
Interplay between security and data protection assessments #44

Open
pdehaye opened this issue Apr 5, 2020 · 1 comment
Labels: clarification (White paper needs clarification); legal (Questions or comments regarding data protection/legal topics); privacy risk (Questions or comments regarding privacy issues and concerns)

Comments

@pdehaye commented Apr 5, 2020

The way this protocol is rolled out is an interesting kind of optimization within constraints:

  • decentralize as much as possible (security);
  • while ensuring no personal data is given to some actors (data protection)

It is therefore composed of two assessments: a data protection assessment on top of a security assessment.

However the paper fails to convey well how dynamic the data protection assessment should be, compared to the security assessment.

For instance, if some of the following conditions are satisfied:

  1. one theoretical attack is demonstrated, or
  2. some function creep does start occurring (hinted at in Other deployment scenarios and stigmatization concerns #12), or
  3. some new commercial actors come into the market (see Data protection consequence of missing security actor #9), or
  4. new deployment scenarios are considered,

the entire data protection assessment would immediately reach a different conclusion through the Breyer test.

@lbarman added the "privacy risk" label on Apr 6, 2020.
@reslbesl added the "clarification" and "legal" labels on Apr 7, 2020.
@pdehaye (Author) commented May 6, 2020

In #43, the theoretical attack has been demonstrated by @oseiskar (Condition 1).

Here, @oseiskar shares his expertise as the CTO of IndoorAtlas, and finishes with a promotional pitch (Condition 3).

In #281, Conditions 2 and 4 are met, but possibly with a twist: while originally I thought the data protection assessment would simply change to reach the different conclusion that "this data is indeed personal data", I suspect #281 (and the mathematical reference therein) shows that in fact "there are better deployments of DP-3T than peer-to-peer", for instance as "in-background device-based listening of DP3T-compatible beacons emitted by a possibly-centralized system" (potential problem: such deployments would be prevented by Apple and Google).

In any case, this last point suggests that the model DPIA here is already incomplete, as it fails to address the potential comparative advantages of such a hybrid system.
