Deutsche Telekom and SAP coronavirus app wins over German data regulators

The designers of Germany’s contact-tracing app have labelled data protection concerns related to the app as “unfounded”, while the country’s data regulators have told GDR they are happy with the app’s privacy safeguards. 

In an article published late last week, executives from Deutsche Telekom and SAP – which designed the app alongside the German health ministry and research organisation the Fraunhofer Institute – argued that “increasingly vocal” criticism of Germany’s contact-tracing app has “missed the point”. 

The app, which is due to be released in the coming weeks, will work using a decentralised system and will not collect personal data, according to Deutsche Telekom board member Adel Al-Saleh and SAP chief technology officer Jürgen Müller. 

“We believe that concerns about data protection are unfounded simply because the app does not record name or address, phone number, location, or users’ social contacts,” the pair wrote last week. 

The app will work in such a way that all parties remain anonymous, they wrote. “All you receive is a notification and a recommendation to get tested.”

The executives also hit back at criticism that the app has taken too long to complete; the French government recently released its own app, while the Italian data protection authority gave the green light to its government’s contact-tracing effort. But the German executives said it was necessary to take time to ensure the app worked properly. 

The approach appears to have found favour with German state and federal data protection regulators, who told GDR that while the app’s designers will need to keep working to ensure privacy is protected, it so far looks promising.

Christof Stein, a spokesperson for the federal regulator, said the authority continues to work with the two companies, and noted the app’s privacy protections. “We appreciate that this app will only deal with pseudonymised data … but the app will only contribute to fighting the pandemic if many citizens are using it,” he said. 

“Therefore they need to trust the app. The [federal regulator] will have a very keen eye on this project.”

Michael Will, head of the Bavarian data protection authority, told GDR that although data processed by the app is not completely anonymised, the level of risk involved is very low, because information which could identify individual users will only be stored on personal devices rather than on a centralised database. The only way to identify app users would be by gaining access to the device, Will said.  

Will said there has been “some confusion” about what the app will entail, with some onlookers conflating the app with proposals to share telecoms data that emerged earlier in the pandemic. The app is more privacy-friendly than those proposals, he said. “We are looking at a solution which is perfectly transparent, which puts into reality the principle of data protection by design and which is very close to anonymised data.”

Marit Hansen, head of the data protection authority for the German state of Schleswig-Holstein, echoed Will’s sentiments – saying the app designed by Deutsche Telekom and SAP is “more promising” from a data protection perspective than earlier telecoms data-sharing proposals. 

“The corona warning app is strongly following the path of data protection by design,” Hansen said. “It makes use of Apple's and Google's joint effort to a decentralised exposure notification ... the name of the persons you meet and the location of the meeting point won't be stored. [This is] a good example of bridging the gap between data protection research and reality,” she said. 

Hansen added that the process used for the app – “built-in data protection and maximum transparency” may become a “blueprint for future digitisation projects”.

Unlock unlimited access to all Global Data Review content