The Norwegian COVID-19 contact tracing app is banned by the Data Protection Authority

GDPR in the Wake of COVID Spread: Privacy under Pressure – Part 2

Our previous blog post in this series concerned mobile phone applications under development, or already developed, in various countries for tracing the spread of COVID-19 infections. In particular the blog described the situation in Norway, and we expressed our concerns, but also our trust, in the fact that The Norwegian Data Protection Authority (‘Datatilsynet’) would be on the spot to safeguard privacy – as regulated by strict Norwegian privacy regulations.

The Norwegian Data Protection Authority — more than a watchdog

Temporary suspension of the Norwegian Covid-19 contact tracing app
The Norwegian Smittestopp app

We were right, and we are proud of the intervention by the Norwegian Data Protection Authority (NDPA), which in June banned the Norwegian COVID-19 tracker app Smittestopp. The ban illustrates NDPA’s independency, and that NDPA has legal power to enforce privacy protection when public (and private) organizations violate the law.

This power is anchored in the Personal Data Act (personopplysningsloven), the Norwegian implementation of GDPR, and the Personal Data Regulations (personopplysningsforskriften).

After evaluating the app Smittestopp as it was implemented in April this year, NDPA concluded that the app violated the privacy legislation in mainly two respects:

  1. The app was not a proportionate intervention of the user’s fundamental right to data protection.
  2. The app was in conflict with the principle of data minimization.

On June 12, The NDPA notified The Norwegian Institute of Public Health (NIPH) that the app would be banned, which was confirmed on July 6. Consequently, NIPH immediately stopped collecting data from the around 600,000 active users of the app, and deleted all stored data on their Azure server.

What the requirement for proportional intervention means

The breach of the requirement for proportional intervention concerned the expected low value of the app regarding infection tracking, due to the relatively small number of the population in the testing areas actually using the app (only 16%).

The reason for the breach of the principle of data minimization was that the app was designed to cover three different purposes:

  1. Movement tracing of individuals (for research purposes).
  2. Spread of the infection among the population.
  3. The effectiveness of infection control measures.

The NDPA was also critical to the app because it was not possible for the users to choose for which of the three purposes their data would be used.

A new app is already being planned

The government has decided to terminate further development of Smittestopp, and will instead focus on the development of a new app. After seeking advice from NIPH, the government has decided to base a new app on the Google Apple Exposure Notification (GAEN) System, or ENS, which they call “the international framework from Google and Apple” because many countries (for instance Denmark, Finland, Germany, Great Britain) are going “the GAEN way”.

Important arguments for the government’s decision are that GAEN supports digital infection tracking only (Bluetooth-based), involves no central data storage, and includes the possibility to exchange experiences and handle users’ border crossings. In the meantime the EU has implemented a recommendation for decentralized Corona tracking applications, putting GAEN “squarely in the frame“.

NIPH was given the task to specify a request for proposal in an open competition for the development assignment of the new app, and now (October 20) the Danish Netcompany is hired to do the development. Netcompany has a similar contract with the Danish health authorities, and was the only bidder (!). The new app expected to be implemented this year (2020).

The privacy debate continues

Three main issues are still being debated, and the first is technical: Is Bluetooth reliable enough? Experiences show that false positives, but also false negatives, do occur when Bluetooth is being used.

The second issue is of course privacy. Even if personal data is stored locally on the phone, notifications between phones have to be relayed through a network – so what about hacking? In addition, Trinity College in Dublin has uncovered that on Android phones, GAEN will not work unless it is sending owner and location information back to Google.

This leads to the third issue: Is it sensible to let the tech giants control a solution that involves processing very personal information? “Do Google or Apple get to tell a democratically elected government or its public health institutions what they may or may not have on an app?”

The Norwegian Data Protection Authority published a report on digital solutions for COVID-19 (‘Coronavirus’) infection tracking on September 11 this year. The report was developed by Simula Research Laboratory, who did not bid on the contract for the new GAEN-based application (arguing that they are a research institution and not a software development company).

The report “… focuses on efficiency, data privacy, technology-related risks, and effectiveness for government use. In terms of privacy and data protection, the report notes that if location data is still stored by Google, the COVID-19 app Smittestopp would be less privacy intrusive than the GAEN one.”

Conclusion

We will conclude with a quote (in our translation): “There is no perfect solution for digital infection tracking. Effective infection control and privacy stand in opposition to each other.”

For us at Runbox, privacy is priceless, and we are still wondering if the pros outweigh the cons.

Continue Reading →

Data Privacy Day

January 28th is Data Privacy Day, and was initiated by the Council of Europe in 2007. Since then, many advances to protect individuals’ right to privacy have been made.

The most important of these is the European Union’s General Data Protection Regulation (GDPR) which was implemented on May 25, 2018. Runbox has promoted data privacy for many years, anchored in Norway’s strong privacy legislation.

