On April 16, 2020, the European eHealth Network—a voluntary network connecting national authorities responsible for eHealth designated by EU Member States—published a common EU toolbox for the use of contact tracing and warning apps in response to the coronavirus pandemic (the “Toolbox”). The Toolbox is part of the common EU coordinated approach to using COVID-19 mobile apps, as set out in the European Commission’s Recommendation of April 8, 2020. The Toolbox was accompanied by guidance from the European Commission on data protection and privacy aspects of the use of such apps (the “Guidance”).
Mobile apps, and in particular contact tracing and warning apps, can play an important role in all phases of the COVID-19 outbreak, especially in the phase of lifting containment measures. These apps can help to interrupt infection chains faster and more efficiently than general containment measures. If deployed correctly, they could contribute substantively to containing the spread of the virus. However, if deployed without appropriate safeguards, they could also have a significantly negative impact on privacy and individuals’ rights and freedoms. Further, a fragmented and uncoordinated approach to using these apps would risk hampering the effectiveness of measures aimed at combating the virus, and causing adverse effects on the European single market. This is the reason why EU Member States, within the eHealth Network, developed the Toolbox to be applied consistently by all EU Member States, while the European Commission issued the Guidance for EU Member States and app developers.
Both the Toolbox and the Guidance only apply to voluntary apps, i.e., apps downloaded, installed and used on a voluntary basis by individuals. While the Toolbox only covers voluntary contact tracing and warning apps, the Guidance also addresses apps with other functionalities, including information, symptom checker and/or telemedicine functionalities.
Common EU Toolbox to Contact Tracing Apps
The Toolbox sets out the relevant parameters to enable coordinated development and use of officially recognized contact tracing apps, and the monitoring of their performances. To that end, the Toolbox provides a detailed list of baseline requirements and functionalities that should be taken into account, which represent the EU Member States’ collective understanding of best practice. This includes:
- Essential requirements covering the epidemiological framework, technical functionalities, cross-border interoperability requirements and cybersecurity requirements as well as safeguards to respect individuals’ fundamental rights;
- Measures aimed at ensuring accessibility and inclusiveness, such as the implementation of helplines at national level to support the uptake of the app for people who have a smartphone, but would benefit from guidance and support in installing and using the app, and complementary, location-based solutions to increase the coverage of digitally excluded people (e.g., elderly, children, and health and care workers). In this respect, the Toolbox stresses that tracing apps will complement manual contact tracing efforts that will continue to play an important role, in particular, for those who are digitally excluded;
- Governance / role of public health authorities in the approval of tracing apps;
- Supporting actions, including the sharing of epidemiological information and cooperation with the European Center for Disease Control; (1) measures to prevent the proliferation of unlawful or harmful apps (e.g., national systems for the evaluation, accreditation or endorsement of national apps); (2) close cooperation with app stores to promote national apps and their uptake while delisting harmful apps; and (3) measures to monitor the effectiveness of the apps (e.g., a set of KPIs to assess the effectiveness of the apps in supporting contact tracing, and peer reviews at national level and among EU Member States).
In particular, the Toolbox addresses the options for privacy-preserving solutions in support of public health efforts. This includes the two following options:
- Decentralized solution, where the data related to contacts generated by the app is stored only on the user’s device. Tracing apps generate arbitrary identifiers of mobile phones that come into close contact with the user. Under this approach, these identifiers are stored on the user’s device with no additional personal data. The provision of mobile phone numbers or other personal data by the user at the time of the app installation is not necessary, because an alert is automatically delivered via the app to the close contacts when a user notifies the app—with the approval or confirmation of the health authority, for instance via a QR or TAN code—that they have tested positive. Public health authorities would have access to proximity data from the device of an infected person only after the infected person (having been tested) proactively shares this data, so that they are able to contact people at risk of infection. Under this approach, public health authorities would not have access to any anonymized and aggregated information on social distancing, on the effectiveness of the app or on the potential diffusion of the virus, which could help them manage the exit from the crisis.
- Back-end server solution. In this solution, the app functions through a back-end server held by public health authorities on which the arbitrary identifiers are stored. Users cannot be directly identified through this data, as only the arbitrary identifiers generated by the app are stored on the server. The advantage of this solution is that the data stored on the server can be anonymized by aggregation and further used by public authorities as a source of important information on the intensity of contacts in the population, the effectiveness of the app and the aggregate number of people that could potentially develop symptoms. Through the identifiers, users who have been in contact with a positively tested user will receive, as in the previous option, an automatic message or alert on their phone.
Data Protection Guidance for COVID-19 Apps
Taking into account the contribution from the European Data Protection Board, the Guidance sets out features and requirements that apps should meet to ensure compliance with EU privacy and personal data protection legislation, in particular the EU General Data Protection Regulation (“GDPR”) and the EU ePrivacy Directive. This includes the following features and requirements:
- National health authorities as data controllers: The apps should be designed in such a manner that national health authorities (or entities carrying out tasks in the public interest in the field of health) are the data controllers;
- Ensuring that individuals remain in control: Measures should be taken to ensure that individuals remain in control of their personal data, including:
  - Ensuring that the installation of the app is genuinely voluntary and without any negative consequences for individuals that decide not to download/use it;
  - Not bundling different app functionalities (e.g., information, symptom checker, contact tracing and warning functionalities). Individuals should be able to provide their consent specifically for each functionality;
  - If proximity data are used, storing such data on the individual’s device and sharing the data with health authorities only after confirmation that the individual is infected and on the condition that they choose to do so;
  - Providing individuals with all necessary information about the processing of their personal data;
  - Ensuring they can exercise their data protection rights under the GDPR; and
  - Deactivating the app, at the latest, when the pandemic is declared to be under control.
- Legal basis for the data processing: Users’ consent would be required for installation of the apps and the storing of information on their device, while national health authorities should rely on a Member State law and the need to comply with that law as a legal basis for processing the data. That law should (1) prescribe in detail the processing of specific health data and clearly specify the purposes for the processing; (2) clearly spell out who is the data controller, and who, besides the data controller, can have access to such data; (3) exclude the possibility of processing such data for purposes other than those listed in the legislation; and (4) provide for specific safeguards.
- Data minimization: An assessment of the need to process personal data and the relevance of such personal data should be carried out in the light of the purpose(s) pursued. Regarding contact tracing and warning apps, the Guidance recommends using Bluetooth Low Energy communications data (or data generated by equivalent technology) to determine proximity. Location data is not necessary for the purpose of contact tracing functionalities.
- Limiting data disclosure and access: The Guidance recommends using the decentralized solution for contact tracing and warning apps (see above).
- Providing precise purposes for processing: For example, the purpose “for the prevention of further COVID-19 infections” is not specific enough.
- Setting strict data retention periods: For contact tracing and warning apps, proximity data should be deleted within one month (incubation period plus margin) or after the person was tested and the result was negative.
- Ensuring data security: The Guidance recommends storing data on the individual’s terminal device using state-of-the-art encryption.
- Carrying out a DPIA: The Guidance emphasizes the need to carry out a data protection impact assessment for processing health data on a large scale.
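The decentralized option described in the Toolbox section above (the one the Guidance recommends), combined with the one-month retention window for proximity data, as an added illustration. This is not code from the eHealth Network, the European Commission or any national app; the daily rotation of 16-byte random identifiers, the single-use TAN handling and the `Device`/`HealthAuthority` classes are simplifying assumptions, and the three devices and their meeting times are constructed for the scenario. The point it makes concrete: the server only ever holds the identifiers that confirmed-positive users chose to upload, and the question "was I near a case?" is answered on each phone, never on the server.

```python
import secrets
from dataclasses import dataclass, field

EPOCH = 24 * 3600        # seconds; a device rotates its broadcast identifier daily (assumption)
RETENTION = 30 * EPOCH   # about one month, the window the Guidance gives for proximity data
NOW = 50 * EPOCH         # fixed "current time" for the constructed scenario below


@dataclass
class Device:
    """A user's phone. Everything it records stays on the device."""
    name: str
    own_ids: dict = field(default_factory=dict)   # epoch -> identifier this device broadcast
    seen: list = field(default_factory=list)      # (timestamp, identifier) heard from nearby devices

    def identifier_for(self, t):
        """Return the arbitrary identifier this device broadcasts during the epoch containing t."""
        epoch = t // EPOCH
        if epoch not in self.own_ids:
            self.own_ids[epoch] = secrets.token_bytes(16)
        return self.own_ids[epoch]

    def observe(self, identifier, t):
        """Record an identifier heard over Bluetooth (no phone number, no location)."""
        self.seen.append((t, identifier))

    def purge(self, now):
        """Drop anything older than the retention window, both what was heard and what was sent."""
        self.seen = [(t, i) for t, i in self.seen if now - t <= RETENTION]
        self.own_ids = {e: i for e, i in self.own_ids.items() if now - e * EPOCH <= RETENTION}

    def ids_to_report(self, now):
        """What a positively tested user uploads: only their own identifiers, within retention."""
        self.purge(now)
        return list(self.own_ids.values())

    def is_at_risk(self, published, now):
        """Local match against the published list; the server never learns the outcome."""
        self.purge(now)
        return any(i in published for _, i in self.seen)


class HealthAuthority:
    """Back end that only distributes the identifiers of confirmed cases."""

    def __init__(self):
        self.unused_tans = set()
        self.published = set()   # identifiers of confirmed-positive users, nothing else

    def issue_tan(self):
        """One-time code handed to a user together with a confirmed positive test result."""
        tan = secrets.token_hex(4)
        self.unused_tans.add(tan)
        return tan

    def accept_upload(self, tan, identifiers):
        """Publish identifiers only when a valid, unused TAN accompanies them."""
        if tan not in self.unused_tans:
            return False
        self.unused_tans.discard(tan)   # single use: a replayed TAN is refused
        self.published.update(identifiers)
        return True


def run_scenario():
    """Constructed scenario: Alice met Bob 5 days ago and Carol 40 days ago, then tests positive."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    authority = HealthAuthority()

    t_recent = NOW - 5 * EPOCH
    alice.observe(bob.identifier_for(t_recent), t_recent)
    bob.observe(alice.identifier_for(t_recent), t_recent)

    t_old = NOW - 40 * EPOCH   # outside the retention window on both phones
    alice.observe(carol.identifier_for(t_old), t_old)
    carol.observe(alice.identifier_for(t_old), t_old)

    # Upload is refused without a valid TAN, accepted once with the issued TAN, refused on replay.
    rejected = authority.accept_upload("not-a-valid-tan", alice.ids_to_report(NOW))
    tan = authority.issue_tan()
    accepted = authority.accept_upload(tan, alice.ids_to_report(NOW))
    replayed = authority.accept_upload(tan, alice.ids_to_report(NOW))

    return {
        "upload_without_tan": rejected,
        "upload_with_tan": accepted,
        "tan_reuse": replayed,
        "bob_alerted": bob.is_at_risk(authority.published, NOW),
        "carol_alerted": carol.is_at_risk(authority.published, NOW),
        "identifiers_held_by_server": len(authority.published),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Bob is alerted because his phone still holds the identifier Alice broadcast five days ago; Carol is not, because the 40-day-old encounter was purged on her phone and Alice's identifier from that day was never uploaded. The server ends up holding exactly one identifier and no record of who met whom. In the back-end server option the `seen` lists would be uploaded instead, which is what makes the aggregate statistics possible and also what the Guidance's point on limiting data disclosure is about. Bluetooth signal strength and contact duration thresholds are not modelled here.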
By April 30, 2020, public health authorities will assess the effectiveness of the apps at the national and cross-border level. By May 31, 2020, EU Member States should report on the actions they have taken pursuant to the Toolbox, and make the measures accessible to other EU Member States and the European Commission for peer review. Starting in June 2020, the European Commission will assess the progress made and publish periodic reports, and may make further recommendations to EU Member States, including on the phasing out of measures that are no longer necessary.