Skip to main content
SpringerLink
Log in

Analysis and Constructive Criticism of the Official Data Protection Impact Assessment of the German Corona-Warn-App

  • Conference paper
  • First Online:
Book cover Privacy Technologies and Policy (APF 2022)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13279))

Included in the following conference series:

Abstract

On June 15, 2020, the official data protection impact assessment (DPIA) for the German Corona-Warn-App (CWA) was made publicly available. Shortly thereafter, the app was made available for download in the app stores. However, the first version of the DPIA had significant weaknesses, as this paper argues. However since then, the quality of the official DPIA increased immensely due to interventions and interactions such as an alternative DPIA produced by external experts and extensive public discussions. To illustrate the development and improvement, the initial weaknesses of the official DPIA are documented and analyzed here. For this paper to meaningfully do this, first the purpose of a DPIA is briefly summarized. According to Article 35 of the GDPR, it consists primarily of identifying the risks to the fundamental rights and freedoms of natural persons. This paper documents at least specific methodological, technical and legal shortcomings of the initial DPIA of the CWA: 1) It only focused on the app itself, neither on the whole processing procedure nor on the infrastructure used. 2) It only briefly touched on the main data protection specific attacker, the processing organization itself. And 3) The discussion of effective safeguards to all risks including such as the ones posed by Google and Apple has only insufficiently been worked out. Finally, this paper outlines the constructive criticism and suggestions uttered, also by the authors of this paper, regarding the initial release. As of now, some of those constructive contributions have been worked into the current DPIA, such as 1) and 2), but some central ones still haven’t, such as 3). This paper aims to provide an opportunity to improve the practical knowledge and academic discourse regarding high-quality DPIAs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 44.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 59.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. RKI – Robert Koch-Institut: Corona-Warn-App: Documentation (2021). https://github.com/corona-warn-app/cwa-documentation . Accessed 2 Feb 2022

  2. Rehak, R., Kühne, C.R.: The processing goes far beyond “the app” – privacy issues of decentralized digital contact tracing using the example of the German Corona-Warn-App. In: Proceedings of 2022 IEEE 6th International Conference on Cryptography, Security and Privacy (CSP 2022) (forthcoming)

    Google Scholar 

  3. RKI – Robert Koch-Institut: (Archived) Version 1.0 of the official DPIA of the Corona-Warn-App (2020). https://web.archive.org/web/20200616232321/https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf. The current version can be found here https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf. Accessed 2 Feb 2022

  4. SDM - UAG “Standard Data Protection Model” of the AK Technik of the Independent Data Protection Supervisory Authorities of the Federation and the Länder: The Standard Data Protection Model – A method for Data Protection advising and controlling on the basis of uniform protection goals, AK Technik of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (2020). https://www.datenschutzzentrum.de/uploads/sdm/SDM-Methodology_V2.0b.pdf. Accessed 2 Feb 2022

  5. Bock, K., Kühne, C.R., Mühlhoff, R., et al.: Data protection impact assessment for the corona app, 29 April 29 2020. SSRN: https://ssrn.com/abstract=3588172. Accessed 2 Feb 2022

  6. Tschohl, C., Scheichenbauer, H., Kastelitz, M., et al.: Bericht über die Datenschutz-Folgenabschätzung für die Anwendung Stopp Corona-App des Österreichischen Roten Kreuzes (OeRK), Version 2.0. vom 04.08.2020. https://www.roteskreuz.at/fileadmin/user_upload/PDF/Datenschutz/Datenschutz-Folgenabschaetzung-Bericht_OeRK_StopCoronaApp_04-08-2020_V2.0_final.pdf. Accessed 2 Feb 2022

  7. Google/Apple: Exposure Notification Framework – ENF / Googe-Apple-Exposure-Notification – GAEN (2020). https://developer.apple.com/documentation/exposurenotification and https://www.google.com/covid19/exposurenotifications/. Accessed 2 Feb 2022

  8. DP3T – Decentralized Privacy-Preserving Proximity Tracing (2020) EPFL and ETH Zurich advance digital contact tracing project. https://actu.epfl.ch/news/epfl-and-eth-zurichadvance-digital-contact-tracin/ (last visited 2/2/2022)

