This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR mHealth and uHealth, is properly cited. The complete bibliographic information, a link to the original publication on https://mhealth.jmir.org/, as well as this copyright and license information must be included.
During the COVID-19 pandemic, contact tracing apps have received a lot of public attention. The ongoing debate highlights the challenges of the adoption of data-driven innovation. We reflect on how to ensure an appropriate level of protection of individual data and how to maximize public health benefits that can be derived from the collected data.
The aim of the study was to analyze available COVID-19 contact tracing apps and verify to what extent public health interests and data privacy standards can be fulfilled simultaneously in the process of the adoption of digital health technologies.
A systematic review of PubMed and MEDLINE databases, as well as grey literature, was performed to identify available contact tracing apps. Two checklists were developed to evaluate (1) the apps’ compliance with data privacy standards and (2) their fulfillment of public health interests. Based on both checklists, a scorecard with a selected set of minimum requirements was created with the goal of estimating whether the balance between the objective of data privacy and public health interests can be achieved in order to ensure the broad adoption of digital technologies.
Overall, 21 contact tracing apps were reviewed. In total, 11 criteria were defined to assess the usefulness of each digital technology for public health interests. The most frequently installed features related to contact alerting and governmental accountability. The least frequently installed feature was the availability of a system of medical or organizational support. Only 1 app out of 21 (5%) provided a threshold for the population coverage needed for the digital solution to be effective. In total, 12 criteria were used to assess the compliance of contact tracing apps with data privacy regulations. Explicit user consent, voluntary use, and anonymization techniques were among the most frequently fulfilled criteria. The least often implemented criteria were provisions of information about personal data breaches and data gathered from children. The balance between standards of data protection and public health benefits was achieved best by the COVIDSafe app and worst by the Alipay Health Code app.
Contact tracing apps with high levels of compliance with standards of data privacy tend to fulfill public health interests to a limited extent. Simultaneously, digital technologies with a lower level of data privacy protection allow for the collection of more data. Overall, this review shows that a consistent number of apps appear to comply with standards of data privacy, while their usefulness from a public health perspective can still be maximized.
The COVID-19 outbreak has shown how digital solutions can transform the health care system in an unprecedented manner. The rapid implementation of numerous innovative technologies to treat patients with COVID-19 has highlighted how much the human race can really benefit from data-driven transformation [
However, not all digital solutions have been launched in a contiguous manner. A specific example in this case includes mobile technologies. In principle, there are three areas in which mobile phone apps could aid in the fight against the COVID-19 pandemic: (1) self-diagnosis and facilitating treatment, (2) monitoring and enforcing the quarantine of infected persons, and (3) signaling if one is in close contact with an infected person [
The app used in the third area is called a
Despite ongoing challenges to limit the spread of the virus, the launch of such digital solutions still faces several hurdles. Meanwhile, digital contact tracing apps have enormous potential, given the fact that there are more than 3.5 billion mobile phone users worldwide. However, there is significant resistance to allowing such technologies to interfere in the lives of individuals. More than one hundred nongovernmental organizations and civil rights associations have urged governments not to use the pandemic as an excuse to enter a new era of digital surveillance [
In an effort to overcome potential privacy challenges in the adoption of contact tracing technologies, the European Data Protection Board (EDPD) has published guidance for the use of location data and contact tracing tools intended to mitigate the impact of the COVID-19 pandemic [
Hence, existing guidelines and principles available at the European level should be considered as safe tools to guide developers of digital solutions, even in critical times, so as to ensure the adequate respect of individuals’ rights. On the other hand, considering that the public health benefit of contact tracing apps depends directly on their widespread use, it is desirable to have governments strive to build trust among citizens with a high level of transparency. The pandemic showed how individual health is strictly connected to others’ health, and that one of the most effective measures in the absence of a vaccine is the behavior of the individual, for that one person as much as for the whole community.
Therefore, while it is desirable to develop an app that guarantees an adequate level of privacy, it is equally desirable that citizens feel the need to use such an app as an act of social responsibility toward themselves and the community in general.
In this context, the objective of our study was to address the following two questions: (1) How do available contact tracing apps allow for data collection for public health benefits and comply with standards of data privacy? and (2) Can the balance between public health interests and the protection of personal data be established to ensure the broad use of digital technologies?
The success or failure of the adoption of contact tracing apps will have impacts beyond the ongoing fight against the COVID-19 pandemic. It will set a precedent for future opportunities and challenges in the integration of other digital solutions into clinical practice while ensuring the data privacy of its users. Therefore, we hope that our conclusions and recommendations can contribute to the debate regarding the adoption of digital technologies in the support of solving health issues, even beyond challenges related to the COVID-19 pandemic.
