A European approach to COVID-19 apps? A landscape analysis of apps stores in the initial stages of the health crisis

This article explores to what extent a European approach can be identified in the COVID-19 mobile apps landscape that surfaced in the initial stages of the crisis. Based on information collected from the two most prominent app stores (Google Play for Android-powered devices and Apple’s App Store for iOS-powered devices) between April and August 2020, we examine differences between COVID-19 related apps released in European countries and elsewhere in the world. The article focuses on two aspects: the involvement of actors from the public sector in releasing COVID-19 related apps and the measures implemented for personal data protection. The findings suggest that differences exist according to the geographical context in which apps were released and the specific functions they perform. We identify specific trends in Europe that confirm a stronger emphasis on data protection than what happened on a global scale, and to a certain extent a greater involvement of the public sector through health authorities.


Introduction
This article builds on the policy context and the public debate on COVID-19 related apps that took place in Europe during the early phases of the health crisis (spring and summer of 2020). It hypothesizes that both factors relate to the kind of digital services released in this region. On the one hand, the role of newly released mobile apps for addressing the health crisis was a hotly debated topic among mass media outlets, philosophers, privacy activists, politicians as well as lay citizens (e.g., Ada Lovelace Institute, 2020; Sandvik, 2020;Floridi, 2020;Kitchin, 2020). On the other hand, the early months of the pandemic highlighted serious limitations in the European public sector's readiness to implement digital solutions and to collect and use data responsibly (Benton, et al., 2017;Zook, et al., 2017;Poom, et al., 2020). Noteworthy is the case of the Norwegian app Smittestopp, launched in the very early stages of the health emergency, which turned out to be an incomplete and not well defined "data-hoarding product" with significant vulnerabilities (Sandvik, 2020). The app was withdrawn after strong criticism by civic society, especially tech and data protection communities, and because of privacy concerns raised by the Norwegian Data Protection Authority (Datalisynet, 2020;Sandvik, 2020).
A key issue for the effectiveness of COVID-19 related apps is the extent of their download and consequent use (Findlay, et al., 2020). In fact, already in the early phases of the crisis it was acknowledged that not all citizens were willing to use contact tracing apps. A survey conducted in the U.K., Germany, Italy, France and the U.S. in March 2020 disclosed that around three quarters of those surveyed would "definitely" or "probably" install such an app. Other national surveys, in Italy and Switzerland, revealed lower percentages. Reasons for not wanting to use these apps included privacy and security concerns over personal data handling by public bodies and/or private companies, as well as scepticism towards the accuracy and efficacy of mobile apps in addressing the spread of COVID-19 (Hargittai, et al., 2020).
In that context, the European Commission released ad hoc guidelines and recommendations for the development of COVID-19 related apps in Europe. The guidelines emphasised privacy and security issues, while advocating compliance to EU Fundamental Rights and demanding that apps were to be used only on a voluntary basis (European Commission, 2020a, 2020b, 2020c. A goal of the recommendations was to influence the decisions several European governments were about to make for the development of COVID-19 apps. This work investigates whether, in that context, specific features could be identified in apps developed to address the COVID-19 health crisis in Europe. It is recognised that a European approach currently exists for what concerns data governance and the digital transformation, which combines a strive for technology innovation and the free flow of data, with high privacy, security, and ethical standards and human rights. Therefore, we inquired to what extent this approach, together with the broader public debate on contact tracing apps that took place in Europe, is associated with predominant features in the COVID-19 mobile apps landscape released in the given geo-political context. Through descriptive statistics and a comparative approach, we explored the relevance of context in relation to COVID-19 related apps. We focused on two context dimensions, the involvement of public bodies (such as local or national governments and health authorities) and the data protection measures (such as a clear privacy policy and the minimisation of sensitive data collection), and we identified regional/continental differences revealing knowledge about the specific European geopolitical and cultural context. This article contributes to the nascent literature on the nexus between socio-political contexts and national strategies to the global pandemic (e.g., Anttiroiko, 2021;Kasdan and Campbell, 2020;Kim, 2020;Gokmen, et al., 2021), focusing on the European setting and adopting two of the most prominent app stores as sources of empirical data. Drawing from a dataset with information on COVID-19 related mobile apps (Tsinaraki, et al., 2021b), the study identifies a link between the European context and the features of mobile apps released during the first months of the crisis. Although preliminary and circumscribed to specific features, the findings can inform future studies to explore mobile health technologies in different geo-political settings (Fage-Butler, et al., 2022). More fine-grained comparative approaches, as well as longitudinal analysis, could increase understanding of how geo-political contexts relate with risk management and emergency response through digital means.
