Role of Tracking Applications in the Fight Against COVID-19 in the EU
Non-European Apps
Currently, several dozen countries around the world are using mobile applications to track the spread of SARS-CoV-2. The apps differ in the technology, functions, and scope of access to a user’s private data. In some countries, their use is compulsory while in others it is only recommended. The first to use them was China, which already in February used its advanced infrastructure in digital services (social networks, payment systems) to introduce a mandatory application with a QR code (aliPay Health Code). The system collects detailed data about the health of users and uses GPS to track their movement. Based on these data, it generates an appropriate code that authorises, for example, the user’s entrance to the subway or grocery store, or mandates they enter quarantine. In South Korea, an app that uses GPS was introduced in April only for people in quarantine. Earlier, in February, private entities created several commercial apps to track virus outbreaks in the country using publicly available data. In turn, Singapore was the first country in the world to introduce a voluntary app with a Bluetooth-based solution (a short-range communication standard). The TraceTogether application records contact with other devices through Bluetooth, informing users if they have been in close proximity to a person suspected of being infected. Later, this solution inspired the Australian COVIDSafe or the Polish ProteGO Safe apps.
Development of Tracking Apps in the EU
Member States started work independently on tracking apps in the second half of March, partly drawing on the non-European solutions. At the supranational level, the first coordinated initiative preceding a response by EU institutions was PEPP-PT (Pan-European Privacy-Preserving Proximity Tracing). Research centres and companies from seven EU countries—Austria, Belgium, Denmark, France, Germany, Italy, and Spain—and Switzerland developed application code with Bluetooth technology and centrally managed data. However, some institutions withdrew from the work in an atmosphere of conflict over the scope of data storage transparency and began work on a new, decentralised proposal. In a similar period, the Ministry of Digital Affairs in Poland created the ProteGO Safe app. While there is transparency (after the app’s introduction the ministry made the source code publicly available) but user data is administered centrally, which may not be fully secure.
The work on European solutions was slowed by the announcement by Apple and Google of a U.S. joint initiative to create an application programming interface (API, a set of principles of communication between applications) under the name Exposure Notification, supporting COVID-19 tracking applications. Since these companies jointly control about 99% of the global smartphone application market, unauthorised apps (ones not adapted to the proposed API) would be difficult for users to access. The companies presented the initiative as support for governments and aimed primarily at protecting users’ privacy. Exposure Notification is designed to secure sensitive data locally on the user’s phone. Access to information about the state of health and possible contact with infected people can be transferred to state institutions only after obtaining the consent of the user. The companies also stipulated that the data may not be used for purposes other than health protection. Shortly after Apple and Google announced the plan, several countries, including Germany, Italy, and Poland decided to adapt their applications to the new API. However, France broke away from cooperation with the digital giants because it wanted to implement a solution based on central (government) data administration.
EU Conditions and Guidelines
EU institutions responsible for data protection quickly recognised the need for developing tracking applications at the EU level as a way to help lift restrictions on inter-country movement. However, they set specific conditions. At the beginning of April, the European Data Protection Supervisor (EDPS) called for the development of a pan-European approach to tracking applications under applicable regulations (including GDPR). A similar position was adopted by the European Parliament in its resolution of 17 April. Also in April, the EC, in cooperation with the eHealth network connecting national health authorities, published a set of guidelines for Member States on the design and implementation of social contact monitoring applications. The Commission recommended that the use of an app be voluntary and its functionality approved by the national health authorities. In terms of privacy, the EC recommended encrypting user data and deactivating the app when the pandemic threat ceases. It recognised the advantages of Bluetooth over geolocation, both in terms of precision and less risk of abuse of collected data. In April, the European Data Protection Board developed its guidelines detailing the use of personal data by tracking apps, stressing the need to protect fundamental rights.
In May, the EC presented a package of guidelines and recommendations for countries regarding the progressive abolition of travel restrictions in the EU. It mentioned the use of these apps as a means of supporting the resumption of movement within the Union. It emphasized that it is necessary to create technical solutions that enable cooperation between various national tracking apps when traveling within the EU. At the same time, it emphasized that use of the apps must be voluntary. For example, the right to board an aircraft cannot be based on the condition that the passenger is using one of these apps.
Opportunities and Threats
A pan-European system of notifying users about contact with an infected person may be helpful in restoring Schengen and normalising economic activity during the pandemic. If proven effective, it would complement the work of epidemiological services, providing an accelerated warning and isolation of those potentially infected.
However, the use of tracking apps carries a number of threats. Private health data, especially if collected in one place, can be targeted by hackers. Tech experts say at least 60% of citizens must actively use an app (as well as consent to data processing), so that the tracking function can complement other preventive measures. This kind of monitoring in any case cannot cover the entire population because, depending on the country, the percentage of people who own smartphones ranges from 50% to 80%.
Perspectives
Coordinated contact-tracking applications will have limited use across the EU, in part because of the rigorous laws on the processing and protection of personal data, especially when compared with China, where the authorities use these new technologies for surveillance.
The condition of using these apps in the EU will remain respect for the principles of voluntary use and transparency. Their effectiveness will largely depend on the degree of public confidence in them, which will translate into the percentage of users.
An important aspect of implementing European tracking applications is the growing importance of Apple and Google, which have practically monopolised European work on these technological solutions. Their involvement may lead to negotiations of the provisions of the new Digital Services Act. This is a key amendment to the e-Commerce Directive, which aims to tackle the dominance of several online platforms on the digital single market through appropriate regulation. The American companies will strive to ensure that the new regulations do not translate into a sharp decline in profits.