DPA: Privacy of coronavirus app users not yet sufficiently guaranteed
The privacy of users of the Dutch ‘CoronaMelder’ contact tracing app is still not sufficiently guaranteed. The Dutch Data Protection Authority (DPA) believes that the health minister should make agreements with Google and Apple about the app’s software, that legislation should be put in place to properly regulate the use of the app, and that it should be made clear that the app’s servers are secure. The DPA advises the government not to roll out the app until these steps have been taken.
DPA chairman Aleid Wolfsen says that the DPA is positive about the development of the app in itself. ‘The app has clearly been designed with privacy as a priority. There are all kinds of technical safeguards, such as data traffic encryption and random codes to prevent malicious parties from reading data traffic.’
App does not function in isolation
The app does not function in isolation, however. It is dependent on other technical components and on legislation. ‘And that’s what we’re concerned about,’ says Mr Wolfsen. ‘The app is not only what you see on your screen, but also the underlying Google and Apple technology, as well as the servers you send your data to. The app is part of a larger system. And privacy must be ensured across the system as a whole, not just in the app.’
Agreements with Google and Apple needed
The DPA’s main concern relates to the Exposure Notification System (ENS) developed by Apple and Google. This is the software in Android and iOS mobile operating systems that enables the app to function as intended. ‘It is not clear to the DPA if these two US tech giants can obtain users’ data via the combination of the ENS and the operating system and, if so, what happens to the data. And this is about health data; highly sensitive data from large numbers of people,’ Mr Wolfsen notes. ‘That’s worrying. The government has to make clear agreements with Google and Apple before rolling out the app. And the DPA should be able to check that everything is as it should be. That’s not the case at present.’
Grounded in legislation
Given the extensive and all-encompassing impact of the app, the most logical way of regulating it is with legislation. This legislation should provide a legal basis for the Minister of Health, Welfare and Sport to process the relevant data and should also include privacy guarantees.
‘The legislation, Mr Wolfsen says, ‘should also state, for example, that you can decide for yourself whether you want to use the app. This means that you cannot be refused entry to bars and restaurants if you do not have the app on your phone. And that your employer cannot force you to use the app.’
Back-end security
The priority in the DPA’s advisory opinion is that the back-end of the app – meaning everything that happens on the app’s servers – should be well regulated: ‘It wasn’t clear until this evening who will be managing back-end security,’ says Wolfsen. ‘We still don’t know how that party has set it up. We need to know for sure that the security in place is solid. Only then can the app be used.’
The DPA sent its advisory opinion to the Ministry of Health, Welfare an Sport on 6 August 2020. It is up to the minister to decide whether to follow the DPA’s advice.