
Google and Apple Exposure Notifications System: Exposure Notifications or Notified Exposures?

  • Conference paper
Privacy Technologies and Policy (APF 2022)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13279)



In April 2020, Google and Apple announced the launch of a joint project: a system called Exposure Notifications (EN) that promised to help break COVID-19 contagion chains. Countries around the world integrated EN within their public healthcare systems. This paper provides a critical inquiry into the legal and technical architecture of EN from a data protection law (DP) point of view. It is divided into two parts. In the first part we present EN as a proximity tracking tool, along with a technical description of its implementation, and a legal assessment of the contracts established between Google, Apple and governments (or public health authorities) regarding the design of national proximity tracking applications (apps). In the second part, the findings of the first part are critically discussed in light of the concepts of ‘legal by design’ and ‘legal protection by design’, building on Mireille Hildebrandt’s work. Through this conceptual approach, we examine the DP issues implied by EN’s embeddings and discuss the extent to which its design reveals a defiance of the rule of law. This contribution reiterates that the fundamental right to the protection of personal data covers both our individuality and our collective heritage of democracy, the rule of law and fundamental rights.



  1. The World Health Organization [1] identifies three kinds of COVID-19 cases: suspected, probable and confirmed.

  2. According to the World Health Organization [2], a contact is anyone with the following exposures to a COVID-19 case, from 2 days before to 14 days after the case’s onset of illness: (1) face-to-face contact with a probable or confirmed case within 1 m and for more than 15 min; (2) direct physical contact with a probable or confirmed case; (3) direct care for a patient with probable or confirmed COVID-19 disease without using recommended personal protective equipment; or (4) other situations of contact in specific settings, whose risk is specifically assessed (p. 2).

  3. We did not find any contract model that regulates EN Express.

  4. Google [8] states that Rolling Proximity Identifiers are derived from a Rolling Proximity Identifier Key, which is in turn derived from a Temporary Exposure Key and a discretized representation of time (p. 5).

  5. EDPB [17] and ICO [18] consider that RPIs are pseudonymous data. DP-3T [19] clarifies that their protocol does not rely on anonymous communication systems to provide its privacy properties. DP-3T considered using an anonymous communication system to efficiently query the server, but decided against it, based on three arguments: (i) it would increase the complexity of the system; (ii) anonymity requires a trade-off with latency and bandwidth overhead, and it is not clear what the best choice would be; (iii) the security properties of the anonymous communication system must be considered and choices must be made.

  6. Point 3. a. iii. GEN states that, in providing the Service, Google has no role in determining the purposes for which, or manner in which, any personal data are processed by the App. A contrario, this means that Google denies its role as controller. Since Google provides the framework where EN operates, we can infer that Google qualifies itself as a processor. Apple indirectly qualifies itself as a processor at point 4 of AEN, by establishing that governments or developers on their behalf, as the legal entity responsible for any user data processed in connection with the use of their app, are solely responsible for complying with applicable data protection and privacy laws and regulations. Even if Gapple were mere processors, they would still have to comply with data protection law.

  7. Points 1. a. GEN and 2.1. AEN.

  8. Point 2.2. AEN.

  9. The Entitlement Profile enables the use of the Exposure Notifications API (points 2.2. and 2.3. AEN).

  10. Point 4. AEN.

  11. Point 3 GEN and Sect. 3 of AEN.

  12. Points 1. d GEN and 3.1. AEN.

  13. Points 3. b. i. GEN and 3.1. AEN determine that a proximity tracking app may only collect the minimum amount of user data necessary for COVID-19 response efforts and may only be used for that purpose.

  14. Points 3. c. i. GEN and 3.3. AEN.

  15. Point 3.3. AEN.

  16. Point 3. a. iii. GEN.

  17. Points 3. b., i-vi GEN.

  18. AEN contemplates several similar dispositions, such as the data to be collected, transmitted, or accessed (points 3.2., 3.3., 3.4.); the use of third-party analytics and retention period (point 3.4.); purpose, the legal basis of processing and disclosure rules (point 3.1.). It furthermore prohibits processing location data, any form of data association or correlation, and access to personally identifiable information, unless otherwise agreed by Apple (points 3.2.; 3.3 AEN).

  19. Paul Ricœur [33] calls it productive distantiation.

  20. EDPB [17] hypothesises about the eventual need to process additional data, in which case such (additional) information should remain on the user terminal and only be processed when strictly necessary and with his prior and specific consent (para. 44, p. 9).

  21. By using the term legality, we are invoking the meaning stated in [46].

  22. The World Health Organization [50] explicitly states that transparency and explainability apply to the operation of apps and application programming interfaces (APIs) of COVID-19 proximity tracking technologies (p. 3).

  23. Each ExposureWindow instance represents up to 30 min of exposure information. As a result, longer exposures to a particular key might be split into multiple 30-min blocks.

  24. By using the word manual, we are adopting Google’s [53] terminology. This should not be taken as implying the absence of automation, as risk score calculation remains an automated process. We suspect that by manual, Google means that health authorities have (more) control of the risk scoring method.

  25. Each DailySummary contains the ExposureSummaryData for a particular day. The ExposureSummaryData takes into account the highest risk score across all ExposureWindows aggregated into the summary, the sum of the risk scores, and the sum of the weighted durations for all ExposureWindows.

  26. Google [53] provides an example of how to manually compute the risk score, which considers three factors: (i) weighted minutes-at-attenuation; (ii) infectiousness weight (available only for v1.6 and later); (iii) report type weight. The method exemplified by Google iterates through the list of ExposureWindow objects retrieved from the API. For each ExposureWindow, it calculates the risk score based on how many seconds a person (i.e., the device) has been within close distance of someone (i.e., another device) that reported a case. The resulting window score is added to the corresponding day score. The result is a map of dates with user exposures, measured in seconds. The code uses a filter to remove days with less than 15 min of relevant exposure. This method computes the risk score similarly to how the Exposure Notifications system computes daily summaries. The method iterates over the different ScanInstance objects (each corresponding to a few seconds during which a beacon with the diagnosis key causing this exposure was observed) and calculates the score based on the duration of the scan and the multiplier values associated with attenuation, report type, and infectiousness.

  27. The epithet suzerain, used as a metaphor in this context, is intended to stress Gapple’s lack of institutional framework, infused by an idea of personal power (in this case, the concentration of power in certain categories of private entities). I took inspiration from Mireille Hildebrandt [55].
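The manual risk scoring described in notes 23 to 26 can be followed step by step in the Python example below, which is added here and is neither Google's code nor the paper's. The classes are stand-ins for the API's ExposureWindow and ScanInstance objects; the attenuation buckets, weights, string labels and sample windows are constructed, and only the 15-minute filter comes from note 26.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed configuration: a health authority would choose its own values.
ATTENUATION_BUCKETS = [(55, 1.5), (63, 1.0), (70, 0.5)]  # (max dB, weight)
REPORT_TYPE_WEIGHT = {"CONFIRMED_TEST": 1.0, "SELF_REPORT": 0.5}
INFECTIOUSNESS_WEIGHT = {"STANDARD": 1.0, "HIGH": 2.0}
MIN_DAILY_SCORE = 15 * 60  # days under 15 weighted minutes are dropped

@dataclass
class ScanInstance:          # a few seconds during which a beacon was observed
    seconds_since_last_scan: int
    typical_attenuation_db: int

@dataclass
class ExposureWindow:        # up to 30 minutes of exposure to one key
    day: date
    report_type: str
    infectiousness: str
    scans: list

def attenuation_weight(db):
    """Weight a scan by signal attenuation; weaker signal means lower weight."""
    for max_db, weight in ATTENUATION_BUCKETS:
        if db <= max_db:
            return weight
    return 0.0  # beyond the last bucket the scan does not count

def window_score(window):
    """Weighted seconds of the window, scaled by report type and infectiousness."""
    weighted_seconds = sum(
        s.seconds_since_last_scan * attenuation_weight(s.typical_attenuation_db)
        for s in window.scans)
    return (weighted_seconds
            * REPORT_TYPE_WEIGHT.get(window.report_type, 0.0)
            * INFECTIOUSNESS_WEIGHT.get(window.infectiousness, 0.0))

def daily_risk_scores(windows):
    """Sum window scores per day, then filter out days below the threshold."""
    per_day = defaultdict(float)
    for w in windows:
        per_day[w.day] += window_score(w)
    return {d: s for d, s in per_day.items() if s >= MIN_DAILY_SCORE}

# Constructed sample: one long exposure split into two windows on 1 March,
# and a self-reported case on 2 March that stays below the threshold.
SAMPLE = [
    ExposureWindow(date(2021, 3, 1), "CONFIRMED_TEST", "STANDARD",
                   [ScanInstance(300, 50), ScanInstance(300, 60)]),
    ExposureWindow(date(2021, 3, 1), "CONFIRMED_TEST", "HIGH",
                   [ScanInstance(180, 68)]),
    ExposureWindow(date(2021, 3, 2), "SELF_REPORT", "STANDARD",
                   [ScanInstance(900, 50)]),
]
```

With these constructed weights, the 15 minutes of close contact on 2 March never reach the user as an exposure because the self-report weight halves the score, which shows how far the notification outcome depends on the configuration chosen by the health authority.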


  1. World Health Organization homepage: COVID-19 Case definition, 16 December 2020. Accessed 26 Jan 2022

  2. World Health Organization homepage: Contact tracing in the context of COVID-19, Interim guidance, 10 May 2021. Accessed 26 Jan 2022

  3. World Health Organization homepage: Contact tracing in the context of COVID-19, Interim guidance, 1 February 2021. Accessed 26 Jan 2022

  4. World Health Organization homepage: Considerations for quarantine of contacts of COVID-19 cases Interim guidance, 25 June 2021. Accessed 26 Jan 2022

  5. Google homepage: Exposure Notification, Frequently Asked Questions, Preliminary – Subject to Modification and Extension v1.0, April 2020. Accessed 26 Jan 2022

  6. Apple homepage: Supporting Exposure Notifications Express. Accessed 26 Jan 2022

  7. Google homepage: Exposure Notifications Frequently Asked Questions Preliminary – Subject to Modification and Extension v. 1.2, September 2020. Accessed 26 Jan 2022

  8. Google homepage: Exposure Notification Cryptography Specification Preliminary, April 2020. Accessed 29 Jan 2022

  9. Google homepage: Exposure Notifications API. Accessed 16 Jan 2022

  10. Hoepman, J-H.: A Critique of the Google Apple Exposure Notification (GAEN) Framework, 12 January 2021. Accessed 22 Jan 2022

  11. Leith, D., Farrell, S.: Contact tracing app privacy: what data is shared by Europe’s GAEN contact tracing apps, 18 July 2020. Accessed 29 Sept 2020

  12. Google homepage: Privacy Preserving Contact Tracing Protocol. Accessed 29 Jan 2022

  13. Bunnie Studios (blog): On Contact Tracing and Hardware Tokens (Bunnie studios), May 2020. Accessed 29 Jan 2022

  14. WeHealth homepage. Accessed 16 Jan 2022

  15. National Health Service homepage: Guidance NHS COVID-19 app: anonymization, definitions and user data journeys, 1 October 2020. Accessed 16 Jan 2022

  16. Bradford, L., Aboy, M., Liddell, K.: COVID-19 contact tracing apps: a stress test for privacy, the GDPR, and data protection regimes. J. Law Biosci. 7(1), 1–21 (2020).

  17. EDPB: Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, 21 April 2020


  18. ICO: COVID-19 contact tracing: data protection expectations on app development, 4 May 2020


  19. DP-3T: Clarified anonymous communication question, posted by Carmela Troncoso on Github, 7 April 2020. Accessed 31 Mar 2022

  20. Google COVID-19 Exposure Notifications Service Additional Terms. Revised 4 May 2020. Accessed 26 Mar 2022

  21. Apple Exposure Notification APIs Addendum to the Apple Developer Program License Agreement. Revised 4 May 2020. Accessed 26 Mar 2022

  22. EDPB: Guidelines 07/2020 on the concepts of controller and processor in the GDPR (Version 1.0), 2 September 2020


  23. Article 29 Working Party: Opinion 1/2010 on the concepts of “controller” and “processor”, (WP 169), 16 February 2010


  24. Belgian Data Protection Authority, Decision on the merits 21/2022 on case number DOS-2019-01377 (Unofficial translation from Dutch), 2 February 2022. Accessed 4 Jan 2022

  25. C-25/17 Jehovan todistajat (ECLI:EU:C:2018:551) (2018)


  26. C-210/16 Wirtschaftsakademie (ECLI:EU:C:2018:388) (2018)


  27. C-40/17 Fashion ID (ECLI:EU:C:2019:629) (2019)


  28. Lippe, P., Katz, D., Jackson, D.: Legal by design: a new paradigm for handling complexity in banking regulation and elsewhere in law. Oregon Law Rev. 93(4), 833–852 (2015)


  29. Hildebrandt, M.: Law for Computer Scientists and Other Folk. OUP (2020)


  30. Hildebrandt, M.: Legal and technological normativity: more (and less) than twin sisters. Techné: Res. Philos. Technol. 12(3), 169–183 (2008)


  31. Brownsword, R.: Technological management and the rule of law. Law Innov. Technol. 8(1), 100–140 (2016).

  32. Hildebrandt, M.: Smart Technologies and the End(s) of Law. Edward Elgar Publishing, Cheltenham (2015)


  33. Ricœur, P.: Speaking and writing. In: Interpretation Theory: Discourse and the Surplus of Meaning, pp. 25–44. Texas University Press (1976)


  34. Ricœur, P.: The model of the text: meaningful action considered as text. In: New Literary History, vol. 5, no. 1, pp. 91–117. What Is Literature? The Johns Hopkins University Press (1973).

  35. Gadamer, H.-G.: Truth-and-Method, Second, Revised Edition Translation revised by Joel Weinsheimer and Donald G. Mars, Continuum (2004)


  36. Fish, S.: Is There a Text in This Class? The Authority of Interpretive Communities. Harvard University Press (1980)


  37. Hildebrandt, M.: Text-driven jurisdiction in cyberspace. In: Keynote Hart Workshop–New Perspectives on Jurisdiction and the Criminal Law, April 2021


  38. GitHub homepage. Accessed 18 Mar 2022

  39. Gürses, S.: Can you engineer privacy?. Commun. ACM 57(8) (2014).

  40. Danezis, G., Gürses, S.: A critical review of 10 years of Privacy, 1–16, August 2010. Accessed 21 Mar 2022

  41. Danezis, G.: Distributed ledgers: what is so interesting about them? Conspicuous chatter (blog), 27 September 2018. Accessed 21 Mar 2022

  42. Hoepman, J.-H.: Privacy design strategies (extended abstract). In: 6th Annual Privacy Law Scholars Conference, Berkeley, June 2013


  43. Hoepman, J.-H.: Privacy is Hard and Seven Other Myths – Achieving Privacy Through Careful Design. MIT (2021)


  44. Veale, M., Binns, R., Ausloos, J.: When data protection by design and data subject rights clash. Int. Data Privacy Law 8(2), 105–123 (2018).

  45. Hildebrandt, M.: Law as computation in the era of artificial legal intelligence: speaking law to the power of statistics. Univ. Toronto Law J. 68(Supplement 1), 12–35 (2018).

  46. Hildebrandt, M.: Legal protection by design. Objections and refutations. Legisprudence 5(2), 223–248 (2011).

  47. Hildebrandt, M.: Radbruch’s Rechtsstaat and Schmitt’s legal order: Legalism, Legality and the Institution of Law. New Hist. Jurisprud. Hist. Anal. Law 2(1), 42–63 (2015)


  48. Waldron, J.: The Rule of law and the importance of procedure. In: Nomos 50, 3–31 (2011)


  49. Diver, L.: Digisprudence: the design of legitimate code. Law Innov. Technol. 13(2), 325–364 (2021).

  50. World Health Organization homepage: Ethical considerations to guide the use of digital proximity tracking technologies for COVID-19 contact tracing (Interim guidance), 28 May 2020. Accessed 29 Jan 2022

  51. Article 29 Working Party: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (WP 251), 6 February 2018


  52. Coronalert Privacy statement. Accessed 19 Mar 2022

  53. Google homepage: Define meaningful exposures. Accessed 22 Jan 2022

  54. Latour, B.: An Inquiry to the Modes of Existence – An Anthropology of the Moderns, Translated by Catherine Porter. Harvard University Press, Cambridge (2013)


  55. Dworkin, R.: Reply to Paul Ricœur. Ratio Juris 7(3) 287–290 (1994)


  56. Radbruch, G.: Legal philosophy. In: Legal Philosophies of Lask, Radbruch, and Dabin. Wilk, K., (trans.). Harvard University Press (1950)


  57. Hildebrandt, M.: Origins of the criminal law: punitive interventions before sovereignty. In: Dubber, M.D. (ed.) Foundational Texts in Modern Criminal Law, pp. 219–238. Ch. 11. Oxford University Press (2014).



I would like to express my deepest appreciation to Jaap-Henk Hoepman (Radboud University Nijmegen, University of Groningen) for his invaluable contribution in making a technical review of this paper, pointing out aspects that eluded me, which has majorly improved its technical rigor and soundness.

Author information



Corresponding author

Correspondence to Tatiana Duarte.


Copyright information

© 2022 Springer Nature Switzerland AG

About this paper


Cite this paper

Duarte, T. (2022). Google and Apple Exposure Notifications System: Exposure Notifications or Notified Exposures?. In: Gryszczyńska, A., Polański, P., Gruschka, N., Rannenberg, K., Adamczyk, M. (eds) Privacy Technologies and Policy. APF 2022. Lecture Notes in Computer Science, vol 13279. Springer, Cham.


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07314-4

  • Online ISBN: 978-3-031-07315-1

  • eBook Packages: Computer Science (R0)
