Government Corona apps: what about privacy and security?


Date: April 21, 2020

Modified November 14, 2023

Written by: Annemarie van Woudenberg


The administration plans to use a corona app to map which individuals have been near possible corona patients. This will allow any new infections to be quickly detected and quarantined.[1] Sensitive data, both location data and health data (whether someone is infected), will be processed through the app. Last weekend, a number of corona apps were presented.

The first reports on this are not positive. The Personal Data Authority (AP) has already announced that the corona apps presented are insufficiently worked out to assess whether they adequately safeguard users' privacy and whether they are secure enough. According to the AP, for example, it is not clearly defined who is responsible for processing the data through the apps, and it is not mentioned whether this is part of a package of measures. The AP believes that the design and operation of the corona apps depend on the other corona measures that are put in place, and that the corona app should not stand alone (i.e., be the only measure to detect infections).

Can the government just create a corona app and what about (ensuring) privacy when you use that app?

Anonymity

We previously wrote a blog about the possibility of processing location data. In that blog, we concluded that the government should preferably use anonymized location data, but that it is difficult to keep location data completely anonymous.

If, in addition, health data is processed by the app, it does not make things any easier as far as privacy is concerned. In principle, health data may not be processed unless an exception can be designated for it in the law. Another possible basis for processing health data could be consent of the users. In that context, however, it is important that the use of the app may not be made mandatory, otherwise consent has not been freely given and that basis can no longer be invoked.

However, the corona apps claim that all data is anonymized. In that case, the General Data Protection Regulation (AVG) does not apply and location and health data may be processed by the government. However, it is by no means clear whether anonymity can really be guaranteed with those apps. After all, in that case the use of the app must not be traceable, even indirectly, to individuals. That can become tricky if you receive a signal on the app that an infected person is walking in your neighborhood and only one person is present there at that moment.

Moreover, during the installation and exchange phase of the app, health data must still be processed from the user to determine whether or not that person is infected. This cannot be done anonymously; after all, the app needs the health data of a particular individual to be of use. This will generally require the user's consent. In the subsequent phases, where the user is informed about possible contact with an infected person on the basis of pseudonymized data (including location data), the government may be able to use the AVG in combination with the Public Health Act (Wpg) as a processing basis.[2]

Safe?

If a processing basis can be identified at all, or if the data is processed completely anonymously, the follow-up question is how secure the corona app is. Experts were already highly critical of the security of the apps presented yesterday.

All of the apps presented use Bluetooth. When using them, non-infected persons may also be registered, for example because their equipment connects to other equipment located within a certain distance (for example, through glass or through a wall). Also, an infected person's equipment may not be in the same place (temporarily), for example if the equipment is at home or someone else is using the equipment. None of the apps presented could adequately overcome this problem.

Last weekend, one of the apps was even found to have a data breach. According to the developer of that app, that was related to the time pressure under which they had to develop the app.

In short

So corona apps do not seem (for now) secure enough. It is also insufficiently clear whether privacy can be guaranteed when using such an app.

The use of a corona app is a far-reaching tool. When so much is still unclear about how it works, who is responsible for it and what measures exist alongside the apps, it is difficult to assess whether the use of the corona app is proportionate to the purpose to be served; namely, detecting new infections. Perhaps that goal can also be achieved in a way that does not violate privacy to such a degree.

And does a corona app make sense if not everyone uses the app? Are we then required to use the corona app? But if consent is used as the basis, then use cannot be required, because in that case the consent has not been freely given. What about elderly people who do not use smartphones?

We have not yet received answers to all these questions from the cabinet. What will happen next with the corona app is as yet unclear. Perhaps we will hear more tonight. To be continued!

[1] I will leave out the apps that the government wants to use for contacting a doctor in this blog.

[2] Article 9, second paragraph, introductory phrase and point i, AVG in conjunction with Article 6, first paragraph, introductory phrase and point e, AVG in conjunction with Article 6, first paragraph, introductory phrase and point c, Public Health Act.

