Mobile Contact Tracing Apps
Amid the COVID-19 pandemic, a number of Member States have begun to assess the potential of digital solutions as key elements of their national crisis management strategy. To this end, the EU Commission has already published Recommendations and Guidance for the development of a common EU approach to the use of contact tracing apps and mobile data, to support the gradual relaxation of containment measures across Europe. Taking into consideration the privacy and data protection implications and risks arising from the use of such apps, the Commission articulates the key principles for the use of contact tracing apps as regards the lawfulness of apps’ installation, data minimisation, purpose limitation and data security.
Following the foregoing initiatives of the Commission, the EU eHealth Network has developed a common EU toolbox for the development and use of such apps, which sets out the essential requirements for national apps and cross-border interoperability. The Toolbox delineates specific technical functionalities and robust cybersecurity measures to be incorporated into apps, for the mitigation of data-breach risks and the security of large volumes of sensitive personal data. Most importantly, the Toolbox suggests the development of common EU interoperability protocols that enable the functionalities of national apps to be performed, and the right to privacy and data protection to be safeguarded, regardless of the device’s location. National authorities shall exchange infection-related data, collected via the apps, by means of backend solutions.
Implementations of tracing apps can adopt either a centralised or a decentralised approach. Although, according to the European Data Protection Board (EDPB), the decentralised solution aligns more closely with the data minimisation principle, both approaches bear certain advantages and disadvantages and should be accompanied by appropriate security features. However, discrepancies between Member States’ approaches may give rise to interoperability issues. Certain States (e.g. UK, France, Norway) have so far opted for a centralised solution, providing national health authorities with greater data and control, while other countries (e.g. Germany, Italy, Austria) have endorsed the Apple-Google protocol. Hence, before app development begins, due consideration should be given to both concepts, with a thorough assessment of the subsequent effects on data protection, privacy and other individual rights, as the EDPB has highlighted in its 4/2020 Guidelines.
German privacy case against Facebook referred to the Court of Justice of the European Union
The case concerns a lawsuit against Facebook brought by the Federation of German Consumer Organisations, regarding the operators of online games provided to users via Facebook’s App Center. According to the allegation, the game operators were allowed (by Facebook) to unlawfully collect personal data of users playing their games. In particular, by playing the game, the user automatically agreed to the sharing of their personal data, contrary to the GDPR mandate for clear and transparent information requests. The ruling of the lower court was in favour of the Federation of German Consumer Organisations, but Facebook has appealed the decision. However, the Federal Court referred the case to the European Court of Justice, requesting further clarification on the applicable law and the standing rights under GDPR.
Apple’s Siri privacy concerns
Although the Irish Data Protection Commission (DPC) had already received a complaint last year about Apple’s Siri voice recordings, the issue has arisen again. Following claims from a former Apple contractor, implying a lack of enforcement when it comes to big technology companies, criticism of the DPC’s enforcement is growing. Apart from the strong pressure that the Irish Authority faces in handling 20 major cross-border cases, the DPC’s Deputy has stated that the Authority has followed up with Apple and awaits its responses. The former Apple contractor has revealed that those doing quality grading for Siri were overhearing sensitive personal data of users, such as medical data. In August, though, Apple ceased human review of Siri and switched the audio review to an opt-in process.