Recognizing the increasing prevalence of data-driven solutions in combatting COVID-19 and the numerous related privacy concerns, on April 21, the EDPB adopted guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (“Guidelines”).
The Guidelines clarify the conditions and principles for proportionate use of location data and contact tracing tools for two particular purposes: (i) the use of location data to support the response to the pandemic by modelling COVID-19’s spread to calculate the overall effectiveness of confinement measures; and (ii) contact tracing, which aims to notify individuals that they have been in close proximity to an infected individual, to break the contamination links quickly and combat the virus’ spread.
The Guidelines observe that both the GDPR and the ePrivacy Directive 2002/58/EC (“ePrivacy Directive”) permit use of anonymous or personal data to assist with monitoring and containing the spread of COVID-19.
Location data for modelling the spread of COVID-19 and the overall efficacy of confinement measures originate from two main sources, namely location data collected by: (i) electronic communication service providers in the course of providing their service; and (ii) information society service providers’ applications whose functionality requires the use of such data.
The EDPB confirms that permitted uses of location data can vary under the ePrivacy Directive based on source. For example, location data collected from electronic communication service providers can only be transmitted to authorities or other third parties if anonymized by the provider or, for data indicating the geographic position of a user’s terminal equipment, which are not traffic data, with prior user consent. Different rules apply to information, including location data, collected directly from terminal equipment, and to the re-use of location data collected by information society service providers for modelling purposes. Derogations under the ePrivacy Directive are possible, however.
The Guidelines stress that location data must be anonymized whenever possible.
The Guidelines make various points and recommendations in respect of contact tracing applications, including the following (consideration of various other principles and issues is also recommended):
- Use of apps should be entirely voluntary. Individuals who do not use them should not be disadvantaged;
- To ensure accountability, controllers of contact tracing apps must be clearly defined;
- Purposes must be well defined to avoid processing for purposes unrelated to the management of COVID-19;
- Apps should minimize data collected and avoid collecting unrelated or unnecessary information like location data, or device identifiers;
- Apps should rely on proximity information, rather than tracking individual movements. Re-identification of individuals should be prevented;
- Various possible lawful bases for processing personal data (and special category health-related data) exist, including that processing is necessary for performing a task carried out in the public interest. User consent may be required in some circumstances (although it will not always be appropriate);
- Data should be kept for no longer than necessary (i.e. only for the duration of the pandemic) and then erased or anonymized;
- Apps cannot replace, but can only support, manual contact tracing and should be strictly supervised by qualified public health personnel;
- Data protection impact assessments must be conducted because of the high-risk nature of the processing;
- Data broadcast by apps, which are read by other users’ devices and listened to by apps, should only include unique and pseudonymous identifiers that are generated by and specific to the apps and exchanged between users’ mobile equipment. These should be renewed regularly to reduce the risk of physical tracking and linkage attacks;
- Apps must deploy state-of-the-art cryptographic techniques to secure data in various ways and be secured to guarantee safe technical processes;
- Both centralized and decentralized approaches can be used, provided adequate security measures are implemented;
- Reporting of infected users on apps must be subject to proper authorization;
- After users are diagnosed with COVID, only those with whom they have had close contact within the epidemiologically relevant retention period for contact tracing should be notified.
The Guidelines, which also include a general, non-exhaustive, non-prescriptive Contact Tracing Applications Analysis Guide for app designers and implementers, will doubtless be welcomed by those using location data and contact tracing tools in the fight against COVID-19 and should assist in developing a pan-European approach to the pandemic in these areas.