European Commission Wants Coronavirus Tracing Apps To Build In Strong Protections For Privacy -- Unlike The French Government

from the essential-requirements dept

Techdirt has just written about France's incredibly hypocritical attitude to privacy when it comes to contact tracing apps for COVID-19. The European Commission seems to be rather more consistent in this area. As well as pushing privacy legislation like the GDPR and ePrivacy Directive, it has released a series of documents designed to help EU Member States create tracing apps without compromising on citizens' privacy. For example, on April 8, it adopted a "Recommendation to support exit strategies through mobile data and apps", which called for "a joint toolbox towards a common coordinated approach for the use of smartphone apps that fully respect EU data protection standards". Details followed a week later, when the European Commission announced a pan-EU toolbox for "efficient contact tracing apps to support gradual lifting of confinement measures". A 44-page document spelled out in some detail (pdf) the "essential requirements" for national apps deployed in the region -- that they should be:

voluntary;

approved by the national health authority;

privacy-preserving -- personal data is securely encrypted; and

dismantled as soon as no longer needed.

Finally, as if to underline the importance of respecting citizens' privacy yet further, the European Commission released another communication (pdf) providing "Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection". The whole section on security is worth reading in full, since it offers a good summary of the current thinking on the best ways to preserve privacy with these apps:

The Commission recommends that the data should be stored on the terminal device of the individual in an encrypted form using state-of-the art cryptographic techniques. In the case that the data is stored in a central server, the access, including the administrative access, should be logged.

Proximity data should only be generated and stored on the terminal device of the individual in encrypted and pseudonymised format. In order to ensure that tracking by third parties is excluded the activation of Bluetooth should be possible without having to activate other location services.

During the collection of proximity data via [Bluetooth Low Energy communications between devices] it is preferable to create and store temporary user IDs that change regularly rather than storing the actual device ID. This measure provides additional protection against eavesdropping and tracking by hackers and therefore makes it more difficult to identify individuals.

The Commission recommends that the source code of the app should be made public and available for review.

Additional measures to secure the data processed can be envisaged notably with automatic deletion or anonymisation of the data after a certain point in time. In general, the degree of the security should match the amount and sensitivity of personal data processed.

All transmissions from the personal device to the national health authorities should be encrypted.

The contrast between this rigorous and comprehensive approach to safeguarding the rights of citizens and France's cavalier disregard for the same, is stark. Unfortunately the Commission's guidance is not legally binding and is likely to be ignored by the French government, which often insists on going its way, as with its terrible implementation of Article 17 of the EU Copyright Directive.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: contact tracing, covid-19, eprivacy directive, eu, france, gdpr, privacy


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 24 Apr 2020 @ 7:48pm

    Doesn't seem like something that can easily be made voluntary

    reply to this | link to this | view in chronology ]

  • icon
    PaulT (profile), 25 Apr 2020 @ 1:26am

    "French government, which often insists on going its way"

    This is one of the reasons why I often mock the people who voted Brexit because they perceive the EU as some kind of dictatorship that left no leeway for local decisions. The UK, along with France and Italy, regularly did things differently to the rest of the EU and were often granted special concessions. It's just that the EU made a handy scapegoat whenever these turned out to be bad decisions.

    reply to this | link to this | view in chronology ]

  • icon
    Federico (profile), 25 Apr 2020 @ 1:41am

    European Parliament resolution

    This follows the European Parliament resolution of 2020-04-17 https://www.europarl.europa.eu/doceo/document/TA-9-2020-0054_EN.pdf (HTML version:

    (52) Takes note of the emergence of contact-tracing applications on mobile devices in order to warn people if they were close to an infected person, and the Commission’s recommendation to develop a common EU approach for the use of such applications; points out that any use of applications developed by national and EU authorities may not be obligatory and that the generated data are not to be stored in centralised databases, which are prone to potential risk of abuse and loss of trust and may endanger uptake throughout the Union; demands that all storage of data be decentralised, full transparency be given on (non-EU) commercial interests of developers of these applications, and that clear projections be demonstrated as regards how the use of contact tracing apps by a part of the population, in combination with specific other measures, will lead to a significantly lower number of infected people; demands that the Commission and Member States are fully transparent on the functioning of contact-tracing apps, so that people can verify both the underlying protocol for security and privacy, and check the code itself to see whether the application functions as the authorities are claiming; recommends that sunset clauses are set and the principles of data protection by design and data minimisation are fully observed;

    (bold added)

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Apr 2020 @ 2:14am

    Google and Apple have been lobbying, or someone has been following their proposals.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Apr 2020 @ 6:21am

    The French situation is actually more nuanced that what you are reporting. They actually develop a really secured protocol for contact tracing, more secured in terms of privacy that what have been proposed by Apple and Google. But its implementation can not be done using the API Apple and Google are developing. That's why they asked for a higher access to the Bluetooth functionality.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Apr 2020 @ 6:51am

      Re:

      If they want more access that normal app developers you can be sure that it is not for protecting user privacy.

      Also, the thing with the Google/Apple protocol is that the servers cannot identify contacts, but only provide everyone with the information that allows the to determine that they are a contact. That it relies solely on self reporting, both for those who contract covid-19, and those they were in contact with. You cannot get more privacy respecting than that.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Apr 2020 @ 9:17am

      Re:

      Access to what?

      reply to this | link to this | view in chronology ]

  • icon
    127.0.0.1 (profile), 25 Apr 2020 @ 8:19am

    Remind me again ... what is the french for backdoor?

    Notwithstanding the purported aims of politicians, bureaucrats, medics, clinicians, and possibly developers of a bluetooth app, it appears to me that, as a user of an ancient Motorola moto 4g/lte phone running kitkat (which has data, location, and wifi turned off), even if it could somehow determine that a passing phone carrier (possibly untested, like me) is asymptomatic, infected or recovered, how would said app phone home (wherever that is)?

    Deity only knows.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Apr 2020 @ 6:28am

      Re: Remind me again ... what is the french for backdoor?

      Remind me again ... what is the french for backdoor?

      Surprise buttsecks?

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Apr 2020 @ 11:17am

    I have yet to find any specifics about the possible implementation(s) of such a system. Will this become mandatory? What about those who refuse. What about all those who lack a cell phone, I have read there are tracker bracelets available but will the homeless wear them?

    I doubt those on the far right would be very enthusiastic about this, they may even claim it is part of the 5G/corona conspiracy or something.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Apr 2020 @ 6:51am

      Re: trust your betters

      relax,

      The expert technocrats/bureaucrats/politicians in government (French or otherwise) will handle everything for you -- that's why we have rulers in the first place.

      Do as you are told, pay your taxes, and do not fret or complain.

      reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.