Data Protection Impact Assessment for the Corona App

97 Pages Posted: 30 Apr 2020

See all articles by Kirsten Bock

Kirsten Bock

Independent

Christian Ricardo Kühne

Independent

Rainer Mühlhoff

University of Osnabrück

Měto R. Ost

Independent

Jörg Pohle

Alexander von Humboldt Institute for Internet and Society

Rainer Rehak

WZB Berlin Social Science Center; Weizenbaum Institute for the Networked Society

Date Written: April 29, 2020

Abstract

Since SARS-CoV-2 started spreading in Europe in early 2020, there has been a strong call for technical solutions to combat or contain the pandemic, with contact tracing apps at the heart of the debates. The EU's General Daten Protection Regulation (GDPR) requires controllers to carry out a data protection impact assessment (DPIA) where their data processing is likely to result in a high risk to the rights and freedoms (Art. 35 GDPR). A DPIA is a structured risk analysis that identifies and evaluates possible consequences of data processing relevant to fundamental rights in advance and describes the measures envisaged to address these risks or expresses the inability to do so.

Based on the Standard Data Protection Model (SDM), we present a scientific DPIA which thoroughly examines three published contact tracing app designs that are considered to be the most privacy-friendly: PEPP-PT, DP-3T and a concept summarized by CCC member Linus Neumann, all of which process personal health data. We show that even a decentralized architecture involves numerous serious weaknesses and risks, including larger ones left unaddressed. We also found that none of the proposed designs operates on anonymous data or ensures proper anonymization, that informed consent would not be a legitimate legal ground for the processing, that data subjects' rights are not sufficiently safeguarded, and that no design provides for sufficient purpose-binding.

Keywords: data protection, data protection impact assessment, contact tracing app, General Data Protection Regulation, Standard Data Protection Model

Suggested Citation

Bock, Kirsten and Kühne, Christian Ricardo and Mühlhoff, Rainer and Ost, Měto R. and Pohle, Jörg and Rehak, Rainer and Rehak, Rainer, Data Protection Impact Assessment for the Corona App (April 29, 2020). Available at SSRN: https://ssrn.com/abstract=3588172 or http://dx.doi.org/10.2139/ssrn.3588172

Kirsten Bock

Independent ( email )

Rainer Mühlhoff

University of Osnabrück ( email )

Germany

Měto R. Ost

Independent ( email )

Jörg Pohle (Contact Author)

Alexander von Humboldt Institute for Internet and Society

Französische Straße 9
Berlin, 10117
Germany

HOME PAGE: http://www.hiig.de

Rainer Rehak

WZB Berlin Social Science Center ( email )

Reichpietschufer 50
D-10785 Berlin, 10785
Germany

Weizenbaum Institute for the Networked Society ( email )

Hardenbergstraße 32
D-10623 Berlin
Germany

HOME PAGE: http://https://www.weizenbaum-institut.de

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
970
Abstract Views
4,289
Rank
38,285
PlumX Metrics