🤖 AI Summary
This study critically identifies systemic deficiencies in the initial Data Protection Impact Assessment (DPIA) of Germany’s Corona-Warn-App, including an overly narrow scope confined to the application layer—neglecting risks inherent in the Apple/Google Exposure Notification framework; insufficient identification of key threat actors (e.g., OS vendors, cloud providers); and superficial analysis of safeguards lacking technical feasibility validation. Method: Integrating GDPR Article 35 requirements with structured threat modeling and privacy risk identification, the study proposes a “full-stack” DPIA framework that explicitly encompasses end-to-end data processing, underlying infrastructure, and third-party dependencies. It further institutionalizes independent external expert review and public participation within the DPIA process. Contribution/Results: The framework’s core recommendations were formally adopted in subsequent official DPIA revisions, substantially enhancing transparency, comprehensiveness, and practical applicability. This work establishes a high-quality, replicable DPIA paradigm for government-led digital health applications, advancing regulatory compliance and accountability in public-sector data processing.
📝 Abstract
On June 15, 2020, the official data protection impact assessment (DPIA) for the German Corona-Warn-App (CWA) was made publicly available. Shortly thereafter, the app was made available for download in the app stores. However, the first version of the DPIA had significant weaknesses, as this paper argues. However since then, the quality of the official DPIA increased immensely due to interventions and interactions such as an alternative DPIA produced by external experts and extensive public discussions. To illustrate the development and improvement, the initial weaknesses of the official DPIA are documented and analyzed here. For this paper to meaningfully do this, first the purpose of a DPIA is briefly summarized. According to Article 35 of the GDPR, it consists primarily of identifying the risks to the fundamental rights and freedoms of natural persons. This paper documents at least specific methodological, technical and legal shortcomings of the initial DPIA of the CWA: 1) It only focused on the app itself, neither on the whole processing procedure nor on the infrastructure used. 2) It only briefly touched on the main data protection specific attacker, the processing organization itself. And 3) The discussion of effective safeguards to all risks including such as the ones posed by Google and Apple has only insufficiently been worked out. Finally, this paper outlines the constructive criticism and suggestions uttered, also by the authors of this paper, regarding the initial release. As of now, some of those constructive contributions have been worked into the current DPIA, such as 1) and 2), but some central ones still haven't, such as 3). This paper aims to provide an opportunity to improve the practical knowledge and academic discourse regarding high-quality DPIAs.