One of Europe’s first national new crown virus contact tracking apps has been suspended in Norway because of concerns the country’s data protection authority (DPA) that the software, called Smittestopp, could pose a serious threat to user privacy,media reported. But following friday’s warning by the watchdog, the Norwegian Institute of Public Health (FHI) announced today that it would stop uploading data from tomorrow – and the DPA has asked for the use of the app to be suspended by the June 23 deadline to make changes.
It added that it did not agree with the regulator’s assessment, but would delete user data as soon as possible.
As of June 3, the app had been downloaded 1.6 million times, with about 600,000 active users, accounting for just over 10 percent of Norway’s population and about 14 percent of the population aged 16 and over, according to FHI.
“We don’t agree with the data protection authority’s assessment, but now we have to delete all data and suspend work,” FHI director Camilla Stoltenberg said in a statement. In this way, however, we have weakened an important part of our preparedness against the growing spread of infection, as we wastetime developing and testing the app. At the same time, our ability to combat the spread of infection is declining. “
“The pandemic is not over yet. We don’t have immunity, no vaccines, no effective treatments in the population. Without the App Smittestop, we wouldn’t be able to prevent new outbreaks that could occur locally or across the country. “
It is understood that the regulator’s intervention was due to the application’s low spread and low download rates in the country – meaning the agency now believes that Smittestopp is no longer a proportional intervention.
Unlike new crown virus applications in many European countries, Norway’s also tracks real-time GPS location data. New Crown virus applications in European countries use only Bluetooth signals to estimate user distance as a means of calculating the risk of contracting the new coronavirus.
The country also made its decision on GPS tracking before the European Data Protection Commission proposed guidelines. It is understood that the commission specifically pointed out that the new Crown Contact Tracker tracking app does not need to track the location of individual users, and also recommended the use of proximity data instead.
In addition, Norway has chosen a centralized application architecture, whereby user data is uploaded to a central server controlled by a health agency rather than a local storage device.
FHI has been using so-called “anonymous” user data in the app to track mobile patterns across the country, which the agency says will be used to monitor whether restrictions designed to limit the spread of the virus work.
In response, the DPA said today that users of the app did not have the right to be allowed to track new coronavirus contacts, in violation of the EU’s principle of limiting data protection purposes.
Another objection is how application data is anonymized and aggregated on to FHI — because it is well known that locating data is difficult to completely anonymize.
Still, FHI said today that it wants users to suspend the app — by disabling their access to GPS and Bluetooth in settings, rather than removing it altogether — so that the software can be reactivated more easily if it is considered necessary and legal in the future.