Data Protection Impact Assessment for the Corona App
Since SARS-CoV-2 started spreading in Europe in early 2020, there has been a
strong call for technical solutions to combat or contain the pandemic, with
contact tracing apps at the heart of the debates. The EU's General Data
Protection Regulation (GDPR) requires controllers to carry out a data
protection impact assessment (DPIA) where their data processing is likely to
result in a high risk to the rights and freedoms (Art. 35 GDPR). A DPIA is a
structured risk analysis that identifies and evaluates possible consequences of
data processing relevant to fundamental rights and describes the measures
envisaged to address these risks or expresses the inability to do so. Based on
the Standard Data Protection Model (SDM), we present a scientific DPIA which
thoroughly examines three published contact tracing app designs that are
considered to be the most "privacy-friendly": PEPP-PT, DP-3T and a concept
summarized by Chaos Computer Club member Linus Neumann, all of which process
personal health data. The DPIA starts with an analysis of the processing
context and some expected use cases. Then, the processing activities are
described by defining a realistic processing purpose. This is followed by the
legal assessment and threshold analysis. Finally, we analyse the weak points,
the risks and determine appropriate protective measures. We show that even
decentralized implementations involve numerous serious weaknesses and risks.
Legally, consent is unfit as a legal ground, hence data must be processed on the
basis of a law. We also found that measures to realize the rights of data subjects and
affected people are not sufficient. Last but not least, we show that
anonymization must be understood as a continuous process, which aims at
separating the personal reference and is based on a mix of legal,
organizational and technical measures. All currently available proposals lack
such an explicit separation process.

Comment: 97 pages, German version here: https://www.fiff.de/dsfa-coron