EU struggles to reconcile contact tracing with high privacy standards

Analysis

As European countries turn to apps to contain the pandemic, the EU must weigh the public health emergency against its own data protection rules. Policymakers and experts on data protection and privacy in Brussels warn that tracing and monitoring technology can undermine fundamental rights.

As individual European countries press ahead with the creation of contact tracing apps to fight the Covid-19 pandemic, the European Union has yet to find a common approach that would be in line with the regional bloc’s high data protection standards.

The European Commission has proposed to make tracing apps a key part of member states' strategies in exiting coronavirus lock-down, and officials in Brussels hope that countries will agree on standards to make apps interoperable between countries. But as of mid-April, at least twelve member states were working on tracing apps, according to a Commission document. Policymakers and experts worry that data protection rules and the right to privacy might suffer in this process.

A consortium of researchers from EU countries and Switzerland is working together on a joint system. There has recently been confusion over whether the "Pan-European Privacy-Preserving Proximity Tracing"(PEPP-PT) project favors a centralized or decentralized approach to storing individual location and movement data.

In a decentralized system, data would be accessible only on the device of the user. Google and Apple had announced a platform for smartphones that would be interoperable with a decentralized European standard. Using Bluetooth technology, tracing apps would keep a record of all devices moving in close proximity for a number of weeks. Should any of the anonymously logged contacts report an infection, people who had come close to the device would be notified.

Other apps that are being developed store data centrally on servers by public health authorities. While this can provide additional aggregate information and help authorities to locate infection hot spots, it could open up privacy risks.

Poland takes draconian measures

Meanwhile, some EU countries have put in place more strident measures to fight the virus. In Poland, the government has issued an app called "Home Quarantine" to verify the obligatory self-isolation after trips abroad. According to reports, users are required to install the app and upload pictures within 20 minutes at any time over a period of two weeks to prove their whereabouts.

In a series of interviews, policymakers and experts who work on civil liberties strongly opposed obligatory apps to control exit restrictions, such as the Polish app. "These are draconian surveillance measures that are neither necessary nor otherwise justified in a democracy," said Cornelia Ernst, an MEP with the Left group GUE/NGL. Data protection officials agree. "I can't imagine how a mandatory approach could be enforced in a liberal society," said the German Federal Data Protection Commissioner Ulrich Kelber in an online seminar hosted by the Information Technology Industry Council (ITI). "It would be ridiculous to believe you can do the same thing in Europe as you can do in China." China has relied on comprehensive surveillance during the crisis.

But even in Western Europe, some politicians are calling for tougher measures. "What is more important to us? Data protection or for people to be able to leave the house normally again? Data protection or saving lives," the Austrian Chancellor Sebastian Kurz recently asked.

Dangerous trade-offs for liberal democracies

Civil rights experts are warning of dangerous trade-offs even in liberal democracies. The left-wing MEP Ernst said it must be clear that information about the health of contact persons is particularly sensitive data. "Who, how and where this data is processed is crucial. And above all else, the data must not be used for anything else," Ernst said. Whereas the Commission does not encourage surveillance of individual citizens, even its more moderate contact tracing proposal has caused controversy.

The Commission calls for the use of contact tracing to be voluntary. Several member states including Germany and Austria have announced to follow this guideline. But in the European Parliament, the Social Democrat Birgit Sippel says it has to be made sure contact tracing really is voluntary. "If, for example, the right to leave the house or use the subway is linked to the use of an app, then we can no longer speak of a voluntary act," said Sippel, who is the rapporteur on two key files, eEvidence and ePrivacy, in the parliament's LIBE committee. The German Green MEP Alexandra Geese said the voluntary use of tracing apps is subject to certain conditions. The MEP from the Greens/EFA group has even published a catalogue of requirements on her website.

The high level of confidence in contact tracing could mean use of apps will become practically obligatory for activities like travel, warns Estelle Massé of the civil liberties NGO Access Now. "It is not easy to differentiate between voluntary and mandatory use of apps," she said.

Little thought has been given to the consequences of warnings by contact tracing apps, argued MEP Patrick Breyer, who was elected as member for the German Pirate party and has since joined the Greens/EFA group. "The apps will probably alert tens or hundreds of thousands of people who were on their way to work or shopping. It is unlikely that it will be possible for all of them to get tested. The effect will be widespread concern or even panic."

Don't mess with the GDPR

Answering these questions will be important for the EU, which has spearheaded global efforts to protect personal data and privacy. As the European Commission has reportedly postponed its long-planned review of the General Data Protection regulation, both MEPs and members of civil society insist that the pandemic should not be used as means to weaken privacy protection in the future.

Rather than weakening protections, the EU should work to strengthen privacy in new laws such as the proposed ePrivacy Regulation, said Florian Glatzner of the German Federation of Consumer Organisations (vzbv). Data protection is not an obstacle in the crisis, he argued. "On the contrary: if the level of data protection is too low, people's trust in the state and companies suffers – and with it the acceptance of measures, such as the app for tracking infection chains mentioned above."

So far, initiatives like the PEPP-PT standard illustrate that Europeans are working hard to reconcile its high privacy standards with the reality of a public health emergency. "The crisis has shown that the EU data protection regime is flexible enough to allow for the use of data during such a health crisis while preserving fundamental rights," said Estelle Massé of Access Now. However, she said that the crisis has highlighted the difficulties for data protection authorities to coordinate joint responses.

For the Green MEP Geese, the corona crisis is a chance for Europe to show its values. "We are at a crossroads. We have an opportunity to show that we can effectively manage this crisis without creating a surveillance infrastructure."

A slightly different German version of this article was published by netzpolitik.org on April 17, 2020.