Following the Covic-19 outbreak that started almost a year ago, governments decided to implement different public health restrictions to help fighting the spread of the virus. From the mandatory wearing of masks to the curfew that has been established in most European countries, these rules have not ceased to further expand. While these measures might have some beneficial outcomes, others argue that the sanitary crisis does not justify the suspension of our liberties. Now that these regulations have started to be lifted in some countries, the safety of this progressive removal has been accompanied by the emergence of new technologies under the form of contact tracing apps.[1] But what does this entail for our privacy?

First of all, it is important to explain the goal of these apps. Indeed, they were created with the aim to track and trace users that have been infected with the Coronavirus to inform via Bluetooth other users if they have been in contact with the person infected and guide them through the steps they might have to take.[2] Based on consent given by the users downloading the app, they are controlled by an anti-abuse clause that prohibits their mandatory use. Although the 7 selected apps do not require any name or personal information and claim to send random Bluetooth codes to operate anonymously, it is doubtful that their access to data entirely respects privacy laws. For instance, in 2020 already, privacy experts studied the different apps and deemed none of them compliant. The blurred information provided by each of these apps and their lack of clarity were assessed as insufficient. Accordingly, problems of accuracy were mentioned regarding the conveyance of the waves used by a Bluetooth network.[3] The DDPA (Dutch Data Protection Authority) already identified the same issues when reviewing the draft bill of the Temporary Act Notification-application Covid-19 that amended the Dutch Telecommunication Act and gave extensive powers over people’s telecommunication data to the National Institute for Health and Environment.[4] Them keeping data on a centralized server, although for no more than 14 days also raised concern since its access is not only reserved to the data controller (Minister of Health and the Welfare and Sport and the Regional Public Health Authorities) but also by the controller of the backend server, that is CIBG and KPN, a private company.[5] This is where things get a little more complicated privacy-wise. Citizens are worried about their data being used by the government, but what if the real danger was the use of their data by private organizations? Indeed, whereas the DDPA was quite satisfied by the CoronaMelder app, that is to say the main app used in the Netherlands, its biggest worry for privacy issues concerned the Google Apple Exposure Notification Framework, in other words, the software that allows for the use of applications such as CoronaMelder. It seems very unclear whether Google and Apple do access to the data shared by users in the app and therefore the DDPA advised the Minister of Health to establish an agreement with Google and Apple to ensure the safety of people’s personal data from these organizations.[6]

The conclusion that can be drawn from this analysis is that Corona apps are not completely on point regarding privacy laws. Their unclear access to data and their lack of transparency indeed challenges their compliance on the legal perspective. But what if the real danger was coming from data access and storing by private organizations? As it stands, the Dutch government should urge to find an agreement with the relevant organizations to enforce the prohibition of those companies to access and share people’s data.

[1] Contact tracing apps in the Netherlands: A new world for data privacy, December 2020, retrieved from <>

[2] CoronaMelder app preview, retrieved from <>

[3] “None of seven proposed corona apps meets privacy criteria, says legal advisor”, Dutch News, April 2020, retrieved from <>

[4] Contact tracing apps in the Netherlands, A new world for data privacy, December 2020, p.1, retrieved from <>

[5] Ibid, p.3

[6] Ibid, p.2