On April 15th, the e-Health Network branch of the European Commission published the EU toolbox: “Mobile applications to support contact tracing in the EU’s fight against COVID-19”. This communications aims at guiding Member States on how to best use mobile apps to tackle COVID-19 while safeguarding data privacy.
The common approach aims to exploit the latest privacy-enhancing technological solutions that enable at-risk individuals to be contacted and, if necessarily, to be tested as quickly as possible, regardless of where they are and the app they are using. It explains the essential requirements for national apps, namely that they be:
- voluntary;
- approved by the national health authority;
- privacy-preserving - personal data is securely encrypted; and
- dismantled as soon as no longer needed.
Mobile apps have potential to bolster contact tracing strategies to contain and reverse the spread of COVID-19. EU Member States are converging towards effective app solutions that minimise the processing of personal data, and recognise that interoperability between these apps can support public health authorities and support the reopening of the EU’s internal borders.
Member States agreed on April 16th that COVID-19 mobile applications should not process the location data of individuals, because "it is not necessary nor recommended for the purpose of contact tracing".
"Collecting an individual's movements in the context of contact tracing apps would create major security and privacy issues," states the EU toolbox adopted by EU countries and supported by the European Commission.
The EU toolbox was delivered following the European Commission’s recommendation, released on April 8th, on apps for contact tracing. This recommendation reflects on a common Union toolbox for the use of technology and data in order to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data.
The recommendation sets out a process towards the adoption with the Member States of a toolbox, focusing on two dimensions:
- A pan-European coordinated approach for the use of mobile applications for empowering citizens to take effective and more targeted social distancing measures and for warning, preventing and contact tracing; and
- A common approach for modelling and predicting the evolution of the virus through anonymised and aggregated mobile location data.
Additionally, on April 16th, the Commission published the EU approach for efficient contact tracing apps to support gradual lifting of confinement measures. Also on April 16th, the European Commission published guidance on the development of new apps that support the fight against coronavirus in relation to data protection.
Since the outbreak of the coronavirus pandemic, Member States, backed by the Commission, have been assessing the effectiveness, security, privacy, and data protection aspects of digital solutions to address the crisis. Contact tracing apps, if fully compliant with EU rules and well coordinated, can play a key role in all phases of crisis management, especially when time will be ripe to gradually lift social distancing measures.
The Commission guidance sets out features and requirements which apps should meet to ensure compliance with EU privacy and personal data protection legislation, in particular the General Data Protection Regulation (GDPR) and the ePrivacy Directive. However, the guidance is not legally binding. It is without prejudice to the role of the Court of Justice of the EU, which is the only institution that can give authoritative interpretation of EU law.
The present guidance addresses only voluntary apps supporting the fight against COVID 19 pandemic (apps downloaded, installed and used on a voluntary basis by individuals) with one or several of the following functionalities:
- Provide accurate information to individuals about the COVID-19 pandemic;
- Provide questionnaires for self-assessment and for guidance to individuals (symptom checker functionality);
- Alert persons who have been in proximity for a certain duration to an infected person, in order to provide information such as whether to self-quarantine and where to get tested (contact tracing and warning functionality);
- Provide a communication forum between patients and doctors in situation of self-isolation or where further diagnosis and treatment advice is provided (increased use of telemedicine).
This guidance does not cover apps aimed at enforcing quarantine requirements (including those which are mandatory).
By the end of April 2020: Member States with the Commission will seek clarifications on the solution proposed by Google and Apple with regard to contact tracing functionality on Android and iOS in order to ensure that their initiative is compatible with the EU common approach.