How can you find out more about the spread of the coronavirus in the population without spying on it? The Robert Koch Institute attempted this balancing act with its “Corona Data Donation” app. But has it succeeded? We asked the Hamburg data protection officer.
The approach is promising at first glance: the data is only collected from people who voluntarily install the app. So that the data cannot be clearly assigned to members of the population, the app is supposed to pseudonymize it, i.e. separate it from the person. To ensure that no conclusions about the person can be drawn from very personal data such as age, gender and height, the values are also rounded to five-point steps. This should make it possible to work with the data without being able to attribute it to anyone.
Highly sensitive data
But what about data protection? “If data is made available voluntarily, the design of the declaration of consent is crucial for data protection conformity,” explains Martin Schremm, spokesman for the Hamburg data protection officer. Since the Federal Data Protection Officer was involved in the development, it can be assumed that this was taken into account. However, the term “data donation” is annoying. After all, unlike with donations in kind, the donor retains the right to his data. “Among other things, the legally regulated right of withdrawal continues to ensure sovereignty with regard to data processing.”
The queried data is highly sensitive. In addition to personal information, the app also accesses fitness trackers and can, depending on the device, also call up pulse, sleep quality and even body temperature. Elsewhere, such data is in great demand. “There are many possible misuse scenarios for health data. In particular, in the event of a data leak or publication on the Internet, fitness data is also of interest to insurance companies, which could use it to determine risk-adjusted tariffs,” said the data protection experts. “The security of the data is therefore very important.”
Promise cannot be verified
It cannot be verified whether the data is really only stored in pseudonymous form, as promised by the RKI. “The source code of the app has not been made public. In this respect, at least from a technical point of view, it is not yet possible to make a clear statement about the Corona app.” Only if the methods used were transparent would Schremm personally make his data available. “With a view to the common good purpose, I would definitely consider that.”
Germans don’t have to worry about being forced to take part. “In Germany, there is currently no adequate legal basis for tracking people’s health or fitness data to determine suspected cases of infection,” the data protection experts say reassuringly. “In view of the constitutional principles, in particular proportionality, the creation of such a legal basis by the federal legislature seems hardly conceivable.”