EU Commission’s Guidance on apps to fight COVID-19: data protection and privacy Q&A
On 16 April 2020, the Commission published its Guidance in relation to the development and use of apps to fight against the COVID-19 pandemic. The Guidance follows-up the Commission’s earlier Recommendation calling for the development of a common pan-European approach and the creation of an EU Toolbox. The Commission also consulted with the European Data Protection Board, which issued a Letter on the topic.
The EU responds to Member States’ enactment of legislation to allow processing of health data based on public interests and measures including the geolocation-based tracking of individuals, the use of technology to rate health risk levels and the centralization of sensitive data. The common approach aims to support competent national authorities, health authorities and policy makers, by providing them with sufficient and accurate data to understand the evolution and spread of the COVID-19 virus and its effects.
Within this context, the eHealth Network has published a Toolbox for Member States to coordinate response and protect fundamental rights in relation to contact tracing. In addition to the development of apps, the Toolbox intends to develop a common scheme for using anonymized and aggregated data on mobility of people to (i) model and predict the evolution of the disease, (ii) monitor the effectiveness of national decision-making, such as social distancing and confinement measures, and (iii) inform a coordinated strategy for exiting from the COVID-19 crisis.
Mobile apps to fight COVID-19
These technologies can help empower citizens to take effective and more targeted social distancing measures. However, appropriate safeguards to protect data protection and other fundamental rights must be ensured, given that some apps’ functionalities are based on data-intensive models. In particular, it is key that apps and processing activities respect of rules under GDPR and the ePrivacy Directive.
The mentioned apps serve three general functions:
1. informing and advising citizens and facilitating medical follow-up with symptomatic persons, coupled with self-diagnosis questionnaires;
2. warning people who have been in proximity to an infected person, in order to interrupt infection chains and prevent resurgence of infections in the reopening phase;
3. monitoring and enforcing quarantine of infected persons, possibly combined with features assessing their health conditions during the quarantine period.
Q&A on the Commission’s data protection and privacy recommendations on the development of app
Q: Who is the data controller?
A: National health authorities, or entities carrying out a task in the public interest in the health field, should act as data controllers.
Q: How will individuals be in control of such data processing?
A: A number of provisions to allow individuals to remain in control of their data are recommended. In particular, the apps should allow:
- Voluntary installation and use;
- No bundling of different app functionalities: specific consent will be needed for each functionality;
- Proximity data (exchanged via Bluetooth) stored on the user’s device. Sharing data with health authorities can only occur upon the choice of the individual and once the infection is confirmed;
- Information provision to individuals by health authorities, pursuant to articles 12 and 13 of GDPR and article 5 of the ePrivacy Directive;
- Exercisability of data subject rights: data subjects must be able to exercise their rights. Any restriction of rights under GDPR or the ePrivacy Directive shall be prescribed by law and be necessary and proportionate.
- Deactivation of the apps once the pandemic is declared to be under control. This should not be dependent on the user’s de-installation.
Q: What is the legal basis for processing?
A: The Commission advises on two scenarios of processing activities:
- Installation of the app and user data storage: in accordance with article 5 of the ePrivacy Directive, consent is the most appropriate basis for processing activities. Within the meaning of GDPR, consent should be expressed through the individual’s clear affirmative action and excludes tacit forms of consent (e.g. silence; inactivity);
- Processing by national health authorities: in accordance with conditions laid down in:
– Article 6(1)(c) of GDPR, i.e. compliance with a legal obligation to which the controller is subject;
– Article 9(2)(i) of GDPR, i.e. necessary for reasons of public interest in the area of public health; or
– When necessary for the performance of a task carried out in the public interest. Pre-existing EU and Member State laws and those enacted specifically to fight the spread of the epidemic may, in principle, serve as a legal basis if they provide for measures allowing monitoring of epidemics and insofar as they meet the requirements of article 6(3) of GDPR.
Q: How will data processing be minimized?
A: The principle of data minimization allows processing only of personal data that is adequate, relevant and limited to what is necessary in relation to the stated purpose(s). For instance, with regards to the symptom checking or tele-medicine functionality, access to the contact list of the device owner is not required.
Q: Will disclosure of and access to data be limited?
A: Yes. The Commission recommends different approaches based on the app’s functionalities:
Information functionality: no information stored in and accessed from the user’s device can be shared with health authorities.
Symptom checker and tele-medicine functionalities:
- Access can be given to health authorities;
- The European Centre for Disease Prevention and Control (ECDC) should receive aggregated data from national authorities;
- Phone number may be disclosed in case contact with health officials is necessary.
Contact tracing and warning functionality:
- Data of the infected person: decentralized processing preferred, i.e. identifiers should be stored on the user’s device;
- Health authorities should have access only to proximity data from the device of an infected person in order to contact individuals at risk;
- No disclosure of the identity of contacted people to the infected person.
- Data of persons who have been in contact with the infected person: no disclosure of the identity of the infected person.
Q: What are the purposes for processing activities with the apps?
A: The identified purposes should be specific in relation to each functionality of the app and should be separate from one another. Further purposes such as scientific research and statistical purposes can be established where necessary but should be clearly communicated to app users.
