Data protection during COVID-19: Can we reconcile data protection and infection protection in Europe at all?

“Corona Data Donation” or “Pepp PT” — Apps that currently challenge data protection regulations in Europe

In the fight against the coronavirus, the examination and evaluation of health data have become indispensable. Figures that currently accompany us daily are the number of infected, deceased, convalescents, but also data on how many more people an infected person infects on average. The development of these figures determines the decisions of federal politics and thus our daily life. For weeks now, drastic interventions in our basic rights through curfews, contact bans, and business closures have determined our daily lives. A relaxation of these measures? There will only be a relaxation when the numbers allow it. Despite three-week initial restrictions, only slow successes have been seen so far. Simply relying on the consequences of these restrictions does not seem sufficient. Many voices are currently being raised in favor of an additional evaluation of mobile movement data to contain the spread of the virus and minimize the sources of infection.

Using personal mobile data in Europe to track COVID-19 infected people and to help stop the spread of the disease is currently being discussed

At the same time, data protectionists are alarmed and point out the far-reaching consequences of such movement tracking. I discussed why this topic should be considered comprehensively with trainee lawyer Daniela Tussing who works part-time in a data protection company.

1. What obstacles do you see concerning data protection when tracking personal mobile phone data to better trace sources of infection especially in times of crisis?
The tracking of personal data is generally a very controversial topic. Particularly in this current situation, where the tracking of sources of infection is concerned, it is important to ensure that all the requirements of the European General Data Protection Regulation (GDPR) are observed when processing such data. Tracking must above all be legitimate, i.e. the processing must be based on a legal basis. However, the technical implementation also plays a major role here, as data security must be observed in connection with tracking. It is also important, however, to limit such measures to the time of infection, and in particular to check at any time whether the measures are still proportionate and when they must end.

Other countries have already successfully helped to keep the curve flat by tracking motion data.

Many cite South Korea as a model country, as the spread of the virus there could be contained early on without sending the country into a drastic lockdown. This was made possible by tracking data from credit cards and mobile phones that have come into contact with infected people. In general, South Korea is considered one of the most digitalized countries in the world,where nowadays almost all payments are cashless. The large number of 4G or 5G radio masts, which document the location of mobile phones at all times, as well as a network of surveillance cameras in public spaces also enable comprehensive tracking.

Many cite South Korea as a model country, as the spread of the virus there could be contained early on without sending the country into a drastic lockdown. - medudoc

Israel even goes one step further and, in addition to GPS data, also collects smartphone data, which measures movement, acceleration or light conditions, information about which WIFI network or Bluetooth device was close by. This enables the secret service to gain deep insights into the privacy of everyone in Israel — far beyond the location queries of smartphones.

2. Why are such measures for tracking people not possible here in Europe?
That’s much too sweeping a denial. There are already other forms of tracking people’s movement here in Europe. Take a look e.g. at various apps that track sports activities, such as jogging or counting steps. In general, however, we have a much higher requirements here in Europe. On the one hand, we have the General Data Protection Regulation and, on the other hand, here in Germany, we also have our fundamental rights based on the constitution (Grundgesetz), which must be observed. Measures may only be taken if they are proportionate: Speak is there a legitimate purpose for the measure? Are there appropriate means to achieve that purpose? Are the measures really necessary, that is, are there not perhaps milder means that are equally effective? Finally, within the framework of proportionality, a balance must be struck between the various interests.

3. EU Justice Commissioner Věra Jourová believes that two principles are important when using applications that track the movement of people during these critical times: Citizens must participate voluntarily and the apps may only be used in times of crisis. But Europe’s strict data protection laws do not forbid the use of such apps. Do you share this view or do you think that other principles are missing?
Basically yes. Voluntariness is very important. Especially when considering the consent as a legal basis, consent must be given voluntary by the data subject. As well as the mentioned limitation to this time of crisis. But a limitation to the crisis period alone is not enough. Even in times of crisis, this should not apply without restriction. During the whole process, it must always be checked whether the tracking measures are still proportionate. This is where the problems lie.

These two principles are exactly what the recently presented app “Corona Data Donation” of the Robert Koch Institut fulfills.

This App is not the much-discussed tracking app, as it only gives additional information about where and how fast the coronavirus is spreading in Germany. It works only in combination with fitness wristbands and smartwatches from different manufacturers. Using pseudonymized data, the app can detect a corona infection and record its geographical spread. The fitness tracker data would be transmitted from the smartphone to servers running in Germany in encrypted form. The information is stored under a pseudonym — a long sequence of letters and numbers. Thanks to the app, the RKI would at no time know personal information such as the user’s name or address. Neither would it request location data.