In the next two sections we present the main issues at stake with the release of COVID-19 related apps and the characteristics of the European context, respectively. Subsequently we present our dataset about COVID-19 mobile apps, collected by drawing on information available on two mobile app stores, as well as the analysis of some key features of the apps, comparing those released in Europe and in other continents. We then discuss the findings and the limitations of the study, before drawing some final remarks.

COVID-19 related apps
A lively public debate took place quickly after the release of the first digital technologies to address the COVID-19 pandemic, especially in relation to the announced release of contact tracing apps Akibi, et al., 2021). COVID-19 related apps fall under the umbrella of mHealth applications, a type of dynamic communication technologies referred as mobile health technologies (Fage-Butler, et al., 2022). Although such apps claim to empower citizens and support patients' autonomy, scholars have raised concerns towards their undesirable effects, such as the exclusion of certain groups, chilling effects (i.e., users limiting their behaviours due to fears of surveillance) and shifting of responsibilities from governments to individuals (Lucivero and Jongsma, 2018). In the context of the COVID-19 crisis, such ethical issues have been amplified with a wide range of stakeholders addressing the promises and risks of digital tools and personal data collection for public health concerns (e.g., Ada Lovelace Institute, 2020; Criddle and Kelion, 2020;Howell O'Neill, et al., 2020;Floridi, 2020;Sandvik, 2020). The issues raised included questions of transparency and privacy, the representativeness and reliability of collected data, the technical and practical efficacy of such technologies, the implications for civil liberties and governmentality (Kitchin, 2020). A particular concern was that of "surveillance creep" (Andrejevic and Gates, 2014;Cheung, 2020), intended as the normalization of governments tracking citizens and using the collected data for different purposes (Kitchin, 2020;Newlands, et al., 2020). A recurrent question raised by policymakers, practitioners and researchers was the following: How can data collected with COVID-19 apps be used for social good for the general population, while also protecting society from social harm that it could generate (Poom, et al., 2020)?
Despite the massive interest towards contact tracing apps, digital apps developed to help address COVID-19 have a much broader range of functions. Several classifications exist of the public mobile health applications adopted for the management of the pandemic (e.g., Gasser, et al., 2020;Ada Lovelace Institute, 2020). Analysis of the apps released in the first months of the COVID-19 health crisis identified the following types of functionalities: Information providers: apps with guidelines and information for the general public (Singh, et al., 2020). These were meant to provide reliable information by trusted sources and were often released by national or local governments as well as by global institutions such as the World Health Organisation. Information provided by such apps concerns: news, description of symptoms and how to detect them, correct behaviours, reliable statistics concerning positive cases and fatalities, location of health centres to get tested, and so on.
Symptom checkers (or symptom trackers): apps that collect, analyse and interpret health-related data reported by a single individual. Such apps usually prompt citizens to share some information about themselves (e.g., age, gender and medical history) and to report their symptoms on a regular basis. Data is collected by an organisation that makes it available for research or to inform decision-makers (Ada Lovelace Institute, 2020). Symptom checkers are released for epidemiological data collection and analysis, since they allow a real-time assessment of the COVID-19 upsurge and inform a response (Drew, et al., 2020). Furthermore, they are expected to provide guidance to single individuals, helping to self-diagnose and act responsibly.
Proximity and contact tracing apps: apps designed to complement manual contact tracing efforts carried out by health authorities to automatically detect if a person may have been exposed to the virus. They measure spatial proximity between individuals, to track interaction in order to identify when they may have been exposed to positive individuals and alert them if that was the case (Gasser, et al., 2020).
Expert support and telemedicine: apps aimed at providing a tool and communication forum between patients and doctors, especially in cases of self-isolation and more generally whenever diagnosis and treatment advice are needed (Scantamburlo, et al., 2020).
The above functionalities are either embedded into apps that were already existing before the COVID-19 crisis outbreak (especially apps from health and public services) or, more often, included in new apps developed explicitly to address the COVID-19 pandemic. A single app might perform more than one functionality.
The COVID-19 related apps that received most societal attention were those with a contact tracing functionality. Different architectures were proposed by developers and adopted by governments worldwide for contact tracing functions. Although a 'Bluetooth variant' quickly emerged as the most promising system for a privacy-preserving approach, other apps also collected GPS location data as alternative, or in addition to, proximity data collected via Bluetooth (Martin, et al., 2020). Contact tracing apps based on Bluetooth technology could adopt a centralised, decentralised or hybrid approach. The Pan-European Privacy Preserving Proximity Tracing (PEPP-PT) is a centralised approach that uses Bluetooth to locally log to a user's smartphone the temporary identifiers (IDs) of other people that are in close proximity, and to notify those who have been in close contact with confirmed COVID-19 cases. It is based on a centralized reporting server that receives a continuous stream of data, processes contact logs and eventually notifies individual clients. The Decentralised Privacy-Preserving Proximity Tracing (DP-3T) (Troncoso, et al., 2020), instead, was released as open source not much after PEPP-PT by a consortium composed of several international experts from academia and research institutions. In the DP-3T, the IDs of people who have been in close proximity are stored on smartphones and not on a central server. In case infected persons are detected, their smartphones are authorised to broadcast their IDs and the users they have been in contact with are notified (Martin, et al., 2020). Finally, the Exposure Notification solution is a hybrid approach proposed by a partnership between Google and Apple and inspired by DP-3T. These were the most discussed frameworks for contact tracing apps in Europe and all were based on the key assumption that no location/GPS data was needed for digital contact tracing.
