"It is in our hands, our responsibility": The President of the Robert Koch Institute ("RKI") Lothar Wieler is optimistic about preventing a second Corona wave. However, returning to normal life is only possible to the extent the health of everyone can be assured. The "Corona App" is supposed to provide part of the solution by warning its users after coming into contact with infected persons. The official Corona Warning App has already easily been downloaded 13 million times.  

How does the App function?

The App is based on a decentralized structure. A temporary user ID (so-called "RPI" – Rolling Proximity Identifier) is generated every few minutes and is communicated to devices nearby using Bluetooth as soon as two devices have been 1.5 meters or closer to each other for a relevant time period. The user ID is stored locally on the smartphone of the respective other user. In order to avoid the ability to trace a person, the key is newly generated every 10 to 20 minutes. Everything is also supposed to be encrypted for the purpose of security. If a person later tests positive, that person can voluntarily upload the locally stored user IDs to a central server. If the App of another user reports that one of the IDs identified during the regular reconciliation of the stored third party IDs has tested positive, the alarm is triggered.

The benefit: Contrary to using the previously discussed cell tower data, Bluetooth technology only covers the area immediately around the user and does not use sensitive location data. Furthermore, no clear names or telephone numbers are stored. The App accordingly does not store any data which would enable RKI or other users to determine the health status, identity or location of the user.  
However, some issues related to data protection law remain open.

The issue of the user's voluntary consent?

Health data such as information about the illness of a person with the Corona virus constitute a special category of personal data within the meaning of Art. 9 para. 1 General Data Protection Regulation ("GDPR") and can only be processed under the specific prerequisites in Art. 9 para. 2 GDPR. At the present time, data processing can only be based on consent of the users pursuant to Art. 9 para. 2 lit. a GDPR.  

The requirements for such a consent to be valid are set forth especially in Art. 7 GDPR, according to which the consent must be voluntarily granted. Voluntary, in turn, means that the data subject has determined in advance how the data subject will act. The user must accordingly be able to make a decision for or against using the App free of any external pressure. Whether this prerequisite is satisfied continues to be a subject of dispute because a certain pressure within society could in effect force the citizen into a situation in which the user feels an obligation to use the App. Even if such a line of argument is too remote in the view of some, in any event, lifting the prohibition on personal contact cannot be made dependent on using the App. In this situation, the citizens' freedom of movement would be made dependent on consent to data processing by the App, so that the requisite voluntary nature of the consent would no longer be assured. The same situation would apply if the App were made a prerequisite for participating in social activities, e.g. events.

Assuring the required transparency?

Furthermore, not all doubts about assuring the transparency of the data processing required under Art. 5 para. 1 lit. a GDPR have been eliminated.  
It must first be considered positive that the program code of the Corona Warning App is publicly accessible and that the Report on the Data Privacy Impact Assessment has been published, so that it is safe to assume that the requirement of transparency for the users and the public is satisfied.

However, the respective operating system in the smartphone is the platform for the App and lies outside the influence of the RKI. The Report on the Data Privacy Impact Assessment accordingly admits with regard to the Corona Warning App that Apple and Google, as the manufacturers of the operating systems, at least have a technical possibility to be able to link the data with other data by means of subsequent modifications (e.g. an advertising ID, Apple ID or a Google account). This inability of RKI to exercise influence at least leads to doubts about the requisite transparency.  

Conclusion

The current developments show that the discussion is no longer about "whether" there will be a Corona Warning App and instead only about the design and the "how" of the App. Although doubts about the voluntary nature of the consent and the required transparency of the App have not been able to be completely eliminated, it is safe to assume in general in the present time that the App will comply with data protection. The Chaos Computer Club ("CCC") has now also crowned the Corona Warning App and has no further objections.  

Tom Kleine Jäger
Frankfurt a.M.