Pan-European Privacy Preserving Proximity Tracing Initiative

According to media sources, an EU consortium led by Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI) will soon release software code that can be used to create apps that will help track transmission chains of COVID-19.  The Pan-European Privacy Preserving Proximity Tracing (“PEPP-PT”) project comprises more than 130 members across eight European countries, including scientists, technologists, and experts.

The PEPP-PT project has published a manifesto explaining its intention to create “well-tested proximity tracking technologies” that national authorities can use to create their own COVID-19 apps.  According to the manifesto, these technologies ensure “secure data anonymization” and “cross border interoperability”.  The apps concerned would inform users, based on the phone’s Bluetooth signals, whether they have been in the proximity of a person who was tested positive for COVID-19.

National public authorities developing apps on the basis of this software remain free to decide how to inform persons that have been in contact with someone who has tested positive.  The PEPP-PT website states that national cyber security agencies and national data protection agencies will assess the apps that are created using the code released by the PEPP-PT.  EU Commissioner Thierry Breton indicated that the European Commission is also investigating whether an app using the PEPP-PT software would be compliant with “EU values”, reflecting the privacy concerns associated with such apps.

Several Member States have been considering using apps in the fight against COVID-19 (e.g., Ireland and Germany).  Polish authorities, for example, have developed an app that individuals who tested positive for COVID-19, and are in quarantine, can voluntary use to prove that they remain in quarantine (i.e., by sending selfies with their location to the authorities), as an alternative to receiving police visits.

COVID-19 Apps and Websites

Since the start of the COVID-19 crisis in Europe, private and public entities have begun releasing COVID-19 related apps.  In response, some EU Supervisory Authorities have issued statements in relation to such apps:

  • The Belgian Supervisory Authority provided brief guidance to developers of COVID-19 apps (and websites). It clarifies the expected standard of anonymity and, in particular, it states that IP addresses should always be considered as personal data. It also distinguishes apps offered by healthcare providers and other health apps.  In the latter case, the apps should provide at the time of set up, and before any personal data is collected or shared, all the information required by Article 13 of the GDPR. According to the statement, “at the end of the use of the application”, all personal data should be deleted.
  • The Italian Supervisory Authority states that it “would have no objection” to an app managed by public authorities that tracks persons who tested positive with COVID-19 and people who have come into contact with such persons, provided the app complies with data protection law.
  • The German Supervisory Authority of Rhineland-Palatinate states that an app that tracks the transmission of COVID-19 using Bluetooth technology “is possible”, provided it complies with data protection law. The statement lists various criteria that, in the opinion of the authority, are decisive in order to comply with data protection law.  In particular, the authority notes that use of the app should be voluntary, the purposes for processing the data be limited, that pseudonymization techniques are applied to the data and that the data be deleted if there is no longer a risk of infection.
  • The Slovenian Supervisory Authority issued a statement about the website, which allowed individuals to report and record their COVID-19 symptoms, provide information about the symptoms, indicate the number of family members in the individual’s household, record the date symptoms were first detected, and the individual’s phone number and residential information. Despite claiming that it only collected anonymized data, the authority’s investigation revealed that the data was only encrypted and not anonymized and therefore did not comply with the GDPR.  As a result, the website announced that it has deleted its database and is looking into how to provide this service in a GDPR-compliant manner.  The same authority issued a statement on the use of geolocation data to fight COVID-19, which states that this is only possible in exceptional circumstances and provided appropriate safeguards are in place.
  • The Spanish Supervisory Authority states that only public authorities have the authority to process personal data to control the epidemic. This includes collecting data in order to offer self-assessment tools and the collection of geolocation data for creating maps of high/low risk areas, or to control whether individuals who have tested positive comply with quarantine restrictions.  Private entities may only process personal data pursuant to the instructions of the public health authorities.

In general, the statements released by EU Supervisory Authorities so far suggest that the use of apps or websites by public authorities to track the spreading of COVID-19 will be allowed, provided they comply with the principles found in EU data protection laws.  By contrast, regulators appear far more skeptical that private-sector bodies should be deploying and using such apps or websites.  Covington’s Privacy and Cyber practice will continue to monitor these developments closely.