Privacy and data protection aspects of COVID-19 tracing and warning apps - Chapter 2

Because tracing and warning apps are inherently a risk for individual privacy, it is difficult for each country to develop their own application from scratch. For this reason, many countries have opted to make use of the ‘Exposure Notification System’ (ENS) developed in a collaboration between Google and Apple, which is, according to the two tech giants, designed to respect user privacy and security. Google and Apple have already made clear that the use of their ENS is conditional on a few requirements. Firstly, only one application per country may have access to the ENS in order to prevent fragmentation and improve the uptake and use of a single app. Secondly, users must give explicit consent to receive notifications, and they must be able to give consent before a positive test result and unique identifiers are shared with government authorities. Thirdly, the apps must also adopt a data minimization and purpose limitation approach, with the sole purpose being COVID-19 response efforts. Lastly, Google and Apple state that apps may not collect and share the precise location of the users. In the end, developers are allowed to follow their own approach, as long as the above mentioned requirements are satisfied.

As opposed to a centralized approach to COVID-19 tracing, which could present serious privacy risks (e.g. function creep), some authors have proposed a decentralized solution based on the ‘Decentralized Privacy-Preserving Proximity Tracing’ (DP-3T) protocol. Such a decentralized approach is also backed by Google and Apple through their ENS, which they have made available to national authorities. The main benefit of this approach is that personal data is not stored on a central server, but rather stored locally on the users’ device. The KRAKEN project also follows this approach by enabling self-sovereign identity management and user-centric access control to personal data. This allows users to control their own personal data without relying on a central entity, while contributing to individual privacy and acceptance of the platform.

The Data Protection Authorities (DPA’s) of some countries, such as the Netherlands, have already expressed a positive opinion on the use of their national COVID-19 tracing and warning app. Nonetheless, the Dutch DPA also formulated some concerns related to the specific implementation of the app:

1. Clear arrangements with Google and Apple are necessary due to the processing of sensitive personal data (e.g. health data).
2. Legislation must stipulate: the competences of authorities to process personal data, the fact that privacy is guaranteed, and that the use of the app is completely voluntary (e.g. not mandated by an employer).
3. The servers and storage of personal data must be properly managed and secured.

In May, the Dutch DPA also published a document (in Dutch) listing functional and non-functional requirements for COVID-19 tracing and warning apps.