Besides proximity data, COVID-19 related applications collect additional types of personal data: from information strictly essential for their purposes, such as a person's health status, required for symptom checker and contact tracing functionalities, to spatial, temporal and behavioural data. Apps can be privacyinvasive depending on the kinds of data they collect, their purpose and the extent to which they minimise data collection to what is strictly necessary. For instance, apps measuring spatial proximity between individuals are more privacy-preserving than apps collecting GPS location data, especially those aimed at enforcing quarantine (Akinbi, et al., 2021). In fact, while location data that link a location to a timestamp is usually collected continuously when using GPS-based technology, Bluetooth signals exchanged between devices do not collect information about location.
COVID-19 related apps could also be distinguished according to the type of actor who distributes and provides them. Providers of such apps range from local or national governments, health agencies, technology companies, research institutions, civic groups and other entities. Research has shown that the type of the app provider, together with the app's perceived security and effectiveness, influenced people's willingness to install and use it (Hargittai, et al., 2020;Kaspar, 2020;Kozyreva, et al., 2021). For example, a survey conducted among U.S. citizens (Hargittai, et al., 2020) found that Americans trusted certain app distributors (health protection agencies) more than others (industry and government) as they perceived those actors as more appropriate collectors of sensitive data.

The European context
Public bodies, such as governments and health authorities, were often involved in the release of COVID-19 apps, in collaboration with other actors such as private companies or research institutions. In Europe the European Commission recommended that the responsibility for collecting and controlling health data would have to fall under a public entity (Scantamburlo, et al., 2020). Furthermore, under the priority "A Europe fit for the Digital Age" a set of recent European Union (EU) policies (such as the Data Governance Act and the Artificial Intelligence Act) provide a supporting framework for the digital transformation of the public sector. In addition, the financial package to build back better in response to the COVID-19 crisis (the Recovery and Resilience Facility) fosters substantial expenditures to implement Digital Public Services including, among others, e-government services and the digitalization of healthcare systems.
During the early stage of the pandemic there were mounting concerns regarding government-led datadriven actions for population control, especially by access to mobile network operators' data and contact tracing apps (Sandvik, 2020;Floridi, 2020;Ada Lovelace Institute, 2020;Morozov, 2020). According to Ienca and Vaeyen (2020), on the one hand, the overriding of consent and privacy rights, which happened in China and elsewhere in world, exacerbated public mistrust worldwide. On the other hand, in countries where citizens typically place a lower level of trust in their government, such as Italy, France and the U.S., concerns were widespread for the lack of transparency, uncertainties about the effectiveness of the digital tools, and the necessity of data collection (Ienca and Vaeyen, 2020).
The development of new digital tools to tackle the pandemic, however, did not happen in a regulatory vacuum. The European legal framework influenced the development of COVID-19 related apps through its various regulatory instruments, which provide different amounts of safeguards for the right to privacy and data protection. In particular, in the EU, new data services have to comply with the General Data Protection Regulation (GDPR), the ePrivacy Directive, the European Convention on Human Rights and the EU Charter of Fundamental Rights.
Several principles of data protection of the GDPR are of uttermost importance for COVID-19 related apps because they demand those new digital applications handling personal data to implement privacy-friendly options from the beginning ('privacy-by-design'). In particular, the principles of minimisation, proportionality, purpose limitation and transparency require that no more personal data than necessary is processed, that data is not used for other purposes, and that the use of any data collected with these apps is transparent to the users (Newlands, et al., 2020). Data produced by mobile devices in Europe is also protected under the ePrivacy Directive, which "prescribes that storing information on a user's device or gaining access to information already stored is allowed only with consent of the user or if the storage and/or access is strictly necessary for the app installed or activated by the user" [1].
Other regulatory safeguards at the EU level, not specifically concerned with personal data are the European Convention on Human Rights and the EU Charter of Fundamental Rights. Article 15 of the Convention claims that during emergencies and public health crises it is possible to adopt measures that abridge human freedom only "to the extent strictly required by the exigencies of the situation, provided that such measures are not inconsistent with its other obligations under international law". Similarly, the EU Charter of Fundamental Rights appeals for proportionality in the measures adopted and demand that they do not excessively affect the fundamental right to a private life (Scantamburlo, et al., 2020). Such safeguards could have informed the adoption of technical systems to tackle the COVID-19 health crisis across Europe, especially by governments.
