In June 2020, Amnesty International’s Security Lab published a comparative
analysis of contact-tracing applications deployed worldwide, rating Bahrain’s
BeAware app among the most privacy-invasive COVID surveillance tools in existence.
The app conducted live or near-live GPS tracking, uploading precise location data
to a central government server at frequent intervals. It required users to register
with their national CPR (Central Population Registry) identification number,
directly linking real-time location tracking to a confirmed identity.
Beyond the app itself, Bahrain’s COVID response program mandated the use of
Bluetooth tracking bracelets for quarantine enforcement, with criminal penalties
for non-compliance including imprisonment of three or more months and fines ranging
from BD 1,000 to BD 10,000 (approximately $2,650 to $26,500 USD). The government
further published sensitive COVID case data publicly, including names, health
status, nationality, age, gender, and travel histories. A live television show
called “Are You at Home?” randomly called 10 BeAware app users daily
to verify their quarantine compliance on air. Initially, the system offered no
opt-out mechanism.
## Key Facts
- .**What:** COVID app used live GPS tracking with mandatory bracelets and criminal penalties.
- .**Who:** Entire Bahraini population; no opt-out mechanism initially.
- .**Data Exposed:** Real-time location, health status, names, and nationalities broadcast publicly.
- .**Outcome:** Rated among world's most privacy-invasive apps; no PDPL enforcement.
## What Was Exposed
The BeAware system represents a unique category of data exposure: one where the
government itself is both the data controller and the entity actively publishing
and broadcasting personal data. Unlike conventional breaches where unauthorized
actors access protected systems, the BeAware incident involved the deliberate,
systematic collection and dissemination of sensitive personal data by the state
as a matter of official policy.
- .Continuous GPS location data for every BeAware user, uploaded to central
government servers at intervals of minutes or seconds, creating a comprehensive
movement history for the entire participating population
- .National CPR identification numbers linked to location data, enabling
de-anonymized tracking of individual citizens and residents across the
kingdom at all times
- .Health status data - COVID test results, infection status, quarantine
status - published by the government in public-facing formats, including
individual names, nationalities, ages, and genders
- .Travel histories of infected individuals, published publicly and linked to
identifiable personal information, exposing patterns of movement and social
interaction
- .Bluetooth proximity data from mandatory electronic bracelets, creating a
graph of physical interactions between quarantined individuals and anyone
in their proximity
- .Quarantine compliance data broadcast on national television through the
“Are You at Home?” program, publicly identifying individuals
and their quarantine status to the entire viewing audience
- .Metadata from the BeAware app itself, including device identifiers, network
information, and usage patterns that could be correlated with other government
databases
The technical architecture of BeAware revealed design choices that prioritized
surveillance over public health. The app used centralized GPS tracking rather than
the decentralized Bluetooth-based Exposure Notification system jointly developed
by Apple and Google, which was specifically designed to enable contact tracing
while preserving privacy. The Apple/Google system used rotating Bluetooth identifiers,
on-device matching, and no central location tracking. BeAware rejected this
privacy-preserving architecture in favor of continuous GPS upload to government
servers, a design that provided the government with a real-time population
surveillance capability far beyond what contact tracing requires.
The mandatory Bluetooth bracelet program extended the surveillance apparatus into
the physical realm. Quarantined individuals were required to wear electronic
bracelets that paired with the BeAware app and transmitted continuous Bluetooth
signals. Removing the bracelet, leaving the designated quarantine location, or
failing to respond to app check-ins triggered automatic alerts to authorities.
The criminal penalties for non-compliance - imprisonment and fines of up
to BD 10,000 - transformed a public health measure into a coercive
surveillance regime backed by criminal sanctions. This approach was particularly
punitive for migrant workers, who constituted approximately 55% of Bahrain’s
population and who faced deportation in addition to criminal penalties for
quarantine violations.
The government’s decision to publish COVID case data with identifiable
personal information - names, nationalities, ages, and travel histories -
represents a data exposure with no public health justification. Contact tracing
can be conducted without publicly naming infected individuals. The publication
of nationality data was particularly problematic in Bahrain’s social context,
where demographic tensions between Sunni and Shia populations, and between citizens
and migrant workers, are politically charged. Publishing the nationalities of
infected individuals fueled xenophobic discourse and discrimination against
specific national groups in employment and housing.
