EU Quest for COVID-19 Apps, A Blow to GDPR and Digital Sovereignty
The COVID-19 crisis led to an acceleration of digital solutions to track and monitor the spread of the virus, including the rollout of contact tracing apps by various countries. Some saw in these efforts an opportunity for the EU to create its own homegrown infrastructure without having to cede its “digital sovereignty” to U.S. tech companies, while demonstrating that stringent privacy standards are a winning comparative advantage. Unfortunately, these attempts have fallen short and revealed that the EU’s own data protection and privacy rules are in fact working against its efforts to tackle the virus, calling into question its broader digital strategy.
EU countries wasted time and resources scrambling to build a homegrown platform for mobile contact tracing apps, before realizing they were better off working with non-EU tech providers. In April, a scientific community launched the Pan-European Privacy-Preserving Proximity Tracing platform (PEPP-PT), a coalition led by Germany’s Fraunhofer Heinrich Hertz Institute to create standards for the development of interoperable contact tracing apps that would be fully compliant with the EU’s data protection standards. Unfortunately, disappointment soon followed as the project failed to meet expectations. PEPP-PT quickly faced difficulties and controversies, caused by a significant lack of clarity around the project, and a centralized protocol which lacked transparency and would be susceptible to misuse. The consortium split, some of its members pulled out, and institutions initially supportive of PEPP-PT eventually abandoned it. Germany announced it would withdraw its support for PEPP-PT. The country is now backing Apple and Google’s partnership on Bluetooth APIs, whose coronavirus tracing technology offers a decentralized approach for data storage—in line with the European Commission’s expressed preferences.
In addition, EU countries’ attempts to build mobile contact tracing apps and use data to track the pandemic are constrained by their own actions. The EU’s stringent data protection rules, which restrict organizations from collecting, sharing and using data, have hampered the bloc’s response to the COVID-19 crisis. In addition, the GDPR has failed to increase consumer trust in Internet services, which will make it more difficult to convince Europeans to use mobile contact tracing tools. Finally, while European governments have accused U.S. tech companies of collecting too much data, they now realize this data can benefit the public. Indeed, in some cases, the private sector is now doing more to protect consumer data than European governments. For example, Apple and Google have refused calls from the UK’s National Health Service to modify features in their mobile operating systems designed to protect consumer privacy. And governments such as France and Germany have found themselves asking both companies to relax their privacy rules on contact tracing and to turn off privacy protections, going against years of EU rhetoric casting tech companies as the privacy villains and arguing that privacy is a fundamental human right.
The approach of some EU governments to contact tracing has reversed the privacy debate, and revealed that, after all, regulating privacy in Europe was at least in part about domesticating U.S. tech companies rather than about protecting consumers. What was once seen as intrusive, such as collecting location and health data, is now part of Europe’s containment plans to tackle COVID-19. As EU countries are tripping over their data protection shoelaces, the EU should realize that its rules are limiting its ability to develop the right infrastructure and are leading to increased fragmentation. What’s more, pontificating on digital sovereignty as a means to establish its independence from U.S. tech companies is counterproductive. Instead, Europe should focus on digital transformation by investing in the talent and technology necessary to emerge from the pandemic crisis more competitive and resilient, and with a regulatory environment that strikes a better balance between the individual benefits of privacy and the collective benefits of gathering and sharing data.