At the beginning of the pandemic, digital contact tracing was a much-hoped-for initiative that spurred a myriad of apps. Despite a great theoretical promise, however, the tool fell short of significant impact and, essentially, came to nothing. The technological development effort has attracted much scholarly and media attention and coverage. This article seeks to contribute to this growing body of knowledge by approaching the topic from a largely unexplored perspective. It examines the emergence of digital contact tracing as a standard setting exercise, focusing on key actors, processes of technical specification development and data protection assessment of technological choices. It also explores the governance attributes of standard settings from the perspective of data protection law. Given a potential of a technical standard to act as a regulatory means, it is proposed that the governance and legitimacy issues should receive much more consideration. It is believed that for a technical solution to stand the competition for a regulatory share and succeed in the future, the values of inclusiveness, transparency, accountability and openness should be meaningfully internalised in the very process of its development.