Norway’s population is around 5,4 million. There have been approximatively 12,700 positive cases in Norway at the time of writing, with 267 people now confirmed dead. The country seems to be experiencing a second wave of infections, especially in big towns like Oslo and Bergen, and it has now even higher infection rates than Sweden.
The Norwegian government reacted quickly after the first known infection in Norway in February 2020 and took immediately drastic measures – the strictest emergency measures taken outside wartime. All educational institutions (from kindergarten to university) were closed, and organized sports activities were discontinued. A number of events, businesses and services were cancelled or closed, including cultural events, sports events, gyms and swimming pools. There was a travel ban for healthcare professionals working with patient care. People returning from trips abroad were quarantined. On March 16th, non-residents were banned from entering Norway. Nobody was allowed to travel outside their municipality of residence during a few weeks in March-April 2020. And people suspected or confirmed to be infected had to follow stricter home isolation rules, under the threat of heavy fines or even jail time.
Although Norway “usually” ranks amongst the best democracies in the world, the measures taken during the spring of 2020 have infringed upon several human rights, such as the right to freedom of movement, the right to peaceful assembly and the right to privacy.
This short article focuses on the data protection issues raised by the use of a tracing application, “Infection Stop” (Smittestopp), launched (as an unfinished product) on April 16th, and downloaded on mobile phones 1,6 million times, corresponding to nearly a third of the Norwegian population.
The app had been developed under less than five weeks by the research institute Simula, in cooperation with the Norwegian Institute of Public Health (NIPH) and tested in three municipalities. The double purpose was to limit the spread of the coronavirus through digital tracing and to provide data on the movement patterns in the population to develop efficient infection control measures. The data was encrypted and stored for 30 days in a secured cloud solution. The app used a combination of Bluetooth technology and a smartphone’s location services features (GPS) to track and trace coronavirus infections by tracking the users’ movements and their proximity to anyone who was later confirmed to be infected. If a user was found to be infected with the virus, it was possible to trace the phones that had been in close contact (closer than two meters for more than 15 minutes) with the infected person over the last 14 days. SMS-notifications were then sent to the affected phones from the health authorities so that the owners could take the necessary precautions, such as self-quarantine. Only those who had chosen to download the app could receive a notification.
The app was suspended in June, after having raised heavy criticism both nationally and internationally.
The legal background
Several legal measures had already been taken to fight the pandemic since March 2020 when the “Infection Stop”-app was launched in April. With the Emergency Powers Act, the Norwegian government was given a broad scope to change laws without consulting parliament, but the emergency powers were to be valid only for one month initially, not the six months proposed by the government. In addition, it would only take a one-third minority in parliament to overturn government decisions, and all regulations would have to be brought to parliament’s attention immediately.
The legal basis for the “Infection Stop”-app is the Control of Infectious Diseases Act and the emergency regulation “to regulate digital infection tracking and epidemic control in connection with the outbreak of Covid-19”, adopted two weeks before the app was launched. According to its section 1, “[t]he regulation will contribute to trace quickly and give advice to people who may be infected by the corona virus SARS CoV-2. Through monitoring at the population level, the regulations shall also contribute to monitoring the spread of infection and assessing the effect of infection control measures.”
A deeply invasive app putting human rights at risk
The Norwegian “Infection Stop” app: One of the most dangerous contact tracing apps in the world
Technology can and should be used to fight the spreading of the disease. Many governments are and have indeed been looking to technology to help monitor and track the spread of COVID-19. The main problem is that there is no perfect solution to digitally trace infected persons without infringing on the right to privacy.
However, some basic rules and principles of data protection should be upheld. As Amnesty International puts it:
“in order to be human rights compliant, contact tracing apps must, among other things, build in privacy and data protection by design, meaning any data collected must be the minimum amount necessary, and securely stored.
All data collection must be restricted to controlling the spread of COVID-19 and should not be used for any other purpose – including law enforcement, national security or immigration control. It must also not be made available to any third party or for commercial use. Any individual decision to download and use contact tracing apps must also be entirely voluntary. Any data collected must remain anonymous, including when combined with other data sets.”
