This post is part of a series on contact tracing apps. You can read our introduction to the series here and get links to the other entries below.
The German government has released its corona tracing app today – two months later than originally planned.
The delay was caused by public discussions about data privacy and state surveillance concerns, leading to the government’s decision of implementing a decentralised software architecture that stores the data on the users’ mobile phones and not – as opposed to the centralised approach taken for example in France – on a central server.
A voluntary app with a strict data-privacy design
The mobile phones that have installed the German app exchange temporarily generated and encrypted identification numbers that are stored only on the user’s phones. No location data is tracked or processed. Each app calculates an exposure risk of the user based on the exchanged proximity data and other epidemiological thresholds.
The use of the app is voluntary and there are no incentives in place to increase the download of the app. Once a user is tested COVID-19 positive, it is left to their discretion to enter this information into the app. Whether the user has chosen to do so or not is neither tracked by any server nor by public health authorities.
To avoid false or abusive data entries, the user must scan a QR code received on the positive test results from the doctor or the laboratory or a TAN received via an official hotline. The app regularly scans a list of anonymised identification numbers of the positive tested users and receives a warning when there is an overlap with one of the ID numbers stored on the user’s phone.
There will be no specific tracing app law regulating the app’s conditions like this is for example the case in France with its centralised app approach. The general GDPR rules will apply and the Federal Data Protection Commissioner Kelber is tasked with monitoring the app’s operation. Kelber does not see any data privacy concerns regarding the installation of the app but he criticises the option of receiving a TAN via a hotline when tested positive, as this would open the ground to new data processing activities. And he is warning public transportation operators and businesses 'to not even think of making the app indirectly mandatory for clients or consumers'.
May employers use the tracing app at the workplace? Are they obliged to ask for the app status?
Employers in Germany are not entitled to request the use of the government’s tracing app at the workplace: The German government’s COVID-19 occupational health and safety standards do not mention tracing apps, and German employment law does not entitle employers to demand it (see our previous blog post).
Still, employers could recommend to employees to use the government’s tracing app on a voluntary basis and could announce to the workforce that the installation of the tracing app on the business mobile phones is permissible and not breaching any of the company’s IT policies.
The question remains whether employers may order that employees disclose when their tracing app indicates that they have been exposed to an infected person.
Under German employment law, employees have an obligation to disclose to the employer if they are infected with a highly transmissible disease.
But if the tracing app notifies an employee about having been in contact with an infected person, that does not mean that the employee is infected. Therefore, there is no obligation from the employee to disclose his or her app status.
Still, the employer may be entitled to ask whether the app says that an employee has been exposed to an infection risk. There is no case law and no precedents on this question, but the answer in Germany is probably 'yes'. This right to ask is based on the employers’ obligation to protect their workforce. Where at the start of the pandemic, the employers were entitled to ask whether an employee has been travelling to a high-infection risk region, an employer should also be entitled to ask whether a tracing app used by the employee indicates an infection risk.
If there is no right of the employer to request the use of tracing apps under general employment law, can the use of tracing apps be made compulsory by collective agreement, for example with the works council? And could this even solve data protection issues because a collective agreement may be a legal basis for employee data processing under article 88 of the GDPR?
This all depends on whether the app would be used only in the workplace or also in private life. A collective agreement must not put duties on employees outside the workplace and outside working hours.
As the government’s app is intended to be used for public health purposes all the time and not only in a workplace environment, the collective agreement option will not apply.
Still, we see private providers develop tracing apps specifically for businesses to track their employees in the closed working environment. These private apps must be must reviewed on data privacy and employment law compliance on a case-by-case and jurisdiction-by-jurisdiction basis like any other tech tool deployed.
Other posts in this series:
- Round 1: What’s happening?
- Round 2: Legal considerations for companies that want to use contact tracing
- Round 3: Are companies required to use contact tracing?
