How GDPR rules still apply to coronavirus contact-tracing apps

Register now

Compliance and enforcement of the General Data Protection Regulation was a significant task to begin with, but the second anniversary of the data security law in the European Union went head-to-head with a new obstacle — how COVID-19 contact-tracing applications can operate without breaking the rules.

In addition to Apple and Google delivering smartphone apps that would alert users that they are near a person infected by the virus, various other government agencies and businesses are developing that type of technology to address the pandemic's spread.

Even before contact tracing began, European countries were declaring states of emergency, thus putting aside GDPR regulations and leaving consumer privacy supporters wary about what it all means.

For now, most contact tracing apps in Europe comply with GDPR data storage guidelines, but many other apps are being developed that will also need to take data privacy into account.

Contact-tracing apps need information about an individual and, under GDPR, the consumer should know how that data is going to be used and stored. In the European Union, the answer generally has to be that data is stored in compliance with GDPR and used only for the purpose of the health emergency and not for other marketing or business uses.

An usher wears a protective face mask in the hemicycle of the European Parliament in Brussels, Belgium, on Wednesday, May 27, 2020.

There's no conflict between the use of contact tracing apps for COVID-19 and meeting GDPR requirements, per se, because the GDPR requirements allow for use of data to combat cross-border threats or epidemics, said Lucas Wojcik, chief information security officer for Berlin-based Productsup.

"It's not a question of how these contact tracing apps should be used, but more about how they should be designed to store and process personal information for that purpose," said Wojcik, whose company helps clients with digital content transformations, GDPR compliance and information security.

From that standpoint, the issue is more about how GDPR affects the development of contact tracing applications, as opposed to how COVID-19 testing has affected GDPR standards.

GDPR's slippery slope

At its core, GDPR is about consumer protection and rights, forcing companies to store personal information and payment credentials in a safe manner while also allowing consumers to know where and how it is stored. More importantly, the data should not be stored at all unless the consumer agrees. In that manner, GDPR is unique to European consumers.

Pseudonymization of data, or storing parts of an individual's information in separate files, is a major GDPR rule that emphasizes data not be held all in one place at one time.

It was established that way on the premise that hackers get into a network one system at a time, and the longer they are engaged in trying to navigate through multiple defenses and systems and not locating full tracts of information, the more likely they will be exposed and cut off.

GDPR implementation has been easier said than done for many European and U.S. countries that have European customers. It has proven to be a major task for businesses and merchants, with many struggling to comply within its first year of existence. At the end of GDPR's first year, as many as 80% of companies were still in various phases of compliance, with more than 20% being in the phase of not having addressed the data issue yet.

Coronavirus has had its effect in the wake of GDPR's second anniversary, leaving the impression that Europe's attention has turned to fighting the virus while GDPR compliance and levying non-compliance fines softened in the process.

Privacy by design is key

As contact tracing helps address the pandemic, it is going to be important for those applications to take GDPR into account from the start, which most in the European Union so far have been able to do, Wojcik said.

"One important aspect is privacy by design, which basically means that whenever you are collecting, storing or processing personal information, you should ensure that the principles of the GDPR are already reflected within the architecture and design of the application itself," Wojcik said.

As an app is developed, it should be built to not store any more information than is needed, he added.

In addition, the companies or agencies supporting pandemic apps have to keep transparency at the forefront. Transparency in matters of privacy builds trust, Wojcik said, and a consumer should have the option to accept or decline the privacy terms.

"That way, you won't have this conflict of interest between the GDPR and COVID security measures being taken by states or private organizations," he added.

All apps not created equal

It's a significant concern, even more so in other regions rather than Europe at this time, said Ron van Wezel, a Netherlands-based senior analyst with Aite Group.

"Here in the Netherlands, and I am sure in other EU countries, too, the governments have initiated programs with vendors to develop tracking apps to trace people who were potentially exposed to the virus," van Wezel said.

"However, unlike in Asia, data protection and privacy are still important and the apps must meet the GDPR requirements," he added. "Generally speaking, governments abide with the law and consumer rights are being respected."

While Apple and Google have data encryption technology at work in their pandemic apps, and the experience in developing security apps and complying with regulations across the globe, not all companies and not all global markets have that background.

A COVID-19 tracing application could operate through a Bluetooth signal or geo-location software from device-to-device to inform a person they are close to someone with COVID-19, or at least someone using the app who has input the information that they were infected.

Either technology allows the developer to establish storage of data on a central server, or to choose to simply limit data storage to the local device, Productsup's Wojcik said.

"Using Bluetooth technology is less privacy-invasive than storing geo-location data," he added.

Much in the same way Bluetooth works through retail store beacons, the technology is based on transmitting and receiving identifiers to or from other contact tracing app users located within signal proximity, which generally does not call for storage about precise location or movement of the user as is common in geo-location.

However, most contact tracing apps in the EU have a decentralized approach to storage, Wojcik said, meaning the personal data is collected from individual devices like smartphones as opposed to being on a central server.

It all points to the development of COVID-19 tracing apps with a heavy emphasis on data security.

"The privacy design of an application or solution should always be on top of the layer of other security controls," Wojcik noted. "With the data you collect, what is the purpose and where do you store it? That should be known."

For reprint and licensing requests for this article, click here.