Temporary suspension of the Norwegian Covid-19 contact tracing app

22 June 2020

Norway

The Norwegian Data Protection Authority has notified the Norwegian Institute of Public Health (NIPH) of its intention to impose a temporary ban on the processing of personal data in connection with the Smittestopp contact tracing mobile application. NIPH has nowtemporarily suspended all use of the app.

On Monday 15 June, NIPH announced that they have decided to suspend the app and erase all data until further notice, but that they will provide a formal response by 23 June, which is the date set by the Data Protection Authority. The notice entails a temporary ban on all collection of personal data by NIPH through the app.

Intervention no longer proportionate

“NIPH has chosen to suspend all collection and storage of data immediately. I hope they use the time left until 23 June well, both to document the benefits of the app and to make other necessary changes, so that they can resume use of it,” says Data Protection Authority Director-General Bjørn Erik Thon.
The basis for the notice is the Data Protection Authority’s assessment that the Smittestopp app can no longer be considered a proportionate intervention in the users’ fundamental rights to data protection.

“Smittestopp is a highly invasive measure in terms of data protection, even in these special circumstances, where our society is fighting a pandemic. We do not see the utility, given our current situation and the way the technical solution is designed and presently working,” Thon says.

Legality hinges on public benefit

Smittestopp is a digital solution for contact tracing. It can notify the user if they have been in close contact with people infected with Covid-19. By analysing anonymized and aggregated data of population movement patterns, NIPH will also evaluate infection control measures and monitor rates of transmission through society. Smittestopp collects large quantities of personal data about app users, including continuous location data and information about app users’ contact with others.

“Our notice does not mean that we can’t use technology and apps to fight this pandemic. However, the legality of Smittestopp hinges on its public benefit,” Thon says. “We have considered the solutions chosen for the Smittestopp app, the low proliferation of the app, with users accounting for approximately 14 percent of the population aged 16 and older, and the rates of infection in the general population. We have also taken into account the National Institute of Public Health’s release stating that the rate of infection is currently so low that it is difficult to validate that the app’s alerts are notifying the right people — not too many and not too few.”

Location data from GPS and Bluetooth

Currently, Smittestopp users cannot choose to provide personal data for contact tracing purposes without also agreeing to the data being used for analysis and research. These different purposes require different types of personal data. We question the lack of choice for the users. Several other European countries have developed contact tracing apps that rely solely on Bluetooth technology and that do not collect GPS-based location data. The World Health Organization (WHO) has also posted several publications related to digital proximity tracking for Covid-19 (example link).

“The European Data Protection Board has concluded that the use of location data in contact tracing is unnecessary and recommend the use of Bluetooth data only. We do not find that NIPH has sufficiently justified the need to use location data for contact tracing and await new information from NIPH on this issue,” Thon says.
Smittestopp currently only has contact tracing functionality in combination with notification in three test municipalities: Drammen, Trondheim and Tromsø.
“Also, no solution for anonymizing and aggregating data for analysis has yet been implemented.The app nevertheless continually collects personal data from all users,” Thon says.

Going forward

The Data Protection Authority has invited the National Institute of Public Health to a meeting on Friday 19 June to further discuss this matter. NIPH has until 23 June to provide a response to the order.

“There are many different things we need to discuss. The design of the request for approval and the use of GPS in contact tracing are central issues, but we also need to discuss the anonymization solution, which is not yet in place. A solution for how to handle requests for access will also be a topic for discussion. We need to see some specific changes on these important issues,” Thon says.

To read the press release in Norwegian, click here

Update: 17/08/20

The Norwegian Data Protection Authority has imposed a temporary ban on Smittestopp contact tracing mobile application.

The Norwegian Data Protection Authority has reached a decision to temporarily ban the processing of personal data using the Smittestopp contact tracing mobile application. As previously notified, we mean that Smittestopp cannot be considered a proportionate intervention in the user’s fundamental right to data protection.
The purposes of Smittestopp are contact tracing and notification of Covid-19 infection, as well as analysis of anonymous and aggregated data to evaluate the effect of infection control measures, and monitoring of the spread of infection in society. The app has collected large amounts of personal data about the people using it, including continuous registration of movements and information about the users’ contact with others.
Still several weaknesses

The Norwegian Data Protection Authority finds that the Norwegian Institute of Public Health (NIPH) has not documented the benefit of the app. We have looked at the technical solutions chosen for Smittestopp, the low level of adoption of the app (approx. 14% of the population aged 16 or above), and the spread of the infection in the population. We also find that the NIPH has not sufficiently established the necessity of using location data from GPS in contact tracing, which we find is in conflict with the principle of data minimization.

Furthermore, the Norwegian Data Protection Authority has been critical of the fact that users have not had the option to choose to share personal data for just one or several of the purposes. In June, The Norwegian Parliament reached the decision that the purposes have to be separated in the next version of the app.

The NIPH has already decided to stop the collection of personal data, and to erase the collected data. The Norwegian Data Protection Authority will continue to control any new versions of the app.

For further information, please contact the Norwegian DPA: international@datatilsynet.no

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Temporary suspension of the Norwegian Covid-19 contact tracing app

Update: 17/08/20

Icelandic SA: the municipality of Reykjavík fined ISK 2,000,000 for the use of Google Workspace for Education

Icelandic SA: the municipality of Hafnarfjörður fined EUR 18.580 for the use of Google Workspace for Education

Icelandic SA: the municipality of Reykjanesbær fined EUR 16.590 for the use of Google Workspace for Education

Icelandic SA: the municipality of Garðabær fined EUR 16 590 for the use of Google Workspace for Education

Icelandic SA: the municipality of Kópavogur fined EUR 19.907 for the use of Google Workspace for Education