An analysis of contact tracing apps from Europe and the Middle East and North Africa by the Amnesty International Security Lab reported that the Norwegian tracing application “Infection stop” was as dangerous as those used by the government in Bahrain and Kuwait, mostly due to its live or near-live tracking of users’ locations by frequently uploading GPS coordinates to a central server.
A voluntary and temporary abdication of privacy to “regain freedom”
The “Infection Stop”-app was in conformity with the “voluntary” principle and the “time-limit” rule.
During a press conference on 16 April 2020, the Norwegian Prime Minister Erna Solberg urged everyone in Norway to download the “Infection Stop”-application, stating that “if we are to get our everyday life and freedom back, as many people as possible have to download the app.” She also pointed out that it was voluntary to download the app, but that it is required by law to get involved in the infection tracking work. She promised that the data collected would not be used to police adherence to quarantine for those with confirmed infections. And she added that all personal data collected would be continuously deleted after 30 days and that the app itself was scheduled for deletion by the end of the year.
Such a monitoring measure could by no means have been carried out by force. It had to be done on a voluntary basis. That was the case in Norway: Any individual decision to download and use the app was entirely voluntary. It would otherwise have violated the right to privacy enshrined in section 102 of the Norwegian Constitution and in art. 8 ECHR incorporated in the Human Rights Act 1999. But as the European Data Protection Board (EDPB) noted in a public letter dated April 14th, 2020, “the mere fact that the use of the contact tracing takes place on a voluntary basis, does not mean that the processing of personal data by public authorities necessarily be based on the consent”.
The Norwegian Data Protection Authority (NDPA) has also been critical of the fact that users have not had the option to choose to share personal data for just one or several of the purposes. In June, the Norwegian Parliament reached the decision that these different purposes have to be separated in the next version of the app.
Violation of the principle of data minimisation
The app should have been in line with the GDPR and Norway’s data protection legislation, with privacy at the forefront of its design. Moreover, data collected should have been the minimum amount necessary, and securely stored. None of these requirements was respected.
The app is based on an invasive centralized approach, posing a great threat to privacy (and to security: there is a risk that third persons may get access to these centralised data). The app allowed for the continuous monitoring of people’s movements and physical encounters, as well as the storage of these data by the authorities. The system captured location data through GPS and uploaded them to a central database located in Ireland, tracking the movements of users in real-time.
The app and the centralisation of data clearly violated the principle of data minimisation and some basic rules of data protection: When both location data and information about who one has had close contact with are gathered, the combination of these data can provide a significant insight into sensitive information such as movement patterns and social networks.
Even before the app was launched in Norway, the EDPB had expressed the opinion that infection tracking apps that collect location data operated in violation of the principle of data minimization, central to of the GDPR (section 5 nr. 1 c) and the Norwegian Personal Data Act 2018 (LOV-2018-06-15-38): “Contact tracing apps do not require location tracking of individuals users. (…) Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimisation. In addition, doing so would create major security.”
The app’s use of GPS coordinates and the fact that the data from the app were sent to a central Microsoft server located in Ireland was also criticised by the Norwegian Data Protection Authority. For the NDPA, the restricted spread of coronavirus in Norway, as well as the app’s limited effectiveness due to the small number of people using it (almost 600,000 active users were sharing data in June), meant that the invasion of privacy resulting from its use was disproportionate. The NDPA’s notification of decision on temporary ban on processing personal data from the “Infectious stop”-app sent on June 12, 2020, led to the suspension of the app and the deletion of all collected data.
There were alternatives that balance (better) the need to trace the spread of the disease with privacy: Since the purpose with this tracking measure did not require the centralising of data storage, it could have been possible to store encounter history on the users’ own devices, i.e. locally (for instance “Trace Together”-app used in Singapore or the Blue Trace protocol). But the NIPH dismissed them.
Lack of transparency and danger for “purpose deviance”
Another important principle is that of “limited purpose”: all data collection must be restricted to controlling the spread of COVID-19 and it should not be used for any other purpose – including law-enforcement, national security or immigration control. It must not be made available to any third party or for commercial use either.
The Norwegian authorities justified the gathering and centralisation of data by the need to research on infection transmission and to understand how our behaviour is affected by infection control measures. But this fulfils actually another purpose than the one the app was created for.
