As nations grapple with ways to contain the Covid-19 pandemic whilst trying to start reopening our economies, schools and borders, many government have sought to use technology as a way beat the pandemic.
In some parts of the world, ‘contact tracing’ apps have already been in place for some time whereby citizens either voluntarily or involuntarily download an app onto their smartphones, allowing the authorities to know where the clusters of virus may be, or whom the infected people may have come into contact with.
Using Bluetooth technology, several EU member states are considering rolling out the ‘contact-tracing’ app though the national governments are approaching in many different ways. Some have decided to develop an app that stores data on a central database. Other governments are in favour of a decentralised model. Some have abandoned the idea of an app to focus on other measures, like human contact tracing.
Meanwhile, tech giants Apple and Google have started to work together to propose a decentralised ‘interoperable’ solution that would allow apps to work on all their mobile devices and across borders.
The European Commission has also been trying to promote a European coordinated approach, mainly through a EU toolbox and a non-binding guidance document. The EDPB – the umbrella organisation including all national data protection authorities – has subsequently issued some guidelines.
Do we need contact-tracing apps?
Left MEPs in the European Parliament do not believe in a ‘digital solutionism’.
Governments promise to use technology as a magic wand to show that they are ‘doing something’, even if there are no clear indications about its effectiveness.
Experts strongly doubt that these apps will work. There is no evidence that they will actually help in the post-lockdown phase. And too many details on their functioning remain unknown: what happens once a person is notified by the app? Who will tell us what to do? How will they limit ‘false positives’, like between people in two contiguous rooms?
In the absence of a clear overview and of a thorough assessment of their effectiveness, the risks are too high when compared to the realistic benefits. Such technological solutions adopted during a public health crisis might only contribute to legitimise and normalise the idea that we should accept mass surveillance. Following this logic, in the future people might end up accepting privacy-invasive solutions also for other purposes.
Technology alone cannot be the solution to public health crises. Other measures are much more important during a public health crisis: widespread testing, improvement of the public health system, hiring of health staff, etc.
Left values impose extreme cautiousness on such technological solutions, which would also strengthen the position of the tech giants and would further contribute to the drifting towards an increasingly ubiquitous ‘surveillance capitalism’. Moreover, they would inevitably leave some people ‘behind’, like elderly people, or those who do not have the latest generation of smartphones. Such a discriminatory effect is far from the concept of ‘digital solidarity’ evoked by the European Data Protection Supervisor (EDPS), whereby data should be used for the benefit of all, especially the most vulnerable.
What basic safeguards against abuses do we need?
The EU has set high standards of data protection. The Commission must work to ensure that diverging national approaches do not undermine such standards. In principle, we also welcome the efforts to find a coordinated approach between member states in order to ensure the freedom of movement across borders.
However, the quest for a coordinated approach should not force all member states to roll out contact-tracing apps. There should be a democratic debate in every member state to decide on their individual development. All member states should be free to choose whether or not to develop these app or and to focus on other measures.
If member states decide, through a democratic process, to roll out contact-tracing apps, Left MEPs in the Parliament believe that the EU guidelines published by the EDP and the Commission must be respected, and some further conditions must be met.
We consider essential that:
All apps are voluntary. By no means should they be obligatory, and people who decide not to download them should not suffer from any disadvantage.
They are based on dedicated legal frameworks, created through a democratic process. If an app has already been developed, it must be verified whether it is compliant with national constitutional principles and with EU law.
They must be used only for public health purposes, and only for contact-tracing purposes. If member states choose to roll out, for example, symptoms-tracking apps, they must develop a separate app, for which there should be a different democratic debate.
They are temporary. These apps must be deactivated after the crisis, and data must be erased.
They must be fully transparent: apps must be open source, and information must be published both as regards their functioning (including the methods used to anonymise data), and the commercial interests of the private developers.
They must not collect location data. Collecting location would mean to introduce a real mass surveillance tool and would create major security and privacy risks.
Only health authorities should determine what data needs to be processed, and algorithms used in contact tracing apps should work under the strict supervision of these authorities in order to limit the occurrence of any false positives and negatives.
All storage of data must be decentral on the device: the generated data should not be stored in centralised databases, which are prone to potential risk of abuse.
Speaking on behalf of GUE/NGL, German MEP Cornelia Ernst (DIE LINKE) believes:
“I doubt that tracing apps will deliver what they promise. Contact-tracing is a very invasive technology, and we should think more than twice before using it.
“And if EU member states decide to develop and deploy such apps, they should then make sure that very strict safeguards are put in place, and that personal data never leaves the devices of the users.”