European Commission Wants Coronavirus Tracing Apps To Build In Strong Protections For Privacy — Unlike The French Government

from the essential-requirements dept

Techdirt has just written about France’s incredibly hypocritical attitude to privacy when it comes to contact tracing apps for COVID-19. The European Commission seems to be rather more consistent in this area. As well as pushing privacy legislation like the GDPR and ePrivacy Directive, it has released a series of documents designed to help EU Member States create tracing apps without compromising on citizens’ privacy. For example, on April 8, it adopted a “Recommendation to support exit strategies through mobile data and apps“, which called for “a joint toolbox towards a common coordinated approach for the use of smartphone apps that fully respect EU data protection standards”. Details followed a week later, when the European Commission announced a pan-EU toolbox for “efficient contact tracing apps to support gradual lifting of confinement measures”. A 44-page document spelled out in some detail (pdf) the “essential requirements” for national apps deployed in the region — that they should be:


approved by the national health authority;

privacy-preserving — personal data is securely encrypted; and

dismantled as soon as no longer needed.

Finally, as if to underline the importance of respecting citizens’ privacy yet further, the European Commission released another communication (pdf) providing “Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection”. The whole section on security is worth reading in full, since it offers a good summary of the current thinking on the best ways to preserve privacy with these apps:

The Commission recommends that the data should be stored on the terminal device of the individual in an encrypted form using state-of-the art cryptographic techniques. In the case that the data is stored in a central server, the access, including the administrative access, should be logged.

Proximity data should only be generated and stored on the terminal device of the individual in encrypted and pseudonymised format. In order to ensure that tracking by third parties is excluded the activation of Bluetooth should be possible without having to activate other location services.

During the collection of proximity data via [Bluetooth Low Energy communications between devices] it is preferable to create and store temporary user IDs that change regularly rather than storing the actual device ID. This measure provides additional protection against eavesdropping and tracking by hackers and therefore makes it more difficult to identify individuals.

The Commission recommends that the source code of the app should be made public and available for review.

Additional measures to secure the data processed can be envisaged notably with automatic deletion or anonymisation of the data after a certain point in time. In general, the degree of the security should match the amount and sensitivity of personal data processed.

All transmissions from the personal device to the national health authorities should be encrypted.

The contrast between this rigorous and comprehensive approach to safeguarding the rights of citizens and France’s cavalier disregard for the same, is stark. Unfortunately the Commission’s guidance is not legally binding and is likely to be ignored by the French government, which often insists on going its way, as with its terrible implementation of Article 17 of the EU Copyright Directive.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “European Commission Wants Coronavirus Tracing Apps To Build In Strong Protections For Privacy — Unlike The French Government”

Subscribe: RSS Leave a comment
PaulT (profile) says:

"French government, which often insists on going its way"

This is one of the reasons why I often mock the people who voted Brexit because they perceive the EU as some kind of dictatorship that left no leeway for local decisions. The UK, along with France and Italy, regularly did things differently to the rest of the EU and were often granted special concessions. It’s just that the EU made a handy scapegoat whenever these turned out to be bad decisions.

Federico (profile) says:

European Parliament resolution

This follows the European Parliament resolution of 2020-04-17 (HTML version:

(52) Takes note of the emergence of contact-tracing applications on mobile devices in order to warn people if they were close to an infected person, and the Commission’s recommendation to develop a common EU approach for the use of such applications; points out that any use of applications developed by national and EU authorities may not be obligatory and that the generated data are not to be stored in centralised databases, which are prone to potential risk of abuse and loss of trust and may endanger uptake throughout the Union; demands that all storage of data be decentralised, full transparency be given on (non-EU) commercial interests of developers of these applications, and that clear projections be demonstrated as regards how the use of contact tracing apps by a part of the population, in combination with specific other measures, will lead to a significantly lower number of infected people; demands that the Commission and Member States are fully transparent on the functioning of contact-tracing apps, so that people can verify both the underlying protocol for security and privacy, and check the code itself to see whether the application functions as the authorities are claiming; recommends that sunset clauses are set and the principles of data protection by design and data minimisation are fully observed;

(bold added)

Anonymous Coward says:

The French situation is actually more nuanced that what you are reporting. They actually develop a really secured protocol for contact tracing, more secured in terms of privacy that what have been proposed by Apple and Google. But its implementation can not be done using the API Apple and Google are developing. That’s why they asked for a higher access to the Bluetooth functionality.

Anonymous Coward says:

Re: Re:

If they want more access that normal app developers you can be sure that it is not for protecting user privacy.

Also, the thing with the Google/Apple protocol is that the servers cannot identify contacts, but only provide everyone with the information that allows the to determine that they are a contact. That it relies solely on self reporting, both for those who contract covid-19, and those they were in contact with. You cannot get more privacy respecting than that. (profile) says:

Remind me again ... what is the french for backdoor?

Notwithstanding the purported aims of politicians, bureaucrats, medics, clinicians, and possibly developers of a bluetooth app, it appears to me that, as a user of an ancient Motorola moto 4g/lte phone running kitkat (which has data, location, and wifi turned off), even if it could somehow determine that a passing phone carrier (possibly untested, like me) is asymptomatic, infected or recovered, how would said app phone home (wherever that is)?

Deity only knows.

Anonymous Coward says:

I have yet to find any specifics about the possible implementation(s) of such a system. Will this become mandatory? What about those who refuse. What about all those who lack a cell phone, I have read there are tracker bracelets available but will the homeless wear them?

I doubt those on the far right would be very enthusiastic about this, they may even claim it is part of the 5G/corona conspiracy or something.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...