Impact assessments must be undertaken to assess the efficacy of coronavirus contact tracing apps before their deployment in order to safeguard users, the Standing Committee of European Doctors (CPME) has said.
The call comes as the UK Department of Health provoked privacy concerns on Monday (20 July), admitting that their contact tracing application violates the EU’s General Data Protection Regulation (GDPR).
In a recent newsletter, the CPME voiced their concerns over the use of digital contact tracing applications, citing “unauthorised access to health data, abuse of data collection and a repurposing or gradual widening of the use of the app beyond the purpose for which it was originally created” as risks which must be adequately addressed.
In terms of conducting impact assessments of the apps to ensure compliance with EU data protection legislation, Sara Roda, EU Senior Policy Advisor at the CPME, believes that member states don’t have any excuses.
“An impact assessment contributes to informed decision-making and protection of personal data as well as of societal concerns,” she told EURACTIV, adding that such assessments “should start before the processing of personal data begins – before the deployment of the app – and it should be revisited periodically” once new relevant information becomes available.
The GDPR gives powers to privacy authorities across the EU to enforce fines of up to 4% of global revenue or €20 million, whichever is higher.
The largest fine to date has been the French data protection authority’s €50 million penalty against Google in 2019 for a lack of transparency.
‘Unlawful’ UK tracing application
CPME also stressed that contact tracing apps must meet the essential requirements issued by the European Commission, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), which have called for a common EU approach, compliance with EU data protection law and cross-border interoperability.
Despite this, the UK data tracing application has already been found to be in breach of EU data protection laws, with the UK Department of Health conceding that it was launched without conducting an impact assessment on privacy, the BBC reported on Monday (20 July).
As such, privacy campaigners say the initiative has been unlawful since it began on 28 May and are now threatening to force the government to conduct a data protection impact assessment, a requirement under the GDPR.
Speaking to the BBC, Education Secretary Gavin Williamson said that in “no way has [there] been a breach of any of the data that has been stored,” stressing that there was a need to get the track and trace application “up and running at incredible speed,” despite violating the EU’s data protection legislation.
In terms of the rapidity with which EU member states across the bloc have rolled out their coronavirus apps, Sara Roda highlighted that “the European Commission, the EDPS and the EDPB acted quite quickly to try to obviate these concerns”, adding that she hopes that if an app is failing to comply with the GDPR, “this is identified at national and EU instances, and appropriate action is taken by national data protection authorities”.
Roda also highlighted concerns specifically about Poland and Slovakia, saying that there are reports that these countries intend to store data beyond the EDPS and EDPB recommendations.
“There needs to be an independent entity that monitors the progressive implementation and usage of the apps by public health authorities. This should be the role of national data protection authorities,” she said.
Edited by Samuel Stolton