Moreover, recent experience proves that one cannot trust that the collected and stored data will not be used to some other purpose by the Norwegian authorities.
In November 2018, the Supreme Court’s Appeals Committee allowed a woman in a private paternity case to have access to information about a man’s DNA from the police’s DNA register, in order to determine whether he was the father of her child. The man was at the time in an unknown location (probably in Europe) and was not represented in the case (HR-2018-2241-U). This decision was heavily criticised, as it undermines the population’s trust in the management of stored data.
The refusal by the developer of the “Infection Stop” to publicly publish the full source code of the app for fear of malignant use by third parties, was yet another reason to raise mistrust in the app and in the authorities’ future use of the data, and to denounce a lack of transparency. The full source code underlying the app should have been made available for scrutiny.
What now? Towards “Infection stop 2.0”
Amnesty International’s analysis was published right after the Norwegian government had announced it would suspend the use of its contact tracing app. Following the notification sent by the Data Protection Authority on 12 June, the NIPH suspended the collection of data, deleted all collected personal data, and deactivated the app on 16 June.
On 6 July, the NDPA sent its formal decision on a temporary ban based on section 58 nr. 2 f) of the GDPR, maintaining that the app interferes disproportionately in users’ privacy based on the current transmission rate in Norway, the chosen technical solution and the general support for the app. According to the NIPH, this decision does not imply a suspension in the processing of personal data as such, but it means that NIPH cannot resume the collection of personal data through the “Infection Stop”-app until the temporary ban has been lifted.
In accordance with the wishes of a majority in the Parliament, the NIPH and Simula have been working on a new version of the application. The modified version of the app will be in line with the parliament’s decision that users give separate consent to what the data is used for.
On 15 September, the NIPH , in collaboration with two other national public health institutions, presented a “rapidly conducted investigation”, Further plan for the application “Infection-Stop”, with four alternatives:
- Option 0: Discontinue the app completely and opt-out of national automated digital tracking;
- Option 1: Modify the existing solution for Infection Stop, by introducing the requirement of two consents in the app. It would not collect GPS-data that make it possible to see where people have been, but only Bluetooth-data, which only show who a person has been near to. It would still require that the data be stored centrally, but with significantly shorter storage time for GPS data than the original version of Infection Stop, and with additional data minimization measures and anonymization routines;
- Option 2: Creation of new app based on the Exposure Notifications System (ENS) framework developed by Apple and Google, exclusively for digital tracking, opening the choice between three ways to track infection digitally from minimal to extended. The plan supports the “medium” solution: The user would install the app on their phone, and the app would only be used for infection tracking. The user would give his consent for close contacts to be registered when starting the app for the first time. This corresponds to what most countries in Europe have done so far.
- Option 3: Development of two apps, one based on the ENS for digital tracking, and a new “Infection Stop”-app, exclusively for the collection data for analytical purposes.
Having assessed the options in the light other countries’ experience, utility value, time frame and financial consequences, the NIPH supports option 2, as it is in line with the dominant international trend and the recommendations from the EU for digital infection tracking. The possibility of exchanging data across national borders is also emphasized in the assessment as this is relevant in order to be able to open up for increased travel activities. With this alternative, it will be possible to connect the Norwegian digital infection tracking to the EU’s hub for national infection tracking applications that enable cross-border infection tracking. Option 2 also offers the possibility to reuse solutions, factual knowledge and expertise from other countries that have come further with this task. And it does not involve storing data centrally, which makes the solution less invasive than the original infection stop. The NIPH et alia are currently in the process of tendering the development of the app. The Government claims that the app will be available for public release within 8 weeks, probably by the New Year. The NDPA is rather positive and will follow carefully the development of the new app, but it still needs to assess the legality of the proposed solutions. All in all, it seems that Norway is looking to joining efforts with the decentralised approach most often adopted in the EU and the UK. Interoperability seems to make good progress in the fight against Covid-19.
Iris Nguyen Duy is a Law Professor at the University of Agder, Norway. She is the leader of the research group in Comparative and Public Law. Her main research interests include Parliamentary Sovereignty, Comparative Constitutional law, Open Government and Local Government issues