COVID-19 Apps and Websites

With the rollout of COVID-19 vaccination programs across the EU and the UK, employers are faced with questions about whether or not they are legally permitted to ask employees about their vaccination status and, if so, how that information may be used.

Employers may wish to inquire about the vaccination status of their employees in order to comply with their general obligation to ensure a safe workplace and minimize the risk of exposure to COVID-19.  This raises privacy issues under the General Data Protection Regulation (“GDPR”), because employees’ vaccination status falls within a special category of personal data that concerns the health of individuals (Art. 9(1)).  This category is subject to more stringent data protection measures due to the sensitive and personal nature of data, and can only be processed in very limited circumstances (Art. 9(2)).


Continue Reading COVID-19: Processing of Vaccination Data by Employers in Europe

On April 17, 2020, the UK’s Information Commissioner’s Office (“ICO”) issued an opinion on the recently announced Apple-Google initiative to develop a Bluetooth-based Contact Tracing Framework (“CTF”) to help prevent the spread of COVID-19.  The ICO opinion is generally supportive of the Apple-Google proposal and perceives it to be, at this early phase, aligned with principles of data protection by design and by default.  The ICO also cautions that since apps developed under the CTF could also be used to collect additional data using other techniques beyond those currently planned, developers of such apps must ensure compliance with data protection laws.

Continue Reading UK ICO Issues Opinion on Apple-Google Initiative for a Contact Tracing Framework

On 8 April 2020, the European Commission adopted a recommendation on a common European Union toolbox for the use of technology and data to address the COVID-19 crisis (“Recommendation”).  The Recommendation responds to calls for a common EU approach to the use of mobile apps in combatting COVID-19—one that improves the efficacy of the technology while respecting citizens’ privacy rights.

The Recommendation has since been complemented by a separate Commission guidance paper on COVID-19 apps (“Guidance”) and release of a Common EU Toolbox for Member States (“Toolbox”) by the EU’s eHealth Network, a Commission-established body comprised of Member State authorities responsible for eHealth matters.   In addition, the European Data Protection Board (“EDPB”), which contributed to the Guidance, has published a letter to the Commission in response to the Guidance (“Letter”).

This blog will discuss the headline points contained within the Recommendation, Guidance, Toolbox, and Letter.  We will publish more detailed analyses of the Toolbox and Guidance in subsequent blogs.


Continue Reading EU Commission Releases Guidance on COVID-19 Apps

Pan-European Privacy Preserving Proximity Tracing Initiative

According to media sources, an EU consortium led by Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI) will soon release software code that can be used to create apps that will help track transmission chains of COVID-19.  The Pan-European Privacy Preserving Proximity Tracing (“PEPP-PT”) project comprises more than 130 members across eight European countries, including scientists, technologists, and experts.

The PEPP-PT project has published a manifesto explaining its intention to create “well-tested proximity tracking technologies” that national authorities can use to create their own COVID-19 apps.  According to the manifesto, these technologies ensure “secure data anonymization” and “cross border interoperability”.  The apps concerned would inform users, based on the phone’s Bluetooth signals, whether they have been in the proximity of a person who was tested positive for COVID-19.

National public authorities developing apps on the basis of this software remain free to decide how to inform persons that have been in contact with someone who has tested positive.  The PEPP-PT website states that national cyber security agencies and national data protection agencies will assess the apps that are created using the code released by the PEPP-PT.  EU Commissioner Thierry Breton indicated that the European Commission is also investigating whether an app using the PEPP-PT software would be compliant with “EU values”, reflecting the privacy concerns associated with such apps.
Continue Reading COVID-19 Apps and Websites – The “Pan-European Privacy Preserving Proximity Tracing Initiative” and Guidance by Supervisory Authorities