In the Middle Ages people frantically looked for ways to stop the Black Death, which would kill up to half the population. Bloodletting and boil-lancing were recommended, as were prayer and magic herbs. Jews and heretics were used as scapegoats and persecuted. Social distancing was applied before the term was coined, and the rich city-state of Venice introduced quarantine: keeping foreign sailors in isolation for forty days, to make sure they would not carry the disease into town.
In the 21st century our epidemiological knowledge has advanced spectacularly (though it has not completely eradicated scapegoating, superstition and disinformation), but we are still grappling to find a response to this new plague that will allow us to continue our daily lives as much as possible.
The new miracle remedy is the “Contact Tracing App”. Politicians get all excited and starry-eyed over the app, as an easy answer to the difficult dilemma on their plate: how to fight the pandemic without killing the economy and our way of life in the process?
A contact tracing app may indeed be a very useful tool in the pandemic control toolkit. But it is no magic wand. An app in itself will not stop the pandemic. And it is not without risks.
1. The value of a contact tracing app depends on the other elements of the strategy, for example testing, rigorous social distancing and hygiene, and developing a vaccine; this is for epidemiologists to determine. It also depends on the minimum required take-up (estimated around 60%) and on an equal spread among population groups, such as the vulnerable group of elderly people, who generally do not use smartphones.
2. The introduction of 27 national apps will do nothing to ease the restrictions on freedom of movement within the EU. At the very least, harmonisation and interoperability must be assured. Even better would be a single European app that would allow us to open the borders and travel freely again.
3. The GDPR and other privacy and data protection laws allow the right to privacy and data protection to be restricted, provided the restriction is “necessary and proportionate”. That test depends on the value of the app, as described in the first point.
4. The choice of system is key. A decentralised system, where matching takes place on your device, or a centralised system, where contact data is uploaded and matching is done in the cloud? Both systems present risks of abuse and hacking, but the centralised system, which holds everyone's contact data in one place, surely presents the greater risk of function creep and abuse by authorities.
5. It would run counter to European values to make the use of such an app mandatory. But even if it is voluntary, there is a great risk that downloading the app will become quasi-mandatory, as a precondition to enter the workplace, school, the gym or a department store, or by giving people a choice only between using the app and house calls by the police or an obligation to report (as in the Polish system). The risk of stigmatisation is very real. There must be a zero-tolerance policy towards such practices, with hefty fines for breaches.
6. The measures must be temporary, for the duration of the pandemic only. The problem is that it may well take several years before we get the pandemic under control. The risk of the apps becoming a permanent feature is huge, and the risk of function creep even bigger. In addition, judicial scrutiny and legal remedies are weaker during the state of emergency.
7. The choice of provider matters. Contact data, medical data, and possibly location data are very sensitive data that should never be accessible to actors outside our own EU jurisdiction. We have to be very cautious with providers which would, for example, fall under the US CLOUD Act, or under Chinese authority. The fact that some governments are negotiating contracts with a company which is connected to the NSA/CIA, to the Trump campaign, and to the Cambridge Analytica scandal, is alarming. We should also be extremely aware of the risk of non-EU actors abusing the app system to spread disinformation, or false signals about the spread of the virus.
8. Any app that gets the green light from governments should be fully GDPR compliant, respecting our privacy and keeping our data completely safe. DPAs should get all the capacity they need to immediately pull faulty and non-compliant apps, and to crack down on GDPR violations.
9. The introduction of such schemes must be evidence-based. There must be full transparency on the decision-making process, including the considerations determining the choice of provider and of the specific system. All people and organisations involved in the decision-making process must issue a declaration of interest. And the technical specifications must be made public, including whether the code is open source.
10. The value and possible success of the use of contact tracing apps will rely entirely on trust. If citizens do not trust the system, they will not use it. And trust can only be gained if the app meets all the criteria mentioned under the previous nine points.
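To make the contrast in point 4 concrete, the following is an added example, not code from the article or from any real contact tracing app. It simulates both designs with three hypothetical devices (alice, bob, carol) and records what the server ends up holding in each case. The key schedule (a per-day secret seed on each device, rolling pseudonyms derived from it with HMAC) is an assumed simplification; the point it demonstrates is that in the decentralised design the server only ever sees the seeds of confirmed cases, whereas in the centralised design the server can reconstruct who met whom.

```python
"""Added example (not from the original article): toy simulation of
decentralised vs centralised matching in a contact tracing app.
The key schedule below is an assumption for illustration only."""
import hashlib
import hmac
import secrets

EPHIDS_PER_DAY = 4  # assumed: the broadcast pseudonym rotates 4 times per simulated day


def ephids_for_seed(seed: bytes, day: int) -> list:
    """Derive the rolling pseudonyms a device broadcasts on one day from its daily seed.
    Deterministic, so anyone holding the seed can recompute them (that is the upload)."""
    return [hmac.new(seed, f"{day}:{i}".encode(), hashlib.sha256).digest()[:16]
            for i in range(EPHIDS_PER_DAY)]


class Device:
    def __init__(self, name: str):
        self.name = name
        self.seeds = {}        # day -> secret seed; stays on the device unless its owner is diagnosed
        self.observed = set()  # pseudonyms heard over Bluetooth (filled by simulate_contact below)

    def seed(self, day: int) -> bytes:
        return self.seeds.setdefault(day, secrets.token_bytes(32))

    def broadcast(self, day: int, slot: int) -> bytes:
        return ephids_for_seed(self.seed(day), day)[slot]


def simulate_contact(a: Device, b: Device, day: int, slot: int) -> None:
    """Constructed proximity event: each device records the other's current pseudonym."""
    a.observed.add(b.broadcast(day, slot))
    b.observed.add(a.broadcast(day, slot))


class DecentralisedServer:
    """Holds nothing but the seeds of confirmed cases; never sees any observation."""
    def __init__(self):
        self.published = []  # list of (day, seed)

    def report_infection(self, device: Device) -> None:
        self.published.extend(device.seeds.items())


def check_exposure_locally(device: Device, server: DecentralisedServer) -> bool:
    """Matching on the device: rebuild infected pseudonyms, intersect with what this device heard."""
    infected = {e for day, seed in server.published for e in ephids_for_seed(seed, day)}
    return bool(device.observed & infected)


class CentralisedServer:
    """Issues/knows every device's pseudonyms and receives contact lists, so it holds the graph."""
    def __init__(self):
        self.registry = {}  # pseudonym -> owner name
        self.contacts = {}  # reporter name -> set of pseudonyms they heard

    def register(self, device: Device, day: int) -> None:
        for e in ephids_for_seed(device.seed(day), day):
            self.registry[e] = device.name

    def report_infection(self, device: Device) -> set:
        """Case uploads its observations; the server resolves them to named people."""
        self.contacts[device.name] = set(device.observed)
        return {self.registry[e] for e in device.observed if e in self.registry}

    def contact_graph(self) -> dict:
        """What an insider or attacker with server access can read off: who met whom, by name."""
        return {who: {self.registry[e] for e in heard if e in self.registry}
                for who, heard in self.contacts.items()}


def run_simulation() -> dict:
    """Constructed scenario: alice meets bob on day 1; carol meets nobody; bob is diagnosed."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    simulate_contact(alice, bob, day=1, slot=2)

    dec = DecentralisedServer()
    dec.report_infection(bob)
    decentralised = {
        "alice_exposed": check_exposure_locally(alice, dec),
        "carol_exposed": check_exposure_locally(carol, dec),
        "server_holds_seeds": len(dec.published),  # one day's seed, no names, no contacts
    }

    cen = CentralisedServer()
    for d in (alice, bob, carol):
        cen.register(d, day=1)
    centralised = {
        "exposed_named_by_server": cen.report_infection(bob),
        "server_contact_graph": cen.contact_graph(),
    }
    return {"decentralised": decentralised, "centralised": centralised}


if __name__ == "__main__":
    print(run_simulation())
```

Both designs notify alice and leave carol alone, so the epidemiological outcome is the same. The difference is in the server's records: the decentralised server holds one seed and cannot tell who bob met, while the centralised server has a named edge bob-alice that an operator could keep, extend, or repurpose, which is the function-creep risk point 4 describes.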