On 8 April 2020, the European Commission adopted a recommendation on a common European Union toolbox for the use of technology and data to address the COVID-19 crisis (“Recommendation”).  The Recommendation responds to calls for a common EU approach to the use of mobile apps in combatting COVID-19—one that improves the efficacy of the technology while respecting citizens’ privacy rights.

The Recommendation has since been complemented by a separate Commission guidance paper on COVID-19 apps (“Guidance”) and release of a Common EU Toolbox for Member States (“Toolbox”) by the EU’s eHealth Network, a Commission-established body comprised of Member State authorities responsible for eHealth matters.   In addition, the European Data Protection Board (“EDPB”), which contributed to the Guidance, has published a letter to the Commission in response to the Guidance (“Letter”).

This blog will discuss the headline points contained within the Recommendation, Guidance, Toolbox, and Letter.  We will publish more detailed analyses of the Toolbox and Guidance in subsequent blogs.

Commission Recommendation on a Common Union Toolbox for the Use of Technology and Data to Combat and Exit From the COVID-19 Crisis (8 April 2020)

  • The Recommendation responds to calls for a pan-European effort, involving both Member States and private organizations, to contain the spread of the virus; and it highlights, in particular, strategies involving mobile apps and the use of anonymized data, such as telecoms data.
  • The Commission proposes a Toolbox—a body of technology and data measures—to be developed by the Commission in cooperation with Member States (via the eHealth Network). In the Recommendation, the Commission briefly outlines a coordinated approach to the use of smartphone apps for tracing COVID-19 infections, which ensures individual privacy and data security.
  • In order to protect privacy and maintain data protection, and ensure that these efforts do not lead to surveillance and stigmatization, the Commission advises that the Toolbox (and therefore any apps) should:
    • strictly limit the processing of data to combatting COVID-19;
    • ensure regular review of whether the processing of personal data remains necessary; and
    • take measures to ensure that, once processing is no longer strictly necessary, the processing is effectively terminated and the personal data is irreversibly destroyed.
  • The Commission requests that Member States report to the Commission on actions taken pursuant to the Recommendation by 31 May 2020, and on a periodic basis thereafter, as well as ensure that any measures are accessible for peer review by other Member States and the Commission. Commencing in June 2020, the Commission will assess the progress made and may, depending on what it finds, issue additional recommendations.

eHealth Network’s Common EU Toolbox for Member States (15 April 2020)

  • Expanding on the Recommendation, the Toolbox—developed by the eHealth Network with the support of the Commission—offers suggestions for making effective use of technology and data, with a particular focus on two areas:
    • A pan-European approach for the use of mobile apps to: (i) improve targeted social distancing measures; (ii) enable warning and contact tracing; and (iii) assist in limiting the spread of COVID-19.
    • A common scheme for using anonymized and aggregated data regarding the mobility of larger populations in order to: (i) model and predict the evolution of the disease; (ii) monitor the effectiveness of decision-making by Member States’ authorities on measures such as social distancing and confinement; and (iii) inform a coordinated strategy for ramping down on controls inspired by COVID-19.
  • The Toolbox provides significant detail for a common approach on the use of mobile apps, anonymized data, and aggregated data that consists of:
    • Specifications to ensure the effectiveness of mobile information, warning, and tracing apps.
    • Measures to prevent proliferation of apps that are not compatible with EU law, to support disabled access, and for interoperability.
    • Governance mechanisms to be applied by public health authorities, and cooperation with the European Centre for Disease Prevention and Control (“ECDC”).
    • Identification of good practices and mechanisms for the exchange of information on how the apps are functioning.
    • Sharing data with health authorities and public research institutions.
    • Modelling, mapping, and predicting the diffusion of the disease and the impact on health systems (e.g., availability of ICUs and PPE).
    • Optimizing the effectiveness of measures to contain the diffusion of COVID-19 and to address its effects.
  • The Toolbox also lists four essential requirements of national apps—they must be:
    • voluntary;
    • approved by the national health authority;
    • privacy-preserving, through the use of encryption; and
    • dismantled as soon as they are no longer needed.
  • The Commission states that by 30 April 2020, public health authorities will assess the effectiveness of the apps at a national and cross-border level.

