Groeten uit Nederland!

While COVID-19 is keeping us at home in a "smart lockdown," it has been a very interesting two weeks for privacy here in the Low Countries.

Like most other governments, the Dutch government has put its hopes on a contact tracing app to help the country out of the lockdown. The government recently issued a market consultation for a contact tracing app. Just three days later, it received 176 proposals. After a first selection, 63 apps made it to the long list. On 16 April, a group of experts, including privacy and security experts, selected a short list. Those seven apps were submitted to an "appathon" in which 70 experts from various backgrounds, including me, reviewed the apps.

The entire event was live broadcasted on YouTube. At the same time, KPMG performed a penetration test on the apps, and the Dutch data protection authority and the state advocate law firm reviewed the apps on compliance with the GDPR. The conclusions of this incredible effort were fairly dramatic. Several influential privacy and security experts who were involved in the first round publicly distanced themselves from the shortlist. KPMG found vulnerabilities in every app. The state advocate concluded that no app met the requirements of the GDPR. The experts involved were not enthusiastic either. And the Dutch DPA said it could not make any conclusions because of a lack of information.

On the following Wednesday, the Parliament held a roundtable about the need for an app with NGOs and experts, all of which, for various reasons, advised against the app. My personal contribution before Parliament as an expert on privacy and data protection law consisted of three main elements:

  • Although the government required the app to be “GDPR-compliant,” the government had so far failed to specify the exact purpose of the app, making it impossible to advise on an app’s compliance with the GDPR.
  • If data quality would be too low, whether because of the technology used (Bluetooth) or because not enough people would be using the app, the invasion of privacy could not be justified.
  • The app would need specific legislation to avoid discrimination and stigmatization of infected persons and people that according to the app have been in contact with them. This should not be left to the vague rules of Articles 5 and 6 of the GDPR and to the outcome of DPIAs. Also, such legislation should have a sunset clause to avoid the app from becoming a permanent surveillance tool.

I also pointed to the paradoxical conclusion that the most privacy-friendly app, i.e., one that does not rely on a central server and does not share data without the user’s consent, could leave the app unprotected by the GDPR because of the personal use exception. After all, it would be difficult to argue that the public health authorities would be the controller for the data processed by the app in the user’s phone if they don’t have control over the phone and the app does not push the contact data out to a central server.

As the discussion about a contact tracing app in the Netherlands is not yet over, we will see how it will all play out.

By the way, while I write these notes, the Dutch DPA published its decision to fine a company 725.000 euros for unlawfully processing employee fingerprint data for security and attendance purposes. It’s the highest fine by the Dutch DPA to date. 

Stay safe!