Furthermore, during the first weeks of the crisis, the European Commission issued non-binding guidelines and recommendations on the development of contact tracing apps emphasising the importance of privacy and security and the compliance with EU Fundamental Rights (European Commission, 2020a, 2020b, 2020c. The Commission gave a clear mandate on the voluntary adoption of COVID-19 related apps, while elsewhere in the world these were mandatory. For instance, in India the contact tracing app Aarogya Setu was mandatory for those living in containment zones and for all public and private sector employees, with claims that a failure to install the app would have led to a fine or prison term (Sircar and Sachdev, 2020, cited in Kitchin, 2020). Governments made symptom tracking apps mandatory under some circumstances also in South Korea, where people who quarantined had to report their symptoms twice a day (Ada Lovelace Institute, 2020). In Europe, the Commission recommended that COVID-19 apps adopted the least intrusive, yet effective measures, together with transparency requirements on the privacy settings and preserving fundamental rights (European Commission, 2020b).
The European context was influenced by other actors, beyond regulators. Privacy activists, academics, nonprofit entities and citizens played a key role, e.g., by engaging in public campaigns to ensure that civil liberties were not traded for public health (Sandvik, 2020;Kitchin, 2020). The "rush" to innovate in a time of emergency, in fact, represented a further challenge for compliance with data protection and privacy laws for those releasing mobile health technologies, including governments and public sector organisations (Newlands, et al., 2020). The sense of urgency shaping governments' action during crisis is associated to rushed innovation, which might jeopardize regulatory compliance. As pointed out by Newlands,et al. [2]: "while rushed innovation does not have to mean that privacy rights are infringed upon, it is indeed likely that other concerns such as functionality and usability will be prioritized". Therefore, civic actors, who advocated for a public scrutiny of contact tracing apps, felt their requests were particularly urgent in such circumstances (Ada Lovelace Institute, 2020). Their demands dealt with transparency (e.g., through the release of apps' source code), privacy assessment, and evaluation of effectiveness. The consortium of technologists, legal experts and epidemiologists behind the DP-3T protocol, for instance, stressed the importance of adopting privacy-by-design approaches, claiming that contact tracing could be privacypreserving only if fully decentralised (Troncoso, et al., 2020). Others emphasised that ensuring technical protection of individual privacy is an important measure, but not a sufficient one to earn public trust in digital contact tracing (Ada Lovelace Institute, 2020; . A related question concerned whether the apps were effective and fit-for-purpose. In the case of contact tracing functionalities, in fact, many debated the pitfalls and limitations of GPS and Bluetooth's accuracy in detecting close contact between people (Akinbi, et al., 2021). Furthermore, it was not clear how the app providers would have dealt with false positives, attempts to game the system, and low-quality or fragmented data (Elkhodr, et al., 2020;Kitchin, 2020). A concern revolved around risk of control creep, when a specific measure with a narrow purpose is extended to wider strands of social life to perform surveillance and governance (Sadowski, 2020;Stanley, 2020). Although apps specify their limited purpose and adopt a specific time-bounded setting, worries that those systems could be employed after the crisis and become "naturalised" tools for monitoring and governing societies persisted (Kitchin, 2020).
The public debate on COVID-19 related apps in Europe is informed by Europeans' predominant values and socio-cultural norms (see, for instance, Zygmuntowski, et al., 2021). In other regions and countries, with distinct values and norms, mandated government action might have been more tolerated, if perceived for the common good, even if it implied reduction of privacy and surveillance (Anttiroiko, 2021;Gokmen, et al., 2021;Kim, 2020). For instance, Kasdan and Campbell (2020) explained South Korea's compliance with invasive technological containment measures with the country's specific techno-cultural character, which they named "dataveillant collectivism". In the current article, however, we focus only on the European context and inquiry to what extent COVID-19 related apps released in Europe embed specific principles and values. We inquiry whether they have distinguished features, compared to those released in other areas of the world without such data protection regulation and public debate. In the next section, we describe how we analysed key features of COVID-19 related apps to examine whether a European approach emerged in the COVID-19 mobile apps landscape in the first months of the health crisis.

Methodology
To investigate whether a European approach could be identified in the COVID-19 mobile apps landscape, we examined two factors. The first was public sector's involvement in developing apps that helped tackle the health crisis. We inquired to what extent public bodies in Europe, such as governments and health authorities, engaged in releasing or managing mobile apps related with the COVID-19 health crisis compared to public bodies in other areas of the world. Public sector's entities have a responsibility to implement digital solutions for the public interest and, at the same time, to put in place privacy and security measures to comply to regulations and preserve citizens' trust. The second factor concerns data protection. Given the policy context in Europe, we expect that apps developed in Europe complied with the current regulations and recommendations by implementing measures to safeguard citizens' rights to privacy and to control their data. Therefore, we inquired whether data protection measures were put in place more in COVID-19 apps released in Europe than those released elsewhere.
