The European Commission Issues Guidance on Apps Supporting the Pandemic in Relation to Data Protection - Clarip Privacy Blog

European Commission Pandemic Guidance for Apps

Digital technologies and data have a valuable role to play in combating the COVID-19 pandemic. As we recently reported, a number of countries are already utilizing or intend to utilize mobile applications with different functionalities aimed at supporting the fight against the virus. Mobile applications can support health authorities in monitoring and containing the pandemic and are particularly relevant in the phase of lifting containment measures. They can provide direct guidance to citizens, support contact tracing efforts, and have a significant impact on disease diagnosis, treatment, and management. These applications predictably raise privacy concerns in terms of data collection, sharing, use, and security.

On April 16, 2020, the European Commission published Guidance on Apps Supporting the Fight against COVID 19 Pandemic in Relation to Data Protection.  Although the Guidance is not legally binding, it sets out features and requirements which applications should meet to ensure compliance with the European Union’s privacy and data protection regulations, in particular the GDPR and the ePrivacy Directive.

The Guidance addresses only applications downloaded, installed, and used on a voluntary basis with one or several of the following functionalities: (1) provide information to individuals about the COVID-19 pandemic; (2) provide questionnaires for self-assessment and for guidance to individuals (symptom checker functionality); (3) alert persons who have been in proximity for a certain duration to an infected person in order to provide information on whether to self-quarantine or where to get tested (contact tracing and warning functionality); and (4) provide communication between patients and doctors in situations of self-isolation (telemedicine).

The Commission outlined the following elements aimed to provide guidance on how to limit the intrusiveness of app functionalities in order to ensure compliance with the EU’s privacy and data protection regulations:

  • National health authorities (or entities carrying out tasks in the public interest in the health field) as data controllers. The Commission recommends that, given the sensitivity of the personal data involved and the purpose of processing, the applications should be designed in such a manner that the national health authorities (or entities carrying out tasks in the public interest in the health field) are the controllers of the data.
  • Ensuring that individuals remain in control. To ensure that individuals remain in control of their data, the Commission considers that the following conditions should be met: (1) the installation of the app on the device should be voluntary and without any negative consequences for the individual who decides not to download or use the app; (2) different app functionalities (e.g. information, symptom checker, contact tracing and warning functionalities) should not be bundled so that the individual can provide his/her consent specifically for each functionality; (3) if proximity data are used (data generated by the exchange of Bluetooth Low Energy (BLE) signals between devices within an epidemiologically relevant distance and during an epidemiologically relevant time), they should be stored on the individual’s device. If those data are to be shared with health authorities, they should be shared only after confirmation that the person concerned is infected with COVID-19 and on the condition that he/she chooses to do so; (4) health authorities should provide individuals with all necessary information related to the processing of their personal data; (5) the individual should be able to exercise his/her rights under the GDPR, such as access, rectification, and deletion; (6) the apps should be deactivated at the latest when the pandemic is declared to be under control, and deactivation should not depend on de-installation by the user.
  • Legal basis for processing. The Commission concluded that consent would be the most appropriate legal basis for processing for purposes of installation of the apps and storing of information on the user’s device.  The legal basis for processing by national health authorities, in turn, would be the EU and Member State laws providing for such processing.
  • Data minimization. Data minimization is one of the core GDPR principles and requires that only personal data that is adequate, relevant and limited to what is necessary in relation to the purpose may be processed. Consistent with this principle, the Commission, for example, notes that if the purpose of the functionality is symptom checking or telemedicine, these purposes do not require access to the contact list of the person owning the device. For the metering of proximity and close contacts, the Commission recommends using Bluetooth Low Energy communications data as it appears more precise, and therefore more appropriate, than the use of geolocation data (GNSS/GPS, or cellular location data). Also, unlike geolocation data, BLE avoids the possibility of tracking.
  • Limiting the disclosure/access of data. Consistent with the principle of limiting the disclosure of and access to data, the Commission advises that, for purposes of the contact tracing applications, the identity of the infected person should not be disclosed to the persons with whom he/she has been in epidemiological contact. Rather, it should be sufficient to communicate to them the fact that they have been in contact with an infected person during the two-week period.
  • Providing for precise purposes of processing.   The precise purposes of the app will depend on its functionalities. In order to provide the individuals with full control of their data, the Commission recommends not to bundle different functionalities and that the individual should have the ability to choose between different functionalities pursuant to separate purposes. The Commission also advises against the use of the data for purposes other than the fight against COVID-19.  Thus, should purposes like scientific research and statistics be necessary, they should be included in the original list of purposes and clearly communicated to users.
  • Setting strict limits to data storage. The principle of storage limitation requires that personal data may not be kept for longer than necessary.   The Guidance provides that timelines should be based on medical relevance (depending on the purpose of the app: the incubation period, etc.) as well as realistic durations for administrative steps that may need to be taken.
  • Ensuring security of the data. The Commission recommends, among other things, that the data should be stored on the terminal device of the individual in an encrypted form using state-of-the-art cryptographic techniques. If the data is stored on a central server, access, including administrative access, should be logged.
  • Ensuring the accuracy of the data. The Commission notes that ensuring the accuracy of the personal data processed is not only a pre-requisite for the efficiency of the app but is also a requirement under the personal data protection legislation. In this context, ensuring the accuracy of the information on whether a contact with an infected person has taken place is essential, to minimize the risk of having false positives.
  • Involving data protection authorities. The Guidance recommends that the Data Protection Authorities should be fully involved and consulted in the context of the development of the app and they should keep its deployment under review.

 

Additional resources:

European Commission Recommendation of 8.4.2020 on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data.

EDPB’s Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak

 

 

 
