In addition to the adoption by the European Data Protection Board (“EDPB”) of Guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak, various other European guidance regarding the use of data and technology in connection with COVID-19 has also been published.
On April 8, 2020, for example, the European Commission adopted Recommendation 2020/518, relating to a common Union “toolbox” for the use of data and technology to combat and exit from the COVID-19 crisis (“Recommendation”). The Recommendation established a process for developing a toolbox to use digital means to address the pandemic. The toolbox is intended to comprise practical measures for effectively using technologies and data, with particular emphasis on two priorities:
- a pan-European approach for the use of mobile applications for empowering citizens to take effective and more targeted social distancing measures and for warning, preventing and contact tracing to help limit the spread of COVID-19; and
- a common scheme for using anonymized and aggregated data on mobility of populations to: (a) model and predict COVID-19’s evolution; (b) monitor the effectiveness of Member States’ decision making on measures such as social distancing and confinement; and (iii) inform a coordinated strategy for exiting from the crisis.
The process focuses on respect for privacy and data protection rights, the prevention of surveillance and stigmatization.
The pan-European approach is intended to incorporate various elements including, for example, specifications to ensure the efficacy of mobile information warning and tracing applications for combating COVID-19 from medical and technical viewpoints and sharing data with relevant epidemiological public bodies and health research institutions.
The Recommendation also notes that Member State authorities, represented in the eHealth Network, should establish a process of exchanging information and ensuring interoperability of applications in cross-border scenarios. It also stresses that the toolbox should respect various data protection and privacy principles, for example, favoring the least intrusive, yet effective measures, including the use of proximity data and avoiding processing data on individuals’ movements or location and using anonymized and aggregated data where possible.
Regarding the second priority, among other things, the Recommendation notes that safeguards should be implemented to prevent re-identification of individuals, including guarantees of adequate levels of data and IT security, and that re-identification risks should be assessed when correlating anonymized data with other data. Data should also be deleted, in principle, after 90 days, or at least no later than when the pandemic is declared under control.
On April 15 2020, the EU’s eHealth Network released a first iteration of a common EU toolbox comprising a practical guide for Member States (“Guide”). The common approach aims to utilize privacy-enhancing technologies that allow at-risk individuals to be contacted and, if required, tested as soon as possible, regardless of where they are and the apps they are using. The guidance explains the essential requirements for national apps, namely that they be:
- approved by the national health authority;
- privacy-preserving – personal data is securely encrypted; and
- dismantled as soon as no longer needed.
The requirements on how to record contacts and notify individuals reflect best cybersecurity and accessibility practices, covering how to prevent the spread of potentially harmful unapproved apps, success criteria and collectively monitoring apps’ efficacy. They also include a skeleton communication strategy to engage with stakeholders and people affected by such initiatives. The Guide notes that further urgent work will continue to develop further and implement the toolbox as set out in the Recommendation.
Among other things, the Guide sets out certain requirements constituting Member States’ collective understanding of best practice and a common European approach to mobile contact tracing and warning apps. These requirements include: (i) certain essential requirements for national apps and cross-border interoperability covering the epidemiological framework, technical functionalities, cross-border interoperability requirements and cybersecurity measures and safeguards; (ii) measures to ensure accessibility and inclusiveness; (iii) governance and the role of public health authorities regarding approval of tracing apps and their access to data generated by them; and (iv) supporting actions covering sharing of epidemiological information and cooperation with the European Centre for Disease Prevention and Control (“ECDC”), measures to prevent growth of harmful apps and monitoring of apps’ effectiveness.
On April 17 2020, the European Commission published further non-binding guidance on apps supporting the fight against COVID-19 in relation to data protection (“Guidance”). The Guidance sets out requirements which voluntary apps with one of various specified functionalities should meet with to ensure compliance with the GDPR and EU Directive 2002/58/EC, (“ePrivacy Directive”). The Commission’s recommendations, which aim to provide guidance on how to limit the intrusiveness of app functionalities to ensure compliance with EU data protection legislation, include the following (among other things):
- The data controller should be well defined. Due to the sensitivity of the information and the purposes of the processing, national health authorities should act as controllers.
- Individuals should retain control over their personal data. Various conditions should be met including, for example, that use of apps should be voluntary and without negative consequences for users who decline to use them; different app functionalities should be un-bundled to ensure user consent to each functionality can be provided; and proximity data between users should typically be stored on the individual’s device.
- Data minimization should be considered (e.g. location data is deemed to be unnecessary for contact tracing functionalities, so should not be used).
- To ensure security, among other things, data should be stored on user’s terminal devices in encrypted (and, for proximity data, pseudonymized) format and apps’ source code should be made public. Additional features like automatic deletion or anonymization after a certain time should also be considered.
- Apps must accurately reflect whether users have made contact with an infected person.
- Data protection authorities should be involved in app development and review after deployment.
Notwithstanding the calls by the European Commission, the EDPB and other institutions for a common European approach to be adopted in respect of apps used to combat COVID-19, the extent to which EU Member States will adopt such an approach in practice remains to be seen.