The Dutch COVID-19 tracing app: A Privacy by Design fiasco?
Winfried Tilanus, Privacy Strategist & Privacy Architect at tilanus.com explains how the Netherlands is navigating the muddy waters of privacy and app development.
Privacy by design is about making sure a system meets its goals while minimizing the (possible) negative impact on privacy. To do so, you need to know two things: the goal of the system and the privacy issues that may arise from the system. That seems straightforward, but putting this into practice is often hard. The Dutch COVID-19 contact tracing shows how this can go wrong.
Let’s go back in time. On Tuesday 7 April, much to the surprise of everybody, the Dutch Minister of Health, Hugo de Jonge, announced two mobile apps to fight COVID-19: one app to inform the public and one app for digital contact tracing to stop the spreading of the virus. On Friday, 10 April at 4pm (Good Friday afternoon), the ministry of health published a call for “digital solutions against corona”, one part of the call being explicitly for systems for “source and contact tracing”. Deadline of the call: Tuesday, 14 April, 12 noon, the first working day after Easter holidays. All submissions needed to be able to have a prototype available within two weeks. About 300 organisations submitted a proposal of which seven were selected to be judged in a public “appathon” the following weekend. During that appathon the experts concluded that none of the apps was mature enough to be even judged on their suitability and that the process of contact tracing was not defined clearly enough to build an app for it.