The Council of Europe called on the governments to ensure data protection when using applications to combat the COVID-19 pandemic and issued a report entitled Digital Solutions to Combat COVID-19, which analyses the impact of the legal framework and policies on the right to privacy and data protection. However, as noted by the Ministry of Public Administration, the report was written very superficially. Due to some flat summaries and interpretations of the report, the Ministry was forced to respond.
The report praised the #StayHealthy (#OstaniZdrav) application as a good tool for finding contacts of the infected, and for “self-diagnosis.” Regarding the security of the application, the National Cyber Security Incident Response Centre SI-CERT also estimates that the adjustment from the German application is made in such a way that it does not allow the misuse of users’ personal data. Also, the information about the location, for which Bluetooth needs to be turned on on the phone when the application is installed, cannot be abused.
The Ministry pointed out that a distinction must be made between the #StayHealthy application and other platforms or web portals. Namely, the report most often mentions the website undefined, instead of the #StayHealthy application, but the aforementioned website was not established by the Government of the Republic of Slovenia. This website made it possible for its users to report an infection: the user had to enter their Unique Master Citizen Number on the website, and in this way ensure that there were no false reports. Due to the lack of security and the collection of private data, the authors of the website had to remove it and delete the obtained data.
The application is not based on a centralized data collection system
The Ministry reported that the report incorrectly states that the Slovenian application #StayHealthy operates on a centralized data collection system. They say that they have only adapted the German application for the Slovenian market, and the German application, of course – as stated in this same report – operates on a decentralized system. This means that the contacts are only detected on the users’ phones, and not on a central server. The decentralized system provides users with greater anonymity. Apple and Google have also chosen a decentralized approach for their COVID-19 exposure notification system, which is the basis for the operating of the Slovenian and German versions of the app, so the #StayHealthy application was not even made based on a centralized data collection system.
The use of the application is voluntary
The Ministry pointed out that an important aspect of the app is that the use of the #StayHealthy application is completely voluntary. However, on the basis of the proposal and coordination with the office of the Information Commissioner, articles relating exclusively to the voluntary use of the #StayHealthy app will be included in the Bill on the Intervention Measures to Contain the COVID-19 Epidemic and Mitigate its Consequences, which will be discussed at the extraordinary session of the National Assembly on Thursday. The new provisions of the fifth Anti-Corona Legislative Package will therefore further define the legal basis for the operation of the application, based on the General Data Protection Regulation (GDPR).
A single application for the whole of Europe?
In the report, the Council of Europe also expresses their regret that the countries failed to agree on a single European application for tracking contacts with infected people, but as the Ministry pointed out, Slovenian Minister Boštjan Koritnik, who met with the European Commissioner Thierry Breton, pointed this out repeatedly.