In early April, the Robert Koch Institute, which is a Federal Institute on behalf of the Federal Ministry of Health, released a COVID-19-App (the “App”). The purpose of the App is to help the Government understand the spread of the virus geographically based on the likelihood of COVID-19 symptoms experienced by App users, and to better estimate the possible number of undetected COVID-19 infections.
A detailed Q&A was made available to users. Interestingly, the App is called “Corona Data Donation App” to emphasize that data is given freely by users.
The App collects data from fitness watches worn by users. Collected data includes level of activity (e.g., sleep, sport, etc.) and health data (e.g., heartrate, temperature and blood pressure). In addition, users are requested to indicate their age, weight, height, gender and postal code. The combination of the data is used to detect potential COVID-19 symptoms by using novel algorithms. Even mild cases of COVID-19 infections can, under certain circumstances, influence sleep and activity levels or an individual’s resting heartrate. The postal code of users is used to attribute the results of the analysis to a geographical area.
The App only enables the transmission of data to the Robert Koch Institute. No further data is collected.
Pseudonymous or Anonymous Data?
When installing the COVID-19-App, users are asked to consent to the processing of their personal data. Once consent is given and the App is installed, a user ID is attributed to the user. The user then specifies the manufacturer of their fitness-watch. A pseudonymous token is subsequently created by the manufacturer of the fitness watch, enabling data retrieval.
The data processed by the App is therefore not anonymous, but pseudonymous. Pseudonymization is the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information (Art. 4 no. 5 of the General Data Protection Regulation, “GDPR”). Anonymous information, on the other hand, is information which does not relate to an identified or identifiable natural person (Recital 26 of the GDPR). The user ID is thus a pseudonym because the user cannot be directly identified unless additional information (e.g., personal identifiers such as IP address, name, etc.) is provided. According to the Robert Koch Institute, using pseudonymous data is the only way to correctly assign and interpret data, even over longer periods of time. Indeed, it would be difficult to render the data processed by the App anonymous, given that the data is constantly being transferred to the Robert Koch Institute from the App. Nevertheless, the Robert Koch Institute does not collect direct personal information such as name or address at any time.
The distinction between pseudonymous and anonymous data is particularly relevant because the GDPR does not apply to anonymous information (Recital 26 of the GDPR). If it was possible to render the data processed by the App anonymous, the rules on the processing of data imposed by the GDPR would thus not apply.
Data is transmitted exclusively via TLS/SSL encrypted interfaces using a user’s individual pseudonym. The data is stored in a high-security data center in Germany certified to the highest standard (ISO27001).
The Robert Koch Institute works together with the service provider Thryve (mHealth Pioneers GmbH), with whom the App was developed. Thryve processes certain data exclusively on behalf of the Robert Koch Institute and under its supervision in accordance with the applicable data protection laws. In particular, agreements have been entered into with the service provider that meet the requirements of Art. 28 GDPR.
The App is completely free of advertising, as it is financed by the Robert Koch Institute. Data is not shared with any third parties.
Involvement of German Data Protection Authority
The Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für Den Datenschutz und die Informationsfreiheit) was involved in the development of the App, and announced that it would keep surveilling data processing through the App to determine whether the purpose of the App was being fulfilled.
Other Apps on the Horizon
European Member States, together with the Commission, are currently working on developing a toolbox for mobile applications in association with the European Data Protection Board (“EDPB”). The toolbox focuses on two dimensions:
- A pan-European coordinated approach for the use of mobile applications for empowering citizens to take effective and more targeted social distancing measures, and for warning, preventing and contact tracing; and
- A common approach for modeling and predicting the evolution of the virus through anonymized and aggregated mobile location data.
EDPB guidelines are expected soon in this regard.
While use of the App does not replace a medical examination, the App is an impressive attempt to tackle the difficult issue of undetected COVID-19 infections based on the substantive experience and scientific data held by the Robert Koch Institute. Now it is up to fitness watch users to decide to “donate” their data to contribute to the collective battle against COVID-19.
If you wish to receive periodic updates on this or other topics related to the pandemic, you can be added to our COVID-19 “Special Interest” mailing list by subscribing here. For any other legal questions related to this pandemic, please contact the Firm’s COVID-19 Core Response Team at FW-SIG-COVID-19-Core-Response-Team@mayerbrown.com.