Concerns are growing as ever-more governments explore the idea of tracking and tracing apps as a way of monitoring and slowing the spread of COVID-19. Obviously, society must use all possible means to fight the pandemic, including technology and data. But that shouldn’t mean casting aside the fundamental European values. Numerous institutions, associations, interest groups and experts have already expressed their reservations and are calling for a more rigorous app development process to ensure that those values are upheld. But what do they mean? What are ‘European values’? And how can we safeguard them?
Due to the COVID-19 crisis, a variety of mobile applications are being developed in different countries, many of them by governments and public authorities. The apps are aimed at using technology and data to slow the spread of coronavirus infection until a vaccine is widely available. Each app is slightly different. For example, certain apps are designed for the general public, while others are limited to closed user groups directed at monitoring contact in the workplace. However, they all tend to serve three general functions.
The key functionalities of a coronavirus app1:
- Monitoring the user’s health (often combined with a self-diagnosis questionnaire), informing/advising them and facilitating the organisation of medical follow-up in the case of symptoms.
- Warning the user if they have been in proximity to an infected person and advising them on appropriate action in order to break the chain of infection. This is key in both slowing the initial spread of the virus and preventing resurgence after lockdown measures are eased.
- Monitoring and enforcing the quarantine of infected people, possibly combined with features assessing their health condition during the quarantine period.
Two main challenges: adoption and trust
Generally speaking, the effectiveness of such mobile apps has not been fully evaluated, mainly due to the pressure to launch a coronavirus app as quickly as possible. In our view, success depends above all on sufficient user penetration. This presents two main challenges: adoption and trust.
For widespread adoption, firstly a high percentage of the population must be able to ‘technically adopt’, i.e. they must own a mobile device and be tech-savvy enough to use it. Secondly, a high percentage of those mobile device owners must actually download the app and consent to the processing of personal data concerning them (without subsequently withdrawing that consent).
Trust is above all the most important factor in achieving adoption. Citizens must trust that their data will be protected by appropriate security measures and used exclusively for the specified goals to which users have consented. Public health authorities should not only endorse the app but must also be able to take necessary action based on the data generated by it. This requires integration and data sharing with other systems and applications, and ideally also cross-border and cross-regional interoperability with other systems, which adds an extra dimension to the issue of data security and trust regarding how the data will be used.
Dealing with data in a ‘European way’
Clearly, the development of a national coronavirus app requiring citizens to volunteer.
their data for surveillance purposes blurs the boundaries between public health and civil liberties. Therefore, in recent weeks, various European Member States, public and private-sector institutions, experts, associations, opinion makers and trendwatchers have expressed their concerns about cybersecurity, data security and privacy. There are growing calls for coordination at EU level to focus on ‘European values’, and especially on the protection of the fundamental right to privacy and protection of personal data.
For example, in mid-April Veilig Tegen Corona, a coalition of concerned groups in the Netherlands, called for the development process of coronavirus apps to be carefully considered and above all focused on utility and necessity. The coalition has published a list of ten key criteria for such an app.
European data strategy is built on European values
Luckily the EU already has a vision for European data sharing in place that revolves around the European values: the European Data Strategy. This was developed to ensure Europe’s global competitiveness. The European Commission considers data to be an essential resource for economic growth, competitiveness, innovation, job creation and societal progress in general.
Closer examination of Veilig Tegen Corona’s ten criteria reveals that most of the concerns raised are addressed by the EU Recommendation’s principles covering privacy and data-protection aspects of use of mobile applications. In other words, these principles serve as an excellent basis for app developers to ensure sufficient safeguards against the abuse of data generated by a national/international COVID-19 app.2
How to safeguard European values
We welcome both the Veilig Tegen Corona criteria and the EU Recommendation because they echo our long-standing call for data sovereignty. People need ways to exercise their data rights. The importance of this had already started to emerge in the data economy before the COVID-19 outbreak, but the pandemic has now propelled the issue to the forefront of people’s minds and to the top of political agendas.
Thanks to the EU Data Strategy and its Recommendation, tangible, actionable and executable guidelines are now in place to enable people and organisations alike to govern their own data, putting them in charge of deciding who has access to their data and under what conditions.
We believe that data sovereignty holds the key to the success of COVID-19 apps since it provides the foundation for widespread adoption based on user trust, in line with European values.
Mariane ter Veen is director data sharing lead at the international consulting firm INNOPAY. She helps organisations to fully embrace the opportunities of the digital transactions era by adopting a more open outlook, collaborating across ecosystems and creating new value. Mariane has a wealth of experience in the domain of data sharing, both in public/private partnerships as well as helping individual organisations, and recently spearheaded the development of the logistics data-sharing scheme iSHARE.
Jim de Wolf is management consultant at the international consulting firm INNOPAY. He has a professional background in financial law, enabling full assistance in matters regarding financial law. Jim had experience in the field of compliance, PSD2, GDPR, AMLD4, licencing trajectories, scheme-building and data sharing related subjects. His expertise is based around the combination of regulatory, business and technology aspects. Within INNOPAY Jim is positioned as the legal expert and member of the licensing team.