In June 2020, Amnesty International’s Security Lab published a comparative analysis of contact-tracing applications deployed worldwide, rating Bahrain’s BeAware app among the most privacy-invasive COVID surveillance tools in existence. The app conducted live or near-live GPS tracking, uploading precise location data to a central government server at frequent intervals.
Key Facts
- WhatCOVID app used live GPS tracking with mandatory bracelets and criminal penalties.
- WhoEntire Bahraini population; no opt-out mechanism initially.
- Data ExposedReal-time location, health status, names, and nationalities broadcast publicly.
- OutcomeRated among world's most privacy-invasive apps; no PDPL enforcement.
What Was Exposed
The BeAware system represents a unique category of data exposure: one where the government itself is both the data controller and the entity actively publishing and broadcasting personal data. Unlike conventional breaches where unauthorized actors access protected systems, the BeAware incident involved the deliberate, systematic collection and dissemination of sensitive personal data by the state as a matter of official policy.
- Continuous GPS location data for every BeAware user, uploaded to central government servers at intervals of minutes or seconds, creating a comprehensive movement history for the entire participating population
- National CPR identification numbers linked to location data, enabling de-anonymized tracking of individual citizens and residents across the kingdom at all times
- Health status data - COVID test results, infection status, quarantine status - published by the government in public-facing formats, including individual names, nationalities, ages, and genders
- Travel histories of infected individuals, published publicly and linked to identifiable personal information, exposing patterns of movement and social interaction
- Bluetooth proximity data from mandatory electronic bracelets, creating a graph of physical interactions between quarantined individuals and anyone in their proximity
- Quarantine compliance data broadcast on national television through the “Are You at Home?” program, publicly identifying individuals and their quarantine status to the entire viewing audience
- Metadata from the BeAware app itself, including device identifiers, network information, and usage patterns that could be correlated with other government databases
The technical architecture of BeAware revealed design choices that prioritized surveillance over public health. The app used centralized GPS tracking rather than the decentralized Bluetooth-based Exposure Notification system jointly developed by Apple and Google, which was specifically designed to enable contact tracing while preserving privacy. The Apple/Google system used rotating Bluetooth identifiers, on-device matching, and no central location tracking.
BeAware rejected this privacy-preserving architecture in favor of continuous GPS upload to government servers, a design that provided the government with a real-time population surveillance capability far beyond what contact tracing requires.
The mandatory Bluetooth bracelet program extended the surveillance apparatus into the physical realm. Quarantined individuals were required to wear electronic bracelets that paired with the BeAware app and transmitted continuous Bluetooth signals. Removing the bracelet, leaving the designated quarantine location, or failing to respond to app check-ins triggered automatic alerts to authorities.
The criminal penalties for non-compliance - imprisonment and fines of up to BD 10,000 - transformed a public health measure into a coercive surveillance regime backed by criminal sanctions. This approach was particularly punitive for migrant workers, who constituted approximately 55% of Bahrain’s population and who faced deportation in addition to criminal penalties for quarantine violations.
The government’s decision to publish COVID case data with identifiable personal information - names, nationalities, ages, and travel histories - represents a data exposure with no public health justification. Contact tracing can be conducted without publicly naming infected individuals. The publication of nationality data was particularly problematic in Bahrain’s social context, where demographic tensions between Sunni and Shia populations, and between citizens and migrant workers, are politically charged.
Publishing the nationalities of infected individuals fueled xenophobic discourse and discrimination against specific national groups in employment and housing.
” television program stands as perhaps the most extraordinary element of the BeAware ecosystem. A live daily broadcast that called 10 randomly selected quarantined individuals to verify their compliance, the show effectively gamified quarantine surveillance and transformed public health compliance into entertainment. Individuals who answered correctly were praised on air; those who did not answer or were not at home faced potential criminal prosecution.
The program publicly broadcast the names, faces (via video call), and quarantine status of citizens and residents on national television - sensitive health data shared with the entire country for the purpose of social control through public shaming.
The absence of an opt-out mechanism during the initial deployment of BeAware meant that participation in the surveillance system was mandatory for all residents. This eliminated any pretense of consent-based data processing and transformed the app from a voluntary public health tool into a compulsory population surveillance system. When combined with the mandatory bracelet requirement and criminal penalties for non-compliance, the BeAware ecosystem represented one of the most comprehensive state surveillance programs deployed under the pretext of pandemic response anywhere in the world.
Regulatory Analysis
The BeAware program presents the most direct collision between public health emergency powers and personal data protection obligations under the PDPL (Law No. 30 of 2018). The government deployed the system as an emergency public health measure, but the scope and intrusiveness of the data collection, combined with the public broadcasting of sensitive health data, exceed any reasonable interpretation of emergency necessity.
Article 5 of the PDPL establishes lawful bases for data processing, including consent and the legitimate interests of public authorities. While pandemic response may constitute a legitimate interest, the proportionality principle inherent in data protection law requires that the means of processing be no more invasive than necessary to achieve the stated purpose.
Continuous GPS tracking is not necessary for contact tracing - the Apple/Google Exposure Notification system demonstrated that privacy-preserving Bluetooth-based approaches could achieve equivalent public health outcomes without centralized location surveillance. The choice of GPS tracking over Bluetooth proximity detection was disproportionate and cannot be justified by the stated purpose of contact tracing.
Article 7 of the PDPL specifically addresses the processing of sensitive personal data, which includes health data. The law requires enhanced protections for sensitive data and prohibits its processing except under specific limited circumstances. The government’s public broadcast of COVID patients’ names, health statuses, nationalities, and travel histories violates the fundamental purpose of Article 7. Publishing identifiable health data on government websites and broadcasting it on television is the antithesis of the enhanced protection the law requires.
No interpretation of Article 7’s exceptions for public health or vital interests supports the public naming of infected individuals when anonymized data would serve the same epidemiological purpose.
Article 6 requires that personal data be collected for specific, explicit, and legitimate purposes and not processed in a manner incompatible with those purposes. The stated purpose of BeAware was contact tracing and quarantine enforcement. However, the continuous GPS tracking capability created a dataset with potential uses far beyond COVID response: law enforcement investigations, immigration enforcement, political surveillance, and social control.
The absence of explicit data retention limits, purpose limitation safeguards, and technical controls to prevent repurposing means that the contact-tracing data could be retained and reused indefinitely for purposes wholly unrelated to the pandemic. This purpose creep risk is a fundamental violation of Article 6.
Article 9 establishes requirements for data accuracy and integrity. The use of BeAware location data as the basis for criminal prosecution (non-compliance with quarantine) creates an obligation for the highest standards of data accuracy. GPS technology is inherently imprecise, with accuracy varying from 3 to 15 meters depending on conditions, and can produce false readings due to signal reflection, atmospheric interference, or device malfunction.
Basing criminal penalties on GPS location data without acknowledging its limitations risks false prosecutions and undermines the accuracy requirements of Article 9.
The PDPL’s structural limitations are exposed by the BeAware case more than any other Bahraini data incident. The law was enacted just months before the pandemic, and its enforcement machinery was not equipped to challenge government pandemic policy. The Personal Data Protection Authority did not issue any public guidance on the privacy implications of BeAware, did not require a Data Protection Impact Assessment (DPIA) for the program, and did not impose any conditions on the collection, use, or retention of the data.
The PDPL’s maximum fine of BD 20,000 is irrelevant when the data controller is the government itself - the law lacks the structural independence to regulate the entity it exists to constrain.
What Should Have Been Done
The global pandemic response produced a spectrum of contact-tracing approaches, from privacy-preserving decentralized systems to invasive centralized surveillance. Bahrain chose the most invasive end of this spectrum. Concrete alternatives existed that would have achieved equivalent or superior public health outcomes while respecting personal data protection principles.
The most fundamental change should have been the adoption of the Apple/Google Exposure Notification (GAEN) framework instead of centralized GPS tracking.