Q: Will data storage be limited?
A: Yes, the Commission recommends strict data storage limitation. This principle requires that personal data may not be kept for a longer period than necessary. Timelines should be based on medical relevance, which depends on the identified purposes of the app’s functionalities, as well as realistic durations for administrative steps that may need to be taken. The Commission identifies as appropriate time periods:
- Maximum one month (incubation period plus margin);
- In any event, after the person has tested negative.
Q: How will data security be insured?
A: The Commission advises that data be stored on the user’s terminal device in an encrypted form, using state-of-the art cryptographic techniques. If data is stored in a central server, access, including administrative access, should be logged.
Proximity data should only be generated and stored on the app user’s terminal device in an encrypted and pseudonymized format.
Q: Will the data be accurate?
A: It is crucial to the effectiveness of these apps to fight the spread of COVID-19 that the data collected and used be accurate. For this reason, the Commission advises that apps rely on technologies that allow a more precise assessment of contact between persons, such as Bluetooth technology.
Q: Will Data Protection Authorities be involved in this process?
A: Yes, Data Protection Authorities should be fully involved and consulted in developing and deploying the apps. Given that this will qualify as processing on a large scale of special categories of data (health data), the Commission advises considering data protection impact assessments requirements under article 35 of GDPR.
It should be kept in mind that this is an ongoing process. The EU and Member States will continue to refine the
use of the toolbox and other practical tools in response to the COVID-19 crisis.
- 30 April 2020: public health authorities will assess the effectiveness of the apps at national and cross-border level;
- 31 May 2020: Member States report on their actions and make the measures accessible to other Member States and the Commission for peer review;
- The Commission will assess the progress made;
- From June 2020 the Commission will publish periodic reports with recommendations on actions and phase-out.
EDPB follows up with a set of dedicated Guidelines to deal with processing during the COVID-19 outbreak
Following up on the debate, Commission Recommendation and to the many initiatives that Member States are taking, the EDPB swiftly issued a new set of guidelines to address data processing activities related to the management and fight against the COVID-19 pandemic, with regards to the use of location data and contact tracing tools and the processing of health data for scientific research.
In addition and complement to the Commission’s Recommendation and the EDPB’s initial statement, the EDPB makes the following recommendations:
Use of location data and contact tracing tools
- Location data use: anonymized data should always be preferred to personal data. As anonymization is notably a difficult result to achieve irreversibly, location data must be carefully processed in order to fulfill the reasonability test. This includes considering location datasets globally and processing data from a reasonably large set of individuals using available robust anonymization techniques. Anonymization methodologies should be transparent.
- Contact tracing should be voluntary. Individuals who choose not to use the app should not face disadvantages. Voluntary basis does not amount to the user’s consent as basis for processing.
- Purpose limitation: purposes must be sufficiently specific so as to exclude further processing for purposes unrelated to the COVID- 19 health crisis (e.g., commercial or law enforcement purposes). Subsequently, adequacy, necessity and proportionality of data must be ensured.
- Data minimization and data protection by design and by default:
– Location tracking of individual users is not necessary: proximity data should be used;
– Direct identification of individuals is not functionally necessary: appropriate measures should be put in place to prevent re-identification;
– Collected information should reside on the user’s terminal equipment and be limited to absolutely necessary information.
- Storage and access to data already present on the user’s terminal: no consent required only for strictly necessary operations in relation to the provision of the service explicitly requested by the user.
Importantly, the current health crisis should not be taken as an opportunity to establish disproportionate data retention mandates:
- Storage limitation should consider necessity and medical relevance;
- Personal data should be kept only for the duration of the COVID-19 crisis, then erased or anonymized.
- (Human) qualified personnel’s strict supervision should verify the implementation of procedures and processes including respective algorithms to limit the occurrence of any false positives and negatives. Follow-up advice should not be based solely on automated processing.
- Performance of data protection impact assessments (DPIA) before implementation, and their publication is strongly recommended.
Processing of health data for scientific research in the context of the COVID-19 outbreak
- National legislators may enact specific laws pursuant to Article (9)(2) (i) and (j) GDPR (i.e. public health and public interest, scientific research purposes) to enable the processing of health data for scientific research purposes. Such processing must be covered by one of the legal bases provided in Article 6(1) GDPR.
- National laws enacted as above must be interpreted in the light of GDPR’s guiding principles and in accordance with ECJ caselaw. Derogations and limitations are applicable only to the extent of strict necessity.
- Particular emphasis is required on establishing the following:
- Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89(1) of GDPR);
- Security of processing (Article 32(1) of GDPR);
- Principle of integrity and confidentiality (Article 5(1)(f) of GDPR);
- DPIA must be carried out.
- Storage limitation must be defined and must be proportionate.
- In principle, no limitation of data subject rights’ exercisability. Some rights may be lawfully restricted on the basis of Article 89(2) of GDPR.
- International transfers: in the absence of adequacy decisions, public authorities and entities may rely upon the exceptional applicable derogations of Article 49.