Date: 2022-06-10

The COVID Radar app, for digital tracing of coronavirus infections, was a source of controversy from the very beginning, when, at the worst of the pandemic in 2020, the Government commissioned Indra to develop it. It generated distrust among citizens, exposed the total lack of coordination between public administrations, and it quickly became clear that its usefulness was very limited: there was no way for users to report their own positive result, or the notifications of risk contacts were not received.

In the end, its development, maintenance and promotion cost us Spaniards €4.2 million. The app was only able to register 1% of the COVID infections that took place in our country (121,390 positives), so, dividing its cost by the number of cases it registered, each of them ended up costing 35 euros.

The app did not prevent many infections, but it will avoid paying for its GDPR violations

We learned a month and a half ago that the maintenance contract with Indra was not going to be renewed, so the app was abandoned by the Administration. The consequences of the app, however, have not abandoned the Administration…

A few hours ago, the AEPD (Spanish Data Protection Agency) published a sanctioning file (PDF) against the Secretary of State for Digitization and Artificial Intelligence (the government agency that signed the contract with Indra) for violating up to 8 articles of the General Data Protection Regulation because of Radar COVID.





The AEPD makes it clear that, while it is aware of “the extraordinary and emergency situation” generated by the pandemic, and that “the right to the protection of personal data cannot be an obstacle to technological advances to combat the pandemic”, these clear breaches of the regulations remain grounds for sanction.

This sanction, however, is merely a ‘warning’, with no financial penalty at all. That should not be used to gauge the seriousness of the Government’s action: it is only a consequence of the fact that the Personal Data Protection Law and the GDPR do not contemplate fines when the non-compliance is committed by a public administration.

No impact assessment until one month after launch

Among other facts, the AEPD resolution establishes that the Secretary of State for Digitization acknowledged, in its allegations, that “no data protection impact assessment document was generated for the pilot project.” In fact, that impact assessment was not available until September 22, 2020, three months after the pilot project began and more than a month after the app’s national launch:

“SEDIA, which acted as data controller, should have prepared an EIPD from the beginning of the development and implementation of the Radar COVID application and, in any case, before the personal data was processed.”

That assessment should have been carried out, at the request of SEDIA, by the Data Protection Officer of the Ministry of Economy, who, according to the allegations, was not consulted at first “because it was not a mandatory procedure”. The AEPD answers that article 35.2 of the GDPR establishes that the Secretary of State was obliged to seek the advice of the DPO.

The development of the application did not effectively take into account the principles applicable to data protection “by design and by default”, according to the AEPD

Known vulnerability, but not fixed half a year later

The AEPD also states that “it registered several complaints alleging a vulnerability in the application design”, which made it possible, for example, to associate an IP address with the upload of a positive test. This exceeded what was necessary for the operation of the app, made it possible to de-anonymize the information, and violated the latest version of Radar COVID’s own privacy policy.

This vulnerability “was already known to the Radar COVID development team, as it was listed in at least one white paper published in April 2020”. Despite this, the app was launched nationally on August 19 and the problem was not resolved until October 8: