A lack of trust in contact tracing apps has been one of the principal reasons for the technology’s relative failure in the European Union. Privacy fears have dissuaded many from using them and their effect in fighting the pandemic has been minimal – they have only been able to track 5% of cases in Europe. 

Yet are privacy fears really justified? No, they are not. The vast majority of European apps guarantee that data remains in the mobile phones of its users at all times and that users remain anonymous. In other words: even if they wanted to, governments would not be able to access the private information of their citizens.

They are also unable to track movement, as track and trace apps do not use GPS but Bluetooth – each app generates a random daily code that serves to identify the mobile it comes into contact with, keeping contact registered. 

Curiously, data collection was the first cause of friction between Member States when trying to come to a consensus on how to develop these apps and the dearth of clear communication around the apps’ functioning or a general lack of trust in governments meant that many citizens were concerned about its implementation. 

A European protocol was hamstrung from within

China fired the starting pistol on contact tracing when it brought out its ‘health codes’ in February 2020. Developed by Alibaba and Tencent, this technology monitored movements and symptoms reported by users, assigning them a red, yellow or green code based on how close they had come into contact with the virus. The app was a success but came at a cost to the privacy of Chinese citizens, who saw the state keeping information such as their location, their contacts and their health. 

Europe began to realise the need to develop an app of their own only a month later , just as it began to lose the battle against the virus. Privacy and digital rights were much higher up the agenda. From the beginning, the debate was centred on how to collect and store data. 

There were two models suggested: the centralised model and the decentralised model. The centralised model would hold information away from users’ mobile phones in servers controlled by the state and app developers. This option presented greater risks in terms of personal data leaks though it would also afford epidemiologists greater information on the evolution of the pandemic and combine digital tracing with manual tracing. Germany and France were in favour of this system. 

The decentralised model proposed that data should be stored locally in telephones and that it should only be shared with authorities if the user wished to notify them that they had the virus. The decentralised model also did not breach General Data Protection Regulation, a plus point that tipped the balance in its favour. 

Therefore, on 3rd April 2020, a consortium made up of different European academic and research organisations published the DP3T Protocol , a document that paved the way for a “secure and decentralised contact tracing system that maintains user privacy”.

Its authors were, in reality, a spin-off from a much larger consortium formed of 130 specialists from Austria, Belgium, Denmark, France, Germany, Italy, Switzerland and Spain who were unable to agree on which data collection system to adopt, known as PEPP-PT . Therefore, the first attempt at a unified European protocol was broken, feeble and soon Apple and Google would deliver a hammer blow. 

Big tech takes the reins

Only a few days later, it became clear that by the end of May we would see Google/Apple’s Exposure Notification System , better known as GAEN, “a joint venture by Apple and Google to provide the principal functionality for Android apps to alert users to a possible exposure to confirmed cases of Covid-19”. Similar to DP3T, GAEN allowed for a more efficient app, with direct access to their operating system. 

Soon Austria, Switzerland and Germany took a side and announced that they would use the technology provided by Apple and Google. Countries were terrified of developing an app that would then have compatibility issues and appear outdated after arguing against the decentralised model. The United Kingdom, which decided to use a centralised app, also had to subsequently fix its own app and launch a second version using the GAEN model. 

The European Union, which was not able to coordinate app development due to its lack of powers over health and social care within Member States, was worried that it would be left with a mosaic of apps that were not interoperable and, therefore, encouraged Member States to adhere to the new proposal. 

France, which wanted to take control of data due to its concerns about sovereignty , was the big exception in the EU and continued with a model of centralised app that it finally implemented. Hungary also employed a centralised model to an extent, though Budapest initially negotiated the development of the app with a North Macedonian company that it no longer works with. 

Bulgaria also stands out, as it also accepted a proposal from a private company. In this case, however, Bulgaria focused on geolocalisation of cases rather than contact tracing with its ViruSafe app so that it could map out infection hotspots. As well as sharing your location – a voluntary act that was crucial to the correct working of the app – users had to enter personal data such as age and pre-existing conditions. All this, combined with the fact that the Bulgarian government were allowed to share personal data with “authorised authorities ” without specifying which authorities these were, meant that there was little public trust in ViruSafe. 

From a unified protocol to European homogenisation 

Months afterwards in October 2020, when most European capitals had developed their own contact tracing apps, the European Commission launched its initiative to homogenise technologies developed at a national level: the European bridge to interoperability, which allowed apps to register contacts between any European user irrespective of national borders. Member States were generally in favour of it  – except for France, of course. 

In order to bake in data protection rights, Brussels also made it a requirement that the apps only keep contact data for fourteen days . 

Thus the data of millions of European citizens who responded to the call to download the app en masse now stayed on their mobiles. Even when notifying of a positive test or if that positive test was stored on a centralised server, the private information would remain private thanks to data protection standards that apply to the European Commission as much as they do to Apple and Google. 

In other countries, users are not so well-protected, like in Singapore, where the government made data collected through contact tracing available to the police . And in the European Union, the current reticence of its citizens to use these apps contrasts with the ease with which they surrender their data to private companies  – during the entire pandemic Google has published detailed information on community movement . 

Meanwhile, in the public sector, the debate around data protection divided Member States and probably delayed the introduction of these apps, though this hesitancy did put one thing above all others: the right of all Europeans to privacy.