The following research questions informed the analysis: To what extent were public bodies involved in releasing COVID-19 apps in Europe compared to elsewhere in the world? Were data protection measures put in place more in COVID-19 apps released in Europe than elsewhere in the world?
To explore the two factors, we examined a dataset we collected to provide information on the mobile apps published in the Google Play and Apple's App Store that emerged during the first wave of the COVID-19 pandemic across the world. The dataset, accessible in the data repository of the JRC (Tsinaraki, et al., 2020;Tsinaraki, et al., 2021a;Tsinaraki, et al., 2021b), comprises 837 records (one record per app) and 38 attributes that encode: (a) information about the apps available in the mobile app stores retrieved between 20 April 2020 and 2 August 2020; (b) complementary information about the apps, manually added by a team of researchers until mid-September 2020; and (c) status information about app availability as of 28 February 2021 (Tsinaraki, et al., 2021b). Since many of the apps released during the first wave of the pandemic (i.e., roughly spring and summer of 2020) had only basic functionalities (such as information provision), in-depth analysis was carried out only on apps flagged as "interesting" by the researchers who analysed these apps. The criteria for flagging an app as "interesting" included the novelty of the app at the technological and governance level, the sophisticated use and generation of data, and the potential for fighting the pandemic. All contact tracing apps, apps with more functions for personal data sharing and exchange, as well as the ones with innovative features and/or technical solutions (such as decentralised data management) have been flagged as "interesting" (this corresponded to 259 out of 837 apps). To verify that the results of the analysis made by the researchers were harmonised, they cross-checked the values and held meetings to discuss their understanding of the attributes before and during the analysis.
In the analysis, we compared apps released in different continents, distinguishing by functionality. For the first research question, we examined the percentage of apps released by (1) local/national authorities and/or (2) for which a public health authority was involved in data collection or management. To answer the second question, we separately examined two issues related to data protection: (1) whether the app had an easy to understand and comprehensive privacy policy, and (2) whether the app collected GPS location data and/or cell tower data. We understood these two factors as proxies for the likelihood that the app related to the wider public debate and policy context. According to the GDPR, in fact, in the EU it is mandatory for data subjects to express consent for their data being collected (Article 7). Therefore, privacy policies must always be present and provide the necessary information in a comprehensive and understandable way (Bengio, et al., 2020). Furthermore, the GDPR includes the principle of proportionality, which implies that platforms, apps, and digital services should collect data that is adequate and not excessive with regards to their purposes. The collection of GPS location data by contact tracing apps sparked a lot of debate and concerns because Bluetooth decentralised approaches were recommended as the most privacy preserving solutions and a similar argument could be made for COVID-19 related apps with other functionalities.

Variables
In this section we present the variables used for the analysis. For a more comprehensive overview of the data collection process and the characteristics of the dataset see Tsinaraki, et al. (2021aTsinaraki, et al. ( , 2021b [3].
• Country: The country in which the entity that released the app was based.
• Continent: The continent in which the entity that released the app was based. The continents included are: Africa, Asia, Europe, North America, Oceania, South America, plus apps released by international organisations (such as the WHO). Continents were distinguished according to the widely used sevencontinent model (National Geographic Society, 2011). In the following analysis we will not show the results for the continents with a percentage of apps below the threshold of 10 percent of the total, namely Africa, Oceania and apps released by international organisations (see Table 1).
• EU: Whether the app was released in one of the 27 Member States of the European Union.
• Function: The functionality of the app. The categories are not mutually exclusive as one single app can perform more than one function. In this paper we focus on the following main functionalities: • Information provision: one-directional channel of information (from the app providers to the users) about COVID-19 related issues.
• Information exchange: bi-directional information exchanges (between app providers and users) for COVID-19 related personalised support, such as within "symptom tracker" apps that allow individuals to obtain a diagnosis upon data they provided.
• Expert support: for experts (such as medical staff) to carry out dedicated COVID-19 related duties.
• Contact tracing: apps that identify persons who may have been in contact with an individual infected with COVID-19.
• PublicBody: Whether a public sector entity was the provider of the app. A provider is the entity responsible for the app, whose name appears on the respective page of the app store as the copyright holder. This variable indicates if the entity that released the app was a local, regional, or national government.
• HealthAuthority: Whether a public health authority was involved in the development/distribution of the app and/or use of data collected by the app.
