COVID19, Vulcan Insight

Privacy concerns accompany European rollout of COVID-19 tracing apps

29 May 2020

As the bloc gradually emerges from three months of confinement, EU Member States are preparing to launch, or are in the process of developing, mobile contact tracing applications to track individuals who are infected with the Coronavirus, or alert those at risk of contracting it. Tracing apps have been touted as an indispensable tool to help interrupt the transmission chain and may also prove vital to ensuring the renewed functioning of the internal market, particularly for cross-border workers (and potentially tourists) as countries across the bloc gradually lift their confinement measures.

The new applications nevertheless come accompanied with unresolved policy concerns. On one hand, the issue of the interoperability between different applications adopted by the Member States to ensure effective EU-wide tracing. On the other, the ethics of contact tracing – specifically the right to privacy and data protection – has proved to be particularly contentious.

Recognising the potential of tracing apps, measures have been introduced in Brussels to address these concerns. Last month, the European Commission published an initial EU toolbox for the use of mobile applications for contact tracing and warning, developed together with the Member States, as part of the former’s ‘exit strategy’ to coordinate the roll-back of national confinement measures. The toolbox provides practical guidance in the implementation of contact tracing apps, in addition to specifying essential requirements, such as compliance with pre-existing EU data protection and privacy rules, and that applications should not track location data.

The Commission followed up on May 13 with interoperability guidelines for approved contact tracing mobile applications, aiming to ensure widespread voluntary take-up of national tracing apps across borders, as well as across operating systems. The guidelines affirm “the largest possible participation of EU citizens is necessary to exploit the full potential of tracing apps” but stops short of providing full technical details, instead committing “to ensure the operationalisation of interoperability as soon as possible.”

The European Parliament has also acquired a newfound purpose in addressing the ethics of contact tracing, its voice louder and more relevant when compared to other areas of the EU response to COVID-19.  In a plenary resolution adopted on April 17, MEPs affirmed that “national and EU authorities must fully comply with data protection and privacy legislation” and that “mobile location data can only be processed in compliance with the ePrivacy Directive and the General Data Protection Regulation (GDPR)”.

Parallel debates on ethics and performance are ongoing at national level, with the Member States bearing responsibility for introducing and managing contact tracing apps. In France, the government’s ‘centralised’ application (‘StopCovid’) was approved by Parliament this week, and will be available for download from next Tuesday, to coincide with the lifting of other public health restrictions. The UK also plans to deploy its own centralised application – i.e. contact matches take place on a centralised computer server – within the next fortnight.

This comes in contrast to the decentralised approach favoured by 22 Member States, including Ireland, Germany and Italy, and advocated by US tech-giants Google and Apple, which carries out matches on users’ own devices instead of a centralised database. Both the centralised and decentralised approaches have attracted criticism, with the former offering more targeted tracing, and the latter promising greater anonymity and privacy.

Beyond the Member States and the European institutions, it will ultimately be up to European citizens to voluntarily take up contact tracing apps. Trust will be a major variable in ensuring the procurement of widespread and effective data, but it is nevertheless something that has been in inconsistent supply during the pandemic. To opt-in to an initiative aimed at protecting others, Europeans must first be assured their individual privacy and data is protected. To this end, one can expect authorities and developers to face further questions over the security and design of tracing applications, the appropriate duration of data storage and how to incorporate greater transparency in the use of personal data, during the rollout of applications in the coming weeks and months.