Europe is failing on digital contact tracing. Why privacy is not the problem and what it could learn from East Asia.

Digital contact tracing is, in essence, a form of surveillance. Users’ social interactions are monitored to identify and isolate those that came into contact with infected individuals. In Europe, where data protection laws are among the strictest in the world, privacy concerns have pushed the EU to favour contact tracing apps based on anonymous proximity detection through Bluetooth technology over GPS systems that rely on localization data. This is a sound choice. Recording user location is not only redundant but also dangerous. Even when anonymized, GPS data can betray users’ address, workplace and even religious and social habits.

But on closer inspection, the EU’s approach to contact tracing apps lacks ambition. Fundamental issues such as whether to store data on centralised servers or directly on users’ phones are left to the Member States. Backers of the latter approach argue that it offers a higher standard of technical security. Apple and Google — who are working together to provide the interface on which the decentralised storage apps will run — claim that it is deliberately designed so that neither them nor the apps’ creators can identify users. However, centralised storage does not necessarily compromise privacy: data is anonymized and the retention of information can be limited to the period necessary to contact tracing (generally 14 days). Above all, only centralised storage allows public health authorities to perform aggregated data analysis, which can be useful in anticipating new outbreaks.

Regardless of the pros and cons of each approach, the choice over where to store users data should be done according to the public interest. In this respect, it is striking that Germany’s and Italy’s decision to give up on centralised storage appears to be driven mainly by technical failures, as well as by Apple’s refusal to allow the centralised storage apps to transmit Bluetooth signals while running in the background (which would make the apps useless unless they are always kept active on screen). France and the UK, who remain committed to the centralised approach, are facing similar challenges and risk having to sacrifice the interoperability of their systems with those of the countries following the now prevailing Apple-Google standard.

Thanks to their technical know-how and dominant market positions, the tech giants can thus impose their own design of contact tracing apps, even at the cost of sacrificing functionalities useful in fighting against the epidemic. Large European countries who had initially opted for centralised storage, are progressively abandoning this solution because they can’t implement it without the assistance of Big Tech. The issue at stake, then, is not how to balance privacy and data security with public health. Anonymized data analysis for public interest purposes is perfectly compliant with European laws on data protection (the GDPR). The real problem is that European governments seem to lack the legal tools and the technical ability to impose their decisions on contact tracing, and on the use of digital tools to foster the public good at large.

In East Asia, governments have been more assertive in advancing the national interest in the digital sphere during the COVID-19 health crisis. China, in particular, is often cited as the extreme case of government use of personal data. Thanks to strides in digital identity, integration of databases, and e-payments, the Chinese contact tracing apps can integrate information from the public sector (including national mobile carriers and the transportation grid), with location and consumer data fed by Tencent and Alibaba. But the role of these two tech giants is not merely that of being a data collector for the government. They are also functional in developing the technical tools and software interface required to make contact tracing work in practice. The Chinese “Health Codes” were indeed developed at the local level by Alibaba and Tencent under the supervision of provincial authorities, and then successively integrated into a nationwide system controlled by the central government. In China, the government can thus marshall the technical know-how and market resources of Big Tech to deliver important public goods, and it can do so on its own terms.

Of course, the Chinese contact tracing system is part of a much wider effort of data gathering by the government that offers little safeguards to users’ privacy, and that can be abused to restrict civil liberties. However, a greater role of the state in cyber governance doesn’t have to rhyme with authoritarianism. Other Asian countries offer stronger guarantees in terms of data protection but don’t shy from using data, including those gathered by private actors, when the public interest is at stake.

In South Korea, the government’s power to use e-payment and localization data to track new cases or to enforce quarantine measures is strictly regulated by emergency laws. Furthermore, the democratic process provides a layer of legitimacy to any temporary curtailment of individual rights. Nonetheless, this has not prevented the Korean government from using digital tools (some no less intrusive than those used in China) to fight the COVID-19 epidemic. The Korean Centre for Disease Control can access mobile phone records, credit card payments and CCTV camera footage to trace contacts. Furthermore, quarantined individuals are monitored with a mandatory app and their location and identity can be disclosed to the public.

In Europe, digital contact tracing is one of the first attempts to add data analysis to the public policy toolbox. The fact that countries such as Germany and Italy gave up on centralised data storage because they couldn’t get the tech giants on board, has implications stretching far beyond privacy. It is a choice that could be weighed in terms of our ability to enjoy again other constitutional rights, including freedom of movement and freedom of assembly. Given the importance of this decision, it is one that should not be determined by private actors but left to the institutions that enjoy the democratic legitimacy to act in the public interest. In Europe, the question is whether these institutions are still capable of doing so.