• LocationDataGPS: Whether the app collected information about the location of the user through GPS/cell tower data. To fill in this variable we adopted a twofold strategy. First, we examined the descriptions of all apps flagged as "interesting" in the app stores and concluded whether they collected user GPS data. Second, we collected information provided in the Google Play Store regarding apps' devicerelated permissions, including the permission to collect "Location -precise location" (such information is currently not available in the App Store). Among all Android apps (370) in our sample, 258 had permission to collect "Location -precise location". The latter method was more effective as it allowed identifying undocumented features that could not be seen from the apps' descriptions -in fact only 61 of the 258 apps with permission to collect location data could be identified as such from the information available in the descriptions -but was applicable only for a part of the sample.
Overall, we understood the collection of location data as a proxy for a lack of data minimisation. This refers to the EU guidelines that explicitly discouraged geo-location tracking and posited that COVID-19 applications should use "the least intrusive yet effective measures, including the use of proximity data and the avoidance of processing data on location or movements of individuals" (European Commission, 2020b).
• ClearPrivacyPolicy: Whether the privacy policy of the app was available, clear, and with key information. We examined the descriptions of all apps flagged as "interesting" and assigned an affirmative value to this variable if a privacy policy text was linked in the app store and if it included information about time of data retention and how to ask for personal data deletion.

Public body involvement in COVID-19 apps
Public bodies have been involved in releasing COVID-19 related apps either as official providers of the apps or as "managers" of the information sent out and gathered by the app. For instance, governments and public health authorities provided updated information about the pandemic via digital means and collected health status information of citizens willing to report it, with symptom checkers and contact tracing apps. The involvement of public authorities in providing and managing mobile apps often implies that data is collected and used for the public interest. Therefore, in the context of the current health crisis, we anticipated a great participation of health authorities in developing ad hoc digital solutions, especially in the EU where the public sector is expected to become a leader in digital transformation and AI (European Commission, 2021).
In this section we discuss the results concerning the involvement of two kinds of public bodies: public health authorities and local, regional, and national governments. Table 2 shows the percentage and number of apps in which a public health authority was involved, by providing the app and/or managing the data. The results are grouped by continent (where the entity that released the app is located) and by app functionality. The row at the bottom reports values from the whole sample (i.e., on a worldwide scale), that also includes apps released in continents not represented in the table due to their small number of apps overall (Africa, Oceania and apps from international organisations). The last column at the right reports the total number of apps with health authority involved in each continent, notwithstanding the functionality. Lastly, the coloured cells highlight values that are above the global average [4].
Results show that involvement of health authorities varies according to the app functionality. In contact tracing apps involvement of health authorities is more common than in apps with other functionalities: 62 percent of contact tracing apps released in the world have been managed and/or provided by public health authorities, compared to only 32 percent of apps with functions of "information exchange". In Asia and Europe (especially in countries of the EU) a larger number of apps are managed by health authorities compared to other continents: the average on the total of apps is 40 percent in Asia, 37 percent in Europe and 39 percent in EU Member States. Involvement of public health authorities in COVID-19 apps is sensibly lower in North and South America. In Asia, health authorities are more involved than the average in all kinds of apps, including those that provide information (43 percent), differently from Europe (31 percent). The analysis of local, regional, and national governments involvement in COVID-19 related apps shows that the public sector in Europe has not been particularly active compared to other continents. For contact tracing functionalities, public sector involvement is even lower in apps released in EU Member States than in Europe as a whole. In Asia and South America, instead, public authorities have been more proactive in launching mobile apps that help address the COVID-19 health crisis. Overall, more than two thirds of the apps released in those areas of the world were run by governments. On the contrary, in North America, the public sector played a minor role in developing digital mobile services, as only one third of all apps released in North America were provided by public entities. Europe sits in the middle, with almost one out of two COVID-19 related apps provided by public authorities. Regardless of the geographic differences, public bodies were more involved in releasing apps with contact tracing functionalities than other kind of apps.

Data protection measures in COVID-19 apps
As a proxy for the way providers minimise unnecessary data collection, we verified how many COVID-19 related apps collected information about the exact location of the user through GPS or cell tower data. Although this information is often collected by mobile apps, for COVID-19 related apps it is often not strictly necessary and, especially for contact tracing apps, it has been publicly discouraged by policymakers (European Commission, 2020b). Therefore, this information allows to identify apps that might have engaged in unnecessary personal data collection, which we adopted as a proxy for data minimisation. On this item, we find a stark difference between Europe and other continents (see Table 4). The gaps are even bigger if we examine values for EU Member States only. Overall, 28 percent of the apps released in Europe (25 percent in EU) collected GPS/cell tower data, while up to 59 percent of those released in Asia did, followed by South America (39 percent). In general, on a worldwide scale, contact tracing apps collect location data to track users' geographic location (63 percent) more commonly than apps with a different functionality (see Table 4). However, the percentage of contact tracing apps based in the Europe, and even more in EU, that collect location data is notably lower than elsewhere. While in Asia and South America most contact tracing apps collect location data (80 percent and 83 percent, respectively), in the EU only one third does (33 percent), with slightly higher numbers in Europe as a whole (39 percent). The difference between continents is confirmed also for apps with other functionalities, which might collect location data to tailor the information or service delivered to the exact location in which the user resides. For instance, in Asia up to 63 percent of the apps with the function "information exchange" geo-locate users, while only 25 percent of the same kind of apps in EU Member States (31 percent in Europe) does so.

