🤖 AI Summary
This paper identifies systemic privacy risks in decentralized digital contact-tracing systems—exemplified by Germany’s Corona-Warn-App (CWA)—under the GDPR. Using the Standard Data Protection Model (SDM), it conducts the first structured Data Protection Impact Assessment (DPIA) to rigorously evaluate compliance of decentralized architectures. The analysis reveals that current implementations fail to achieve genuine anonymization, enabling re-identification of users; rely on invalid legal bases, as informed consent does not satisfy GDPR requirements for lawful processing; and harbor persistent high-risk vulnerabilities previously undetected or unremediated. Beyond application-specific flaws, the study uncovers cross-app privacy spillovers and fundamental rights infringements. It proposes a privacy-by-design framework centered on data minimization, strengthened anonymization techniques, and alternative lawful bases—offering both a reusable methodological paradigm and empirically grounded guidance for privacy-respectful public health technologies. (149 words)
📝 Abstract
Since SARS-CoV-2 started spreading in Europe in early 2020, there has been a strong call for technical solutions to combat or contain the pandemic, with contact tracing apps at the heart of the debates. The EU’s General Data Protection Regulation (GDPR) requires controllers to carry out a data protection impact assessment (DPIA) where their data processing is likely to result in a high risk to the rights and freedoms (Art. 35 GDPR). A DPIA is a structured risk analysis that identifies and evaluates possible consequences of data processing relevant to fundamental rights in advance and describes the measures envisaged to address these risks or expresses the inability to do so.Based on the Standard Data Protection Model (SDM), we present the results of a scientific and methodologically clear DPIA. It shows that even a decentralized architecture involves numerous serious weaknesses and risks, including larger ones still left unaddressed in current implementations. It also found that none of the proposed designs operates on anonymous data or ensures proper anonymisation. It also showed that informed consent would not be a legitimate legal ground for the processing. For all points where data subjects’ rights are still not sufficiently safeguarded, we briefly outline solutions.