European Commission weighs in on potential privacy risks of coronavirus contact tracing apps

As many European nations slowly lift containment measures after the initial COVID-19 outbreak, a number of jurisdictions intend to use mobile phone technology to trace and contain potential new outbreaks. Numerous jurisdictions have already launched apps with varying functionality to enable such tracking. While this is seen by some as an opportunity, others are concerned that such apps might intrude on personal privacy. This has prompted the European Commission to respond. This article reports on the new European Commission Guidelines (2020/C 124 I/01) on apps supporting the fight against the COVID-19 pandemic in relation to data protection.

As COVID-19 infection rates start to fall in numerous countries across the globe, many nations are slowly easing restrictions and gradually reopening their economies. Avoiding new outbreaks of the disease as containment measures are lifted requires thorough tracking, testing and containment of infected individuals, according to experts. Several countries are introducing tracking apps that use mobile phone technology to provide varied functionality to help authorities contain the disease. The functions offered by these apps range from non-intrusive, such as providing information and guidance, to potentially intrusive, such as tracking individuals.

To strike a balance between potential breaches of privacy and the need to make effective use of mobile technology to track and contain outbreaks, the European Commission and the European Data Protection Board (EDPB) have recently provided guidelines for national and regional authorities as well as for app developers in the EU on the development of apps aimed at combatting the COVID-19 pandemic. The guidelines only provide guidance on the use of apps on a voluntary basis.

Different types of apps
The guidelines cover four main functions:

• the povision of accurate information to individuals about the COVID-19 pandemic (information functionality);
• the provision of questionnaires to individuals for self-assessment and guidance (symptom checker functionality);
• the alerting of those who have been in proximity to an infected person for a certain amount of time, in order to provide information such as whether to self-isolate and where to get tested (contact tracing and warning functionality); and
• the provision of a forum for communication between doctors and patients in self-isolation or to provide further advice on diagnosis and treatment (increased use of telemedicine).

Depending on the scope of the app and the relevance of one or more of the abovementioned functions, functionality may impact a range of rights contained in the Charter of Fundamental Rights of the EU. The European Commission has therefore set out important aspects to consider when creating an app with one or more of the aforementioned functions. The key aspects are detailed below.

Personal data controller
The EU Commission has stressed that the data controller for data gathered through the functions listed above should be national health authorities (or other entities performing health-related tasks in the public interest). This way, the flow of data can be controlled and is transparent for the data subject, which can enhance the credibility and acceptance of such apps. 

Individual control over data flows
In addition to stating that national authorities should act as data controllers, the EU Commission has also provided additional specific guidance to ensure user consent and control:

• Most importantly, the installation of the app should be voluntary, which also means there should be no negative consequences for individuals who do not install the app.
• Users must be able to separately consent to each specific function of the app (this does not mean, however, that the app cannot provide combined services based on users’ choices).
• Data indicating epidemiologically relevant proximity to other users should be stored on the user’s device (and not automatically uploaded to the personal data controller). The data controller may only receive the data if users actively choose to share it.
• Health authorities should provide individuals with sufficient information about the processing of their data, as laid out in the GDPR and the ePrivacy Directive.
• Individuals should be able to exercise their rights relating to their data under GDPR.
• Health authorities should not use such apps to gather data for longer than is necessary, i.e. they must deactivate such apps once the pandemic is under control.

These European Commission guidelines clearly encourage restrictive use of tracking technology in order to maintain the rights and freedoms of individuals, stressing the importance of voluntary efforts by individuals.

Data minimisation, limitation of disclosure and security
The guidelines stress the importance of not deviating from the core principles, such as the principles of data minimisation, limitation of disclosure and access, and security. The main limitations for different functions may be summarised as follows:

Limitations on information functionality
To provide information, there is no need to gather any health data relating to individuals. For this purpose, health authorities should not gather any personal data other than the data required to provide such information. In addition, no data on users’ devices may be shared with health authorities. Any data accidently gathered should be erased immediately.

Limitations on symptom checker functionality and telemedicine
If an app gathers health data through symptom checker functionality or telemedicine, a list of data that may be processed should be specified in the applicable national legislation. In addition, users’ telephone numbers may be gathered to ensure functionality. Following a decision by the relevant health authorities, aggregated anonymised data may be gathered to ensure epidemiological surveillance. Users should also be properly informed that the health data is being processed to allow individuals to self-assess whether they have COVID-19 symptoms or to receive medical advice if they have such symptoms.

Limitations on contact tracing and alert functionalities
Proximity data may, under certain circumstances, be used for contact tracing and alert functionalities. The guidelines stress that such apps should not extend beyond their purpose and should not be used to track individuals. For this reason, Bluetooth Low Energy (BLE) communication is preferred over geolocation data (GNSS/GPS) for this purpose, as BLE does not allow localisation. Geolocation data is not encouraged. In addition, the time and date of the contact should not be processed, as it is not necessary for this purpose. Furthermore, proximity data should only be created and processed in cases where there is an actual infection risk, based on the proximity and duration of the contact.

As with symptom checker functionalities, data should only be shared with health authorities upon active sharing by users, and the possibility of identifying users directly should be minimised through appropriate technical solutions. The identification of persons who have been in (epidemiological) contact with an infected person should only be shared with health authorities based on objective, relevant criteria as described in the guidelines.

The purpose of such data processing should be specified to users to ensure transparency on the types of processing that occur and the specific purposes.

Legal basis for data processing
An important aspect to consider is the legal basis for such processing. The processing of health data for tracking individuals could lead to considerable intrusion of individuals’ privacy. The guidelines state that health data may be processed by national health authorities under Article 9.2 i) of the GDPR, provided that such processing is necessary for the performance of a task in the public interest, as recognised by EU or member state law. It is further specified that such legal basis may only be used if national legislation is in place allowing for the surveillance of epidemics and if such legislation meets the additional requirements of Article 6.3 of the GDPR.

To date we have not seen any initiatives from the Swedish government regarding the use of apps to protect Sweden against the COVID-19 pandemic. Setterwalls hopes to see further clarification in this regard and will follow any developments closely.