Coronavirus contact tracing apps raise significant privacy issues that have been addressed by the European Data Protection Board.
The European approach to Coronavirus contact tracing Apps
Following a request for consultation from the European Commission, the European Data Protection Board adopted a letter concerning the European Commission’s draft Guidance on apps supporting the fight against the COVID-19 pandemic. This guidance complements the EU common toolbox for the use of technology and data to combat and exit from the COVID-19 crisis.
Key takeaways on the privacy issues relating to Coronavirus contact tracing apps
The position of the European Data Protection Board (EDPB) on Coronavirus contact tracing apps can be summarized as follows:
- no one-size-fits-all solution applies but envisaged technical solutions need to be examined in detail, on a case-by-case basis in consultation with data protection authorities;
- the development of the coronavirus contact tracing apps should take into account privacy by design and privacy by default mechanisms, and the source code should be made publicly available for the widest possible scrutiny by the scientific community;
- the EDPB strongly supports the European Commission’s proposal for voluntary adoption of such apps, a choice that should be made by individuals as a token of collective responsibility;
- the mere fact that the use of Coronavirus contact tracing apps takes place voluntarily does not mean that the processing of personal data by public authorities must necessarily be based on consent. The enactment of national laws promoting the voluntary use of the app, without any negative consequence for individuals not using it, could be a legal basis for the use of the apps. In the EDPB's view, the most relevant legal basis for the processing appears to be the necessity for the performance of a task in the public interest;
- Coronavirus contact tracing apps do not require location tracking of individual users. Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimization. Also, doing so would create significant security and privacy risks;
- the primary function of such apps is to discover events (contacts with positive persons); such events can be stored either at the local level (within the device of the user) or at a centralized level. According to the EDPB, the decentralized solution is more in line with the minimization principle;
- Coronavirus contact tracing apps are not social platforms for spreading social alarm. A mechanism should ensure that whenever a person is declared as COVID-19 positive, the information entered in the app is correct since this may trigger notifications to other people concerning the fact that they have been exposed; and
- once this crisis is over, such an emergency system should not remain in use, and as a general rule, the collected data should be erased or anonymized.
My personal views on the topic
There has perhaps been too much debate on Coronavirus contact tracing apps and on how South Korea was great in using them and limiting the spread of the virus. But the situation in South Korea when the app was adopted was different, and South Korea is very different from Europe.
In all the largest European countries, we have over 100,000 coronavirus cases, while in South Korea, they recently reached 10,000 cases. Also, South Korea is a very advanced country from a technological perspective where even old generations are very accustomed to technology. On the contrary, old generations of some European countries do not yet have a mobile phone, and the average age of infected people in Italy, for instance, is 79 years.
Besides, if the adoption of the app is discretionary, we risk that a limited number of people will adopt it, also because some regions and cities already adopted a similar app. Once Governments launch their app, the population will get confused and will not deal with multiple apps.
And the risk is further increased since private companies are launching coronavirus contact tracking apps, which will collect a large amount of health-related data, and it is not clear what will happen to such data once the emergency is over.
I believe that it is too late to rely on this technology, and if we think that it is the right choice, it shall be compulsory for the whole population.
On a similar topic, you may find the article “Are your Coronavirus checks privacy compliant?” interesting.