Techdirt has just written about France’s incredibly hypocritical attitude to privacy when it comes to contact tracing apps for COVID-19. The European Commission seems to be rather more consistent in this area. As well as pushing privacy legislation like the GDPR and ePrivacy Directive, it has released a series of documents designed to help EU Member States create tracing apps without compromising on citizens’ privacy. For example, on April 8, it adopted a “Recommendation to support exit strategies through mobile data and apps”, which called for “a joint toolbox towards a common coordinated approach for the use of smartphone apps that fully respect EU data protection standards”. Details followed a week later, when the European Commission announced a pan-EU toolbox for “efficient contact tracing apps to support gradual lifting of confinement measures”. A 44-page document spelled out in some detail (pdf) the “essential requirements” for national apps deployed in the region — that they should be:
approved by the national health authority;
privacy-preserving — personal data is securely encrypted; and
dismantled as soon as no longer needed.
Finally, as if to underline the importance of respecting citizens’ privacy yet further, the European Commission released another communication (pdf) providing “Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection”. The whole section on security is worth reading in full, since it offers a good summary of the current thinking on the best ways to preserve privacy with these apps:
The Commission recommends that the data should be stored on the terminal device of the individual in an encrypted form using state-of-the art cryptographic techniques. In the case that the data is stored in a central server, the access, including the administrative access, should be logged.
Proximity data should only be generated and stored on the terminal device of the individual in encrypted and pseudonymised format. In order to ensure that tracking by third parties is excluded the activation of Bluetooth should be possible without having to activate other location services.
During the collection of proximity data via [Bluetooth Low Energy communications between devices] it is preferable to create and store temporary user IDs that change regularly rather than storing the actual device ID. This measure provides additional protection against eavesdropping and tracking by hackers and therefore makes it more difficult to identify individuals.
The Commission recommends that the source code of the app should be made public and available for review.
Additional measures to secure the data processed can be envisaged notably with automatic deletion or anonymisation of the data after a certain point in time. In general, the degree of the security should match the amount and sensitivity of personal data processed.
All transmissions from the personal device to the national health authorities should be encrypted.
The contrast between this rigorous and comprehensive approach to safeguarding the rights of citizens and France’s cavalier disregard for the same, is stark. Unfortunately the Commission’s guidance is not legally binding and is likely to be ignored by the French government, which often insists on going its way, as with its terrible implementation of Article 17 of the EU Copyright Directive.
Follow me @glynmoody on Twitter, Diaspora, or Mastodon.