Abstract
On June 15, 2020, the official data protection impact assessment (DPIA) for the German Corona-Warn-App (CWA) was made publicly available. Shortly thereafter, the app was made available for download in the app stores. However, the first version of the DPIA had significant weaknesses, as this paper argues. However since then, the quality of the official DPIA increased immensely due to interventions and interactions such as an alternative DPIA produced by external experts and extensive public discussions. To illustrate the development and improvement, the initial weaknesses of the official DPIA are documented and analyzed here. For this paper to meaningfully do this, first the purpose of a DPIA is briefly summarized. According to Article 35 of the GDPR, it consists primarily of identifying the risks to the fundamental rights and freedoms of natural persons. This paper documents at least specific methodological, technical and legal shortcomings of the initial DPIA of the CWA: 1) It only focused on the app itself, neither on the whole processing procedure nor on the infrastructure used. 2) It only briefly touched on the main data protection specific attacker, the processing organization itself. And 3) The discussion of effective safeguards to all risks including such as the ones posed by Google and Apple has only insufficiently been worked out. Finally, this paper outlines the constructive criticism and suggestions uttered, also by the authors of this paper, regarding the initial release. As of now, some of those constructive contributions have been worked into the current DPIA, such as 1) and 2), but some central ones still haven’t, such as 3). This paper aims to provide an opportunity to improve the practical knowledge and academic discourse regarding high-quality DPIAs.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
RKI – Robert Koch-Institut: Corona-Warn-App: Documentation (2021). https://github.com/corona-warn-app/cwa-documentation . Accessed 2 Feb 2022
Rehak, R., Kühne, C.R.: The processing goes far beyond “the app” – privacy issues of decentralized digital contact tracing using the example of the German Corona-Warn-App. In: Proceedings of 2022 IEEE 6th International Conference on Cryptography, Security and Privacy (CSP 2022) (forthcoming)
RKI – Robert Koch-Institut: (Archived) Version 1.0 of the official DPIA of the Corona-Warn-App (2020). https://web.archive.org/web/20200616232321/https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf. The current version can be found here https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung.pdf. Accessed 2 Feb 2022
SDM - UAG “Standard Data Protection Model” of the AK Technik of the Independent Data Protection Supervisory Authorities of the Federation and the Länder: The Standard Data Protection Model – A method for Data Protection advising and controlling on the basis of uniform protection goals, AK Technik of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (2020). https://www.datenschutzzentrum.de/uploads/sdm/SDM-Methodology_V2.0b.pdf. Accessed 2 Feb 2022
Bock, K., Kühne, C.R., Mühlhoff, R., et al.: Data protection impact assessment for the corona app, 29 April 29 2020. SSRN: https://ssrn.com/abstract=3588172. Accessed 2 Feb 2022
Tschohl, C., Scheichenbauer, H., Kastelitz, M., et al.: Bericht über die Datenschutz-Folgenabschätzung für die Anwendung Stopp Corona-App des Österreichischen Roten Kreuzes (OeRK), Version 2.0. vom 04.08.2020. https://www.roteskreuz.at/fileadmin/user_upload/PDF/Datenschutz/Datenschutz-Folgenabschaetzung-Bericht_OeRK_StopCoronaApp_04-08-2020_V2.0_final.pdf. Accessed 2 Feb 2022
Google/Apple: Exposure Notification Framework – ENF / Googe-Apple-Exposure-Notification – GAEN (2020). https://developer.apple.com/documentation/exposurenotification and https://www.google.com/covid19/exposurenotifications/. Accessed 2 Feb 2022
DP3T – Decentralized Privacy-Preserving Proximity Tracing (2020) EPFL and ETH Zurich advance digital contact tracing project. https://actu.epfl.ch/news/epfl-and-eth-zurichadvance-digital-contact-tracin/ (last visited 2/2/2022)
GDPR – General Data Protection Regulation. Regulation (EU) 2016/679. https://eurlex.europa.eu/eli/reg/2016/679/oj. Accessed 2 Feb 2022
Pohle, J.: Datenschutz und Technikgestaltung: Geschichte und Theorie des Datenschutzes aus informatischer Sicht und Folgerungen für die Technikgestaltung. Dissertation, Mathematisch-Naturwissenschaftliche Fakultät, Humboldt-Universität zu Berlin (2018). https://edoc.hu-berlin.de/handle/18452/19886. Accessed 2 Feb 2022
Guidelines 05/2020 on consent under Regulation 2016/679. https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf. Accessed 2 Feb 2022
Rost, M.: Risks in the context of data protection/Risiken im Datenschutz. In: vorgänge – Zeitschrift für Bürgerrechte und Gesellschaftspolitik 57(1/2), 79–92 (2018). English version. https://www.maroki.de/pub/privacy/Rost_Martin_2019-02_Risk:_8types_v1.pdf. Accessed 2 Feb 2022
Rost, M.: Zur Soziologie des Datenschutzes. Datenschutz und Datensicherheit - DuD 37(2), 85–91 (2013). https://doi.org/10.1007/s11623-013-0023-3
Steinmüller, W.: Grundfragen des Datenschutzes, Gutachten, BT-Drucksache 6/3826, German Bundestag (1972)
Article 29 Data Protection Working Party. Opinion 4/2007 on the concept of personal data. Working Paper 136 (2007). https://ec.europa.eu/justice/article29/documentation/opinion-recommendation/files/2007/wp136_en.pdf. Accessed 2 Feb 2022
Felschen, C.: Geplante Corona-App soll Daten doch dezentral speichern (2020). https://www.zeit.de/digital/datenschutz/2020-04/datenschutz-corona-tracing-app-dezentrale-speicherung. Accessed 2 Feb 2022
Greis, F.: Steuervorteile für Corona-App-Nutzer gefordert (2020). https://www.golem.de/news/lockerungsdebattesteuervorteile-fuer-corona-app-nutzer-gefordert-2004148137.html. Accessed 2 Feb 2022
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Rehak, R., Kühne, C.R., Bock, K. (2022). Analysis and Constructive Criticism of the Official Data Protection Impact Assessment of the German Corona-Warn-App. In: Gryszczyńska, A., Polański, P., Gruschka, N., Rannenberg, K., Adamczyk, M. (eds) Privacy Technologies and Policy. APF 2022. Lecture Notes in Computer Science(), vol 13279. Springer, Cham. https://doi.org/10.1007/978-3-031-07315-1_8
Download citation
DOI: https://doi.org/10.1007/978-3-031-07315-1_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-07314-4
Online ISBN: 978-3-031-07315-1
eBook Packages: Computer ScienceComputer Science (R0)