  9. GDPR – General Data Protection Regulation. Regulation (EU) 2016/679. https://eurlex.europa.eu/eli/reg/2016/679/oj. Accessed 2 Feb 2022

  10. Pohle, J.: Datenschutz und Technikgestaltung: Geschichte und Theorie des Datenschutzes aus informatischer Sicht und Folgerungen für die Technikgestaltung. Dissertation, Mathematisch-Naturwissenschaftliche Fakultät, Humboldt-Universität zu Berlin (2018). https://edoc.hu-berlin.de/handle/18452/19886. Accessed 2 Feb 2022

  11. Guidelines 05/2020 on consent under Regulation 2016/679. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Accessed 2 Feb 2022

  12. Rost, M.: Risks in the context of data protection/Risiken im Datenschutz. In: vorgänge – Zeitschrift für Bürgerrechte und Gesellschaftspolitik 57(1/2), 79–92 (2018). English version. https://www.maroki.de/pub/privacy/Rost_Martin_2019-02_Risk:_8types_v1.pdf. Accessed 2 Feb 2022

  13. Rost, M.: Zur Soziologie des Datenschutzes. Datenschutz und Datensicherheit - DuD 37(2), 85–91 (2013). https://doi.org/10.1007/s11623-013-0023-3

    Article  Google Scholar 

  14. Steinmüller, W.: Grundfragen des Datenschutzes, Gutachten, BT-Drucksache 6/3826, German Bundestag (1972)

    Google Scholar 

  15. Article 29 Data Protection Working Party. Opinion 4/2007 on the concept of personal data. Working Paper 136 (2007). https://ec.europa.eu/justice/article29/documentation/opinion-recommendation/files/2007/wp136_en.pdf. Accessed 2 Feb 2022

  16. Felschen, C.: Geplante Corona-App soll Daten doch dezentral speichern (2020). https://www.zeit.de/digital/datenschutz/2020-04/datenschutz-corona-tracing-app-dezentrale-speicherung. Accessed 2 Feb 2022

  17. Greis, F.: Steuervorteile für Corona-App-Nutzer gefordert (2020). https://www.golem.de/news/lockerungsdebattesteuervorteile-fuer-corona-app-nutzer-gefordert-2004148137.html. Accessed 2 Feb 2022

Download references

Author information

Authors and Affiliations

  1. Weizenbaum Institute for the Networked Society, Hardenbergstraße 32, 10623, Berlin, Germany

    Rainer Rehak

  2. Forum Computer Scientists for Peace and Societal Responsibility, Goetheplatz 4, 28203, Bremen, Germany

    Christian R. Kühne

  3. Independent Centre for Privacy Protection Schleswig-Holstein (ICPP), Postbox 71 16, 24171, Kiel, Germany

    Kirsten Bock

Authors
  1. Rainer Rehak
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Christian R. Kühne
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Kirsten Bock
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Rainer Rehak .

Editor information

Editors and Affiliations

  1. Cardinal Stefan Wyszyński University in Warsaw, Warsaw, Poland

    Agnieszka Gryszczyńska

  2. Koźmiński University, Warsaw, Poland

    Przemysław Polański

  3. University of Oslo, Oslo, Norway

    Nils Gruschka

  4. Goethe University Frankfurt, Frankfurt, Germany

    Kai Rannenberg

  5. ENISA, Athens, Greece

    Monika Adamczyk

Rights and permissions

Reprints and permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Rehak, R., Kühne, C.R., Bock, K. (2022). Analysis and Constructive Criticism of the Official Data Protection Impact Assessment of the German Corona-Warn-App. In: Gryszczyńska, A., Polański, P., Gruschka, N., Rannenberg, K., Adamczyk, M. (eds) Privacy Technologies and Policy. APF 2022. Lecture Notes in Computer Science(), vol 13279. Springer, Cham. https://doi.org/10.1007/978-3-031-07315-1_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-07315-1_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07314-4

  • Online ISBN: 978-3-031-07315-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation