This paper proposes a legal and architectural inquiry into Google and Apple’s Exposure Notifications system, from a data protection point of view, with the aim of answering two main questions. (1) Is the Exposure Notifications framework legal by design? (2) Does it afford legal protection by design? The raw material to answer these questions involves (i) a legal assessment of the contractual framework established between Google and Apple (Gapple) and governments; (ii) a review of relevant aspects of the system architecture; and (iii) the identification of some of the system’s security vulnerabilities. The contractual assessment reveals the underlying power relations between governments and Gapple regarding the use of the API and the design of national proximity tracking apps. The analysis of the system architecture and of the tools to develop national apps exposes contradictions between the available public information on data protection and the functioning of the system. The identified security vulnerabilities show that tracking and profiling are possible if simple attacks are deployed. Our analysis indicates that Gapple’s framework may be an example of legal by design which remains blind to legal protection by design.