PANDEMIC & PRIVACY

German Police Unlawfully Accessed Data on Contact-Tracing App

Published 13 January 2022

Police investigators in the German city of Mainz used the Luca app to search for witnesses in a case they were working on. To get around federal and state laws banning such use of the contact-tracing app, the city’s prosecutor’s office simulated a COVID-19 infection originating near the scene of the incident under investigation.

Police investigators in the German city of Mainz, the capital city of Rhineland-Palatinate State, used the Luca app to search for witnesses in a case they were working on. The state’s public prosecutor’s office said it was wrong for the police to use the app, which has been promoted in Germany for contact tracing under the Infection Protection Act.

The Luca app logs the length of time that patrons spend at a restaurant, bar, or cultural event.

Users download the app to their smartphone and enter their personal information into the app. When they enter a venue, they scan a QR code at a restaurant or event, and then log out when they leave.

If someone tests positive for COVID-19 and reports that he spent time at a restaurant or a concert, local health authorities can easily identify and alert people who may have been exposed to the virus at that venue.

The use of the Luca app, and similar apps, has relieved some of the paperwork burden for restaurants, bars and event organizers. Before the app was developed, businesses were required to have customers write down their contact details on pieces of paper.

The police were investigating the death of a man who fell shortly after leaving a restaurant, and died in the hospital a few days later. The incident occurred at the end of November. The police used the app to identify and track twenty-one visitors to the restaurant, and began to interrogate them.

The Federal Infection Protection Act explicitly stipulates that data collected with the app may only be used for infection-related contact tracing. The state law of Rhineland-Palatinate also bans any use of the app for anything except infection-related contact tracing.

The police initially asked the public for witnesses to the man’s fall and information about the incident, but when little information was gathered, the police contacted an employee of the pub and asked for data from the app. The employee was later asked by the city’s health department to release the information for the evening.

Data from the Luca app can only be provided if the locality’s health department and the company operating the app give their consent — and decrypt the data simultaneously. The decrypted data can then only be viewed by the health department.

Culture4life GmbH, the company which produced the Luca app and sells it, has criticized the misuse of data, and said that the company was not aware of the breach. “In this case, the health department probably simulated an infection at the request of the police, and then obtained the consent of the company to provide the data,” the company said in a statement.

Culture4Life said that the process of providing the data to the city’s health department is automatic – once the department, which is an authorized registered user, has filled the appropriate forms on the company’s website.

The public prosecutor’s office has admitted that it acted illegally in instructing the police to use the data from the app – and in instructing the city’s health department to simulate an infection originating at the restaurant. The procedure was based on an “incorrect assessment” of the Infection Protection Act, the public prosecutor said, adding that employees at the public prosecutor’s office would be “sensitized” to the legal requirements involved in accessing the data collected by the app.