On 14 April, the European Data Protection Board (EDPB) published a letter providing advice on the draft Guidance on apps supporting the fight against COVID-19 pandemic, released by the European Commission.
Contact tracing apps aim to keep track of the spread of the virus and inform users when they came in contact with a person who tested positive for COVID-19.
In its response, the EDPB highlights some of the most important principles which should be observed when developing mobile applications designed to empower authorities and individuals in the response to fight the pandemic, such as:
- consulting with data protection authorities to ensure that personal data is processed lawfully,
- performing data protection impact assessments in connection to all implemented privacy by design and privacy by default mechanisms,
- minimising the interferences with private life,
- examining the technical solutions in detail, on a case-by-case basis.
The EDPB specifically addresses to the use of apps for the contact tracing and warning functionality, supporting the Commission’s proposal for a voluntary adoption of such apps. The individuals should be free to install and uninstall the app at will, without any negative consequence for the ones not using it.
As a side note, the EDPB highlights that use of contact tracing apps on a voluntary basis does not mean that the processing of personal data by public authorities is necessarily based on the consent, as a legal ground for carrying out the processing. Moreover, given the current situation created by the Covid-19 outbreak, it appears that the most relevant legal basis for the processing is the necessity for the performance of a task for public interest.
The EDPB encourages the enactment of national laws promoting the voluntary use of the apps, accompanied by awareness-raising campaigns and assistance to minors, to the impaired, or to less skilled or educated parts of the population.
Apps should comply with privacy rules in order not to create major security and privacy risks
Contact tracing apps should not require location tracking of users, but instead discover events (contacts with positive persons), which are only likely to happen. Collecting an individual’s movements would violate the principle of data minimisation and would create major security and privacy risks. The storage of such events may be either decentralised (the related data is stored within individuals’ devices) or centralised, provided that adequate security measures are in place. However, the recommendation is to opt for the decentralised solution.
Finally, the EDPB emphasises that these apps should not give rise to any sort of stigmatisation. In order to avoid such, no potential identifying element of any other data subject should be made available to the user, nor should the use of the app, or part of it allow the re-identification of any other persons, infected by COVID-19 or not. Thus, no directly identifying data should be stored in users’ device and, in any case, such data should be deleted as soon as possible.
Finally, the EDPB strongly advises that once the crisis is over, such emergency system should not remain in use and, as a general rule, the collected data should be erased or anonymised.
The full content of the letter may be found here.