Entrance to RPC building - dark

European Commission and EDPB lay out framework for privacy compliant contact tracing apps

Published on 07 August 2020

How do we balance the need for contact tracing with data protection regulation?

The key takeaway

The guidelines and toolbox prepared by the European Commission and EDPB set out the relevant parameters for a coordinated development and use of contact-tracing applications and the monitoring of their performance. The guidance aims to explain how the collection of location data to enable contact tracing can be lawful and proportionate. 

The background 

Against the backdrop of an unprecedented pandemic costing hundreds of thousands of lives and freezing economies worldwide, governments, health authorities and private entities alike have been striving to develop and deploy technology in order to curb the death toll and unearth a new way of living. One of the key technological solutions to be used during the crisis are apps, specifically designed to tackle Covid-19. Apps bring a plethora of benefits, such as: helping monitor the spread of the virus, providing users with available testing measures and information on symptoms, and tracing users’ contact with other infected users. The intention is that contact tracing apps will be one of a number of important elements to support the gradual lifting of border controls within the EU and the restoration of freedom of movement. However, much of this functionality signifies a grave threat to users’ privacy and could ultimately be at risk of breaching privacy legislation worldwide. 

The guidance 

On 17 April 2020 the European Commission issued a Communication providing guidance on the compliance with privacy legislation of these apps (2020/C 124 I/01). The EDPB followed this by adopting guidelines on 21 April 2020 on the use of location data and contract tracing tools in the context of the pandemic (Guidelines 04/2020). These two sets of advice essentially provide a roadmap for app designers to follow to help ensure that their apps adhere to the GDPR and ePrivacy Directive. The two authorities’ guidance is summarised by the checklist below:

  • in order to win greater trust among the population and due to the sensitivity of the data involved, the Commission suggests that the relevant national health authority should be designated as data controller
  • the guidance only applies to apps which are installed and used by users voluntarily and have one or more of the following functionalities: (i) information function; (ii) symptom checker function; (iii) contact tracing function; and (iv) telemedicine function
  • users’ rights should be guaranteed
  • apps should be automatically deactivated when the pandemic is declared to be “under control”, and this should not depend on users uninstalling it
  • data minimization should be a key principle in determining which categories of data are to be processed (for instance, it clarifies that apps for contact tracing should use Bluetooth technology rather than geolocation data, as such technology ensures the fulfilment of the purpose without requiring the tracking of users)
  • limits on accessing and disclosing data must be ensured
  • the precise purpose for processing data should be clarified to users and using a blanket purpose such as “preventing further COVID-19 infections” would not meet the threshold. Instead, a separate purpose for each app function should be identified, to which users should be able to consent or refuse individually
  • data retention should be strictly limited and based on “medical relevance” only, otherwise deleted. Security measures should be in place to ensure this 
  • accuracy of data should be ensured
  • Data Protection Authorities are to be involved and consulted on app development. Reference is made to Art. 35 GDPR on the need for data protection impact assessments to be performed in relation to large-scale processing of special categories of data.
Why is this important?

The guidelines acknowledge that increased attention must be paid when using apps with contact tracing to minimise interferences with private life while still allowing data processing, with the goal of preserving public health. As pointed out by the Commission, “People must have the certainty that compliance with fundamental rights is ensured and that the apps will be used only for the specifically defined purposes, that they will not be used for mass surveillance, and that individuals will remain in control of the data”. As such, the guidelines are intended to limit intrusiveness and ensure a common approach that will be trusted by citizens. 

Any practical tips?

The guidance is a useful framework for the developer of an app to follow to help ensure its adherence to the privacy legislation. It should be noted that the guidance is not legally binding and it is therefore up to app developers to decide how best to proceed. It is notable that several different models of app are already taking shape; some do not follow the guidance of the Commission and it remains to be seen how regulators, particularly those in the EU, will approach them. What is certain, however, is that regulators across the EU are likely to look unfavourably on apps which do not follow the guidelines.