There is no avoiding the subject of data protection, even in – or rather due to – the current COVID-19 crisis. In order to prevent the virus’ spread, many different measures are being debated, which inevitably lead to the question as to what extend special situations like the current one may lead to restrictions of data protection regulations.
In this context, data protection authorities, governments and consumer organisations worldwide are discussing the possible development of a so-called “Corona-App” intended to help identify infected persons and their contacts in order to prevent a further spread of the virus. In Austria, the “Stopp-Corona” App has been on the market since the end of March and is being used by about 200,000 people. On Tuesday, 7 April 2020, the pan-European project PEPP-PT will be presented, which could possibly be used as a core software for so-called tracing apps by as soon as 15 April.
Thanks to a similar app, Asian countries like Taiwan and South Korea have supposedly managed to largely contain the virus’ spread. Would such an app therefore be a practical possibility, possibly resulting in the end of curfews and putting economic life back on track sooner? Many medical experts, among them Germany’s best-known virologist, Professor Dr. Christian Drosten, are answering the question of effectiveness with a clear yes, considering the example of Asian countries. From a legal point of view, the answer must be: It depends.
The question whether such a Corona-App, which would inevitably have to use private data, would be legal comes down to a careful consideration of the opposite legal positions. Firstly, there is health protection, which is in the interest of the general public. An app should make it possible to notify high risk contacts of a person infected with the Coronavirus, which would allow them to go into quarantine and prevent further infections. The infection curve would be flattened further. Secondly, there are the civil liberties of individual, mainly healthy persons. To what extend does the protection of health and life – a protection obligation of the state under constitutional law – justify an infringement of the right to informational self-determination, which is also protected by German Constitution?
One such result of the deliberation process between general interest and individual freedoms it the data protection law. That law only allows the use of personal data (which is protected based on the right to informational self-determination) under clearly defined conditions. Whether these conditions for an infringement have been met must be decided separately in each individual case – including the “Corona case”. That decision is based primarily on the way a Corona-App would be developed, and especially what personal data would be required.
The executive director of the Federation of German Consumer Organisations (Bundesverband der Verbraucherzentralen und Verbraucherverbände –
Verbraucherzentrale Bundesverband e.V. (vzbv)) names five abstract conditions: A Corona-App would have to be voluntary, suitable, necessary, proportionate and the storage of the data would have to be limited in time.
The law does not offer a clear answer either: Article 1 (f) of the European General Data Protection Regulation (GDPR) principally allows the processing of such personal data where it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party” – as long as the interests, fundamental rights or freedoms of the person affected do not prevail. Once again, the necessity of careful consideration must be pointed out.
In an official statement on the processing of personal data in the context of Corona, the European Data Protection Board stated that restrictions of data protection are principally possible for the purpose of health protection. Yet even in extreme situations like the current one, the least intrusive measure must be chosen. Regarding the development of a Corona-App, this means specifically: Before traffic, location and contact data of individuals could be gathered – as is happening to some extent in China in the wake of mobile tracking – ways to collect data anonymously should be explored.
After all, it is not important for the containment of the virus to know, where an infected person was, neither must a third party know to whom exactly the person had contact. It is only important that the contact persons themselves would know that (any) person they had contact with could have possibly infected them, thus allowing them to take appropriate measures.
Exactly this approach is used by the PEPP-PT project (Pan European Privacy Protection Proximity Tracing), where a pan-European team of about 130 members from 17 institutions such as the Berlin-based Fraunhofer Heinrich Hertz Institute and the Technical University of Dresden is developing an alternative concept to the tracking technology used in Asia. By using a special Bluetooth technology, they intend to record anonymously (“Temp-IDs”) when a person was in close proximity of another. In cases of official confirmed infections and under the condition that the infected person consents to it, the anonymous Temp-ID could be used to notify any persons who were in proximity to the infected person, telling them that they have been (at some time and somewhere) close to (any) infected person. The use of the app would be strictly voluntary and no location data, movement profile or contact information would be processed. In addition, the project’s development was supported by the Federal Data Protection Officer, the Federal Office for Information Security and the Robert Koch Institute. This constitutes a promising approach from a perspective of data protection law.
If the app delivers on its promises – protection from infection while adhering to the strict European data protection regulations – it could serve both the effectiveness of such a technology as well as the lawfulness. Considering in particular the restrictions on other civil liberties such as the freedom of movement and economic freedom, such a development would be preferable. Whether the statutory conditions are actually met can only be answered with certainty when the announced app has been completed.
M +49 173 612 7892