On April 15, 2020 the European Commission (the “Commission”), in response to a call from the European Council of 26 March, issued a Joint European Roadmap towards lifting COVID-19 containment measures.
The Commission provided a coordinated framework for all Member States with a set of accompanying measures which are recommended for implementation in order to successfully manage the transition phase.
Among the relevant criteria for assessing the timing for lifting the existing containment measures, the Commission highlighted the importance of an “appropriate monitoring capacity, including large-scale testing capacity to detect and monitor the spread of the virus combined with contact tracing and possibilities to isolate people in case of reappearance and further spread of infections”.
Given that the use of mobile apps to trace and warn citizens about contacts with people who tested positive for COVID-19 proved to be effective in containing the spread of the infection in other countries, the Commission recommended such apps as an important element in the Member States’ strategies, provided that “the use of such mobile applications should be voluntary for individuals, based on users’ consent and fully respecting European privacy and personal data protection rules”.
On April 16, 2020 the Commission published “Guidance on Apps supporting the fight against Covid 19 pandemic in relation to Data Protection” (the “Guidance”).
The Guidance addresses only apps downloaded, installed and used on a voluntary basis by individuals with one or more of the following functionalities:
- information about the COVID-19 pandemic
- symptom checker
- contact tracing and warning
Namely, the Commission presented the elements listed below “to provide guidance on how to limit the intrusiveness of the app functionalities in order to ensure compliance with the EU personal data protection and privacy legislation”:
1) National health authorities (or entities carrying out a task in the public interest in the field of health) should be the controllers:
Having regard to the sensitivity of the personal data concerned and the purpose of data processing in this context, the Commission’s opinion is that the apps should be developed in such a way that national health authorities (or entities carrying out a task in the public interest in the field of health) are the controllers.
For the Commission, “this will also contribute to higher trust among the population and therefore acceptance of the apps (and underlying infection transmission chain information systems) and will ensure that they fulfil the intended purpose of protecting public health”.
2) Individuals should retain control by ensuring that:
(i) users can install the app on a voluntary basis;
(ii) users can provide their consent specifically for each functionality (no “bundling”);
(iii) users can share proximity data with health authorities only after it has been confirmed that the user concerned is infected with COVID-19, and only if he/she chooses to do so;
(iv) health authorities should provide the users with all necessary information related to the processing of his or her personal data pursuant to Articles 12 and 13 of the GDPR and Article 5 of the ePrivacy Directive;
(v) users should be able to exercise their rights under the GDPR (namely, access, rectification and deletion); any restriction of such rights should be in accordance with these acts and be necessary, proportionate and provided in the legislation;
(vi) the apps should be deactivated at the latest when the pandemic is declared to be under control; the deactivation should not depend on de-installation by the user.
3) The most appropriate legal basis for processing should be:
(i) consent with respect to installation of the apps and storing of information on the user’s device;
(ii) a legal obligation laid down in EU or Member State law with respect to processing by national health authorities.
4) Only personal data that is adequate, relevant and limited to what is necessary in relation to the purpose may be processed according to the principle of data minimization, namely:
(i) apps with information functionality should not process information stored in and accessed from the user’s terminal equipment other than what is necessary to provide such information;
(ii) apps with symptom checker and telemedicine functionalities will be processing personal health data and, possibly, the phone numbers of the users. A list of data which may be processed should be specified in the underlying legislation applicable to the health authorities. Information stored in and accessed from the user’s terminal equipment may be processed only insofar as it is necessary to enable the app to fulfil its purpose and allow it to function;
(iii) apps with contact tracing and warning functionalities may need to process proximity data. In this context, the Commission recommends the use of Bluetooth Low Energy (BLE) communications between devices and not the use of geolocation data (GNSS/GPS, or cellular location data): BLE proximity detection records that two devices were near each other, not where they were, whereas geolocation data enables tracking of users’ movements. Also, while it might be useful to store the day on which the contact with an infected person occurred, it does not appear necessary to store the exact time or the place of such contact. Recommendations about the warning mechanisms are also provided.
5) Disclosure of data to, and access by, health authorities should be limited to:
(i) data necessary to operate the information functionality in apps having such functionality;
(ii) information provided by the patient in apps with symptom checker and telemedicine functionalities. ECDC could receive aggregated data from national authorities for the purpose of epidemiological surveillance;
(iii) in apps with contact tracing and warning functionality, proximity data from the device of an infected person (only after the infected person, having been tested, proactively shares this data with health authorities) and data of the persons who have been in (epidemiological) contact with the infected person. The Commission specified that “the identity of the infected person should not be disclosed to the persons with whom he/she has been in epidemiological contact”.
6) Precise purposes of processing should be provided by a Union or Member State law:
The precise purpose(s) is/are associated with the functionalities of the app.
The provision of relevant information to the user is the purpose of data processing in apps with information functionalities.
The purpose(s) of processing in apps with symptom checker and telemedicine functionalities should be (i) to provide the user with the possibility to self-assess, on the basis of a set of questions asked, whether he or she has developed symptoms of COVID-19, or (ii) to obtain medical advice if he or she has developed symptoms of COVID-19.
With respect to apps with tracing and warning functionalities, the Guidance clarifies that “the mere indication of a purpose “prevention of further COVID-19 infections” is not specific enough”. In this case, the Commission recommends specifying the purpose(s) further, along the lines of: “retaining of the contacts of the persons who use the app and who may have been exposed to infection by COVID-19 in order to warn those persons who could have been potentially infected”.
7) Strict limits to data storage should be set:
According to the principle of storage limitation, personal data may not be kept for longer than necessary. The Guidance recommends that “timelines should be based on medical relevance (depending on the purpose of the app: the incubation period, etc.) as well as realistic durations for administrative steps that may need to be taken”.
8) Data should be kept secure:
Data should be stored on the terminal device of the user in an encrypted form using state-of-the-art cryptographic techniques. In addition, “proximity data should only be generated and stored on the terminal device of the individual in encrypted and pseudonymised format”.
All data transmissions from the user’s personal device to the national health authorities should be encrypted as well (transport encryption in addition to the encryption of the stored data).
Pseudonymisation should be also used in processing for scientific research purposes, provided that the national legislation allows such use.
Notably, the Commission also advised that the source code of the app should be made available to the public and accessible for review.
9) Data should be accurate:
Accuracy of data is crucial in order to minimise the risk of false positives (warning people who were never actually in close contact). For the same reason, the Commission recommended the use of technologies allowing a more precise assessment of contacts (such as Bluetooth), rather than location data.
10) Data Protection Authorities should be involved and consulted in the context of the development of the app and they should keep its deployment under review:
This last recommendation relates to the fact that the apps will process special categories of data (health data) on a large scale, which is also relevant to the application of Article 35 GDPR on data protection impact assessment.
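The following is an added illustration of how points 4(iii), 5(iii), 7 and 8 above fit together in an on-device data model; it is example code written for this summary, not code from the Commission, the EDPB or any national app. The derivation of rotating pseudonyms from a per-day key, the 10-minute rotation interval, the 14-day retention window and the record layout are all assumptions chosen for the example. Encryption of the store at rest, which the Guidance requires, is left to the platform keystore and not shown.

```python
from __future__ import annotations

import hashlib
import hmac
from datetime import date, datetime, timedelta, timezone

# Assumed parameters for illustration (not values from the Commission guidance).
TOKEN_LEN = 16          # bytes of each broadcast pseudonym
SLOTS_PER_DAY = 144     # pseudonym rotates every 10 minutes (assumption)
RETENTION_DAYS = 14     # retention window based on "medical relevance" (assumption)


def daily_key(master_secret: bytes, day: date) -> bytes:
    """Per-day key derived from a device-local secret.

    Sharing one day's key (after a confirmed positive test) reveals nothing
    about the pseudonyms broadcast on other days.
    """
    return hmac.new(master_secret, day.isoformat().encode(), hashlib.sha256).digest()


def proximity_token(day_key: bytes, slot: int) -> bytes:
    """Rotating pseudonym broadcast over BLE during one time slot of the day."""
    return hmac.new(day_key, slot.to_bytes(4, "big"), hashlib.sha256).digest()[:TOKEN_LEN]


def minimise_contact(observed_token: bytes, observed_at: datetime) -> tuple[bytes, date]:
    """Reduce a BLE sighting to the pseudonym and the calendar day.

    Exact time and place are discarded (data minimisation, point 4(iii)).
    """
    if observed_at.tzinfo is None:
        observed_at = observed_at.replace(tzinfo=timezone.utc)
    return observed_token, observed_at.astimezone(timezone.utc).date()


class ContactLog:
    """On-device store of minimised contacts (encryption at rest not shown)."""

    def __init__(self, retention_days: int = RETENTION_DAYS) -> None:
        self.retention_days = retention_days
        self._records: set[tuple[bytes, date]] = set()

    def record(self, observed_token: bytes, observed_at: datetime) -> None:
        self._records.add(minimise_contact(observed_token, observed_at))

    def purge(self, today: date) -> int:
        """Storage limitation (point 7): drop contacts older than the window."""
        cutoff = today - timedelta(days=self.retention_days)
        stale = {r for r in self._records if r[1] < cutoff}
        self._records -= stale
        return len(stale)

    def exposure_days(self, shared_day_keys: dict[date, bytes],
                      slots_per_day: int = SLOTS_PER_DAY) -> set[date]:
        """Warn without identifying anyone (point 5(iii)).

        The infected user shares only the daily keys for the infectious window.
        Each other device recomputes that user's pseudonyms and checks them
        against its own log, learning only which days it was exposed on.
        """
        days: set[date] = set()
        for day, key in shared_day_keys.items():
            tokens = {proximity_token(key, s) for s in range(slots_per_day)}
            if any(tok in tokens for tok, seen_day in self._records if seen_day == day):
                days.add(day)
        return days

    def __len__(self) -> int:
        return len(self._records)
```

Because the log keeps only (pseudonym, day) pairs, a compromised device reveals neither where the user was nor exactly when a contact happened, and the matching step never needs the infected person's name or phone number. The constructed values used below (a fixed master secret and an April 2020 date) are test data only.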
In addition to the Guidance, the European Commission recommended the development of a pan-EU reference app, or at least interoperability and sharing of results between such apps.
Indeed, on April 8, 2020 the European Commission adopted a Recommendation on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data (the “Recommendation”).
According to the Recommendation, the Toolbox should be developed taking into account the following requirements:
“(1) strictly limit the processing of personal data for the purposes of combating the COVID-19 crisis and ensure that the personal data are not used for any other purposes such as law enforcement or commercial purposes;
(2) ensure regular review of the continued need for the processing of personal data for the purposes of combating the COVID-19 crisis and set appropriate sunset clauses, so as to ensure that the processing does not extend beyond what is strictly necessary for those purposes;
(3) take measures to ensure that, once the processing is no longer strictly necessary, the processing is effectively terminated and the personal data concerned are irreversibly destroyed, unless, on the advice of ethics boards and data protection authorities, their scientific value in serving the public interest outweighs the impact on the rights concerned, subject to appropriate safeguards”.
The initiative for the development of a pan-European approach was also welcomed by the European Data Protection Board (“EDPB”), which on April 14, 2020 published a letter commenting on the European Commission's draft Guidance on apps supporting the fight against the COVID-19 pandemic (the “Letter”).
The Letter focused mainly on apps with tracing and warning functionalities, given their increased risk of interference with users’ private life.
As a general note, the Letter recommended that “the development of the apps should be made in an accountable way, documenting with a data protection impact assessment all the implemented privacy by design and privacy by default mechanisms, and the source code should be made publicly available for the widest possible scrutiny by the scientific community”.
The EDPB supported the Commission’s recommendation for a voluntary adoption of such apps, clarifying that this does not mean consent should be the legal basis for data processing by public authorities, but rather “the necessity for the performance of a task for public interest”.
The EDPB also shared the Commission’s position to exclude from the functionalities of the apps any location tracking of individual users and, therefore, pursuant to the principle of data minimization, to limit the tracing functionality to the detection of contacts with persons tested positive for the virus.
In particular, the EDPB suggested that algorithms used in apps with contact tracing functionalities should operate “under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives, and by no means the task “to provide advice on next steps” be fully automated”.
In addition, the EDPB recommended that no potential identifying element concerning any other data subject should be part of such “advice” and that nothing in the app should allow the re-identification of any other persons, positive for COVID-19 or not. In this respect, the Letter stressed the need “not to store any directly identifying data in users’ device and that such data be in any case deleted as soon as possible”.
Finally, the EDPB noted that it should be fully involved in the implementation of these measures and anticipated that it would issue Guidelines on geolocation and other tracing tools associated with the COVID-19 outbreak in the coming days.
The above serves only as a brief summary of some of the relevant data protection issues associated with mobile apps falling within the scope of the GDPR. For more information on these topics, or any other aspect of EU data protection law affecting your activities, please contact Berggren’s International Team at firstname.lastname@example.org. We will be pleased to assist you.
Please note that this overview is not meant as legal advice and that each specific matter should be evaluated in detail and on its own merits.
Mariella has 15 years of experience as an attorney at law and she supports Berggren’s Legal Team on various IP matters which have an international component. She has been a frequent speaker at international events and workshops on a variety of IP issues. At Berggren she focuses primarily on international business development.