Making COVID-19 apps data protection compliant

Until now and despite the calls by influential bodies such as the European Data Protection Supervisor for a coordinated approach to the development of single COVID-19 mobile app involving the World Health Organization, different countries have adopted their own strategies.

However, in the European Union and in an attempt to adopt a harmonised approach, the European Commission and the European Data Protection Board (EDPB) have both issued guidelines on the development of COVID-19 apps aimed at ensuring compliance with EU data protection law in a consistent way.

On 8 April, the European Commission issued its Recommendation on a common EU Toolbox for the use of technology and data to combat and exit from the COVID-19 crisis. The Recommendation sets up a process for developing a common approach, referred to as a Toolbox, to use digital means to address the crisis. The Toolbox consists of practical measures for making effective use of technologies and data, with a focus on two areas in particular:

(1) A pan-European approach for the use of mobile apps, coordinated at EU level, for empowering citizens to take effective and more targeted social distancing measures, and for warning, preventing and contact tracing to help limit the propagation of the COVID-19 disease.

(2) A common scheme for using anonymised and aggregated data on mobility of populations in order (i) to model and predict the evolution of the disease, (ii) to monitor the effectiveness of decision-making by Member States’ authorities on measures such as social distancing and confinement, and (iii) to inform a coordinated strategy for exiting from the COVID-19 crisis.

Respect for fundamental rights, such as privacy and data protection, is considered paramount when putting these measures into effect. This means that processing should be strictly limited to what is necessary and that, once the crisis is over, personal data is irrevocably destroyed. There should be a preference for less intrusive measures – proximity data instead of data on the location or movements of individuals and aggregating and anonymising data where possible. Where contact tracing entails warning those who have been in close contact with affected persons, this should be done anonymously, and applications should be transparent.

On 14 April, the EDPB provided comments on the Commission’s initiative. In particular, the EDPB highlights the need to consult with national data protection authorities when developing apps and the importance of making the source code of apps publicly available. In order to achieve maximum efficiency, apps must be used by the greatest possible share of the population. This will be hindered if different nations’ apps are not interoperable. Meanwhile, it is also important that users trust the app, so compliance with privacy laws, fundamental rights and data protection by design and by default (documented in DPIAs) are crucial.

While the EDPB encourages making the adoption of apps voluntary, the EDPB thinks that performance of a task in the public interest may in some cases be the appropriate legal basis for processing rather than consent. The EDPB also notes that contact tracing apps will not require the location tracking of individual users, which would violate the principle of data minimisation and create security and privacy risks. While storage of information about contact “events” could be valid either locally or in a centralised database, provided that adequate security measures are put in place, the decentralised solution is more compatible with the principle of data minimisation.

In light of these statements and guidelines, organisations and businesses looking to rely on contact tracing apps as part of their own strategic approach to tackle the spread of COVID-19 in a data protection compliant manner should follow these key practical steps:

1. Be transparent by explaining in a clear but comprehensive way what data will be collected and disseminated, and why.
2. Make the use of the app as voluntary as possible, even if such use can be justified for reasons of public interest or the protection of the workforce.
3. Respect the ‘purpose limitation’ principle by ensuring that the app and the data collected through it is only used for disclosed and justifiable purposes.
4. Respect the ‘data minimisation’ principle by ensuring that only the data that is truly needed is being used in each case. This also includes using anonymised or pseudonymised data where possible.
5. Make sure that the app works well by testing and verifying its accuracy on an ongoing basis.
6. Delete any data generated by the use of the app once it is established that it is no longer necessary for all of the relevant purposes.
7. Make sure that the app is as safe as possible through the use of encryption and other data security measures.
8. Involve the organisation’s Data Protection Officer in the development and deployment of the app, so they can advise on the appropriate data protection practices along the way.
9. Document all of the steps mentioned above and any measures taken to address them in a Data Protection Impact Assessment, and keep that document under review.

Authored by Eduardo Ustaran, Lilly Taranto and Ellie Hughes

Elizabeth Campion, a paralegal in our London office, contributed to this entry.