38%
(320) Table 5 presents the results on privacy policies. To collect information on data protection, we first examined whether the privacy policy of apps flagged as "interesting" was accessible directly from the app stores (therefore a user could read it before downloading the app). Second, we verified whether the privacy policy included key information related to data retention and data deletion. The results show that only a minority of COVID-19 related apps included a comprehensive privacy policy with all such information (16 percent). However, apps with contact tracing functionalities provided such information (56 percent) much more than other kinds of apps.
Apps released in Europe were notably more prone to include comprehensive privacy policies. On the opposite, both Asia and South America scored lower percentages than the average concerning comprehensive privacy policies regardless of the app functionality. The difference between Europe and Asia was particularly wide for apps with contact tracing functionalities: while the large majority of contact tracing apps released in Europe included a comprehensive privacy policy (91 percent, increased to 93 percent in EU Member States only), only 24 percent of those released in Asia and 50 percent of those from South America did the same.

Discussion and conclusions
The paper examines whether a European approach emerges from the COVID-19 mobile apps landscape in relation to the EU policy context and the overall public debate that took place in the early stages of the health crisis. We investigated two factors in particular: the involvement of public bodies in releasing and managing apps, and and the data protection measures of these apps. We then compared Europe (with a particular emphasis on EU Member States) to other areas of the world. The analysis was conducted on a dataset that we collected between April and August 2020 with information available on two app stores and complementary information obtained by our team (837 apps in total).
The findings suggest that differences exist according to the geographical context in which apps were released and the specific functions they perform. Europe and the EU presented specific trends that confirm, to a certain extent, a greater involvement of the public sector, and a greater emphasis on data protection than what occurred on a global scale. Our findings also show that governments in the EU (national, regional, or local) have not been involved as much as those in Asia in the provision of COVID-19 related apps, with the exception of public health authorities. The results seem to suggest that Asia's public sector has been the front-runner as concerns development of digital services that help tackle the COVID-19 health crisis compared to governments in other regions of the world. This finding resonates with the different role of governments in Eastern societies, especially in China. The presence of strong government institutions, in fact, explains the prompt and effective, but also to a certain extent authoritarian, adoption of technical systems to tackle the COVID-19 health crisis in certain countries (Riemer, et al., 2020;Morozov, 2020). Yet, the results also indicate that the COVID-19 mobile apps landscape in the early stages of the crisis did not fulfil the narrative that depicts EU public services as being transformed by big data and data-driven innovation (Rieder, 2018). The level of involvement of national, regional, and local governments in developing digital tools to tackle the crisis, in fact, was not higher than the worldwide average.
Furthermore, distinctions between the whole European continent and the EU are limited, excluding some indications that EU countries put in place more safeguards for privacy and data protection than other European countries as a result of the GDPR (see Tables 4 and 5). Such minor differences between the EU and the rest of Europe might indicate that a certain culture is now widespread in Europe overall: an expectation for data protection might be shaping digital innovation in Europe, as an outcome of both EU regulations and overall values and principles.
Remarkable and distinct differences exist between Europe and the other continents. First, there is a wide gap between Europe and North America for what concerns the role of the public sector in releasing or managing apps. This is an expected finding considering the limited welfare state and low public sector intervention in the U.S., which represents a relevant feature of the North American continent. Second, we observe a difference between Europe and Asia or South America in data protection measures. In particular, the proportion of apps that collect GPS/cell tower data is more than double in Asia or South America compared to Europe, especially for apps with contact tracing functionalities. Furthermore, apps with a comprehensive privacy policy are very few in Asia, while they are the large majority in Europe/EU. The differences between continents might be explained by the predominant socio-cultural contexts, such as national cultures and societal values, the level of digitalisation and specific circumstances of the pandemic (Kasdan and Campbell, 2020; Anttiroiko, 2021;Gokmen, et al., 2021;Kim, 2020). Yet, another factor that might explain differences between Europe and other continents is the presence in the EU of a transnational regulation for data protection in the form of the GDPR, which seems to have had an influence on the COVID-19 mobile apps landscape (Zygmuntowski, et al., 2021).
