Imposta come home page     Aggiungi ai preferiti

DIGITAL CONTACT TRACING IN CHINA AND IN EUROPE: Protection of users data and effectiveness of public action

di e - 11 Maggio 2020
      Stampa Stampa      

In the first category, the contact tracing apps are developed by local governments, jointly with internet giants Tencent and Alipay. They aim at regulating movements within the provincial (or city) boundaries, by separating healthy people from potentially infected individuals that need to be isolated. The main example of such tools is the QR Health Code app, first launched in Hangzhou, and now used in hundreds of cities across the country.

Tencent’s recently published “technical guide for anti-epidemic passcode” (防疫通行码参考架构和技术指南), clarifies the functioning of the QR health codes apps[12]. In terms of data, the system integrates the information provided by local public authorities, with those in the hands of the internet platforms. To access the app, users are also required to answer a range of questions about their health condition and recent travels. Based on these data, users are then assigned to different risk categories labeled via a colour code (green, yellow and red). The green code is required to access public transport, residential and office buildings and shopping malls. Users with a yellow or a red code must instead self-isolate and undergo health checks[13]. On top of this, the health apps also allow one to check the code of other users by typing in their name and phone number.

The second type of contact tracing tools are those developed by the central government, with the aim of normalizing movements across different provinces, and of harmonizing local health codes along with unified standards. In this respect, the Politburo Standing Committee (China’s highest decision-making body) recently stated that in order to “accelerate the establishment of an order of economic and social operation compatible with the prevention and control of epidemics (…) the necessary health certificates must be recognized throughout the country”[14] and “all provinces (…) should implement unified policies and consistent standards in personnel control and mutual recognition of health codes”[15].
One example of the government’s effort to unify contact tracing at the national level and to kickstart economic activity is the Communication Big Data Itinerary Card (通信大数据行程卡). Developed by the Ministry of Industry and Information Technology (MIIT), the card relies on phone tracking information provided by the three national mobile carriers to identify and isolate people travelling from red zones, or that boarded the same train or plane of a confirmed case[16]. The card was specifically designed to allow people to travel from the provinces, where many had retired during the New Year holiday, back to their workplaces in coastal cities and industrial regions.
In parallel, the government is also working to integrate the different regional health codes into a fine-grained national system that can effectively track down and isolate single cases, rather than just regulating flows across provinces. In this regard, as early as February 27, the city of Shanghai and three provinces of the Yangtze River delta (Zhejiang, Jiangsu and Anhui) agreed on the mutual recognition of their respective health codes[17]. The codes developed by Tencent, with over 900 million users spread in 20 provinces, have also been progressively integrated[18]. The final goal seems to be to unify all the regional systems into a single and universally recognized health code that can be used throughout the entire country[19]: the Epidemic Prevention Health Information Code (防疫健康信息码).
In sum, China’s multifarious contact tracing tools are progressively being reordered in a pyramidal structure. At the bottom, local authorities cooperate with internet platforms to develop contact tracing tools based on the digital ID system, real-name identification and GPS tracking. These tools are then progressively integrated into the National Integrated Platform of Government Services (全国一体化政务服务平台) to develop a nation-wide system allowing citizens to move freely across the entire country.

This raises the question of the link between the government’s power to access individual data and citizens’ right to privacy. In the Cyber-security law (网络安全法), personal data are not only safeguarded as individual rights, but also as a strategic interest of the State[20]. Civil law remedies offer the main layer of protection to individual data. Treatment of personal data cannot take place without consent, and it should be limited to information that is necessary to the offered service (Article 40). Citizens are granted legal actions to obtain the elimination of data that were gathered illegally, but not a general right to be forgotten[21]. Interested parties can also require the removal of incorrect information, as well as slandering or privacy infringing digital content published by third parties[22].

However, these civil law remedies are shadowed by the government’s intervention in the management and protection of citizen data. The first layer of public protection restricts the gathering and treatment of data exclusively to licensed entities (Article 23 of the Law), who are required to store the data in servers that are physically located in China (Art. 37 of the Law). Moreover, according to the Provisions on the Supervision of the Internet and on the Inspection by Public Security Organs, (公安机关互联网安全监督检查规定), public security organs have the right to enter the premises of Internet Service Providers and remotely access their servers. While the Provisions contain measures aimed at preventing abuse by public security officers (Article 5 of the Provisions), the legitimacy of inspections by public security organs is more intricate. Inspections are grounded on a generic duty of supervision, but the actual reach and boundaries of powers related to this duty are not defined by the Cybersecurity Law, nor by the Provisions.

In sum, the interest of citizens in the protection of personal data, and the interest of the State in the security of the Internet largely coincide. It is thus not surprising that the creation of a centralized information database, the National Integrated Platform for Government Services, is not considered as a limitation to citizens’ right to privacy, but as a way to secure sensitive information.

3) Contact tracing in Europe
The European Union aims at ensuring that apps adopted in different Member States will be interoperable, thus facilitating mobility between EU countries. It therefore implemented a unified standard, contained in the Common EU Toolbox for Member States[23]. The creation of a common technical standard has also allowed the EU to imprint European principles, such as the protection of individual freedom and privacy, within the architectural framework of the contact tracing apps.


12. ]通知公告/附件1:%20《防疫通行码参考架构与技术指南》%20征求意见稿.pdf







19.  There have been several recorded incidents of people being prevented from boarding flights, or forced into quarantine because of a lack of mutual recognition of regional health codes.;

20.  It is therefore unsurprising that the bulk of the provisions regarding protection of personal data is included in a law on cyber security, implemented with the purpose of safeguarding the security of the net and protecting citizens legitimate interests (art. 1). The cybersecurity law is available at:

21.  Article 43 of the Cyber Security Law.

22.  Article 36 of the Chinese Tort Law or 侵权法. In these latter circumstances, Chinese online platforms are subject to strict liability rules and cooperation duties that are stricter than those provided for by the European General Data Protection Regulation or GDPR.

23.  Common EU Toolbox for Member States issued on April 15, 2020.

Pagine: 1 2 3


RICERCA AVANZATA Via Arenula, 29 – 00186 Roma – Tel: + 39 06 6990561 - Fax: +39 06 699191011 – Direttore Responsabile Filippo Satta - informativa privacy