An overarching European tracking solution is currently being developed under the name of “Pan European Privacy-Protecting Proximity Tracing”, Pepp-PT for short.

Behind it is an international team of more than 130 scientists and IT experts. The system is a counter-project to the partly repressive and invasive approaches of other countries. Instead of collecting masses of sensitive location data, monitoring users or putting infected people in a digital corona pillory, Pepp-PT is supposed to be completely voluntary and data protection-friendly. Using Bluetooth radio technology, the apps scan the environment and record which other smartphones are within range — provided, however, that their owners also use an app based on the Pepp PT system. If two devices come closer than two meters, the apps store the temporary ID of the other phone. The data initially remains encrypted on the smartphone, and no one can access it. This results in a list of IDs on the smartphone behind which people are hidden who you may have infected yourself or from whom you may have received viruses. Anyone who is sick with Covid-19 sends the ID list, which has been stored locally up to now, to a central server. Then the contact persons receive an automatic push notification on their smartphone and are asked to be tested. The IDs contain a country code, so the system works across borders.

4.How questionable are applications such as Corona data donation or Pepp-PT concerning European data protection laws?
As already mentioned, we need a legitimation, i.e. an appropriate legal basis, for the use of the application. If the app takes the consent of the user as legal basis, this consent must be informed and voluntary. Also there a multiple questions attached to this question which need to be answered first:

  • How is data deletion ensured?
  • What types of personal data are involved? Anonymized data are generally not covered by the GDPR. When processing pseudonymized data, it is necessary to comply with the provisions of the GDPR.
  • Is it perhaps sensitive health data?
  • Is it processed solely for health protection?
  • Where does the data flow?
  • Is the transfer secured accordingly?

App developers have to ask themselves all these and more questions and must take respective measures to ensure the safety of the data.

5. Can data protection and infection protection be reconciled at all?
This can neither be generally affirmed nor denied. Again it depends: Infection protection is only used in exceptional circumstances and must be compatible with high requirements. Compatibility is possible if there is a legal basis and if it is carefully weighed up. Again we must look at the proportionality.

medudoc: Can data protection and infection protection be reconciled at all?

6. In general, the issue of data protection in the healthcare sector has been the subject of lengthy debate for years. From the introduction of an electronic patient file to the telemedical treatment of patients.What should digital health startups have on their screens in terms of data protection?
Data protection should already be technically integrated when a new data processing procedure is developed (privacy by design) and factory settings should be designed in a data protection-friendly way from the very beginning (privacy by default). In other words, experts in the field should be consulted as early as the development of new technologies such as apps or the like to find out the essential points.
Following questions must be checked in advance:

  • Does the GDPR even apply?
  • Do we have health data, which as sensitive data are subject to particularly high protection?
  • Do we have a legal basis?
  • Are there appropriate technical and organizational measures to guarantee data security?

The discussion is very hot right now: one must seek professional data protection advice.

7. We at medudoc also have to deal with the subject of data protection. Before any medical intervention, patients must be informed and educated individually by their doctor. We digitize and personalize this process by accessing patient information and turning these into an individualized educational video for the upcoming medical procedure. What challenges do you see concerning data protection at medudoc?
The existence of health data as a special category of personal data is subject to a higher level of protection. The legitimization through a legal basis for the processing. Consent must always be taken into account, as this must be given informatively and voluntarily, but at the same time can be revoked at any time. Also, the data must be appropriately secured by the technical implementation to prevent possible misuse. It is recommended to get a consultation by an experienced DPO who has already been active in the health care sector.

Data protection and infection protection can be reconciled during crisis situations if respective measures are met.

We see that it is legally possible in Europe to use applications that help to limit the spread of the virus in times of crisis by tracking people’s movements. However, before such an application is used, it must be checked whether there is an extraordinary proportionality that allows such an intervention in the private sphere of citizens. Voluntariness, an exclusive use in times of crisis as well as a possible termination of data sharing at any time must be basic requirements for tracking applications.

About the author:

Mona Ciotta is working as Strategic Business Development Manager at the digital health start-up “medudoc” in Berlin. Coming from a digital marketing background she is now working on bridging the digital gap of evolved patient expectations, arbitrary regulations and economical pressured healthcare providers like hospitals and doctors. Through video animation, medudoc digitizes, automates and standardizes the analog and tedious practice of patient education before a medical intervention. You can contact her via mail ( and LinkedIn.

  About the interview partner:

Daniela Tussing, LL.M (Exeter) is a trainee lawyer at OLG Saarbrücken, currently in here civil station at the District Court Saarbrücken and is working part-time in a data protection company. She is passionate about media law and data protection. During her law studies she focused on IT law and data protection and intends to pursue a legal career in these areas. You can contact her via XING or LinkedIn.