A consortium based in Switzerland is seeking to build a COVID-19 contact-tracing app compliant with the EU’s strict data protection regulation.
The EU’s GDPR (General Data Protection Regulation) divides people into two camps. To some, the regulation offers citizens necessary protection against mass data collection. To others, GDPR is a hindrance that limits innovation and leads to startups establishing and offering their services in less strict regulatory environments.
Contact-tracing, the ability to find people who’ve been in close proximity to an individual, has been a powerful tool in the fight against the COVID-19 pandemic. Countries that have been successful in containing their national outbreaks, like South Korea and Singapore, have been aided by quickly deploying contact-tracing apps.
Singapore’s TraceTogether works by using Bluetooth to detect all the other users an individual has been in close proximity to. If that individual is then diagnosed with COVID-19, the health ministry of Singapore can access the app’s log to identify all the people that person had close contact with.
In Europe, deploying such an app is far more complex due to GDPR. Despite the challenge, the new group, named Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT), want to make a GDPR-compliant contact-tracing app.
PEPP-PT wrote in a post: “All procedures, mechanisms, standards and code at PEPP-PT is continuously monitored by our security team. In parallel, national cyber security agencies and national data protection agencies inspect all of the above line-by-line on a regular basis and sign. We have always asked and continue to motivate security activities to get in touch to review and improve our code or procedures.”
As we reported last month, Singapore is making its TraceTogether app open source to help developers around the world to build localised solutions. TraceTogether may provide a base for PEPP-PT to build a GDPR-compliant solution from.
In a manifesto (PDF), PEPP-PT highlights the urgency in developing a European contact-tracing app to avoid social and economic collapse:
“The only possibility to achieving these goals is to track physical proximity interaction and immediately isolate infected cases and quarantine their contacts.
This is the way everybody – relatively short term – can return to almost normal social and economic life.”
European countries have been among the hardest hit by the COVID-19 pandemic yet could be some of the last to deploy a vital contact-tracing app. Just last week, India launched a contact-tracing app called AarogyaSetu.
This isn’t the first time GDPR has become a hindrance in fighting the COVID-19 pandemic in Europe.
British supermarkets, for example, have been waiting for the details of 1.5 million vulnerable people isolating from coronavirus to deliver food boxes to them. However, they’ve been held up due to GDPR preventing the mass sharing of information such as people’s names, addresses, and/or emails. The UK remains subject to the bloc’s rules until the end of this year when a “transition” period ends following its Brexit decision.
