The Tracking Apps Have Arrived: COVID-19 Brings Changes And Controversy To EU Privacy Philosophy

The EU and its Member States are promoting COVID-19 contact tracking or ‘tracing” apps as one of the main measures for exiting the lockdown in the next period.

In March’s EU Policy Update we shared a version of the above map available from Wikimedia. This updated map shows coronavirus outbreak density across Europe as of April 30, 2020. Maps like this use data aggregated from multiple health organizations …

In March’s EU Policy Update we shared a version of the above map available from Wikimedia. This updated map shows coronavirus outbreak density across Europe as of April 30, 2020. Maps like this use data aggregated from multiple health organizations and are enabled by developers like you. More information can be found here.

Small Business And Startup Pandemic Relief 

Governments and the EU continue to announce support measures for businesses, as part of the measures for economic recovery from the COVID-19 crisis. An updated overview of the support measures for startups across Europe can be found here. Additionally, all the funding calls launched by the Digital European Hubs related to COVID-19 are listed on the community webpage. 

Portuguese Announces €25m Safeguard For Tech Ecosystem

The latest example of such measures are those announced by the Portuguese government, which has announced a new package of measures worth €25m euros in an attempt to safeguard the country’s tech and startup ecosystem.

UK Looks To The Future With A Fund

The UK Government has announced the Future Fund, a new plan to issue convertible loans to innovative companies who are facing difficulties finding financing due to the Coronavirus outbreak. The plan will initially be open until the end of September 2020, with the possibility of an extension. The UK government is looking to invest between £125,000 and £5m in qualifying startups in the form of a convertible loan. This means that the debt will convert to equity at a discount in the next funding round. The government money will only be invested alongside private money. Additionally, only startups with a solid commercial (that have already raised £250,000 from investors over the past five years) will qualify. 

European Investment Fund And Commission Launch 

On April 8th, the European Commission launched ESCALAR (European Scale-up Action for Risk capital), a new investment approach, developed together with the European Investment Fund (EIF). The objective is “…to support venture capital and growth financing for promising companies, enabling them to scale up in Europe and help reinforce Europe’s economic and technological sovereignty.

In the release announcing the launch of ESCALAR, Thierry Breton, Commissioner for Internal Market stated, 

Commission is deploying all tools at its disposal to help companies overcome the coronavirus crisis. Today, we are strengthening our support to the many promising European companies to ensure they can continue to develop and grow in Europe. With ESCALAR, we are helping unlock significant additional private investments to support the creation of tomorrow’s market leaders.

EIF Chief Executive Alain Godar also added

Scale-ups need to find growth finance to take their businesses to the next level. ­­ By improving the financing environment, more EU scale-ups may choose to stay in Europe to continue their growth, which is even more crucial now in this time of crisis, when growth companies may need additional support from their investors. The ESCALAR Pilot can help the funds themselves to scale up, resulting in larger fund sizes, thereby supporting the EU’s late-stage venture capital and growth-focused fund ecosystems.

If you don’t speak Spanish, you may not recognize the wordplay deployed but the Commission and EIF. In Spanish, escalar is a verb meaning  “to climb.” More info can also be found on the EIF’s website here

European Commission Launches “European Startups”

The European Commission has supported the launch of a European startups platform. Positioned as a resource for policymakers, investors, journalists, and researchers as well as startup founders and their employees, the platform’s mission is “…providing macro-level trends and trusted insights for data-driven policymaking, supported by the European Commission. Our mission is to facilitate an informed conversation about what it takes to bring Europe’s startup economy to the next level through online data, research, and offline events.

The platform’s website also specifically notes the EU’s “gap” behind such Silicon Valley and China in technology leadership. The European Commission believes closing that gap “…requires a trusted and easily accessible source of intelligence that maps the whole of the EU’s tech ecosystem.

COVID-19 Hackathons

In This Corner… It’s The EUvsVirus Hackathon

The European Commission organized EUvsVirus Hackathon, a three days pan-European hackathon,  “to connect civil society, innovators, partners, and buyers across Europe to develop innovative solutions to overcome coronavirus-related challenges.” 

Hacking Plus Ultra 

The global online UltraHack “Data against COVID-19”, from 1 to 3 May, will offer the chance for up to 15 teams of students, entrepreneurs, start-ups, scale-ups, SMEs and corporates to win a total of € 15,000. The organizer, EIT Digital, could additionally consider “substantial financial support” for teams’ follow-up activities, for a period of 6 months, to fully develop and deploy their solution.

Scientists Of The World Unite! 

For you scientists out there, the European Commission has launched a data-sharing service, the COVID-18 Data Portal. The portal is for scientists to publish their coronavirus studies to “…enable the rapid collection and sharing of available research data.

