Jess Bauldry: Luxembourg's prime minister has shown scepticism to the idea of a contact tracing app for coronavirus in Luxembourg. Is a contact-tracing app something that the scientific and medical community in Luxembourg welcomes and why?
Damien Dietrich: Many infections (>50%) occur before the onset of symptoms. Identifying the contacts of positive individual (contact tracing) and isolating them is thus needed to break the infection chain.
Traditionally, manual contact tracing (via the regular phone calls or in the field) is used, but it is resource-consuming and can be inaccurate (challenging to remember the contacts and their coordinate over a period that can be as long as two weeks before).
Digital contact tracing has the potential to be very reactive and exhaustive. However, it is not perfect as false positives may occur, and the context of contacts is not assessed (for example contact through a wall).
Overall, digital contact tracing is complementary to manual contact tracing and has the potential to drastically increase the efficiency of the process and prevent the health authorities from being overwhelmed. For these reasons, the scientific community has shown a marked interest in the topic. However, the real-world effectiveness of digital contact tracing still needs to be proved.
What would be the benefits of such an app for the scientific study of the pandemic here in Luxembourg?
The main aim is to facilitate the contact tracing activity, which is mainly an operational rather than a research activity. However, some tracing apps offer the possibility for citizens to willingly share their data. In that case, they could help us understand the dynamics of the infection (assess more precisely when contagion occurs during the natural history of the disease).
What existing apps, elsewhere in the world, do you think would be most appropriate, if at all, in Luxembourg?
There is probably no perfect solutions. Each solution has its pros and cons and that is ultimately a political decision. However, the solution should be effective, maximise privacy, comply to the GDPR and the Luxembourgish law, be interoperable with neighbouring countries, at least, and be integrated in the global strategy against covid-19.
Some solutions are more privacy preserving (because they are fully anonymous), but some public health experts are doubtful about their efficacy. These decentralised solutions can be based (non-exhaustively) on the European academic initiative DP-3T or the framework of the tech giants Apple and Google. On the other hand, partly centralised solutions have a potential to be more effective, with a trade-off in the cybersecurity risk and privacy. The main example in Europe is the centralised implementation of the Pan-European Privacy-Preserving Proximity Tracing framework.
The question is: where do we set the threshold between effectiveness and privacy/cybersecurity? Importantly, participation in these applications is based on free will and must reach at least 60% of the population in order to be effectively work. Bearing that in mind, it is important to consider that a solution that is not sufficiently privacy preserving will probably not be used by citizens and thus not be effective in the real world.
At the moment in the EU, the situation is unfortunately fragmented: Germany is working with Apple and Google. Austria, Switzerland and Italy have chosen DP-3T. France and Spain are considering a centralised implementation based on the European academic initiative PEPP-PT. It is important to note that all these solutions can be implement in a way that is compliant to GDPR and the larger legal framework.
If 60% of the population would have to agree to use such an app for the results to be effective, in Luxembourg that would have to include residents and cross-border workers. To what extent do you think it's possible to recruit this critical mass?
This is indeed one challenge for Luxembourg and further emphasises the need for interoperability at the EU level. If this interoperability is achieved and the app(s) deployment conducted in a coordinated way across borders, the 60% could probably be achieved.
Data privacy questions are among the issues that make contact tracing controversial, it would seem. To what extent do you think it is possible to create an app that does not compromise these kinds of rights?
Whenever you process personal data, you put privacy at risk. GDPR’s purpose is to make sure that risk is acceptable. Contact tracing apps raise at least risk to the privacy of personal information, risk to the privacy of personal behaviour, the risk to the privacy of location, and risk to privacy of association.
A contact tracing app that complies with GDPR is designed to mitigate such risks. We consider that D3-PT framework is the architecture that better mitigates such risks (through decentralisation and anonymisation). On this basis, it is possible to create a contact tracing app that minimises risks to privacy.