Commission Guidance on Apps Supporting the Fight Against COVID-19 Pandemic in Relation to Data Protection (16 April 2020)

  • The Guidance supplements the Toolbox, and the two documents are to be read together. Whereas the Toolbox sets out a series of measures and safeguards that should be implemented when developing tracing apps, the Guidance provides further specific detail around the privacy and data protection principles and standards that should be incorporated into apps.  In particular, the Guidance sets out features and requirements that apps should include to ensure compliance with the General Data Protection Regulation (“GDPR”) and the ePrivacy Directive.
  • The Guidance is not legally binding and specifically addresses voluntary apps that offer one or more of the following functionalities:
    • Provide information to individuals about COVID-19.
    • Provide questionnaires to facilitate self-assessment and provide guidance (i.e., symptom checker apps).
    • Alert persons who have been in close proximity to an infected person (i.e., contact tracing and warning apps).
    • Provide a communication forum between patients and doctors (i.e., telemedicine apps).
  • The Commission lists the following as key to ensuring that apps remain trustworthy and accountable:
    • Data Controllers: Apps should be designed in such a manner that national health authorities are the data controllers. This is due to the high sensitivity of the data.
    • Voluntary: Installation of the app should be voluntary, and consent should be given on a per-functionality basis.
    • Proximity Data: Proximity data (i.e., distance between an app user and a third party, e.g., a COVID-19 patient) should be encrypted, stored locally on the user’s device, and should only be shared with the user’s consent.
    • Data Minimization: Apps should adhere to the principle of data minimization, and data should not be kept for longer than is necessary.
    • Accurate Data: Any personal data processed by a third party must be accurate. Bluetooth technology should be used to provide a more precise assessment of an individual’s contact with or proximity to another.
    • Role of Data Protection Authorities: Data protection authorities should be involved in the development of apps and should be tasked with reviewing their deployment.

EDPB Letter in Response to the Commission’s Guidance (14 April 2020)

  • On April 15, 2020, the European Data Protection Board (“EDPB”) published a letter sent to the European Commission in response to the Commission’s Guidance (draft guidance at the time). We highlight key points expressed in the letter below:
    • User Penetration: Achieving significant user penetration is critical to the efficacy of apps, and any functional heterogeneity, lack of interoperability, or difference in the manner of use may create negative externalities.
    • Voluntary: Apps should be provided on a voluntary basis, but appropriate communications promoting apps may assist in avoiding scattered adoption.
    • Legal Basis for Processing Consent may not be the most appropriate legal basis. Where the app is provided based on a mandate assigned by and in line with requirements laid down in a law, the most relevant legal basis for the processing is the necessity for the performance of a task for public interest.
    • Location Tracking: Contact tracing apps do not require location tracking, and because less intrusive methods of contact tracing are available, its inclusion may violate the principle of data minimization. There are also related security and privacy risks.
    • Role of Health Authorities: Health authorities and scientists should play a role in defining what constitutes an event (i.e., contact with infected persons) and related functional requirements of apps.
    • Data Storage: While both local data storage on individuals’ devices and centralized storage (e.g., with a health authority) may be compliant with data protection law, the EDPB is of the opinion that the decentralized solution is more in line with the principle of data minimization.
    • Warning Mechanism: Warning mechanisms (via in-app notifications) should only involve the processing of random pseudonyms. Additionally, to ensure that errors do not result in false warnings, mechanisms should ensure that the information entered, when declaring that a person is COVID-positive, is correct.
    • False Positives: Algorithms used in contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives.
    • Human Input: The advice on “next steps” should not be fully automated (but should envisage human interaction, for example through a telephone number or contact channel).
    • Identification of Users: The app should not identify the infected person nor allow the re-identification of any other persons, whether infected by COVID-19 or not.
    • Role of the EDPB and Supervisory Authorities: The EDPB and the EU Supervisory Authorities should be consulted during the design and implementation of the measures that allow for the creation of contact tracing apps.

In addition to the documents discussed above, the EDPB is expected to publish guidelines on geolocation and other tracing tools in due course.

Please watch this space for our forthcoming blogs.