EDPB: The 32nd Plenary Meeting Focused on COVID-19 Related Measures

During its 32nd plenary session, the European Data Protection Board (EDPB) adopted the following documents:

  • a statement on the interoperability of contact tracing apps;
  • a statement on the opening of borders and data protection rights;
  • two letters to MEP Körner – on encryption bans adopted in third countries and on Article 25 GDPR – and a letter to CEAOB on PCAOB arrangements.

1. The statement on the interoperability of contact tracing applications rolled out as part of the fight against the COVID-19 pandemic strategy

On the basis of the EDPB guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 pandemic, the statement provides a more detailed analysis of key GDPR issues (e.g. transparency, legal basis, controllership, data subject rights, data retention and minimisation, information security and data accuracy) in the context of creating an interoperable network of applications.

The EDPB states that:

  • a voluntary action of the user should be the trigger for sharing data about individuals who have been diagnosed with or tested positive for COVID-19 with these interoperable applications, and the use of these applications should not be a reason to extend the collection of personal data beyond what is necessary;

  • contact tracing apps need to be part of a comprehensive public health strategy to fight the pandemic;

  • controllers need to ensure that the measures implemented to ensure the interoperability of the apps are effective and proportionate.

2. The statement on the processing of personal data in the context of reopening the Schengen borders following the COVID-19 outbreak

As part of the reopening of the borders, the Member States have envisaged or implemented measures such as testing individuals for COVID-19, requiring certificates issued by health professionals and the use of a voluntary contact tracing app.

In this regard, the EDPB calls for a common European approach when deciding which processing of personal data is necessary in this context and advises the Member States to pay special attention to the compliance of data processing with the GDPR data protection principles.

It is of the opinion that the decision to allow entry into a country should not be based solely on automated decision-making technologies, and that such technologies should not apply to children (although the GDPR does not provide for such a prohibition).

It also stresses that (i) suitable safeguards should be implemented, including a specific information notice and the rights to obtain human intervention, to express one's point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision; and (ii) prior consultation of the competent national supervisory authorities is necessary.

3. The response to the first letter from MEP Moritz Körner on the relevance of encryption bans in third countries for assessing the level of data protection when personal data are transferred to countries where these bans exist.

According to the EDPB, any ban on encryption or provisions weakening encryption would seriously undermine compliance with GDPR security obligations applicable to controllers and processors.

It recalls that security measures are one of the elements the European Commission must take into account when assessing the adequacy of the level of protection in a third country.

We can, therefore, deduce from this statement that any country implementing encryption bans is very unlikely to be considered as ensuring an adequate level of data protection.

4. The response to the second letter from MEP Körner addressing the topic of laptop camera covers

MEP Körner stated in this letter that laptop camera covers could help comply with the GDPR and suggested that new laptops should be equipped with them. The Board clarified that laptop manufacturers are not responsible for the processing carried out with those products unless they also act as controllers or processors.

5. The letter to the Committee of European Auditor Oversight Bodies (CEAOB).

The EDPB received a proposal from the CEAOB to cooperate and receive feedback on negotiations of draft administrative arrangements for the transfer of data to the US Public Company Accounting Oversight Board (PCAOB). The EDPB is available to hold an exchange with the CEAOB to clarify any potential questions on data protection requirements related to such arrangements in light of the EDPB Guidelines 2/2020 on Art. 46 (2) (a) and 46 (3) (b) GDPR for transfers of personal data between EEA and non-EEA public authorities.
