Sunday

25th Jul 2021

Opinion

Contact-tracing apps: a major test for privacy in Europe

  • The common European approach isn't exactly going to plan. France has asked Apple to dismantle privacy protections to establish a centralised app. Austria and Switzerland have opted for decentralised models (Photo: Omar Prestwich)

With a third of the world under lockdown in an attempt to curb the spread of the coronavirus, governments are exploring technological solutions to help ease current restrictions on movement.

Contact tracing apps are the tech tool of the moment, yet without proper scrutiny, these tools have the potential to fundamentally alter the future of privacy and other human rights. In tackling the pandemic, we must avoid Europe sleepwalking into a permanent expanded surveillance state.

The European Commission guidelines on contact tracing, published last week, are a starting point for states to avoid such a path.

Developed by EU states with the commission, they contain guidance for member states navigating new methods of data collection in a public health crisis, while reminding them of their existing human rights obligations.

This 'common European approach' of standard-setting and oversight, if rolled out properly, could help foster movement of people between EU member states and stimulate economic growth.

Rights in times of crisis

The proposals state that apps must be in line with the GDPR – a call that EU data regulators say is not only possible, but necessary.

While there are some limited exemptions for business-as-usual GDPR processing in a public health crisis, this is not a free pass for states to ignore existing legal requirements.

International human rights law still applies, and any interference with privacy must still be lawful, necessary and proportionate. Amnesty and over 100 other rights groups have laid out some conditions states must meet when introducing increased digital surveillance to address the pandemic.

The EU guidelines promote human rights and data collection principles – encouraging a laudable light-touch approach from states, recommending that any apps are voluntary and quickly dismantled once the crisis has passed. But there is a deep confusion and contradiction running through these proposals that sets alarm bells ringing.

Decentralised apps for privacy

The guidelines launched with a headline recommendation for decentralised contact-tracing apps – the kind that will apparently be provided for by Apple and Google – which give far less access to personal data to government agencies, and are the right choice when it comes to protecting privacy and other human rights.

Yet this recommendation is fast undermined by discussion of the 'limitations' arising from a privacy-first approach.

These are guidelines only, and contact tracing apps can vary hugely in function and design, but the proposals at times seem to advocate for apps that not only connect to a centralised government database, but also allow for a networked pan-European database.

This would be a firm step in the wrong direction for human rights. It would open the door for states to access phenomenal new amounts of sensitive information and create opportunities to cross-reference previously unlinked data – not just nationally, but internationally – which would grant governments vast new powers to discriminate based on this information.

Contact tracing apps must be limited in scope, with a clearly defined purpose and constraints. There is so much opportunity for mission creep here, with states collecting data 'just in case' or attempting to merge information with existing databases.

Any contact tracing app must be subject to rigorous and regular review by independent data protection authorities to ensure that app use is in line with human rights and data protection laws and standards.

While they propose only voluntary applications, the guidelines highlight that to be effective, apps should be adopted by over half of the population of member states.

One can only hope that states understand this to be an indicator of the limits of contact tracing apps, rather than an encouragement to push them on their populations. In South Korea, whose contact tracing programme is being held up as an example of good practice, people are mandated to give over extensive amounts of data, a significant concern for human rights.

The EU commission must clarify that to protect human rights, any contact tracing apps must be decentralised in approach. To avoid state overreach the guidelines must make explicit what data may be collected under what circumstances, where and how it may be stored and, crucially, what data collection and practices are out of bounds.

There is slightly more clarity from EU data regulators now on red lines for contact tracing app data collection, but to what extent are states listening?

The common European approach isn't exactly going to plan. France has asked Apple to dismantle privacy protections to establish a centralised app. Austria and Switzerland have today opted for decentralised models.

The Netherlands hosted a rollercoaster 'app-athon' competition which has thankfully realised the complexity of such an undertaking and concluded that more time is needed, following interventions from Amnesty and others.

In order for this technology to work, the public need to trust that it's in their interest to use it.

We need to know that any creators, operators and reviewers are acting in our best interests and will protect our human rights both during and beyond the crisis. Particularly during times of emergency we cannot assume that states will do the right thing – we need transparency at every step of the way.

It's still unclear to what extent contact tracing apps can ease pressure on healthcare systems. They are merely one tool that states can use to manage this pandemic, but these apps must be seen in daylight, with all their limitations and flaws, and must never be rolled out at the cost of human rights.

Author bio

Anna Bacciarelli is a researcher for Amnesty International on artificial intelligence and big data.

Disclaimer

The views expressed in this opinion piece are the author's, not those of EUobserver.
