The European Commission (EC) met in Brussels last week and issued a recommendation outlining what it hopes will be a unified approach throughout the European Union (EU) on how smartphones and data are used to fight the spread of COVID-19. The EC laid out an ambitious timeline and explained “[t]he first priority for the Toolbox should be a pan-European approach for COVID-19 mobile applications, to be developed together by Member States and the Commission, by 15 April 2020.” The EC added that “[t]he European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) will be associated to the process.” The EC stated “[t]he second priority for the Toolbox should be a common approach for the use of anonymised and aggregated mobility data necessary” for a range of purposes to model, predict, and track the virus throughout the EU. On this second priority, the EC is calling for measures to ensure anonymization, safeguarding, and permanent deletion after these data are no longer needed.
It bears noting that the EC is working within the structure provided by the General Data Protection Regulation (GDPR), Directive 2002/58/EC on Privacy and Electronic Communications (the ePrivacy Directive), and other statutes and regulations. In its press release, the EC asserted “[t]o support Member States, the Commission will provide guidance including on data protection and privacy implications…[and] is in close contact with the EDPB for an overview of the processing of personal data at national level in the context of the coronavirus crisis.” The EC also remarked on its 23 March call with the heads of EU telecommunications companies and GSMA, their association, that “also covered the need to collect anonymised mobile metadata to help analysing the patterns of diffusion of the coronavirus, in a way that is fully compliant with the GDPR and ePrivacy legislation.”
The EC declared:
The public health crisis caused by the current COVID-19 pandemic (hereinafter, ‘COVID-19 crisis’) is compelling the Union and the Member States to face an unprecedented challenge to its health care systems, way of life, economic stability and values. No single Member State can succeed alone in combating the COVID-19 crisis. An exceptional crisis of such magnitude requires determined action of all Member States and EU institutions and bodies working together in a genuine spirit of solidarity.
The EC continued:
Since the beginning of the COVID-19 crisis, a variety of mobile applications have been developed, some of them by public authorities, and there have been calls from Member States and the private sector for coordination at Union level, including to address cybersecurity, security and privacy concerns. These applications tend to serve three general functions:
(i) informing and advising citizens and facilitating the organisation of medical follow-up of persons with symptoms, often combined with a self-diagnosis questionnaire;
(ii) warning people who have been in proximity to an infected person in order to interrupt infection chains and preventing resurgence of infections in the reopening phase; and
(iii) monitoring and enforcement of quarantine of infected persons, possibly combined with features assessing their health condition during the quarantine period.
Certain applications are available to the general public, while others only to closed user groups directed at tracing contacts in the workplace. The effectiveness of these applications has generally not been evaluated. Information and symptom-checker apps may be useful to raise awareness of citizens. However, expert opinion suggests that applications aiming to inform and warn users seem to be the most promising to prevent the propagation of the virus, taking into account also their more limited impact on privacy, and several Member States are currently exploring their use.
The EC found:
A common Union approach to the COVID-19 crisis has also become necessary since measures taken in certain countries, such as the geolocation-based tracking of individuals, the use of technology to rate an individual’s level of health risk and the centralisation of sensitive data, raise questions from the viewpoint of several fundamental rights and freedoms guaranteed in the EU legal order, including the right to privacy and the right to the protection of personal data. In any event, pursuant to the Charter of Fundamental Rights of the Union, restrictions on the exercise of the fundamental rights and freedoms laid down therein must be justified and proportionate. Any such restrictions should, in particular, be temporary, in that they remain strictly limited to what is necessary to combat the crisis and do not continue to exist, without an adequate justification, after the crisis has passed.
The EC explained the purpose of the recommendation:
(1) This recommendation sets up a process for developing a common approach, referred to as a Toolbox, to use digital means to address the crisis. The Toolbox will consist of practical measures for making effective use of technologies and data, with a focus on two areas in particular:
(1) A pan-European approach for the use of mobile applications, coordinated at Union level, for empowering citizens to take effective and more targeted social distancing measures, and for warning, preventing and contact tracing to help limit the propagation of the COVID-19 disease. This will involve a methodology monitoring and sharing assessments of effectiveness of these applications, their interoperability and cross-border implications, and their respect for security, privacy and data protection; and
(2) A common scheme for using anonymized and aggregated data on mobility of populations in order (i) to model and predict the evolution of the disease, (ii) to monitor the effectiveness of decision-making by Member States’ authorities on measures such as social distancing and confinement, and (iii) to inform a coordinated strategy for exiting from the COVID-19 crisis.
(2) Member States should take these actions as a matter of urgency and in close coordination with other Member States, the Commission and other relevant stakeholders, and without prejudice to the competences of the Member States in the domain of public health. They should ensure that all actions are taken in accordance with Union law, in particular law on medical devices and the right to privacy and the protection of personal data along with other rights and freedoms enshrined in the Charter of Fundamental Rights of the Union. The Toolbox will be complemented by Commission guidance, including guidance on the data protection and privacy implications of the use of mobile warning and prevention applications.
The EC added “[t]he EDPB and the EDPS should also be closely involved to ensure the Toolbox integrates data protection and privacy-by-design principles.”
The EC stated that “[t]he first priority for the Toolbox should be a pan-European approach for COVID-19 mobile applications, to be developed together by Member States and the Commission, by 15 April 2020” that “should consist of:
(1) specifications to ensure the effectiveness of mobile information, warning and tracing applications for combating COVID-19 from the medical and technical point of view;
(2) measures to prevent proliferation of applications that are not compatible with Union law, to support requirements for accessibility for persons with disabilities, and for interoperability and promotion of common solutions, not excluding a potential pan-European application;
(3) governance mechanisms to be applied by public health authorities and cooperation with the ECDC;
(4) the identification of good practices and mechanisms for exchange of information on the functioning of the applications; and
(5) sharing data with relevant epidemiological public bodies and public health research institutions, including aggregated data to ECDC.”
Regarding the second principle for the Toolbox, the EC stated it “should be guided by privacy and data protection principles” including:
(1) safeguards ensuring respect for fundamental rights and prevention of stigmatization, in particular applicable rules governing protection of personal data and confidentiality of communications;
(2) preference for the least intrusive yet effective measures, including the use of proximity data and the avoidance of processing data on location or movements of individuals, and the use of anonymised and aggregated data where possible;
(3) technical requirements concerning appropriate technologies (e.g. Bluetooth Low Energy) to establish device proximity, encryption, data security, storage of data on the mobile device, possible access by health authorities and data storage;
(4) effective cybersecurity requirements to protect the availability, authenticity, integrity, and confidentiality of data;
(5) the expiration of measures taken and the deletion of personal data obtained through these measures when the pandemic is declared to be under control, at the latest;
(6) uploading of proximity data in case of a confirmed infection and appropriate methods of warning persons who have been in close contact with the infected person, who shall remain anonymous; and
(7) transparency requirements on the privacy settings to ensure trust into the applications.
The EC added it “will publish guidance further specifying privacy and data protection principles in the light of practical considerations arising from the development and implementation of the Toolbox.”