What does COVID-19 reveal about our privacy engineering capabilities?

Thomas Zerdick, Head of Technology and Privacy

IPEN workshops bring together privacy experts and engineers from public authorities, industry, academia and civil society to discuss relevant challenges and developments for the technological implementation of data protection and privacy.


A public debate about the privacy and data protection characteristics about a wide spread IT system or application is not a frequent experience. In the past, such discussions came up mainly after some serious flaws were revealed, or after a sever security incident affected many people.

The public discussion about specific privacy features for a new application, which was only in the early phases of development, was a completely new phenomenon. This happened in the spring of 2020, when several groups of researchers spoke about possible privacy safeguards of Corona Tracing Apps, and their concerns and suggestions found a broad echo, even in general media.

At the time, the main focus of the public discussion was on an architectural choice, with different privacy implications: centralised or decentralised storage of the information about encounters between users of the app, to be used to accelerate and improve contact tracing, once one of the users had been tested positive for SARS-CoV2. Subsequently, the huge majority of contact tracing apps deployed at country level in the EU opted for the decentralised model. Nearly all of them decided to rely on a framework provided by the leading mobile OS providers, Google and Apple. The EDPS summarised the discussions and the technological options in its TechDispatch 1/2020.

For an IPEN webinar - which took place about six months after the public debate on contact tracing architectures and protocols, and four months after the roll-out of the first apps - we wanted to explore how privacy engineering has found its place in the development of these apps and whether the promoted approach has affected the state of the art in data protection by design and default. Was the development of corona tracing apps a major breakthrough for the implementation of technological safeguards and privacy controls? Did developers find privacy engineering methods and tools sufficiently mature to address all the issues they became aware of? Were data protection authorities (DPA) satisfied with the solutions the developers implemented? Which of the potential data protection risks could be addressed properly and where did significant risks remain without appropriate response?

At the webinar, we heard developers who had worked on the apps in Switzerland, Italy and Portugal, and colleagues from the data protection supervisory authorities in Norway, the Netherlands and Portugal. The European Commission offered information about a project to allow interchange of exposure information across borders between participating EU Member States, the necessary connection between a shared exposure notification framework and national infrastructures for distributing information on individual tests.

The presentations by the developers illustrated that the choice of an architecture that favours the control of individuals over their personal data is an important step to protect this data, but it is only one step, and many others are needed. Among the risks that developers were aiming to address is traffic analysis: if only mobile apps for which a positive test result is recorded provide uploads to the central database, observing which mobile devices send such updates would reveal which users have a positive test result. In addition, the practical implementation of the decentralised architecture requires many design decisions, which can affect the actual protection of users.

We also learned that the data protection authorities were not always satisfied with the technical solutions presented to them. Some countries had started with approaches that did not pay sufficient attention to the risks to individuals’ rights, and the DPA had to intervene so that a better development path was chosen. Also in other cases, DPAs were not always fully satisfied with the risk assessment and the mitigation approaches chosen by the developers, and were advocating for stronger and more effective measures.

All in all, it appears that the webinar allowed us to get an informative snapshot on the state of privacy engineering in a very high profile, risk-loaded case. It is encouraging to see that developers are indeed capable of paying attention to privacy risks and rights of individuals, but at the same time, there are immense challenges to develop science and practice of privacy engineering. Data protection authorities appeared to be willing and prepared to enforce the controllers’ obligations to data protection by design and by default, while further harmonisation and capacity building will require additional efforts.

The webinar focused on the technological issues and did not aim to discuss contact tracing as an epidemiological tool as such, as well as the wider use of information technology for public health. Of course, all related questions were present in the minds of participants, and reflected in the discussion at the event. Addressing these questions will be an objective for future events. The EDPS is working together with other DPAs and EU institutions, and will keep organising public events on such issues.

Outside of our webinar, the discussion about Corona tracing apps keeps going on, and a new phase has begun, as the second wave of infections has apparently not been stopped by the app. While clearly some of the expectations of the apps were exaggerated and impossible to match in reality, their effectiveness may be improved. Those demanding “less data protection” in future apps are clearly going in the wrong direction. From all reactions, it appears that the biggest inhibitor to wide uptake and use of tracing apps is the lack of trust in their confidentiality. Further undermining this trust will have a negative effect. On the contrary, improving the privacy features and increasing transparency about the risks and benefits of the apps may help to make them more useful in the coming months, in which it will still be necessary to identify and break the chain of infection.

We will continue to follow the development of privacy engineering in this and other domains, and we will work with our colleagues from other data protection authorities, as well as researchers and developers to observe the progress in the state of the art of data protection by default and by design. The recently published EDPB guidelines provide another benchmark, but there is still some way to go.

The video recordings and speakers' presentations are available for each session on the IPEN webpage.