Is a privacy-friendly use of mobile applications to combat COVID-19 our exit plan from the crisis?

Europe

A Pan-European Approach to the Use of Mobile Apps and Mobile Data

With its Recommendation of 8 April 2020 on steps and measures to develop a common approach to the use of mobile applications and mobile data to avoid the further spread of COVID-19, the European Commission has envisaged a toolbox for Member States to create a pan-European framework.

Since the beginning of the current exceptional situation, governments have been making efforts to empower citizens to take effective and targeted measures to shape the fight against COVID-19. Mobile applications with their various functions can contribute a significant added value in this regard.

As pointed out by the Commission, the debated mobile applications would serve three main functions: (1) informing and advising citizens and facilitating the organisation of the medical follow-up of persons with symptoms, regularly involving self-diagnosis questionnaires; (2) interrupting infection chains and preventing a resurgence of infections in the reopening phase by warning people who have been in (close) contact with an infected person; and (3) monitoring and enforcing the quarantine of infected persons, regularly involving self-assessment of their health condition during quarantine.

The developers of such apps are both public authorities and private sector companies. Importantly, though, in the Commission’s view, the efforts to combat the virus are impeded by the fragmentation of particular Member States’ approaches; hence the Commission’s calls for a common approach of the European Union to the COVID-19 crisis.

Data Protection Considerations

As these mobile apps could, for example, track the geolocation of individuals, assess the degree of health risk of an individual or allow centralisation of specific categories of data, the question of users’ privacy cannot be avoided.

To this end, the European Data Protection Board (the EDPB) has expressed its views following the Commission’s recommendations. In general, the EDPB welcomed the Commission’s call for a coordinated pan-European approach to combating the COVID-19 crisis, where mobile apps could play an important role. The EDPB has also stressed the importance of balancing the public interest purpose of fighting the pandemic and the privacy of individuals. Below you will find some of the major points raised by the EDPB in this context.

Voluntary use of the apps: The larger the proportion of the population using the apps, the higher their effectiveness. Nonetheless, both the EDPB and the Commission strongly support the voluntary use of such apps by citizens.

Performance of a public task as the legal basis for processing: While the Commission refers primarily to consent as the legal basis for the processing of data within the applications, the EDPB stressed that the need to perform tasks in the public interest is the most appropriate legal basis. The EDPB considers that voluntary use of the app does not automatically indicate consent as the legal basis for processing. It supports legislative initiatives promoting the voluntary use of such apps and calls for relevant accompanying communication and awareness-raising activities.

No location tracing of individual users: The EDPB states very clearly that the aim of contact tracing apps is not to locate individuals or to enforce measures introduced by governments, but to detect events, especially contacts with individuals with positive test results. The collection of localisation data from individuals in the context of contact tracing apps would, in the EDPB’s view, violate the principle of data minimisation and pose major risks to privacy and security.

Decentralised storage of data: Both centralised and decentralised storage of data could potentially work, but the EDPB prefers the latter as being more privacy-friendly.

Limitation of storage period: The EDPB follows the Commission's approach regarding the limitation of the storage period in the sense that the contemplated emergency applications should not remain in use after the COVID-19 crisis has passed and the collected data should be deleted or anonymised.

Following the general GDPR principles: In any case, the discussed apps should be developed in line with general GDPR requirements. The accountability principle should be observed, including privacy by design and privacy by default. A data protection impact assessment should be carried out and the source code should be made publicly available to allow the widest possible review by the scientific community. The EDPB also emphasises the paramount significance of quality and accuracy of the data collected by the apps to avoid false positives and false negatives. Nor may appropriate security of data be overlooked.

Current reality?

Looking at the present, fragmented app landscape, it is noticeable that many, if not all, EU countries are currently working on apps aimed at facilitating the fight against the COVID-19 crisis. Some of them are based on geolocation, such as Coronamadrid and StopCovid19 in Spain, whereas others are based on Bluetooth technology as a “digital handshake”, such as Stopp-Corona-App in Austria, StopCovid in France, ProteGo in Poland or an app being developed by NHSX in the United Kingdom.

It remains to be seen whether the current Member States’ efforts will be combined under a common EU approach and to what extent the privacy considerations will be taken into account.