We first performed a literature search in PubMed, MEDLINE, IEEE (Institute of Electrical and Electronics Engineers), and ACM (Association for Computing Machinery) Digital Library databases, covering the period between January 1 and August 31, 2020. The following key phrases were applied: “contact tracing,” “contact detector,” “contact mapping and COVID-19,” “COVID-2019,” “severe acute respiratory syndrome coronavirus 2,” “2019-nCoV,” and “SARS-CoV-2.” The search terms are included in
A supplementary search on the GitHub repository, as well as on governmental and app webpages, was then performed separately to collect additional information related to contact tracing apps that were identified in the systematic literature review. The following terms were screened: (1) overview, (2) frequently asked questions (FAQ), (3) data privacy, and (4) terms of use.
In order to address the first research question, two checklists were then developed to ensure a standardized approach toward the review of each technology. Both were sourced based on external reports in the fields of interest. The first checklist was constructed to review the key functions of mobile apps that define their fulfillment of public health interests. It was based on the Ada Lovelace Institute’s report [
Finally, in order to address the second research question, a set of minimum requirements that simultaneously fulfill objectives of data privacy and public health was constructed. All reviewed contact tracing apps were ranked. The score of 1 or –1 was applied for each condition being met or not met, respectively. In the absence of information, a score of 0 was assigned. All requirements were considered as equally important. The ranking of all the reviewed technologies was constructed based on the number of scores granted.
Overall, 611 unique records were identified across three databases, of which 531 articles did not meet the inclusion criteria (
Flowchart of the article selection process for the literature search. ACM: Association for Computing Machinery; IEEE: Institute of Electrical and Electronics Engineers.
In total, 11 criteria were defined to assess how digital technologies were able to fulfill public health interests. The three most frequently adopted types of functions in the group of reviewed contact tracing apps were (1) information about geographical coverage, (2) contact alerting, and (3) governmental responsibility. The two least frequently adopted functions were (1) medical and organizational support and (2) efficiency threshold (
In total, 12 criteria were defined to verify to what extent digital technologies complied with data privacy guidelines. The three most frequently met conditions were (1) user consent, (2) voluntary basis, and (3) adoption of anonymization techniques (
The set of 10 and 6 minimum requirements related to data privacy and public health interests, respectively, were defined to assess the balance between these two domains (
The success of the digital revolution in the health care sector depends on access to a consistent volume of quality data that are useful to medical advancement, while ensuring an appropriate level of protection of personal data privacy. In our research, we attempted to systematically analyze the state of the art in the adoption of contact tracing apps in the fight against the COVID-19 pandemic, with the objective to verify to what extent the requirements concerning data protection and public health interests can be achieved simultaneously.
In order to develop the comprehensive list of criteria for our analysis, we searched the public domain for available guidelines in the fields of interest. We adopted a human-centered approach in that respect, which should be interpreted from two perspectives.
Firstly, when addressing the type of data being collected, we strived to choose the most comprehensive set of criteria that would ensure the maximization of public health benefit from a societal perspective. Therefore, we deliberately selected the Ada Lovelace Institute’s report, which is based on the core values and the underlying mission of the institute (ie, to ensure that data and artificial intelligence work for people and society) [
Secondly, when addressing data protection, we focused on guidelines that were developed based on the most comprehensive set of data protection rules, such as the GDPR. From the European perspective, data protection is, in fact, considered a fundamental human right. Hence, we selected (1) the Privacy Code of Conduct on mobile health apps from the European Commission [
Not only did we develop the set of criteria for our analysis based on the chosen guidelines, but we also constructed a scorecard that simultaneously evaluated compliance with data protection and the level of fulfillment of public health benefits. It should be noted that although we did assign the same weight to all minimum requirements on the scorecard, we do value data protection as an essential condition due to the recognition of privacy as a human right and the urge to prevent a surveillance society. Hence, from our perspective, meeting the data protection criteria should be recommended as the mandatory base upon which to build digital health solutions and, consequently, public health benefits.
In sum, we reviewed 37 records about 21 contact tracing apps. In total, 12 and 11 criteria were used for the assessment of compliance with data privacy and fulfillment with public health interests, respectively. There are three key important findings worth highlighting.
Firstly, the majority of reviewed contact tracing apps were, to a greater extent, compliant with data privacy standards. As many as 18 out of 21 (86%) apps were designed to be used on a voluntary basis. Such an approach should be considered as optimal because it prevents any discrimination against individuals who are unable or unwilling to download the app. Moreover, the mandatory use of digital technology could lead to financial and technical burdens. Hence, jurisdictions with mandatory use of such apps are actually not compliant with the European standards. As demonstrated in
Secondly, as far as public health interests are concerned, there is still room for improvement among contact tracing apps. Only 8 out of 21 (38%) apps provided the definition of close contact, and governmental accountability was limited to 19 out of 21 (90%) cases. Additionally, 10 out of 21 (48%) apps reviewed solutions that were allowed for data accessibility for health care professionals. In that group, only 8 out of 10 (80%) apps provided details regarding techniques used for data aggregation, encryption, and/or anonymization. Meanwhile, there were just 13 out of 21 (62%) apps that used the mechanism of diagnosis verification, and the threshold for the population coverage needed for the digital solution to be effective was provided only once.
