"Corona apps" are being developed with the speed of light. In the mean time, crucial questions about purpose and necessity remain unanswered, creating the impression that our rights and freedoms are insufficiently regarded. Will the Dutch Data Protection Authority succeed in bringing to light the much-needed clarity?
The Ministry of Health is hastily exploring the possibilities of the deployment of a corona app. With a very short deadline, organisations were asked to present a working app, and a decision was to be made within a couple of days. The ministry is like a bull in a china shop, but keeps insisting that privacy will be respected. The haste with which this process has been set up has lead to grave concerns about a lack of diligence. And diligence is necessary when it comes to measures like these that substantially infringe on our rights and freedoms.
All eyes on the Dutch DPA
Luckily there's a data protection authority tasked with assessing the measures: Autoriteit Persoonsgegevens. The Dutch DPA announced that it will closely examine the corona appsRead the AP's announcement in Dutch here. that are being considered by the government. "If an app chosen by the government doesn't meet the requirements set out by privacy law, the AP can forbid the government to deploy the app."
Interestingly, the DPA emphasizes it will assess the characteristics of the apps in question: how much data is being collected, security, and the risk that data falls into the wrong hands. Of course those are important aspects, but even more important is the question if such an app is desirable at all. Is the measure proportionate taking into account the infringements on the rights and freedoms of people? Is there an expectation that the app will really contribute to a solution? And to which problem exactly? These are questions that need more than vague answers. Before the DPA dives into the specifics of these apps, we need more clarity on the fundamentals.
What is it exactly that we're doing?
Autoriteit Persoonsgegevens can take an example from its colleagues at the German DPA: "For an evaluation based on data protection law, I currently don't have enough information regarding the question if the app and the procedure it foresees, are suitable to accomplish the desired goal, and if the goals can actually be accomplished", says Urlich KelberRead the German statement on ZDF's website., the German DPA. According to Kelber, he is unable to evaluate until more information is provided. That puts a temporary halt to Germany's plans, and requires the government to take a step back in order to ask the question: What is it exactly that we're doing? And not a moment too late, because badly thought through solutions can cause more harm than good.
DPA: remain critical!
While crisis teams are rolling out emergency measures one after another, the DPA needs to look to the future. She needs to perform a critical assessment, with both the short-term and long-term effects in mind. Particularly in times of crisis, it's important to regard the importance of fundamental rights and safeguard our democratic, free society and the rule of law. The DPA has an essential role to play.