While the numbers of infected and vaccinated persons are on the rise, we wonder why the Republic of Serbia still lacks the smartphone application for tracing contacts with infected persons.
The launching of this application entitled “Covtakt” was announced in August 2020 and its commissioning was expected soon after. However, this did not happen, while the public was left to wonder whether the launching was given up or it was simply delayed.
According to the Oxford University research, digital contact tracing could slow or even stop coronavirus transmission. The first applications for contact tracing and citizen warning were available in the first months of the pandemic and they were aimed at protection of citizens’ health, while also serving as an important tool for crisis management and planning of epidemiologic measures.
The application of new technologies for health purposes is no novelty, but privacy risks that are by default entailed by application of such technologies are no novelty either. This is why these applications need to fulfil strict requirements with regard to personal data protection, particularly having in mind that the health information are considered as special types of personal data in terms of Article 54 of the Law on Personal Data Protection and their processing is only exceptionally permitted.
What do we know about Covtakt app?
Just like in other cases, Covtakt was technically developed by the state, i.e. the Office for Information Technologies and eGovernment of the Government of Serbia. As announced, the data controller would in this particular case be the Institute for Public Health Batut.
Fundamental principles that the app should be based upon are voluntary nature – which means that its application is not mandatory i.e. anyone can choose to install it on their phone and delete it at any moment, and solidarity – which means that the success of the app depends on citizens’ readiness to install it, since it requires that more than 60% of population uses it to be worthwhile.
The application is designed to work on basis of Bluetooth technology instead of tracking the phone location. If two persons who installed the application were in contact for more than 15 minutes, the application will notify them if any of them is infected with the coronavirus in the following 14 days and register that information in the application. The identity of the infected person would not be disclosed to the receiver of notification, which is certainly a good solution because such information is not necessary for achieving the contact tracing purpose.
Based on the above, one could say that Covtakt was developed, at least in part, in accordance with the European Commission recommendations enacted back in April 2020, which are based on the following principles:
- Installation and use of contact tracing and warning applications should be exclusively voluntary;
- The principle of data minimization – only the data necessary for service provision shall be collected and nothing more than that;
- The applications should use proximity data on basis of Bluetooth technology;
- The tracing app should not require or use location information;
- Contact tracing applications should not trace moving of persons;
- Data should not be stored longer than necessary – 14 days;
- Data should be protected by state-of-the-art techniques, including encryption;
- The apps should be deactivated as soon as the pandemic is over.
What we still don’t know about Covtakt is whether the data protection impact assessment has been implemented or planned, considering that it is mandatory for processing of special types of data by virtue of Article 54, para. 4, item 2) of the Law on Personal Data Protection.
Data collected through contact tracing apps being used for other purposes – the example of Singapore
Singapore was among the first states to start using the contact-tracing apps. “TraceTogether” is the app installed and used by 80% of Singapore population of around 6 million people.
Although it was initially announced that the data would be used exclusively for fight against coronavirus, at the beginning of January 2021 a news was published claiming that police can access the data collected through the app and that such data were used for investigating [at least] one murder.
Naturally, such actions caused concerns about citizens’ privacy, however Singapore did not give up the use of data in police investigations. Soon afterwards, it was decided that the data collected through this app can be used for investigating several serious crimes, including strict penalties for unauthorised use of data. It remains to be seen how the state would abide by the new self-imposed limitations, like the first ones it enacted.
(Ab)use of data and their processing for other purposes by responsible authorities should not represent grounds for not using the new technologies for allowed purposes in the future, however it does signal a need for stricter control of application of personal data protection rules and a need for active role of independent supervisory authority in the field of personal data protection.
This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.
By Ivana Ruzicic, Managing Partner, PR Legal