31. May 2021
At the end of April, the new iOS update 14.5 was released. With the update comes the new App Tracing Transperency (ATT) feature.
The changes are intended to reduce unauthorized tracking and increase user awareness of digital privacy rights. With the new feature, users will receive push notifications asking for permission for the identifier for advertisers (IDFA) and thus for activity tracking. App developers have been able to use the identifier (IDFA) and other information to create detailed tracks of how users use their devices, including in other apps and on the web. Users must now actively give permission for apps to track their activities and sell their personal data, which includes information such as age, location, spending habits and health information to advertisers. As a result, apps can no longer track behavior across other apps installed on the device without permission. However, activity within an app can still be performed without authorization. The new feature can be enabled or disabled via “Settings” since the update. If apps do not meet the new transparency standards, they will be removed from the App Store, according to Apple.
Apple celebrates the new features as a success for data protection. Criticism from app operators, which are mainly funded by advertising revenue, followed immediately. Assuming that many users will not consent to tracking, they accuse Apple of making it difficult for companies to continue their targeted advertising. Small companies in particular would be affected. But Internet giants like Facebook will also suffer significant losses without personalized advertising.
However, what can be seen as a step in the right direction in terms of data protection, also raises antitrust concerns. This is because Apple does not use the new privacy features for its own apps, but only for third-party apps. German business groups already filed an antitrust complaint against Apple.
23. June 2020
In another update about contact tracing apps, we are going to talk about the new path of contact tracing in the United Kingdom (UK), as well as the European Data Protection Board’s (EDPB) statement in regards to the cross-border interoperability of the contact tracing apps being deployed in the European Union.
UK Contact Tracing App Update
Since starting the field tests on the NHS COVID-19 App on the Isle of Wight, the UK government has decided to change their approach towards the contact tracing model. It has been decided to abandon the centralized app model in favour of the decentralized Google/Apple alternative.
The change was brought on by technical issues and privacy challenges which surfaced during the trial period on the Isle of Wight, and in the end were direct consequences of the centralized model and important enough to motivate the change of approach.
The technical problems included issues with the background Bluetooth access, as well as operation problems in the light of cross-border interoperability. Further, the data protection risks of mission creep and a lack of transparency only urged on the of the app.
The new model is widely used throughout the European Union, and provides more data protection as well as better technical support. The only deficit in comparison with the centralized model is the lesser access to data by epidemiologists, which seems to be a trade off that the UK government is willing to take for the increase in data protection and technical compatibility.
EDPB statement on cross-border interoperability
On June 17th, 2020, the EDPB has released a statement with regards to the cross-border interoperability of contact tracing apps. The statement builds on the EDPB Guideline from 04/2020 with regards to data protection aspects of contact tracing apps, emphasising the importance of the issues presented.
The statement stems from an agreement between EU-Member states and the European Commission formed in May 2020 with regards to the basic guidelines for cross-border interoperability of contact tracing apps, as well as the newly settled technical specs for the achievement of such an interoperability.
The EDPB states key aspects that have to be kept in mind during the entirety of the project, namely transparency, legal basis, controllership, data subject’s rights, as well as data retention and minimisation rules.
Further, the statement emphasises that the sharing of data about individuals which have been diagnosed or tested positively should only be triggered by a voluntary action of the users themselves. In the end, the goal of interoperability should not be used as an argument to extend the collection of personal data further than necessary.
Overall, this type of sharing of personal data can pose an increased data protection risk to the personal data of the users, which is why it needs to be made sure that the principles set down by the GDPR are being upheld, and made sure that there is no less intrusive method to be used in the matter.