Skip to main content

Analysis and Constructive Criticism of the Official Data Protection Impact Assessment of the German Corona-Warn-App

Part of the Lecture Notes in Computer Science book series (LNSC,volume 13279)

Abstract

On June 15, 2020, the official data protection impact assessment (DPIA) for the German Corona-Warn-App (CWA) was made publicly available. Shortly thereafter, the app was made available for download in the app stores. However, the first version of the DPIA had significant weaknesses, as this paper argues. However since then, the quality of the official DPIA increased immensely due to interventions and interactions such as an alternative DPIA produced by external experts and extensive public discussions. To illustrate the development and improvement, the initial weaknesses of the official DPIA are documented and analyzed here. For this paper to meaningfully do this, first the purpose of a DPIA is briefly summarized. According to Article 35 of the GDPR, it consists primarily of identifying the risks to the fundamental rights and freedoms of natural persons. This paper documents at least specific methodological, technical and legal shortcomings of the initial DPIA of the CWA: 1) It only focused on the app itself, neither on the whole processing procedure nor on the infrastructure used. 2) It only briefly touched on the main data protection specific attacker, the processing organization itself. And 3) The discussion of effective safeguards to all risks including such as the ones posed by Google and Apple has only insufficiently been worked out. Finally, this paper outlines the constructive criticism and suggestions uttered, also by the authors of this paper, regarding the initial release. As of now, some of those constructive contributions have been worked into the current DPIA, such as 1) and 2), but some central ones still haven’t, such as 3). This paper aims to provide an opportunity to improve the practical knowledge and academic discourse regarding high-quality DPIAs.

Keywords

  • Data protection
  • Data protection impact assessment
  • DPIA
  • Corona apps
  • CWA
  • Digital contact tracing
  • Decentralization
  • GDPR
  • Privacy

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-031-07315-1_8
  • Chapter length: 16 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   44.99
Price excludes VAT (USA)
  • ISBN: 978-3-031-07315-1
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   59.99
Price excludes VAT (USA)

References

  1. RKI – Robert Koch-Institut: Corona-Warn-App: Documentation (2021). https://github.com/corona-warn-app/cwa-documentation . Accessed 2 Feb 2022

  2. Rehak, R., Kühne, C.R.: The processing goes far beyond “the app” – privacy issues of decentralized digital contact tracing using the example of the German Corona-Warn-App. In: Proceedings of 2022 IEEE 6th International Conference on Cryptography, Security and Privacy (CSP 2022) (forthcoming)

    Google Scholar 

  3. RKI – Robert Koch-Institut: (Archived) Version 1.0 of the official DPIA of the Corona-Warn-App (2020). https://web.archive.org/web/20200616232321/https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf. The current version can be found here https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf. Accessed 2 Feb 2022

  4. SDM - UAG “Standard Data Protection Model” of the AK Technik of the Independent Data Protection Supervisory Authorities of the Federation and the Länder: The Standard Data Protection Model – A method for Data Protection advising and controlling on the basis of uniform protection goals, AK Technik of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (2020). https://www.datenschutzzentrum.de/uploads/sdm/SDM-Methodology_V2.0b.pdf. Accessed 2 Feb 2022

  5. Bock, K., Kühne, C.R., Mühlhoff, R., et al.: Data protection impact assessment for the corona app, 29 April 29 2020. SSRN: https://ssrn.com/abstract=3588172. Accessed 2 Feb 2022

  6. Tschohl, C., Scheichenbauer, H., Kastelitz, M., et al.: Bericht über die Datenschutz-Folgenabschätzung für die Anwendung Stopp Corona-App des Österreichischen Roten Kreuzes (OeRK), Version 2.0. vom 04.08.2020. https://www.roteskreuz.at/fileadmin/user_upload/PDF/Datenschutz/Datenschutz-Folgenabschaetzung-Bericht_OeRK_StopCoronaApp_04-08-2020_V2.0_final.pdf. Accessed 2 Feb 2022

  7. Google/Apple: Exposure Notification Framework – ENF / Googe-Apple-Exposure-Notification – GAEN (2020). https://developer.apple.com/documentation/exposurenotification and https://www.google.com/covid19/exposurenotifications/. Accessed 2 Feb 2022

  8. DP3T – Decentralized Privacy-Preserving Proximity Tracing (2020) EPFL and ETH Zurich advance digital contact tracing project. https://actu.epfl.ch/news/epfl-and-eth-zurichadvance-digital-contact-tracin/ (last visited 2/2/2022)

  9. GDPR – General Data Protection Regulation. Regulation (EU) 2016/679. https://eurlex.europa.eu/eli/reg/2016/679/oj. Accessed 2 Feb 2022

  10. Pohle, J.: Datenschutz und Technikgestaltung: Geschichte und Theorie des Datenschutzes aus informatischer Sicht und Folgerungen für die Technikgestaltung. Dissertation, Mathematisch-Naturwissenschaftliche Fakultät, Humboldt-Universität zu Berlin (2018). https://edoc.hu-berlin.de/handle/18452/19886. Accessed 2 Feb 2022

  11. Guidelines 05/2020 on consent under Regulation 2016/679. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Accessed 2 Feb 2022

  12. Rost, M.: Risks in the context of data protection/Risiken im Datenschutz. In: vorgänge – Zeitschrift für Bürgerrechte und Gesellschaftspolitik 57(1/2), 79–92 (2018). English version. https://www.maroki.de/pub/privacy/Rost_Martin_2019-02_Risk:_8types_v1.pdf. Accessed 2 Feb 2022

  13. Rost, M.: Zur Soziologie des Datenschutzes. Datenschutz und Datensicherheit - DuD 37(2), 85–91 (2013). https://doi.org/10.1007/s11623-013-0023-3

    CrossRef  Google Scholar 

  14. Steinmüller, W.: Grundfragen des Datenschutzes, Gutachten, BT-Drucksache 6/3826, German Bundestag (1972)

    Google Scholar 

  15. Article 29 Data Protection Working Party. Opinion 4/2007 on the concept of personal data. Working Paper 136 (2007). https://ec.europa.eu/justice/article29/documentation/opinion-recommendation/files/2007/wp136_en.pdf. Accessed 2 Feb 2022

  16. Felschen, C.: Geplante Corona-App soll Daten doch dezentral speichern (2020). https://www.zeit.de/digital/datenschutz/2020-04/datenschutz-corona-tracing-app-dezentrale-speicherung. Accessed 2 Feb 2022

  17. Greis, F.: Steuervorteile für Corona-App-Nutzer gefordert (2020). https://www.golem.de/news/lockerungsdebattesteuervorteile-fuer-corona-app-nutzer-gefordert-2004148137.html. Accessed 2 Feb 2022

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Rainer Rehak .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Rehak, R., Kühne, C.R., Bock, K. (2022). Analysis and Constructive Criticism of the Official Data Protection Impact Assessment of the German Corona-Warn-App. In: Gryszczyńska, A., Polański, P., Gruschka, N., Rannenberg, K., Adamczyk, M. (eds) Privacy Technologies and Policy. APF 2022. Lecture Notes in Computer Science(), vol 13279. Springer, Cham. https://doi.org/10.1007/978-3-031-07315-1_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-07315-1_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07314-4

  • Online ISBN: 978-3-031-07315-1

  • eBook Packages: Computer ScienceComputer Science (R0)