The “Are You at Home?” television program stands as perhaps the most
extraordinary element of the BeAware ecosystem. A live daily broadcast that called
10 randomly selected quarantined individuals to verify their compliance, the show
effectively gamified quarantine surveillance and transformed public health compliance
into entertainment. Individuals who answered correctly were praised on air; those
who did not answer or were not at home faced potential criminal prosecution. The
program publicly broadcast the names, faces (via video call), and quarantine
status of citizens and residents on national television - sensitive health
data shared with the entire country for the purpose of social control through
public shaming.
The absence of an opt-out mechanism during the initial deployment of BeAware
meant that participation in the surveillance system was mandatory for all
residents. This eliminated any pretense of consent-based data processing and
transformed the app from a voluntary public health tool into a compulsory
population surveillance system. When combined with the mandatory bracelet
requirement and criminal penalties for non-compliance, the BeAware ecosystem
represented one of the most comprehensive state surveillance programs deployed
under the pretext of pandemic response anywhere in the world.
## Regulatory Analysis
The BeAware program presents the most direct collision between public health
emergency powers and personal data protection obligations under the PDPL (Law
No. 30 of 2018). The government deployed the system as an emergency public health
measure, but the scope and intrusiveness of the data collection, combined with
the public broadcasting of sensitive health data, exceed any reasonable
interpretation of emergency necessity.
Article 5 of the PDPL establishes lawful bases for data processing, including
consent and the legitimate interests of public authorities. While pandemic
response may constitute a legitimate interest, the proportionality principle
inherent in data protection law requires that the means of processing be no
more invasive than necessary to achieve the stated purpose. Continuous GPS
tracking is not necessary for contact tracing - the Apple/Google Exposure
Notification system demonstrated that privacy-preserving Bluetooth-based
approaches could achieve equivalent public health outcomes without centralized
location surveillance. The choice of GPS tracking over Bluetooth proximity
detection was disproportionate and cannot be justified by the stated purpose
of contact tracing.
Article 7 of the PDPL specifically addresses the processing of sensitive personal
data, which includes health data. The law requires enhanced protections for
sensitive data and prohibits its processing except under specific limited
circumstances. The government’s public broadcast of COVID patients’
names, health statuses, nationalities, and travel histories violates the
fundamental purpose of Article 7. Publishing identifiable health data on
government websites and broadcasting it on television is the antithesis of
the enhanced protection the law requires. No interpretation of Article 7’s
exceptions for public health or vital interests supports the public naming
of infected individuals when anonymized data would serve the same epidemiological
purpose.
Article 6 requires that personal data be collected for specific, explicit,
and legitimate purposes and not processed in a manner incompatible with
those purposes. The stated purpose of BeAware was contact tracing and
quarantine enforcement. However, the continuous GPS tracking capability
created a dataset with potential uses far beyond COVID response: law
enforcement investigations, immigration enforcement, political surveillance,
and social control. The absence of explicit data retention limits, purpose
limitation safeguards, and technical controls to prevent repurposing means
that the contact-tracing data could be retained and reused indefinitely for
purposes wholly unrelated to the pandemic. This purpose creep risk is a
fundamental violation of Article 6.
Article 9 establishes requirements for data accuracy and integrity. The use
of BeAware location data as the basis for criminal prosecution (non-compliance
with quarantine) creates an obligation for the highest standards of data
accuracy. GPS technology is inherently imprecise, with accuracy varying from
3 to 15 meters depending on conditions, and can produce false readings due
to signal reflection, atmospheric interference, or device malfunction. Basing
criminal penalties on GPS location data without acknowledging its limitations
risks false prosecutions and undermines the accuracy requirements of Article 9.
The PDPL’s structural limitations are exposed by the BeAware case more
than any other Bahraini data incident. The law was enacted just months before
the pandemic, and its enforcement machinery was not equipped to challenge
government pandemic policy. The Personal Data Protection Authority did not
issue any public guidance on the privacy implications of BeAware, did not
require a Data Protection Impact Assessment (DPIA) for the program, and did
not impose any conditions on the collection, use, or retention of the data.
The PDPL’s maximum fine of BD 20,000 is irrelevant when the data
controller is the government itself - the law lacks the structural
independence to regulate the entity it exists to constrain.
## What Should Have Been Done
The global pandemic response produced a spectrum of contact-tracing approaches,
from privacy-preserving decentralized systems to invasive centralized
surveillance. Bahrain chose the most invasive end of this spectrum. Concrete
alternatives existed that would have achieved equivalent or superior public
health outcomes while respecting personal data protection principles.
