An EU consortium led by Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI) releases software code that can be used to create apps that will help track transmission chains of COVID-19. The Pan-European Privacy Preserving Proximity Tracing (“PEPP-PT”) project comprises more than 130 members across eight European countries, including scientists, technologists, and experts.
The PEPP-PT project has published a manifesto explaining its intention to create “well-tested proximity tracking technologies” that national authorities can use to create their own COVID-19 apps. According to the manifesto, these technologies ensure “secure data anonymization” and “cross border interoperability”. The apps concerned would inform users, based on the phone’s Bluetooth signals, whether they have been in the proximity of a person who has tested positive for COVID-19.
National public authorities developing apps on the basis of this software remain free to decide how to inform persons that have been in contact with someone who has tested positive. The PEPP-PT website states that national cyber security agencies and national data protection agencies will assess the apps that are created using the code released by the PEPP-PT. EU Commissioner Thierry Breton indicated that the European Commission is also investigating whether an app using the PEPP-PT software would be compliant with “EU values”, reflecting the privacy concerns associated with such apps.
Several Member States have been considering using apps in the fight against COVID-19 (e.g., Ireland and Germany). Polish authorities, for example, have developed an app that individuals who tested positive for COVID-19, and are in quarantine, can voluntarily use to prove that they remain in quarantine (i.e., by sending selfies with their location to the authorities), as an alternative to receiving police visits.
COVID-19 Apps and Websites
Since the start of the COVID-19 crisis in Europe, private and public entities have begun releasing COVID-19 related apps. In response, some EU Supervisory Authorities have issued statements in relation to such apps:
The Belgian Supervisory Authority provided brief guidance to developers of COVID-19 apps (and websites). It clarifies the expected standard of anonymity and, in particular, it states that IP addresses should always be considered as personal data. It also distinguishes apps offered by healthcare providers and other health apps. In the latter case, the apps should provide at the time of set up, and before any personal data is collected or shared, all the information required by Article 13 of the GDPR. According to the statement, “at the end of the use of the application”, all personal data should be deleted.
The Italian Supervisory Authority states that it “would have no objection” to an app managed by public authorities that tracks persons who tested positive with COVID-19 and people who have come into contact with such persons, provided the app complies with data protection law.
The German Supervisory Authority of Rhineland-Palatinate states that an app that tracks the transmission of COVID-19 using Bluetooth technology “is possible”, provided it complies with data protection law. The statement lists various criteria that, in the opinion of the authority, are decisive in order to comply with data protection law. In particular, the authority notes that use of the app should be voluntary, that the purposes for processing the data be limited, that pseudonymization techniques be applied to the data, and that the data be deleted if there is no longer a risk of infection.
The Slovenian Supervisory Authority issued a statement about the website https://covid-19-stats.si/, which allowed individuals to report and record their COVID-19 symptoms, provide information about the symptoms, indicate the number of family members in the individual’s household, record the date symptoms were first detected, and provide the individual’s phone number and residential information. Although the website claimed that it only collected anonymized data, the authority’s investigation revealed that the data was only encrypted and not anonymized, and that the website therefore did not comply with the GDPR. As a result, the website announced that it has deleted its database and is looking into how to provide this service in a GDPR-compliant manner. The same authority issued a statement on the use of geolocation data to fight COVID-19, which states that this is only possible in exceptional circumstances and provided appropriate safeguards are in place.
The Spanish Supervisory Authority states that only public authorities have the authority to process personal data to control the epidemic. This includes collecting data in order to offer self-assessment tools and the collection of geolocation data for creating maps of high/low risk areas, or to control whether individuals who have tested positive comply with quarantine restrictions. Private entities may only process personal data pursuant to the instructions of the public health authorities.
In general, the statements released by EU Supervisory Authorities so far suggest that the use of apps or websites by public authorities to track the spread of COVID-19 will be allowed, provided they comply with the principles found in EU data protection laws. By contrast, regulators appear far more skeptical that private-sector bodies should be deploying and using such apps or websites. CCRES will continue to monitor these developments closely.
From the Pan-European Privacy-Preserving Proximity Tracing web site:
Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) makes it possible to interrupt new chains of SARS-CoV-2 transmission rapidly and effectively by informing potentially exposed people. We are a large and inclusive European team. We provide standards, technology, and services to countries and developers. We embrace a fully privacy-preserving approach. We build on well-tested, fully implemented proximity measurement and scalable backend service. We enable tracing of infection chains across national borders.
PEPP-PT was created to assist national initiatives by supplying ready-to-use, well-tested, and properly assessed mechanisms and standards, as well as support for interoperability, outreach, and operation when needed.
The PEPP-PT mechanisms will have these core features:
Well-tested and established procedures for proximity measurement on popular mobile operating systems and devices.
Enforcement of data protection, anonymization, GDPR compliance, and security.
International interoperability to support tracing local infection chains even if a chain spans multiple PEPP-PT participating countries.
Scalable backend architecture and technology that can be deployed with local IT infrastructure.
Certification service to test and ensure local implementations use the PEPP-PT mechanisms in a secure and interoperable manner.
Our reference implementation is available under the Mozilla License Agreement.
To find out more about the additional services we offer to support infrastructure and installation campaigns to enable country-specific applications, please download our Manifesto.
The virus has spread quickly and knows no political boundaries. To bring it under control, we must act in the same manner; speed and international cooperation are essential to protect health, privacy, and the economy.
We invite all countries to participate and use what we have to offer. We are stronger together against SARS-CoV-2. Please contact us if you are interested in using our services or contributing.
We are establishing a partner management team to help you get going quickly.
As a partner, you will:
… have access to our services and mechanisms.
… have access to our documentation and the source code of a reference implementation.
… take part in the inter-country exchange that will make our lives global again.
… provide feedback on the technical design.
… encourage your country to support PEPP-PT development and deployment.
… obtain certification for your implementation through PEPP-PT and thus inherit our privacy and security certifications and credentials.
… provide your national cyber-security, data protection, and health agencies with a solution that saves the effort of building certified services from scratch.
… receive planning and financial aid for installation and trust campaigns in your country.
… receive planning and execution aid for integrating PEPP-PT into your country’s strategy.
You can either implement PEPP-PT directly using the provided app/trust service reference implementation and add country-specific aspects, or integrate PEPP-PT technology into an existing solution through the modules in our services.
Please get in touch.
We welcome you on board.
WHO WE ARE
PEPP-PT is an organization that will be incorporated as a non-profit in Switzerland. PEPP-PT was created to provide a solution to this crisis that adheres to strong European privacy and data protection laws and principles. The PEPP-PT technical mechanisms and standards fully protect privacy while taking advantage of the possibilities of digital technology to maximize the speed and real-time capability of national pandemic responses. Our goal is to make this technology available to all countries, managers of infectious disease responses, and developers as quickly and seamlessly as possible.
The PEPP-PT team, which, as of 31st March 2020, has more than 130 members across eight European countries, includes scientists, technologists, and experts from well-known international research institutions and companies. We have expertise in communication, psychology, epidemiology, proximity tracing, security, privacy, encryption, data protection, application development, scalable systems, supercomputing infrastructure, and artificial intelligence.