The success of these technologies is based on trust in the tool, processing and protection of the data collected, according to the Association for Data Protection in Luxembourg.
Photo: Renaud Le Squeren, Partner at DSM Avocats à la Cour and administrator at APDL / Credits © DSM Avocats à la Cour
Do the Covid tracking applications respect the fundamental principles of personal data protection? Emma Goodwin and Renaud Le Squeren, two administrators of the Association for Data Protection in Luxembourg (APDL) bring elements of answers on the subject.
The objective of these apps? To facilitate the information of individuals who have been in contact with a person who has tested positive for the coronavirus and accelerate their care.
“This is the first time these types of tools are being used to try to help slow down a pandemic. From this point of view, this is a real technological breakthrough,” says Emma Goodwin, IT and cyber security expert at Cyberfinit.
European initiatives aim to detect new sources of infection as early as possible to limit the spread of Covid-19, and fall into two groups: contact tracking applications that use wireless proximity technology (such as low-power Bluetooth) and applications that share location via GPS or relay antenna, she says.
The European Commission has not failed to specify how these tracking technologies are to be used: “It has given its consent for contact tracking applications, but rejects the collection of location data, which is incompatible with the General Data Protection Regulation (GDPR),” says Renaud Le Squeren, Partner and Attorney at Law at DSM Avocat à la Cour.
“The centralized hosting mode is potentially vulnerable to cyber attacks.”
“According to the e-Privacy Directive and the GDPR, location data is considered personal data and therefore within the scope of the GDPR, regardless of the technology with which contacts are traced.”
Other conditions issued by Brussels: the project leaders must be either institutions or public authorities; the applications must be downloaded and used on a voluntary, anonymous basis and across national borders; and the tool must be automatically deactivated for all users as soon as the health crisis justifies it is over.
The protection in question
Several countries have already adopted their own tool. Luxembourg, for its part, has chosen MAELA, the teleconsultation platform and patient monitoring tool.
“It allows remote medical monitoring of all patients whose Covid tests have been positive. In concrete terms, the person concerned is registered in the national system directly – and not on a voluntary basis – by the hospital at the time of his discharge, or by the health inspectorate after receiving positive results from the laboratory,” explains Renaud Le Squeren.
“The person concerned must then answer a questionnaire every two days for two weeks, to assess the patient’s state of health, identify needs and possibly provide care in the event of a worsening of the patient’s condition”.
Another country, another tool, the French StopCovid application is based on volunteering and the use of anonymized data. It identifies via Bluetooth the phones of people who have been in contact (less than 1 meter and more than 15 minutes) with an individual declared contaminated.
For the APDL, the tool has raised serious questions about respect for the protection of personal data. The association notes first of all that the confidentiality of the geolocation of people had not been sufficiently explained: “On Android phones, Bluetooth also activates the positioning of people,” says Renaud Le Squeren. “However, the French government has confirmed that geolocation data will not be saved or used.
France has favored the use of central servers based in Europe and controlled by the health authorities. “This centralized hosting mode is also potentially vulnerable to cyber attacks,” warns APDL. According to the association, the authorities could also have relied on the decentralized approach, which provides that the information necessary for the operation of the service remains stored directly on users’ smartphones and circulates between them when necessary.
The legal expert also considers the data retention period appropriate: the application was supposed to keep the data related to its implementation for six months after the end of the health emergency, contrary to the recommendations of Brussels. The proximity histories of people diagnosed as positive were to be kept for 15 days.
Other biases: the relay antennas were not precise enough to determine the exact proximity of two telephones. The Bluetooth device also crossed the walls, so the app could not distinguish between people present in the same space as the infected individual and those in other rooms.
Mixed results, for the moment
Generally, the tool has not been as successful as expected: “since its launch on June 2, only 2.3 million people have downloaded the application in France,” recalls the non-profit organization.
“As this was the first time that such an application had been deployed, the implementation methods were completely new and gave rise to debates: these tools generate data that could be diverted from their purpose,” Renaud Le Squeren summarizes.
“The added value of traceability applications has yet to be demonstrated.”
However, according to him, “the tool must be promoted such that it reassures citizens. With the guarantees given by the States, compliance with the GDPR seems assured”.
TousAntiCovid, which replaced StopCovid on October 22nd, should be more interactive while keeping the same technical basis, believes Renaud Le Squeren: “The application will provide more general information, on the mode of circulation of the virus, the barrier actions to adopt, the addresses of the test centers. It will also have a QR code, to allow the user to scan the places where they are located, such as stores or restaurants. Users will also be able to access more accurate monitoring of the locations of the epidemic around them”.
More broadly in Europe, the implementation of tracking technologies has so far produced mixed results according to APDL. Its administrators note that few people have downloaded the digital tool, for example for fear of losing their jobs or having to report their attendance at meetings (union or political) that were supposed to remain confidential.
Towards greater trust
“The added value of traceability applications has yet to be demonstrated,” concludes Emma Goodwin. “No proven scientific studies have been able to prove that these tools can reduce the transmission of the virus”.
For the auditor, the success of these technologies rests on a double condition: on one hand, it aims to give confidence in the security and the application itself, and to alternatively encourage downloading and ensure its proper use; on the other hand, it aims to reduce fear – particularly among the elderly – of the use and subsequent processing of the data collected.
Created in October 2013, the Association for Data Protection in Luxembourg (APDL) aims to “promote contacts and exchanges of experience and ideas and to be a meeting place for all natural persons who regularly practice law, economics, engineering or scientific and technical research in relation to questions and issues related to the processing of personal data”. It has 150 members.
Within the framework of the Cybersecurity Week Luxembourg 2020, it organized a webinar dedicated to Covid-19 tracking applications and personal data.
Renaud Le Squeren is an attorney at law and head of the Digital division at DSM Avocats à la Cour. He is specialized in new technologies and the digital transition.
Emma Goodwin is an auditor, consultant and IT trainer at Cyberfinit. Her areas of expertise include internal audit, IT controls and cybersecurity.