GAEN uses Bluetooth Low Energy to exchange rotating anonymous identifiers between devices in proximity. When a user tests positive, their anonymous identifiers for the infectious period are uploaded to a server, and other devices check for matches locally. No location data is collected, no central database of movements is created, and the government never receives identifiable information about who was near whom. Countries including Switzerland, Germany, Ireland, and Japan successfully deployed GAEN-based apps with demonstrated public health benefit and minimal privacy impact.
Bahrain’s rejection of this approach in favor of GPS surveillance was a choice, not a technical necessity.
If centralized data collection was deemed necessary for quarantine enforcement (a purpose distinct from contact tracing), the system should have been designed with strict purpose limitation controls. Location data should have been collected only from individuals under active quarantine orders, not from the general population. The data should have been encrypted at rest and in transit, accessible only to authorized public health officials, and automatically deleted within 14 days of the quarantine period ending. Technical controls
- not just policy promises - should have enforced these limitations through code-level access restrictions, automated deletion routines, and comprehensive audit logging of all data access.
A mandatory Data Protection Impact Assessment (DPIA) should have been conducted and published before the BeAware app was deployed. The DPIA should have evaluated the necessity and proportionality of each data collection element (GPS tracking, CPR linkage, bracelet data, public health data publication), considered less invasive alternatives, and established specific safeguards for each identified risk. The UK’s Information Commissioner’s Office published detailed DPIA guidance for contact-tracing apps in April 2020, providing a template that Bahrain could have adapted.
Conducting a DPIA would not have delayed deployment significantly but would have forced a structured evaluation of whether each invasive element was truly necessary.
The publication of identifiable health data should never have occurred. Public health reporting can be conducted with aggregated, anonymized data: case counts by geographic area, age range, and nationality grouping, without individual names or identifying details. If individual-level contact tracing information needed to be shared with specific contacts of infected individuals, this should have been done through private notifications, not public broadcasts.
” television program should not have existed in any form - broadcasting identifiable health and quarantine data on national television for entertainment purposes is indefensible under any data protection framework and serves no legitimate public health function that could not be achieved through private compliance monitoring.
The mandatory bracelet program should have been replaced with a voluntary self-reporting system supplemented by random compliance checks. Singapore’s approach of periodic check-ins via SMS with randomized location verification achieved comparable quarantine compliance rates without requiring physical monitoring devices or criminal penalties.
For the small number of individuals who posed genuine compliance risks, targeted judicial orders for electronic monitoring (similar to criminal justice electronic monitoring) would have been more proportionate than blanket mandatory bracelets for the entire quarantined population.
An independent oversight mechanism should have been established from the outset.
A temporary COVID Data Ethics Board, including representatives from civil society, the legal profession, and the medical community, could have provided ongoing review of the BeAware program’s data practices. This board should have had the authority to require modifications to data collection practices, mandate the deletion of data no longer necessary for the stated purpose, and publish regular transparency reports on the scope and duration of data collection.
The absence of any oversight body meant that the government operated without external accountability for the most extensive personal data collection program in Bahrain’s history.
Finally, a clear sunset clause should have been established from the beginning, specifying that all BeAware data collection would cease and all collected data would be permanently deleted within a defined period after the end of the pandemic emergency. Without such a clause, the infrastructure and datasets created for COVID surveillance persist indefinitely, available for repurposing to other government objectives.
The transition from emergency surveillance to permanent surveillance is a well-documented pattern globally, and the absence of enforceable data retention limits in the BeAware program represents an ongoing risk to the privacy rights of every person whose data was collected.
The BeAware Bahrain program demonstrates how pandemic emergencies can be used to deploy population surveillance infrastructure that far exceeds the requirements of public health. Continuous GPS tracking, mandatory tracking bracelets, public broadcasting of health data, and criminal penalties for non-compliance created a surveillance ecosystem without precedent in Bahrain’s history. The PDPL’s inability to constrain its own government’s data collection reveals the law’s fundamental structural weakness: data protection without institutional independence is data protection in name only.