GDPR in the Wake of COVID Spread: Privacy under Pressure – Part 2
Our previous blog post in this series concerned mobile phone applications under development, or already developed, in various countries for tracing the spread of COVID-19 infections. In particular the blog described the situation in Norway, and we expressed our concerns, but also our trust, in the fact that The Norwegian Data Protection Authority (‘Datatilsynet’) would be on the spot to safeguard privacy – as regulated by strictNorwegian privacy regulations.
The Norwegian Data Protection Authority — more than a watchdog
We were right, and we are proud of the intervention by the Norwegian Data Protection Authority (NDPA), which in June banned the Norwegian COVID-19 tracker app Smittestopp. The ban illustrates NDPA’s independency, and that NDPA has legal power to enforce privacy protection when public (and private) organizations violate the law.
This power is anchored in the Personal Data Act (personopplysningsloven), the Norwegian implementation of GDPR, and the Personal Data Regulations (personopplysningsforskriften).
After evaluating the app Smittestopp as it was implemented in April this year, NDPA concluded that the app violated the privacy legislation in mainly two respects:
The app was not a proportionate intervention of the user’s fundamental right to data protection.
The app was in conflict with the principle of data minimization.
On June 12, The NDPA notified The Norwegian Institute of Public Health (NIPH) that the app would be banned, which was confirmed on July 6. Consequently, NIPH immediately stopped collecting data from the around 600,000 active users of the app, and deleted all stored data on their Azure server.
What the requirement for proportional intervention means
The breach of the requirement for proportional intervention concerned the expected low value of the app regarding infection tracking, due to the relatively small number of the population in the testing areas actually using the app (only 16%).
The reason for the breach of the principle of data minimization was that the app was designed to cover three different purposes:
Movement tracing of individuals (for research purposes).
Spread of the infection among the population.
The effectiveness of infection control measures.
The NDPA was also critical to the app because it was not possible for the users to choose for which of the three purposes their data would be used.
A new app is already being planned
The government has decided to terminate further development of Smittestopp, and will instead focus on the development of a new app. After seeking advice from NIPH, the government has decided to base a new app on the Google Apple Exposure Notification (GAEN) System, or ENS, which they call “the international framework from Google and Apple” because many countries (for instance Denmark, Finland, Germany, Great Britain) are going “the GAEN way”.
Important arguments for the government’s decision are that GAEN supports digital infection tracking only (Bluetooth-based), involves no central data storage, and includes the possibility to exchange experiences and handle users’ border crossings. In the meantime the EU has implemented a recommendation for decentralized Corona tracking applications, putting GAEN “squarely in the frame“.
NIPH was given the task to specify a request for proposal in an open competition for the development assignment of the new app, and now (October 20) the Danish Netcompany is hired to do the development. Netcompany has a similar contract with the Danish health authorities, and was the only bidder (!). The new app expected to be implemented this year (2020).
The privacy debate continues
Three main issues are still being debated, and the first is technical: Is Bluetooth reliable enough? Experiences show that false positives, but also false negatives, do occur when Bluetooth is being used.
The second issue is of course privacy. Even if personal data is stored locally on the phone, notifications between phones have to be relayed through a network – so what about hacking? In addition, Trinity College in Dublin has uncovered that on Android phones, GAEN will not work unless it is sending owner and location information back to Google.
The report “… focuses on efficiency, data privacy, technology-related risks, and effectiveness for government use. In terms of privacy and data protection, the report notes that if location data is still stored by Google, the COVID-19 app Smittestopp would be less privacy intrusive than the GAEN one.”
We will conclude with a quote (in our translation): “There is no perfect solution for digital infection tracking. Effective infection control and privacy stand in opposition to each other.”
For us at Runbox, privacy is priceless, and we are still wondering if the pros outweigh the cons.
On October 12, 2000 the Runbox email service was officially launched, on an Internet that was quite different from what we are used to today.
Initially, Runbox was a basic email forwarding service with a permanent @runbox.com email address. The original idea was to eliminate the need for email users to inform their contacts about a new email address when they changed schools or work places.
We soon expanded the Runbox service with a custom made Webmail interface, and offered a whopping 100 MB storage space. This was substantial compared to the 2 MB offered by Hotmail, who was the market leader at the time.
At that time Runbox was a free service, and the offering brought international attention and a large number of users. We then expanded with POP, SMTP, and IMAP access, email retrieval and filtering management, file storage, and support for email domains and domain hosting.
In 2012 we were once again at the forefront by strengthening the security and privacy aspects of our services following the surveillance revelations especially in the US.
Since those early years we have founded a new employee-owned company, continued hardening the security and privacy of our services, and built new partnerships and new server infrastructures, while broadening the foundation of our operations to embrace strong environmental and ethical principles, a diverse and dedicated team, a global customer base, and an inclusive virtual organization.
Now we are hard at work making Runbox 7 the fastest webmail app on the planet. In a world that is experiencing several global crises simultaneously we are increasingly focusing on features that facilitate global interconnectedness, telecommuting, and remote work by making our service more people and activity centric.
In an uncertain future one thing is for sure: Runbox will reinforce our mission to help people communicate better, more efficiently, and in a more organized way.
To demonstrate this we celebrate our 20th anniversary by doubling the subscription time on all Runbox products and renewals free of charge through October.
This means that when you purchase a subscription or add-on you get 2 years for the price of 1 year!
Proceed to our Product page right away to take advantage of this offer.
Thank you to all the customers who have supported us through the years — here’s to the next 20!
The additional subscription time will be applied automatically upon subscribing.
All initial subscriptions come with a full 60-day money back guarantee.
Hosted domains and other third party purchases are exempt.