Privacy & Information Security Law Blog

On April 8, 2020, the European Commission adopted a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the coronavirus pandemic (the “Recommendation”).

The Recommendation sets out a process by which the European Union (“EU”) Member States can adopt a toolbox of practical measures, with a focus on the following priorities:

• A pan-European, coordinated approach to using mobile apps that empower citizens to take effective and more targeted social distancing measures, and aid with warning, preventing and contact tracing to help limit the propagation of COVID-19; and
• A common approach to using anonymized and aggregated mobile location data to (1) model and predict the evolution of COVID-19; (2) monitor the effectiveness of measures to contain the diffusion of the disease, such as social distancing and confinement; and (3) help develop a coordinated strategy for going forward, including the easing of containment measures.

Background

Digital tools can be potent in combating the current health crisis. In particular, the Recommendation recognizes the potentially critical role of warning and tracing apps in limiting the propagation of the virus and interrupting transmission chains. A variety of COVID-focused mobile apps have been developed, some by public authorities, and there have been calls from EU Member states and the private sector for coordination at EU level. The Recommendation stresses the need to develop a common EU approach, or toolbox, for the use of these apps and mobile data to both avoid the fragmentation of the European internal market and ensure that the apps and data comply with EU data protection standards.

To that end, the Recommendation stresses that the toolbox should:

• strictly limit the processing of personal data for the purposes of combating COVID-19 and ensure that the personal data involved is not used for any other purposes, such as law enforcement or commercial purposes;
• ensure that the processing does not extend beyond what is strictly necessary, including through regular re-assessments of the need for processing such personal data and the use of appropriate sunset clauses;
• take measures to ensure that, once the processing is no longer strictly necessary, the personal data concerned is destroyed, unless, on the advice of ethics boards and EU data protection authorities, their scientific value in serving the public interest outweighs the impact on the rights concerned, subject to appropriate safeguards.

Coordinated Approach to Tracing Apps

The Recommendation’s immediate priority is a pan-EU approach for COVID-19 mobile applications, to be jointly developed by EU Member States and the European Commission and in consultation with the European Data Protection Board. This approach should include:

• specifications to ensure the effectiveness of tools from medical and technical perspectives;
• measures to avoid the proliferation of apps that are incompatible with EU law;
• governance mechanisms EU public health authorities can apply, in cooperation with the European Center for Disease Control (“ECDC”);
• identifying good practices and mechanisms for exchanging information about how the apps are functioning; and
• sharing data with relevant epidemiological public bodies and public health research institutions, including disclosing aggregated data to the ECDC.

The Recommendation also notes specific principles that should be observed in connection with COVID-19 mobile warning and prevention apps, including:

• safeguards ensuring respect for fundamental rights and prevention of stigmatization;
• preference for the least intrusive yet effective measures (such as using anonymized and aggregated data where possible);
• technical requirements concerning appropriate technologies (e.g., Bluetooth Low Energy) to establish device proximity, encryption, data security, data storage on the mobile device and potential access by health authorities;
• effective cybersecurity requirements to protect the availability, authenticity, integrity, and confidentiality of the data;
• deletion of personal data obtained through these measures when the pandemic is declared to be under control, at the latest;
• uploading of proximity data in case of a confirmed infection and appropriate methods of warning those who have been in close contact with the infected person (who should remain anonymous); and
• transparency requirements with respect to the apps.

Common Approach for Modelling and Predicting the Spread and Developing Exit Strategies

The second priority is developing a common approach to using anonymized and aggregated mobile location data to model and predict the disease’s diffusion, optimize containment measures, and prepare exit strategies as the emergency lessens. This common approach should address, among other things, the following:

• advice to public authorities on asking telecom operators to clarify their methodology for anonymizing location data;
• safeguards to prevent de-anonymization;
• deleting the data within 90 days, or in any event no later than when the pandemic is deemed under control; and
• restricting the data processing to the relevant purposes, and generally prohibiting sharing data with any third party.

Next Steps

The pan-EU approach for COVID-19 mobile apps will be published on April 15, 2020. It will be complemented by additional guidance from the European Commission on the privacy and data protection implications in connection with COVID-19 mobile apps.

By May 31, 2020, EU Member States should report the actions they have taken pursuant to the Recommendation to the European Commission. They should make those measures accessible to other EU Member States and the European Commission for peer review. EU Member States and the European Commission may submit observations on such measures.

Starting in June 2020, the European Commission will assess the progress made and publish periodic reports, and may make further recommendations to EU Member States, including on the phasing out of measures that are no longer necessary.