Contact tracing apps present specific trends compared to apps with other functionalities. This suggests that contact tracing apps could be understood as a "test-bed" for the upcoming digital transformation in the public sector, especially during times of crisis and emergencies. Overall, in contact tracing apps we found a greater involvement of public bodies, compared to apps with other functionalities, and more widespread adoption of comprehensive privacy policies with wider differences between continents as concerns collection of location data. This could be interpreted in different ways. On the one hand, a prominent level of attention was placed on contact tracing apps (including guidelines and recommendations issued by policy-makers), which might have diverted from the fact that other apps could be privacy invasive. On the other hand, a critical public sphere that raised concerns about contact tracing apps might have prompted a greater involvement of the public sector and more careful consideration of privacy issues in such apps. Notwithstanding all their limitations and controversies, and to a certain extent because of those, contact tracing apps have contributed to shaping the future of digital transformation in the public sector. They compelled public institutions to engage with digital innovation and to find new ways to collect and manage data to serve the public interest and, in certain geographic contexts, they demanded accountability and attention to concerns raised by civic society in relation to data protection principles (Sandvik, 2020).
Regulators usually struggle to keep pace with technological innovation, and it is even more difficult for them to promptly respond during a crisis. Furthermore, in a context of "rushed innovation" such as during emergencies, regulatory compliance might be more challenging for both private and public actors (Newlands, et al., 2020). Therefore, to address a regulatory vacuum and promote the diffusion of efficient and privacy preserving COVID-19 related apps, the European Commission released a set of non-binding guidelines for the development of contact tracing apps. The guidelines recommended that apps be used on a voluntary basis and discouraged the collection of geo-location information to protect citizens' privacy (European Commission, 2020b, 2020c. At the same time, a lively debate was sparked among activists, experts, and citizens, at times in response to "failed" attempts of rushed innovation (Sandvik, 2020). The analysis conducted in the paper suggests that both the policy context and the public debate did relate to (and might have shaped) the European COVID-19 mobile apps landscape. In fact, it is exactly on data protection measures (privacy policy and collection of GPS/cell tower data) for contact tracing apps that the most remarkable difference is found between Europe/EU and other continents/worldwide. In exceptional conditions such as the initial stages of the COVID-19 crisis, European laws on privacy, data protection, and fundamental human rights have been important leverage. However, they have been reinforced by a critical public sphere and a widespread culture of data protection and accountability, which discouraged noncompliant behaviours in processing of personal data (Newlands, et al., 2020).
The dataset that we adopted for the study provided recent and updated information about COVID-19 related mobile apps, yet it also had several methodological challenges and limitations. It relied on information retrieved via the search APIs of the Google Play and Apple's App Store, which had some technical shortcomings (Tsinaraki, et al., 2020). Not all information available through APIs on Google Play was also accessible in the Apple App Store, for instance on the "app permissions". Information available via APIs had to be integrated with information collected manually by researchers through the analysis of app descriptions in the Stores, which meant that we could not identify apps' undocumented features. Furthermore, such qualitative assessment, even if complemented by additional efforts to cross-check and harmonise the results, nevertheless involves a certain degree of subjectivity -especially because the kind of apps being released were fluid and shifting even while we were in the process of conducting the analysis.
Another set of limitations concerns the analysis and lack of granularity of the variables. The analysis is conducted at the macro-level of continents and not at the more fine-grained one of single countries and it mainly compares Europe to other regions of the world. Therefore, it does not bring to the surface key differences regarding the development and data governance of COVID-19 related apps that certainly exist within continents. We are aware that distinct approaches have been adopted to address the COVID-19 health crisis in such big geo-political contexts, for instance, in China compared to South Korea, or in Norway compared to Germany or Hungary. Furthermore, only longitudinal approaches could attempt to identify the impact of policy interventions on the digital strategies adopted to address the crisis. The goal of the paper, however, was to identify major trends that have characterised the COVID-19 mobile apps landscape in Europe compared to other regions of the world. For this reason, we adopted both Europe and the EU as key variables to identify relevant patterns. Future studies could explore more in depth to what extent indicators of digital innovation vary between Europe as a continent and the EU as a political entity and other areas of the world. Furthermore, another limitation concerns the variables we adopted to assess data protection measures. The measures adopted in the study can only suggest the likelihood that a privacy policy was comprehensive and that only necessary personal information was collected. They must be understood as proxies, since more reliable and extensive information was not available.
Finally, we believe the findings could provide an indication of how the public sector and other actors respond with digital innovation in times of crisis as well as the key differences in the approaches adopted at the macro-regional level. However, digital and data-related factors cannot be considered in isolation. Mobile apps are not a solution by themselves, as they must be part of a wider strategy in the health sector and more broadly across society. Our analysis of the mobile apps landscape provides an indication of how the digital transformation can be deployed to address emergencies, but if digital solutions are not integrated into a wider strategy, they risk only being adopted to "signal that something (indeed anything) has been tried" without any positive societal outcomes (Floridi, 2020