At Runbox, which is located in the privacy bastion Norway, we believe that privacy is an intrinsic right and that data privacy should be promoted every day of the year.

Your data is safe in the privacy bastion of Norway

We’re pleased that Data Privacy Day highlights this important cause. Many who use the Internet and email services in particular may think they have nothing to hide, not realizing that their data may be analyzed and exploited by corporations and nation states in ways they aren’t aware of and can’t control.

While threats to online privacy around the world are real and must be addressed, we should not be overly alarmed or exaggerate the problem. Therefore we take the opportunity to calmly provide an overview of Norway’s and Runbox’ implementation of data privacy protection.

Norway enforces strong privacy legislation

First of all, Norway has enacted strong legislation regulating the collection, storage, and processing of personal data, mainly in The Personal Data Act.

The first version of Norway’s Personal Data Act was implemented as early as 1978. This was a result of the pioneering work provided by the Department of Private Law at the University of Oslo, where one of the first academic teams within IT and privacy worldwide was established in 1970.

Additionally, the Norwegian Data Protection Authority, an independent authority, facilitates protection of individuals from violation of their right to privacy through processing of their personal data.

For an overview of privacy related regulations in the US, in Europe, and in Norway, and describes how Runbox applies the strong Norwegian privacy regulations in our operations, see this article: Email Privacy Regulations

Runbox enforces a strong Privacy Policy

The Runbox Privacy Policy is the main policy document regulating the privacy protection of account information, account content, and other user data registered via our services.

If you haven’t reviewed our Privacy Policy yet we strongly encourage you to do so as it describes how data are collected and processed while using Runbox, explains what your rights are as a user, and helps you understand what your options are with regards to your privacy.

Runbox is transparent

Runbox believes in transparency and we provide an overview of requests for disclosure of individual customer data that we have received directly from authorities and others.

Our Transparency Report is available online to ensure that Runbox is fully transparent about any disclosure of user data.

Runbox is GDPR compliant

Runbox spent 4 years planning and implementing EU’s General Data Protection Regulation, starting the process as early as 2014.

We divided the activities implementing the GDPR in Runbox into 3 main areas:

  • Internal policies and procedures
  • Partners and contractors
  • Protection of users’ rights

This blog post describes how we did it: GDPR and Updates to our Terms and Policies

Runbox' GDPR Implementation

More information

For more information about Runbox’ commitment to data privacy, we recommend reviewing the Runbox Privacy Commitment.

Continue Reading →

“Drop Gmail, Outlook, and iCloud: Norwegian challenger clearly best on privacy”

Runbox is hailed in a major Norwegian news outlet for providing superior privacy protection.

The article is based on a study by Vienna University of Business and Economics, which compares Runbox to 4 other major email services.

Gmail is slammed in the same article for its poor default privacy settings and a pattern of privacy violations.

Comparison of email providersIn the study, Runbox scores high in all categories:

  • Informational Control: 7/7
  • Decisional Control: 7/7
  • Behavioral Control: 6/7
  • Privacy Friendly Defaults: 7/7
  • Technology Paternalism: 5/7
  • Privacy By Design: 6/7
  • Service Appeal: 5/7

At Runbox we are very happy with this increasing focus on privacy, which supports our long-held privacy commitment and our work on compliancy with EU’s General Data Protection Regulation.

The full digi.no article (in Norwegian) can be seen below in PDF format.

Dropp Gmail, Outlook og Icloud- Norsk u...rer klart best på personvern - Digi.no

Continue Reading →

New Terms of Service and Privacy Policy in effect

As announced one month ago, our new Terms of Service and Privacy Policy implementing the European Union’s General Data Protection Regulation (GDPR) take effect today.

The GDPR is a set of regulations declaring that the individual should have control over their personal data by specifying how such data may be collected, processed, and stored.

Important principles include that personal data must be processed lawfully, for legitimate purposes, and with explicit consent from the user.

Runbox’ privacy commitment

Runbox has always been committed to the privacy of our users, and the GDPR principles are now fully integrated into our Privacy Policy. It provides a comprehensive overview of the policies that govern your privacy as a Runbox user, and describes in an accessible way the types of data Runbox collects in order to responsibly and reliably operate an email service.

It also lays out how user data are processed and stored, how they are being protected, and what rights you have as a user of our services.

To find out more about our GDPR implementation, please see our previous blog post GDPR and Updates to our Terms and Policies.

Review the new terms and policies

If you haven’t already done so we ask that you review the revised terms and policies now, and invite you to contact us with any questions or concerns.

If you are already a Runbox user or customer you have already actively consented to our Terms of Service when registering a Runbox account, and you do not need to consent again now to the new version.

As a new Runbox user you will have the opportunity to consent to the terms and policies when registering your account.

Continue Reading →