Pan-European Privacy Preserving Proximity Tracing Initiative

According to media sources, an EU consortium led by Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI) will soon release software code that can be used to create apps that will help track transmission chains of COVID-19.  The Pan-European Privacy Preserving Proximity Tracing (“PEPP-PT”) project comprises more than 130 members across eight European countries, including scientists, technologists, and experts.

The PEPP-PT project has published a manifesto explaining its intention to create “well-tested proximity tracking technologies” that national authorities can use to create their own COVID-19 apps.  According to the manifesto, these technologies ensure “secure data anonymization” and “cross border interoperability”.  The apps concerned would inform users, based on the phone’s Bluetooth signals, whether they have been in the proximity of a person who was tested positive for COVID-19.

National public authorities developing apps on the basis of this software remain free to decide how to inform persons that have been in contact with someone who has tested positive.  The PEPP-PT website states that national cyber security agencies and national data protection agencies will assess the apps that are created using the code released by the PEPP-PT.  EU Commissioner Thierry Breton indicated that the European Commission is also investigating whether an app using the PEPP-PT software would be compliant with “EU values”, reflecting the privacy concerns associated with such apps.

Several Member States have been considering using apps in the fight against COVID-19 (e.g., Ireland and Germany).  Polish authorities, for example, have developed an app that individuals who tested positive for COVID-19, and are in quarantine, can voluntary use to prove that they remain in quarantine (i.e., by sending selfies with their location to the authorities), as an alternative to receiving police visits.

COVID-19 Apps and Websites

Since the start of the COVID-19 crisis in Europe, private and public entities have begun releasing COVID-19 related apps.  In response, some EU Supervisory Authorities have issued statements in relation to such apps:

  • The Belgian Supervisory Authority provided brief guidance to developers of COVID-19 apps (and websites). It clarifies the expected standard of anonymity and, in particular, it states that IP addresses should always be considered as personal data. It also distinguishes apps offered by healthcare providers and other health apps.  In the latter case, the apps should provide at the time of set up, and before any personal data is collected or shared, all the information required by Article 13 of the GDPR. According to the statement, “at the end of the use of the application”, all personal data should be deleted.
  • The Italian Supervisory Authority states that it “would have no objection” to an app managed by public authorities that tracks persons who tested positive with COVID-19 and people who have come into contact with such persons, provided the app complies with data protection law.
  • The German Supervisory Authority of Rhineland-Palatinate states that an app that tracks the transmission of COVID-19 using Bluetooth technology “is possible”, provided it complies with data protection law. The statement lists various criteria that, in the opinion of the authority, are decisive in order to comply with data protection law.  In particular, the authority notes that use of the app should be voluntary, the purposes for processing the data be limited, that pseudonymization techniques are applied to the data and that the data be deleted if there is no longer a risk of infection.
  • The Slovenian Supervisory Authority issued a statement about the website https://covid-19-stats.si/, which allowed individuals to report and record their COVID-19 symptoms, provide information about the symptoms, indicate the number of family members in the individual’s household, record the date symptoms were first detected, and the individual’s phone number and residential information. Despite claiming that it only collected anonymized data, the authority’s investigation revealed that the data was only encrypted and not anonymized and therefore did not comply with the GDPR.  As a result, the website announced that it has deleted its database and is looking into how to provide this service in a GDPR-compliant manner.  The same authority issued a statement on the use of geolocation data to fight COVID-19, which states that this is only possible in exceptional circumstances and provided appropriate safeguards are in place.
  • The Spanish Supervisory Authority states that only public authorities have the authority to process personal data to control the epidemic. This includes collecting data in order to offer self-assessment tools and the collection of geolocation data for creating maps of high/low risk areas, or to control whether individuals who have tested positive comply with quarantine restrictions.  Private entities may only process personal data pursuant to the instructions of the public health authorities.

In general, the statements released by EU Supervisory Authorities so far suggest that the use of apps or websites by public authorities to track the spreading of COVID-19 will be allowed, provided they comply with the principles found in EU data protection laws.  By contrast, regulators appear far more skeptical that private-sector bodies should be deploying and using such apps or websites.  Covington’s Privacy and Cyber practice will continue to monitor these developments closely.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.