On Monday 15 June, NIPH announced that they have decided to suspend the app and erase all data until further notice, but that they will provide a formal response by 23 June, which is the date set by the Data Protection Authority. Our notice entails a temporary ban on all collection of personal data by NIPH through the app.
Intervention no longer proportionate
“NIPH has chosen to suspend all collection and storage of data immediately. I hope they use the time left until 23 June well, both to document the benefits of the app and to make other necessary changes, so that they can resume use of it,” says Data Protection Authority Director-General Bjørn Erik Thon.
The basis for the notice is the Data Protection Authority’s assessment that the Smittestopp app can no longer be considered a proportionate intervention in the users’ fundamental rights to data protection.
“Smittestopp is a highly invasive measure in terms of data protection, even in these special circumstances, where our society is fighting a pandemic. We do not see the utility, given our current situation and the way the technical solution is designed and presently working,” Thon says.
Legality hinges on public benefit
Smittestopp is a digital solution for contact tracing. It can notify the user if they have been in close contact with people infected with Covid-19. By analysing anonymized and aggregated data of population movement patterns, NIPH will also evaluate infection control measures and monitor rates of transmission through society. Smittestopp collects large quantities of personal data about app users, including continuous location data and information about app users’ contact with others.
“Our notice does not mean that we can’t use technology and apps to fight this pandemic. However, the legality of Smittestopp hinges on its public benefit,” Thon says. “We have considered the solutions chosen for the Smittestopp app, the low proliferation of the app, with users accounting for approximately 14 percent of the population aged 16 and older, and the rates of infection in the general population. We have also taken into account the National Institute of Public Health’s release stating that the rate of infection is currently so low that it is difficult to validate that the app’s alerts are notifying the right people — not too many and not too few.”
Location data from GPS and Bluetooth
Currently, Smittestopp users cannot choose to provide personal data for contact tracing purposes without also agreeing to the data being used for analysis and research. These different purposes require different types of personal data. We question the lack of choice for the users. Several other European countries have developed contact tracing apps that rely solely on Bluetooth technology and that do not collect GPS-based location data. The World Health Organization (WHO) has also posted several publications related to digital proximity tracking for Covid-19 (example link).
“The European Data Protection Board has concluded that the use of location data in contact tracing is unnecessary and recommend the use of Bluetooth data only. We do not find that NIPH has sufficiently justified the need to use location data for contact tracing and await new information from NIPH on this issue,” Thon says.
Smittestopp currently only has contact tracing functionality in combination with notification in three test municipalities: Drammen, Trondheim and Tromsø.
“Also, no solution for anonymizing and aggregating data for analysis has yet been implemented.The app nevertheless continually collects personal data from all users,” Thon says.
Going forward
The Data Protection Authority has invited the National Institute of Public Health to a meeting on Friday 19 June to further discuss this matter. NIPH has until 23 June to provide a response to the order.
“There are many different things we need to discuss. The design of the request for approval and the use of GPS in contact tracing are central issues, but we also need to discuss the anonymization solution, which is not yet in place. A solution for how to handle requests for access will also be a topic for discussion. We need to see some specific changes on these important issues,” Thon says.