

As a result, on 18 June the UK government switched from a centralised app model to a decentralised model based on the Google-Apple platform where the data resides on the mobile device. An aim is to reassure users and develop trust that their privacy is well-protected. Their data will not suffer from mission creep by being used for other purposes, for example by the police. A downside of this policy shift is that it will be more difficult for the government to monitor the trajectory of the pandemic.

Whilst the Netherlands government has failed to be clear about its app building objectives, Australia is sticking with its centralised model.

The EDPB explains the privacy law dimension

On Tuesday, 16 June, the European Data Protection Board (EDPB), the group of national DPAs in the European Economic Area, adopted a statement on the interoperability of contact tracing applications, building on their April Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 pandemic. The statement highlights some of the more important privacy principles related to tracing apps including: “transparency, legal basis, controllership, data subject rights, data retention and minimisation, information security and data accuracy.” The EDPB makes it clear that “the sharing of data about individuals that have been diagnosed or tested positively with such interoperable applications should only be triggered by a voluntary action of the user. Giving data subjects information and control will increase their trust in the solutions and their potential up-take.”

US state A-Gs enter the ring

On Tuesday 16 June, in the US, a bipartisan coalition of 39 state and territory attorneys general sent a communication to the CEOs of Apple and Google expressing appreciation for their development of the tracing app. The companies have emphasised that their app will be available only to public health authorities and can be used only if certain features to protect consumer privacy are in place, including banning the collection of geolocation data and the use of personal information for targeted advertising purposes.

But what about other apps? The bipartisan coalition wrote "Some of those apps may endanger consumers' personal information," observing that they are "particularly concerned about purportedly 'free' apps that utilize GPS tracking, contain advertisements and/or in-app purchases, and are not affiliated with any public health authority or legitimate research institution."

We expect that if such free tracing apps for commercial solicitation purposes are directed to people in the European Economic Area, consumer and human rights groups will complain to DPAs. It will then be interesting to see how the GDPR is deployed to tackle such cynical exploitation of people’s fears during the pandemic.

See Privacy aspects of Australia’s CovidSAFE contact tracing app - PL&B's first podcast