Thirdly, we observed the tendency that, with a high level of compliance with data privacy regulations, public health interests could be achieved to a limited extent, whereas a lower level of compliance with data privacy occurred across cases with greater potential for data collection. The COVIDSafe and SwissCovid apps met 15 out of 16 requirements. Both ensured that the minimum amount of data necessary for contact tracing was collected (ie, proximity data through Bluetooth). Contrary to that, Alipay Health Code ranked last in the scorecard as it processed a vast amount of data. Such a difference seems to be linked with different cultural, geographic, and political backgrounds. In principle, collecting more data could be useful from a public health perspective, for example, in order to closely monitor the contagion or to have a clearer and bigger picture of the spread of the disease from an epidemiological standpoint. Nonetheless, in relation to Alipay Health Code, no information was found about the actual use of the collected data for public health purposes. The lack of information available to users concerning the use of their data for further public health purposes would not, per se, infringe on the European principles as expressed in the GDPR. Indeed, Article 5.1 (b) of the GDPR considers further processing of collected data for public interest as compatible with the initial purpose of processing. Nonetheless, from a policy perspective, such ambiguity about the use of personal data might not be desirable in the European environment. In fact, not only might it disincentivize the use of apps due to the lack of transparency, but it could also have detrimental effects on society by undermining trust between citizens and governments.
Our findings need to be regarded with caution due to certain limitations of our study that must be acknowledged. Firstly, given the dynamic pandemic situation, we are aware that new developments in the field occur on a daily basis; as such, a number of new contact tracing apps were published after our systematic literature review was completed, or they were excluded due to limited information. On that note, it is worth mentioning that one of the most downloaded apps in the United States, namely HealthLynked COVID-19 Tracker [
Secondly, let us highlight that our checklists were based on specific references, while there have been other relevant guidelines already developed in relation to COVID-19 contact tracing apps. An example in this case is the article
Thirdly, we deliberately omitted the assessment of effectiveness of reviewed contact tracing apps, as this was already published by other authors [
Finally, although we used a global approach to search for apps, our analysis was conducted from a European perspective. Non-European jurisdictions have diverse cultural and political backgrounds and, as such, may follow different sets of values [
Despite the above limitations, we hope that our results and conclusions will inspire approaches on how to develop digital health solutions and ensure their broad adoption. Our literature review indicated that a consistent number of apps appear to be substantially compliant with the standards of data privacy, while the usefulness of contact tracing technologies from the public health perspective can still be maximized. Available surveys indicate that attitudes toward the use of contact tracing apps vary across different jurisdictions. According to a University of Oxford survey, the acceptance rate for contact tracing apps ranged from 67.5% to 85.5% in France, Germany, and Italy [
Overall, a prima facie analysis suggests that the more intrusive the government is into an individual’s privacy, the more that public health can benefit from the data. Moreover, it seems that a high level of privacy protection corresponds to an obstacle in terms of the use of data for public health. Nonetheless, we argue that the two interests can be perceived as not contradictory. Indeed, digital health solutions that protect individuals’ privacy can be directed toward optimization of public health benefits. To achieve such a goal, the adoption of transparency policies that increase trust between public and private stakeholders should be encouraged. In fact, solid public confidence in digital solutions developed by governments that prioritize the protection of the rights of individuals can foster further data sharing for public health purposes, among other things.
Indeed, we believe that the key success factors in this matter are transparency and information campaigns targeting individuals, which can be achieved by working toward an awareness of citizens’ responsibility and by providing relevant information on data protection and cybersecurity. Fostering citizen involvement in public matters such as public health can help to make every individual feel like a member of the state. Such awareness would stimulate individuals to share their data in a controlled and safe environment for the benefit of society.
Search terms for the systematic review.
Definitions of data privacy standard criteria.
Reasons for exclusion of full-text articles.
Reasons for exclusion of apps.
Supplementary sources of information.
Assessment of public health interests.
Assessment of data privacy.
Ranking of apps.
Association for Computing Machinery
European Data Protection Board
European Intellectual Property Institutes Network–Innovation Society
frequently asked questions
General Data Protection Regulation
Institute of Electrical and Electronics Engineers
Preferred Reporting Items for Systematic Reviews and Meta-Analyses
During the conduct of this research, ZZ has received funding from the European Research Council under the European Union’s Horizon 2020 research and innovation program (grant 679681). This research was implemented with the support provided from the National Research, Development and Innovation Fund of Hungary, financed under the Tématerületi Kiválósági Program funding scheme (project No. TKP2020-NKA-02). MP has received funding from project No. 2019-1.3.1-KK-2019-00007, implemented with the support provided from the National Research, Development and Innovation Fund of Hungary, financed under the 2019-1.3.1-KK funding scheme. FM received funding from the European Intellectual Property Institutes Network–Innovation Society (EIPIN IS) project funded by the European Union’s Horizon 2020 research and innovation program under the Marie Skłodowska-Curie grant (agreement No. 721733).
None declared.