Today, the European Commission has published guidance on the development of new apps that support the fight against coronavirus in relation to data protection. The development of such apps and their take up by citizens can have a significant impact on the treatment of the virus and can play an important role in the strategy to lift containment measures, complementing other measures like increased testing capacities. It is important, however, to ensure that EU citizens can fully trust such innovative digital solutions and can embrace them without fear. The largest possible participation of EU citizens is necessary to exploit the full potential of tracing apps.
EU rules, notably the General Data Protection Regulation (GDPR) and the ePrivacy Directive, provide the strongest safeguards of trustworthiness (i.e. voluntary approach, data minimisation, time limitation) for such apps to operate widely and accurately. This guidance aims to offer the necessary framework to guarantee that citizens have sufficient protection of their personal data and limitation of intrusiveness while using such apps. The European Data Protection Board was consulted on the draft guidance. By committing to those standards, the full effectiveness and compliance of such tools can be ensured, even in times of crisis.
Vice-President for Values and Transparency, Věra Jourová, said: “This is the first global crisis where we can deploy the full power of technology to offer efficient solutions and support the exit strategies from the pandemic. Trust of Europeans will be key to success of the tracing mobile apps. Respecting the EU data protection rules will help ensure that our privacy and fundamental rights will be upheld and that the European approach will be transparent and proportional.”
Commissioner for Justice, Didier Reynders, said: “The use of mobile phone apps has the potential to really help in the fight against coronavirus, for example by helping users to diagnose themselves, as a safe communication channel between doctors and patients, by alerting users who are at risk of catching the virus, and to help us lift confinement measures. At the same time, we are talking about very sensitive data being collected on the health of our citizens, which we are duty-bound to protect. Our guidance supports the safe development of apps and protects our citizens’ personal data, in line with the EU’s strong data protection rules. We will get out of the sanitary crisis, while keeping our fundamental rights intact.”
This guidance follows the recent publication of the Commission Recommendation on a common EU approach for the use of mobile applications and mobile data, and is accompanying an EU toolbox on contact tracing apps, which is also published today.
What kind of apps and functionalities?
The guidance focuses on voluntary apps with one or more of the following functionalities:
- accurate information for users on the coronavirus pandemic;
- questionnaires for self-assessment and guidance for individuals (symptom checker functionality);
- alerts for people who have been in proximity of an infected person to get tested or to self-isolate (contact tracing and warning functionality); and
- a communication forum between patients in self-isolation and doctors including where further diagnosis and treatment advice is provided (telemedicine).
Main prerequisites for the development of coronavirus apps
- The role of national health authorities: It must be clearly established from the start who is accountable for compliance with EU personal data protection rules. Given the high sensitivity of the data and the ultimate purpose of the apps, the Commission sees this as a role for national health authorities, who would in turn be responsible for ensuring GDPR compliance in their use of data collected, including providing individuals with all necessary information related to the processing of their personal data.
- Users remain in full control of their personal data: The installation of an app on a user’s device should be voluntary; a user should be able to give their consent to each functionality of an app separately. If proximity data is used, it should be stored on an individual’s device and only shared with the user’s consent; users should be able to exercise their rights under the GDPR.
- Limited use of personal data: An app should adhere to the principle of data minimisation, which requires that only personal data that is relevant and limited to the purpose in question can be processed. The Commission considers location data not necessary for the purpose of contact tracing and advises not to use location data in this context.
- Strict limits on data storage: Personal data should not be kept for longer than necessary. Timelines should be based on medical relevance as well as the realistic duration for necessary administrative steps to be taken.
- Security of data: Data should be stored on an individual’s device and encrypted.
- Ensuring the accuracy of the data processed: It is a requirement under EU personal data protection rules that any personal data processed by a third party must be accurate. To ensure maximum accuracy, which is also essential for the efficiency of contact tracing apps, technology such as Bluetooth should be used to provide a more precise assessment of individuals’ contact with one another.
- Involvement of national data protection authorities: Data protection authorities should be fully involved and consulted in the development of an app and should be tasked with reviewing the deployment of an app.
Today, Member States, supported by the Commission, published an EU toolbox for mobile contact tracing and warning apps, following the adoption of a Commission Recommendation for a common EU approach for the use of technology and data in the fight against coronavirus. To ensure that the data of European citizens is protected at all times, in line with EU data protection rules, this guidance accompanies the toolbox as advice for the development of new apps and the subsequent use of data by national health authorities.