Norway has been forced to stop loading data to its national Covid-19 track and trace app after a ruling by the national data privacy watchdog.

The Norwegian Institute of Public Health (FHI) said on Monday that following the ruling by the statutory data privacy guardian on June 11, it would stop uploading data, which was controversially held in a national database. FHI also committed to delete data already uploaded.

The Norwegian Data Protection Authority (DPA) raised concerns that the Covid-19 track and trace software, called “Smittestopp,” poses a disproportionate threat to user privacy — including by continuously tracking and uploading people’s GPS location to a national database for half a year.

The FHI has until 23 June to respond to the authority’s ruling and rectify the issues highlighted.

Bjørn Erik Thon, director of the Data Inspectorate, said: “Now I hope they use the time until June 23 well, both to document the usefulness of the app and to make other necessary changes so that they can resume use.

“Our warning does not mean that technology and apps cannot be used to fight the pandemic.”

He added that the use of an app “depends on the social benefits” and that the low public support for the app, around 14% of the population, impacted its likely effectiveness.

The DPA raised concerns that users could not opt out of their data being used for analysis and research, questioning the “lack of freedom of choice for users”.

Solutions for anonymisation and aggregation of the data collected were also absent, the DPA stated, despite the app continuously collecting personal information from users.

The DPA and FHI are due to meet on 19 June.

“There are many issues that need to be discussed. Forming consent and using GPS in infection tracking is central, but also the anonymisation solution is not yet in place,” Thon said.

“The insight solution will also be the theme of the meeting. However, it is important that specific changes are now on the table.”

In mid-April, Norway became one of the first countries to roll out a contact-tracing app, when FHI awarded a contract to local software company Simula.

Controversially, however, the approach chosen was to gather both Bluetooth and GPS (global positioning system) location data and then do contact-matches on a centralised computer server.

The Norwegian health authority had been advised by Oxford University’s Big Data Institute, which also advised the NHS to adopt a ‘centralised’ approach to the NHS contact tracing app.

By the start of June, the Smittestopp app had been downloaded 1.6 million times, with 600,000 active users, according to the FHI, which is just over 10% of Norway’s population. Low take-up was linked to concerns over privacy.

The decision follows weeks of growing disquiet in the Norwegian media that the Smittestopp app was a real-time mass surveillance tool that had been introduced with minimal governance or oversight.

An experienced expert on digital health in Norway told Digital Health News: “The data regulator said that the app was taking too much data for too little effect and having too high an impact on privacy.

“With the new ruling they are essentially splitting the app in two, separating location data from personal details.”

They predicted that with coronavirus now long past its peak in Norway and life fast returning to normal, the app would likely be quietly shelved, but said it showed how the crisis had resulted in normal rules being suspended.

“There are also questions of how the procurement was carried out with the impression that they just awarded a 50m Krone (£4.2m) to whoever shouted loudest,” they added.

Highly invasive?

An Amnesty International investigation this week placed Norway alongside Bahrain and Kuwait as having some of the most invasive Covid-19 contact tracing apps around the world, putting the privacy and security of hundreds of thousands of people at risk.

“Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle Covid-19,” said Claudio Guarnieri, Head of Amnesty International’s Security Lab.

“These systems capture location data through GPS and upload this to a central database, tracking the movements of users in real-time.”

He added: “The Norwegian app was highly invasive and the decision to go back to the drawing board is the right one.”

Guarnieri warned that while technology can play a useful role in contact tracing to contain Covid-19, privacy should not be another casualty as governments rush to roll out apps.

The Norwegian DPA ruling and Amnesty investigation add to a growing picture that in many countries contact tracing apps have so far largely failed to deliver on promises due in part to challenging technology and privacy issues, and also because of the behavioural asks of populations.