The most fundamental change should have been the adoption of the Apple/Google
Exposure Notification (GAEN) framework instead of centralized GPS tracking.
GAEN uses Bluetooth Low Energy to exchange rotating anonymous identifiers
between devices in proximity. When a user tests positive, their anonymous
identifiers for the infectious period are uploaded to a server, and other
devices check for matches locally. No location data is collected, no central
database of movements is created, and the government never receives
identifiable information about who was near whom. Countries including
Switzerland, Germany, Ireland, and Japan successfully deployed GAEN-based
apps with demonstrated public health benefit and minimal privacy impact.
Bahrain’s rejection of this approach in favor of GPS surveillance was
a choice, not a technical necessity.
If centralized data collection was deemed necessary for quarantine enforcement
(a purpose distinct from contact tracing), the system should have been designed
with strict purpose limitation controls. Location data should have been collected
only from individuals under active quarantine orders, not from the general
population. The data should have been encrypted at rest and in transit,
accessible only to authorized public health officials, and automatically
deleted within 14 days of the quarantine period ending. Technical controls
- .not just policy promises - should have enforced these
limitations through code-level access restrictions, automated deletion
routines, and comprehensive audit logging of all data access.
A mandatory Data Protection Impact Assessment (DPIA) should have been
conducted and published before the BeAware app was deployed. The DPIA should
have evaluated the necessity and proportionality of each data collection
element (GPS tracking, CPR linkage, bracelet data, public health data
publication), considered less invasive alternatives, and established specific
safeguards for each identified risk. The UK’s Information Commissioner’s
Office published detailed DPIA guidance for contact-tracing apps in April
2020, providing a template that Bahrain could have adapted. Conducting a
DPIA would not have delayed deployment significantly but would have forced
a structured evaluation of whether each invasive element was truly necessary.
The publication of identifiable health data should never have occurred. Public
health reporting can be conducted with aggregated, anonymized data: case counts
by geographic area, age range, and nationality grouping, without individual
names or identifying details. If individual-level contact tracing information
needed to be shared with specific contacts of infected individuals, this should
have been done through private notifications, not public broadcasts. The
“Are You at Home?” television program should not have existed in
any form - broadcasting identifiable health and quarantine data on
national television for entertainment purposes is indefensible under any
data protection framework and serves no legitimate public health function
that could not be achieved through private compliance monitoring.
The mandatory bracelet program should have been replaced with a voluntary
self-reporting system supplemented by random compliance checks. Singapore’s
approach of periodic check-ins via SMS with randomized location verification
achieved comparable quarantine compliance rates without requiring physical
monitoring devices or criminal penalties. For the small number of individuals
who posed genuine compliance risks, targeted judicial orders for electronic
monitoring (similar to criminal justice electronic monitoring) would have been
more proportionate than blanket mandatory bracelets for the entire quarantined
population.
An independent oversight mechanism should have been established from the outset.
A temporary COVID Data Ethics Board, including representatives from civil
society, the legal profession, and the medical community, could have provided
ongoing review of the BeAware program’s data practices. This board
should have had the authority to require modifications to data collection
practices, mandate the deletion of data no longer necessary for the stated
purpose, and publish regular transparency reports on the scope and duration
of data collection. The absence of any oversight body meant that the government
operated without external accountability for the most extensive personal data
collection program in Bahrain’s history.
Finally, a clear sunset clause should have been established from the beginning,
specifying that all BeAware data collection would cease and all collected data
would be permanently deleted within a defined period after the end of the
pandemic emergency. Without such a clause, the infrastructure and datasets
created for COVID surveillance persist indefinitely, available for repurposing
to other government objectives. The transition from emergency surveillance to
permanent surveillance is a well-documented pattern globally, and the absence
of enforceable data retention limits in the BeAware program represents an
ongoing risk to the privacy rights of every person whose data was collected.
The BeAware Bahrain program demonstrates how pandemic emergencies can be used
to deploy population surveillance infrastructure that far exceeds the requirements
of public health. Continuous GPS tracking, mandatory tracking bracelets, public
broadcasting of health data, and criminal penalties for non-compliance created
a surveillance ecosystem without precedent in Bahrain’s history. The
PDPL’s inability to constrain its own government’s data collection
reveals the law’s fundamental structural weakness: data protection without
institutional independence is data protection in name only.