Contact Tracking… And Privacy

The Parliament Resolution

On April 17, the European Parliament issued a resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences. It demanded, “…that the Commission and Member States
are fully transparent on the functioning of contact-tracing apps so that people can verify both the underlying protocol for security and privacy, and check the code itself to see whether the application functions as the authorities are claiming; recommends that sunset clauses are set and the principles of data protection by design and data minimisation are fully observed.

Tools For Everyone, Courtesy Of The Commission

The European Commission fully recognizes the role of technology in tackling the coronavirus crisis and its effects. It stepped in and, on April 8th, published a Common Union Toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data and guidance on the development of new apps that support the fight against coronavirus in relation to data protection.

Commissioner Thierry Breton Looks To CEOs For Respect Of EU Values And Efficiency

After the announcement of the Apple|Google COVID-19 contact tracing common project, the Internal Market Commissioner Thierry Breton held video meetings with both Google and Apple’s CEOs. He emphasized that “tracking apps development and interoperability need to fully respect the EU’s values and privacy”. He also had a video meeting with YouTube’s CEO, Susan Wojcicki, “on the platform’s initiatives to promote responsible behaviour during the coronavirus crisis and prevent Internet congestion”. The Commissioner’s intervention occurred in the context of certain government’s requests for easing the rules and technical obstacles that are delaying the deployment of their tracking applications. France, in particular, insisted that Apple’s iOS prevents contact-tracing apps using Bluetooth technology from running constantly in the background if that data is going to be moved off of the device. It is to be noted that this limit is designed to protect users’ privacy.

The EDPS And The EDPB Issue Letters And Guidelines

The European Data Protection Supervisor (EDPS) was among the first to comment and sent an open letter to the European Commission. Then, the European Data Protection Board (EDPB) issued its Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. The recommendation for the governments that are opting for a centralized approach is to ensure that data processed in the cloud should be kept to the “bare minimum.” Also, EDPB underlined that apps’ source code be made publicly available and that data protection impact assessments be carried out before the apps are adopted.

The Dutch Draw The Line On Privacy

The Dutch data protection authority said that it’s ‘not possible’ to anonymize telecom location data. The Dutch government held a hackathon, but afterward, the data protection authority and the government’s main lawyer stated that none of the projects were able to demonstrate that their apps would respect privacy adequately. On top of that, news broke that one of the apps, a candidate for Belgium too, had already suffered a data breach.

UK Moves Forward With “Large Scale” Tracking

The UK Biometrics Commissioner issued a statement on the use of symptom tracking applications, digital contact tracing applications, and digital immunity certificates. Against all warnings, the U.K. government is determined to introduce contact tracing on a “large scale”. 

The Irish Data Protection Commission Leaves Note  

The Irish Data Protection Commission has published a report on cookies and tracking technologies, accompanied by a Guidance Note.  The Report presents the results of an investigation conducted between August – December 2019, on 38 websites. The main conclusion of the Irish DPA is that “all of the sites continue to have compliance issues, ranging from minor to serious.”

To Centralize or Decentralize. That Is The Question.

There’s a fierce debate around the main European solution developed by a consortium of researchers and experts, the  Privacy-Preserving Proximity Tracing (PEPP-PT) and a decentralized solution, called DP-3T, which was initially part of the PEPP-PT project and was later excluded. The story of the dispute between the developers of these solutions is making the headlines in Europe and beyond. The debate is interlinked with concerns related to the risk of mass surveillance conducted by governments.

Global Scientists Plea For Decentralized Contact Tracing

A Joint Statement on Contact Tracing signed by over 300 scientists and researchers from 25 countries made a plea in favor of the decentralized app model.

A group of six German organisations, including the hacker collective Chaos Computer Club, sent an open letter to the Head of Chancellery, Helge Braun, asking to re-evaluate the government plans for a contact tracking app. They insist that such apps “must be based on a transparent concept, available as open-source, avoid storing data centrally and protect the anonymity of users as good as possible”.

Germany Moves For Decentralization

A joint statement of the Chancellery Minister Helge Braun and Health Minister Jens Spahn, on April 26th, indicated that Germany would, in the end, adopt a “decentralised” approach. Two days later, the Government announced that Deutsche Telekom and SAP will be the main parties involved in the development of the app.

Renew Organizes Webinar Between Regulators And Experts

There are plenty of online conversations these days in Europe on COVID-19 contact tracing applications. If interested, our suggestion is a very interesting and informative webinar, which was recently organized by the Renew political group of the European Parliament. Besides policymakers and regulators, experts in the field of health, technology, and privacy, including representatives of Google and Apple, discussed the practical and privacy aspects of using such apps. It pretty much summarizes all the issues and responses of both public and private relevant actors. 

Researchers Look To Test Tracking App Effectiveness

A group of European researchers developed a project to test the effectiveness of contact-tracing apps, ASSOCC – Agent-based Social Simulation of the Coronavirus Crisis. They provide “a tool to experiment and evaluate possible interventions and their combined effects”, with the aim “to help explore possible different paths ahead of this pandemic”.

