COVID-19 apps in Europe violating data protection and privacy
By Thomas Vink, 3rd June 2021
To help deal with the COVID-19 pandemic, governments are developing and rolling out apps related to contact-tracing, symptom-tracking, exposure notification, and quarantine-enforcement. Many governments are not taking data protection and privacy seriously when developing and deploying these apps, and there is a risk of normalising the expanded use of invasive digital surveillance technologies.
The Civil Liberties Union for Europe are using a variety of litigation actions – freedom of information requests, data protection authority complaints, and litigation before domestic/regional courts – to stop the use of COVID-19 apps that do not respect people’s rights to privacy and data protection. They also want to use this litigation to help ensure that impact assessments are carried out in relation to such apps, and that there is more transparency around their development and use.
COVID-19 apps in Europe violating data protection and privacy
Organisation Names
Civil Liberties Union for Europe, with Access Now and member organisations across 12 EU countries
Country/Jurisdiction
Bulgaria, Belgium, Croatia, Germany, Hungary, Italy, Ireland, Lithuania, Slovenia, Spain, Sweden, and Poland
Amount Granted
EUR 37,239
Current Status
Litigation complete; partial win in some countries
Grant type
COVID-19 Litigation Fund
Description
To help deal with the COVID-19 pandemic, governments are developing and rolling out apps related to contact-tracing, symptom-tracking, exposure notification, and quarantine-enforcement. Many governments are not taking data protection and privacy seriously when developing and deploying these apps, and there is a risk of normalising the expanded use of invasive digital surveillance technologies.
The Civil Liberties Union for Europe will used variety of litigation actions – freedom of information requests, data protection authority complaints, and litigation before domestic/regional courts – to stop the use of COVID-19 apps that do not respect people’s rights to privacy and data protection. They also wanted to use this litigation to help ensure that impact assessments are carried out in relation to such apps, and that there is more transparency around their development and use.
Liberties started the project with partners in 12 EU members states but then narrowed this down to four jurisdictions where they began litigation action: Belgium, Bulgaria, Hungary and Spain.
In both Bulgaria and Spain there were rulings in favour of Liberties’ partners. In both countries the courts ruled that data protection impact assessments about the national COVID tracing apps must be shared. These rulings set an important precedent that human rights impact assessments about COVID tracing apps must be carried out and made public.
In almost all jurisdictions they assessed, Liberties noticed major issues. For example, when launching apps, governments did not consult stakeholders and watchdogs, data protection impacts assessments were not prepared or made public, source codes were not published, and the expected efficacy was too low to justify the app’s use. In June 2021, Liberties launched a knowledge hub on their website to collate information gathered so far, and to monitor and update the ongoing cases.
"Many governments are not taking data protection and privacy seriously when developing and deploying these apps"
Strategic Goal
To prevent European governments from using the COVID-19 pandemic as a pretext for normalising expanded digital surveillance technologies. To ensure citizens can access public health apps that are not unlawful or unnecessarily intrusive.