Afbeelding
08 apr 20
08 apr 20
Contact tracing apps: letters to Commission and EDPB

Today, Sophie in 't Veld sent letters to the Commission and European Data Protection Board, urging them to give recommendations on the use of contact tracing apps.

 

Brussels, 8 April 2020

Dear Commissioner Mr Thierry Breton,

Dear Commissioner Mr Didier Reynders,

Member State authorities are increasingly using technology in the fight against the corona pandemic. Next to analysing aggregated metadata obtained from telecom providers, Member States are now also studying the use of apps, using Bluetooth signals between mobile phones to detect users who are close enough to infect each other. In recent weeks, we note a prominent role is played by the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), an informal collective of researchers developing mechanisms in which Member States seem to be highly interested, and possibly a European standard. Yesterday, the Dutch government announced it would use such a Bluetooth application in the fight against the coronavirus.[1] Other governments, like the Polish government, apparently also encourage the use of such apps.[2] For the time being the use of these apps is on a voluntary basis, but mandatory use is explicitly not excluded by the authorities.

Considering that the technical specificities of such contact tracing apps are still unclear, and that Commission is currently assessing the use of these apps by Member States and might consider  issuing  guidelines, I have some urgent questions:

 

  • Within this PEPP-PT collective, researchers are working on two different “tracks”: one based on a decentralised mechanism (so-called DP-3T), where the creation and matching of identifiers is done on the terminal device, and where the data does not leave the device and is not stored in a cloud, accessible to authorities. The other track is based on a centralised mechanism, where the data actually does leave the device, and the creation and matching of identifiers is done in a cloud. Considering that the centralised mechanism may be prone to the risk of (later) abuse by authorities, or security deficiencies, and achieves the same goal as a decentralised mechanism, without the potential risk of abuse by authorities, or loss of trust that may endanger uptake throughout the Union, will the Commission recommend the decentralised systems as European standard, without any central cloud where data are matched and/or stored, fully in line with data protection by design and data minimisation?

  • Has the Commission been in contact with the developers of PEPP-PT? Is it aware of the two different tracks (centralised and decentralised) that the consortium is working on, and the preference  of some governments, to opt for the centralised mechanism?

  • Does the Commission agree that full transparency must be given about PEPP-PT, its members, its legal status, its objectives, funding, non-EU partners, and declarations of interest of its members?

  • Will the Commission ask Member States for a legal basis for the use of contact tracing apps?

  • Will the Commission ask Member States to demonstrate necessity and proportionality of all contact tracing apps, with clear projections that the use of such contact tracing apps, in combination with specific other measures,  will lead to a significantly lower number of infected people?

  • Will the Commission ask Member States to be fully transparent and to publish all details of all contact tracing apps used, so that people can verify both the underlying protocol for security and privacy, and check the code itself to see whether the application functions as the authorities are claiming?

  • Will the Commission make public all details of the programmes, the decision making process and contacts with stakeholders and experts relating to the aforesaid corona apps?

  • Does the Commission agree that obligatory use of contact tracing apps is contrary to our fundamental freedoms in Europe?

  • Will the Commission recommend a concrete sunset clause in national laws regulating these apps?

  • Is the Commission aware of the interest of American companies, such as Palantir, in establishing the software of these applications? Does it agree that there is a significant risk that  US government might be able to get access to data processed by any US company or company with presence in the US, through the US Cloud Act and Patriot Act?

 

Considering the rapidly evolving developments, I hope for an urgent answer from your side.

 

Kind regards,

 

Sophie in ‘t Veld

 

[1] https://www.dutchnews.nl/news/2020/04/dutch-see-apps-as-key-to-relaxing-lockdown-tracing-corona-suspects/

[2] https://www.reuters.com/article/us-health-coronavirus-poland-tech/poland-works-on-smartphone-app-to-help-stop-coronavirus-outbreak-idUSKBN21L24R

 

Andrea Jelinek

Chair of the European Data Protection Board

 

Brussels, 8 April 2020

Dear Ms Jelinek,

 

Considering the very rapidly evolving developments as regards the use of technology in the fight against the corona pandemic, I deemed it necessary to address the European Data Protection Board again, in follow-up to my letter from last week.

 

Next to analysing aggregated metadata obtained from telecom providers, Member State authorities are now also studying the use of apps, using Bluetooth signals between mobile phones to detect users who are close enough to infect each other. In recent weeks, we note a prominent role is played by the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), an informal collective of researchers developing mechanisms in which Member States seem to be highly interested, and possibly a European standard. Yesterday, the Dutch government announced it would use such a Bluetooth application in the fight against the coronavirus.[1] Other governments, like the Polish government, apparently also encourage the use of such apps.[2] For the time being the use of these apps is on a voluntary basis, but mandatory use is explicitly not excluded by the authorities.

Considering that the technical specificities of such contact tracing apps are still unclear, and that you announced yesterday that the EDPB is developing guidance on tracing tools in the context of the coronavirus outbreak, I have some urgent questions that I would request you to address in upcoming guidelines:

 

  • Within this PEPP-PT collective, researchers are working on two different “tracks”: one based on a decentralised mechanism (so-called DP-3T), where the creation and matching of identifiers is done on the terminal device, and where the data does not leave the device and is not stored in a cloud, accessible to authorities. The other track is based on a centralised mechanism, where the data actually does leave the device, and the creation and matching of identifiers is done in a cloud. Considering that the centralised mechanism may be prone to the risk of (later) abuse by authorities, or security deficiencies, and achieves the same goal as a decentralised mechanism, without the potential risk of abuse by authorities, or loss of trust that may endanger uptake throughout the Union, will the EDPB recommend the decentralised systems as European standard, without any central cloud where data are matched and/or stored, fully in line with data protection by design and data minimisation?

  • Has the EDPB been in contact with the developers of PEPP-PT? Is it aware of the two different tracks (centralised and decentralised) that the consortium is working on, and the preference of some governments, to opt for the centralised mechanism?

  • Does the EDPB agree that full transparency must be given about PEPP-PT, its members, its legal status, its objectives, funding, non-EU partners, and declarations of interest of its members?

  • Will the EDPB recommend Member States to use a solid legal basis for the use of contact tracing apps?

  • Will the EDPB recommend Member States to demonstrate necessity and proportionality of all contact tracing apps, with clear projections that the use of such contact tracing apps, in combination with specific other measures,  will lead to a significantly lower number of infected people?

  • Will the EDPB recommend Member States to be fully transparent and to publish all details of all contact tracing apps used, so that people can verify both the underlying protocol for security and privacy, and check the code itself to see whether the application functions as the authorities are claiming?

  • Does the EDPB agree that obligatory use of contact tracing apps is contrary to our fundamental freedoms in Europe?

  • Will the EDPB recommend a concrete sunset clause in national laws regulating these apps?

  • Is the EDPB aware of the interest of American companies, such as Palantir, in establishing the software of these applications? Does it agree that there is a significant risk that US government might be able to get access to data processed by any US company or company with presence in the US, through the US Cloud Act and Patriot Act?

 

Considering the rapidly evolving developments, I hope for an urgent answer from your side and for clear guidelines for the Member States and Commission.

 

Kind regards,

 

Sophie in ‘t Veld

 

[1] https://www.dutchnews.nl/news/2020/04/dutch-see-apps-as-key-to-relaxing-lockdown-tracing-corona-suspects/

[2] https://www.reuters.com/article/us-health-coronavirus-poland-tech/poland-works-on-smartphone-app-to-help-stop-coronavirus-outbreak-idUSKBN21L24R

print