Norway’s health authority says it will pause data collection and delete all collected data after the country’s data regulator says the app is too invasive
Norway’s health authority has said it will stop uploading data from the country’s Covid-19 contact tracing app, following a warning from the country’s data protection agency (DPA) that the app is too invasive of privacy.
Norway’s Institute of Public Health (FHI) said it would stop data uploads from Tuesday and would delete all the information held in its databases “as soon as possible”.
Norway’s Datatilsynet data agency on Friday issued a warning that the smartphone app Smittestopp (“infection stop”) was in contravention of European data protection rules.
FHI director Camilla Stoltenberg said the agency does not agree with the DPA’s assessment but would comply even though doing so would “weaken” the country’s Covid-19 preparedness.
“The pandemic is not over,” Stoltenberg said in a statement. “We have no immunity in the population, no vaccine, and no effective treatment. Without the Smittestopp app, we will be less equipped to prevent new outbreaks that may occur locally or nationally.”
The app, launched in April, was one of the first to begin operating in Europe.
It was developed prior to the release of EU guidelines that advised authorities not to implement location tracking for contact tracing apps, but instead to use “proximity data”.
Contact tracing apps keep an anonymised record of whom the user comes into contact with. If one of those contacts is later diagnosed with Covid-19, the user can be notified and take appropriate action.
Such tools are intended to complement human contact-tracing resources as a means to limit the spread of the novel coronavirus.
Italy’s Immuni app, for instance, which started limited operations in the country earlier this month and began a nationwide roll-out on Monday, sent out its first alerts last week.
Authorities in Liguria, in northern Italy, said the app was used to alert the contacts of three people who tested positive for Covid-19.
Most countries’ contact tracing apps use Bluetooth signals to determine when a user spends a significant amount of time in proximity to another individual running a compatible app.
But Smittestopp also collected anonymised GPS-based location data, in order to help health authorities track the spread of infections.
The app is currently being used by just under 600,000 people out of Norway’s 5.4 million inhabitants.
The DPA said that Norway’s low infection rate, and the relatively low take-up of the app, meant the personal data it collected was disproportionate to its purpose.
“We believe that the FHI has not demonstrated that it is strictly necessary to use location data for infection detection,” said Datatilsynet director Bjørn Erik Thon in a statement.
The DPA said it was also concerned that users were unable to choose to have their data used only for contact-tracing purposes, and not for research purposes, in contravention of EU data rules around purpose limitation.
The data agency said another objection involved the way the FHI was aggregating and anonymising data, given the difficulties in making such information fully anonymous.
The latter two issues relate to the fact that the FHI opted for a “centralised” app infrastructure in which data is processed on a government server.
“Decentralised” apps, such as those using a framework developed by Apple and Google, give the government minimal access to data, with contact-matching taking place on devices.
The FHI advised users to disable the app, but not to remove it, so that it can be easily reactivated if the agency is able to reach a deal with the DPA.