Ada Lovelace Sees “No Evidence” To Deploy Contact Tracing

The Ada Lovelace Institute in the UK published a review of evidence on the technical considerations and societal implications of using technology to transition from the COVID-19 crisis, which concludes that “there is no evidence to support the immediate deployment of digital contact tracing or immunity certification”.

Port Of Antwerp To Track Workers

In Belgium, the Antwerp port is testing a tracking solution developed by a local technology company, using wristbands to ensure social distancing for their workers. 

Commission Requests Data On COVID Scams From Online Platforms

The EU Commissioner for Justice (rule of law and consumer protection), Didier Reynders, has sent another letter to large online platforms, like Amazon, Facebook, Google, eBay or Rakuten, asking them to send to the Commission “regular updates on measures to combat COVID-19 scams, which can help “to quantify issues at stake & develop further advice for EU consumers.”

France’s Top Data Regulator Wants To Know How You Feel About Kids Online

Finally, while not contact tracing, but impactful privacy policy, the French data protection regulator is seeking the public’s views on kid’s rights online. The deadline for contributions is June 1st.


Europe Wants To Put Labels On AI 

A group of German researchers and standardization experts has released a detailed proposal for labeling the “trustworthiness” of AI systems, similarly with the eco-labeling on washing-machines. Instead of assessing how much energy a washing machine uses or how much noise it makes, an AI label would rank the trustworthiness of AI technology in six categories including justice, environmental sustainability, accountability, transparency, privacy, and reliability. This proposal complements the vision of the German Data Ethics Commission on the five-layered control system for all algorithmic systems, on which we previously took a critical position. 

European Commission Wants Your Thoughts On The German AI Labeling Proposal 

The German AI labeling proposal seems to be highly appreciated in the context of future regulations to be proposed at the EU level, which is going in the direction of the risk-based approach. The European Commission wants to hear from AI developers and deployers on its proposals to regulate AI contained in the White Paper on AI. The deadline for the consultation was extended until 14 June 2020  (midnight Brussels time). Whether you are contributing or not to the EU consultation, please let us know your thoughts on this and especially your concerns on how this kind of rules might affect your work.


Bad Actors Impact
Heightened During Crisis

The Prague Airport and Czech hospitals were targeted by cyberattacks on their IT networks, confirming warnings by the national cybersecurity watchdog of likely attempts to harm the country’s infrastructure. Early in the month, the WHO (headquartered in Geneva) also reported that hackers under the direction of the Iranian government attempted to gain access to official’s email accounts. The US has also shown concerns about cyber threats like these during the pandemic. In mid-March, the US HHS (Department Of Health and Human Services) was hit by such an incident. 

New ENISA Tools Look To Map And Bolster International Security Standards

The EU Agency for Cybersecurity (ENISA) published a tool to map international security standards to interdependencies indicators contributing to the NIS Directive (Article 3). The objective of the NIS itself is to establish a common and converged level of security in network and information systems for the EU. ENISA states that:

By using this tool, security experts may:

  1. Describe the interdependencies among OES and DSP in a straightforward  and comprehensive manner;

  2. Easily identify risk assessment practices for the evaluation of the potential impact of interdependencies;

  3. Define good practices for assessing interdependencies stemming from international standards and frameworks.

CERT-EU Gives Cyber Guidance

The Computer Emergency Response Team for the EU Institutions, bodies, and agencies (CERT-EU) has also issued Cyber Security Guidance in the context of the coronavirus outbreak.

Avatar photo

By Karina Nimară

Director of EU Policy and Head of Brussels Office - Karina previously served as Legal Advisor and Internal Market attaché at the Permanent Representation of Romania to the EU. Prior to her work with the Romanian diplomatic mission, Karina spent ten years in European Union affairs within the Romanian Government. While there she coordinated, inter alia, the process for transposition and implementation of EU legislation. Karina holds a law degree and specializes in EU law and policies. Based in the Alliance’s Brussels office, she's a tech enthusiast, enjoying the dawn of the Age of Artificial Intelligence. Other than robots, she's fascinated with cats and owls.

Related Content

Developers Alliance Joins Call for EU Policymakers to Swiftly Adopt the Extension of the Interim ePrivacy Derogation

Developers Alliance Joins Call for EU Policymakers to Swiftly Adopt the Extension of the Interim ePrivacy Derogation

Developers Alliance’s Reaction to the Political Agreement on the New EU Law on Liability for Defective Products

Developers Alliance’s Reaction to the Political Agreement on the New EU Law on Liability for Defective Products

A Busy Regulatory End of the Year in Europe 

A Busy Regulatory End of the Year in Europe 

Join the Alliance. Protect your interests.

©2020 Developers Alliance All Rights Reserved.