Will the Proposed Dutch Coronavirus Apps Mess with Data Privacy?
The response to the coronavirus has been erratic at best, sending companies, governments, and individuals alike into different kinds of tailspins. As we learn these difficult lessons, it’s important to keep a clear head about what has worked and what has inadvertently made things worse than before.
The Dutch government has held a press conference in which they discussed two apps that would trace those with the virus. We’ll look at how the apps work and whether they’ll do more harm than good.
The Nature of the Apps
April 28 is the day the Dutch government plans to lift its coronavirus restrictions, allowing people to come together (and get back to work). However, it is not simply planning to release the public and hope for the best. To control the spread of the virus, officials have proposed new tracking apps that will collect people’s personal medical information for later use.
There are two candidate apps for tracking suspected cases, each with a different strategy:
- Strategy One: Alert people who have come into contact with someone who has the virus so they can take action.
- Strategy Two: Put people who may be infected in touch with medical doctors, giving them more control over how they manage their health.
The government is considering making use of these apps mandatory, which could lead to a faster return to normal. As April 28 rapidly approaches, though, it’s still unclear how the Dutch government will enable and enforce these solutions. What is clear is that the rollout will be overseen by the Dutch data protection authority (AP).
No one is denying the fact that COVID-19 has caused our priorities to shift due to the unprecedented events that have taken place. While pandemics may be nothing new, the technology we have today is. Tracking people through technology — even when it’s meant to promote public health — can have serious consequences that we’re not prepared for.
Of course, the problem is that no one really has the time to thoroughly debate the merits of each strategy, especially not when the economy is threatening to go into total freefall. Still, if you’re an employer who is concerned about keeping your employees’ personal data away from the wrong eyes, it helps to understand why privacy standards can’t be abandoned in the chaos of a crisis.
Maintaining the Rules
Privacy experts have reiterated the rules these apps must follow: data can only be shared if the user has granted express permission or if the data is properly anonymized. A proximity-tracking app may only alert the user that someone nearby has the virus; it must not reveal that person’s name or any other identifying details.
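As an added illustration of those two rules (not code from the Dutch apps or from PrivIQ): a minimal decentralized proximity-alert model in which phones exchange rotating random tokens, a user who tests positive uploads only their own tokens and only with express consent, and the match on another phone yields a bare exposure count rather than a name. The participant names, the 15-minute window scheme and the 96-window day are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    """One phone. The name is only so the demo can talk about Alice and Bob;
    it is never broadcast, stored by other phones, or uploaded (assumption)."""
    name: str
    day_key: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    observed: set = field(default_factory=set)

    def token(self, window: int) -> str:
        # Ephemeral ID for one 15-minute window (assumed scheme): derived from a
        # random key, so it rotates and cannot be linked back to the person.
        mac = hmac.new(self.day_key, window.to_bytes(4, "big"), hashlib.sha256)
        return mac.hexdigest()[:16]

    def hear(self, token: str) -> None:
        # Bluetooth contact: only the other phone's current token is kept.
        self.observed.add(token)

    def upload_after_positive_test(self, consent: bool, windows: int = 96):
        # Express permission is the gate: without it nothing leaves the phone.
        # With it, only the day's tokens go up: no name, no location, no list
        # of who was met.
        if not consent:
            return []
        return [self.token(w) for w in range(windows)]

    def exposure_alert(self, published: list) -> dict:
        # Matching happens locally. The answer is "you were near an infected
        # person N times", never who that person was.
        hits = self.observed.intersection(published)
        return {"exposed": bool(hits), "contacts": len(hits)}


def simulate(contact_windows, consent=True):
    """Constructed scenario: Alice and Bob meet in the given windows, Carol meets
    nobody, then Alice tests positive. Returns Bob's and Carol's alerts plus
    what the health-authority server actually received."""
    alice, bob, carol = Device("Alice"), Device("Bob"), Device("Carol")
    for w in contact_windows:
        bob.hear(alice.token(w))
        alice.hear(bob.token(w))
    server = alice.upload_after_positive_test(consent)
    return bob.exposure_alert(server), carol.exposure_alert(server), server
```

Running `simulate([3, 4, 5])` shows Bob alerted with three contacts, Carol not alerted, and a server list that contains nothing but hex tokens.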
Those who oversee the Dutch government have stated that they’ll be checking data points very carefully to ensure that these laws haven’t been violated. It’s worth noting that apps of this kind are usually received well by the public. When people have accurate information, they can make more informed decisions regarding their health. What people may not know, though, is that security in Dutch hospitals has been woefully lacking, at best.
Cyber Security in Dutch Hospitals
It’s clear that the Dutch government wants to help its people, but perhaps it needs to look more closely at the general security of its cyber infrastructure to determine whether it can reasonably promise user privacy.
Cybersprint, an analytics organization that investigates online vulnerabilities, released a study in 2019 showing that some Dutch hospitals were more vulnerable to hacking attacks than they should be. In the study, the organization investigated the 10 largest hospitals, as well as smaller hospitals and academic facilities.
Investigators found glaring security errors, including systems still left at factory-default settings that anyone could access. They also found outdated software that could be breached by anyone from a malicious dark-web criminal to a bored teenager. In fact, half of the biggest hospitals in the Netherlands hadn’t updated their software.
Surprisingly, it was the smaller hospitals that tended to be the most diligent about updating their software, perhaps because there was less of it to keep track of. Where smaller hospitals failed was in their website configuration, which opened the door for attackers to reach the hospital’s online records.
When nearly a third of all data leaks reported to watchdog organizations are healthcare-related, the Dutch government needs to consider just how in-demand this information is, and what it can mean when it gets out. Exposing sensitive information raises questions about the very rights of people in a society, and it puts the Dutch government at risk of setting a dangerous precedent during perilous times.
GDPR and the Coronavirus
In July 2019, Haga Hospital was fined €460,000 by the Dutch data protection authority for violating General Data Protection Regulation (GDPR) rules. The fine was prompted by the fact that 85 employees had been granted access to the medical records of a Dutch TV reality star.
In addition to the hefty fine, Haga Hospital was also required to improve the security of its patient files under threat of an additional €100,000 fine every two weeks if it failed to do so. It’s one incident that reveals a much larger structural problem, one that needs to be addressed before people begin sharing their information with a hastily constructed proximity app.
Launching an app of this magnitude without violating GDPR is going to take time. If you’re planning a much smaller version of what the Dutch government is planning, a Data Protection Impact Assessment (DPIA) conducted early on can go a long way toward revealing vulnerabilities that you may not have considered.
PrivIQ is committed to giving our customers 360° software that anticipates and accounts for both current and emerging threats. There’s no way to over-comply in terms of privacy, especially at a time like this. When information is the gateway to solving this pandemic, everyone needs to be careful about how that information is both collected and shared.