Abstract

Since SARS-CoV-2 started spreading in Europe in early 2020, there has been a strong call for technical solutions to combat or contain the pandemic, with contact tracing apps at the heart of the debates. The EU's General Data Protection Regulation (GDPR) requires controllers to carry out a data protection impact assessment (DPIA) where their data processing is likely to result in a high risk to rights and freedoms (Art. 35 GDPR). A DPIA is a structured risk analysis that identifies and evaluates, in advance, the possible consequences of data processing relevant to fundamental rights, and describes the measures envisaged to address these risks or expresses the inability to do so. Based on the Standard Data Protection Model (SDM), we present a scientific DPIA which thoroughly examines three published contact tracing app designs that are considered to be the most privacy-friendly: PEPP-PT, DP-3T and a concept summarized by CCC member Linus Neumann, all of which process personal health data. We show that even a decentralized architecture involves numerous serious weaknesses and risks, including larger ones left unaddressed. We also found that none of the proposed designs operates on anonymous data or ensures proper anonymization, that informed consent would not be a legitimate legal ground for the processing, that data subjects' rights are not sufficiently safeguarded, and that no design provides for sufficient purpose-binding.
