Abstract
In their efforts to curb the COVID-19 pandemic, many countries have introduced contact tracing apps installed on mobile phones with the aim of breaking chains of infection. This raises ethical and legal questions, as these apps have the potential to be used for surveillance of the population. There is pressure to set privacy and data protection aside to allow extensive collection and processing of personal data, while the benefits of the apps remain uncertain. The two versions of the Norwegian COVID-19 tracing app are used as a case study to explore how law and legal norms are made and implemented—or not—in the context of a public emergency. In Norway, the legal question of contact tracing apps has largely been limited to a question of compliance with the GDPR and has excluded a meaningful conversation about the use of apps as pandemic response tools and their impact on rights and freedoms. The normative argument of the article is that to combine a robust form of privacy and data protection with the use of digital tools in a crisis, we need to scrutinize carefully the effects technology choices have on human rights and the rule of law.