Will the warning app become a data octopus?

Created: 2/8/2022Updated: 2/8/2022 10:41 am

By: Matthew Schneider

Digital proof of vaccination on the yellow international vaccination certificate (photo from 06/17/2021).

With the end of free corona tests, some federal states are registering increased fraud with fake vaccination certificates up to outright trading.

©epd

INTERVIEW about new features, a vaccination register and police access to Luca contacts

Munich – Online registrations, digital certificates and a possible vaccination register: Central storage of personal data is repeatedly required to combat pandemics.

The Corona warning app is also getting more and more functions that could torpedo the former charm of the app – not being a data octopus.

A conversation with Michael Will, President of the Bavarian State Office for Data Protection Supervision.

Mr. Will, with a new version of the Corona warning app, users can send their certificates to the organizer when buying a ticket.

This should make access control easier.

How do you feel about this?

You always have to compare whether the Infection Protection Act justifies a technical process.

For example, it requires access control at events, but by no means data storage for a long time.

The great charm of the Corona-Warn-App was always that the data was only stored decentrally on the device.

The online transmission of the certificates can therefore at best be the comfort solution and requires the express consent of the user.

Such systems - i.e. both at the validation service provider and at the organizer - would have to be checked strictly for their storage duration and security.

Otherwise, such services would result in a shadow vaccination register with the organizers, which is not a nice idea.

Can this procedure become the norm?

No, in terms of data protection, the storage of certificates is the exception and not the rule until further notice, as it goes beyond the current version of the Infection Protection Act.

Every visitor to an event has the right to be checked by a human being, which does not store their data.

The Association of Towns and Municipalities calls for a general vaccination register, critics counter with data protection concerns.

I am not aware of any case in which data protection has prevented the fight against sources of infection.

In any case, an official vaccination register would not be ruled out under data protection law, as long as it is subject to correspondingly high standards.

Political responsibility must not be passed on to data protection.

Here, too, the main thing is the technical design, i.e. the security.

Basically, central data storage is always more vulnerable.

as a decentralized one.

And we're talking about very sensitive health data that could be skimmed off by criminals.

Unsolicited data requests came from a different direction in south-west Germany: from the police.

Meanwhile, officials have been confirmed to have attempted to access contact record data on several occasions.

It was mostly about the centrally stored, encrypted data from the Luca app, which, in contrast to the Corona warning app, records personal data such as name and address.

Regardless of technical safeguards, there is a legal ban on changing the purpose, i.e. a ban on confiscation, in order to increase the acceptance of contact tracing.

That's right, because citizens should be involved in contact tracing and, for example, use the Luca app voluntarily to contain the pandemic and not to facilitate criminal prosecutions.

Irrespective of this, we, as data protection authorities, are now asking ourselves

whether, in view of the ever-increasing number of infections and the resulting fewer evaluation options for the health authorities, the last obligations to collect contact data that still apply in Bavaria should not be lifted.

It would be good if the legislature tackled this before another court abolished this obligation, which still applies to major events, for example, as disproportionate.

Interview: Matthew Schneider

Michael Will, Bavarian State Office for Data Protection Supervision © Bavarian State Office for Data Protection Supervision