Data protection of ‘corona apps’ insufficiently clear, Dutch Personal Data Authority says


Many EU Member States are currently designing their national ‘corona apps’, which will be used for contact tracing, a means of monitoring the spread of COVID-19. Last week, the Commission published an EU toolbox for the use of mobile applications for contact tracing and warning, which included guidance on ensuring that contact tracing apps meet full data protection standards.

The Netherlands is one of the countries trying to strike a balance between public health on the one hand and personal data protection on the other. The Dutch Ministry for Health, Welfare and Sport has worked on the selection of an appropriate corona app, and presented seven potential candidates to the Autoriteit Persoonsgegevens (AP), the Dutch Personal Data Authority. The AP, however, sent the Dutch policymakers back to the drawing board, as the information provided on the apps was insufficient to make an informed decision on their privacy sensitivity.

The presented framework fails to answer some fundamental questions. It is currently unclear who will be responsible for the processing of personal data: will this be a private party, a healthcare party or the government? It is also still unclear how the proposal for an application is linked to other release measures. Experts say that the effectiveness and functioning of a corona application depend heavily on the other measures it is combined with.

This lack of information makes it impossible to assess the proportionality of introducing a corona application, as both the privacy impact and the effectiveness of the application matter for the decision to choose an application over alternative measures. The Dutch case shows the complex choices European governments will face in the coming weeks, as they try to find their way out of the current lockdown measures.