The European Commission has recently published a recommendation to ensure full data protection standards of apps fighting the COVID-19 pandemic together with a toolbox.
This document is one among numerous documents recently published by the European Data Protection Board (EDPB) and the Commission on this subject matter (e.g. recommendations, letter, press release etc.).
Before digging into the details of this new recommendation, we thought it would be helpful to retrace the history of all the relevant Commission and EDPB publications to get a better outlook of how they fit together into the two agency’s strategy for tackling privacy issues in the context of the COVID-19 outbreak.
1. Understanding the European Commission and the European Data Protection Board’s strategy
1.1. Publication history
March 19: The EDPB adopted a statement on the processing of personal data in the context of the COVID-19 pandemic that was followed by national supervisory authorities recommendations.
April 7: The EDPB adopted mandates on the following matters:
- Mandate on the processing of health data for research purposes in the context of the COVID-19 outbreak — 07/04/2020
- Mandate on geolocation and other tracing tools in the context of the COVID-19 outbreak — 07/04/2020
April 8: The Commission published a Recommendation on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data (see here);
April 14: The EDPB posted a letter about its review of the European Commission’s recommendation released on April 16 (see here);
April 15: The Commission published the Common EU toolbox (see here);
April 16: The Commission published a recommendation to ensure full data protection standards of apps fighting the pandemic (see here);
April 17: According to its press release, the EDPB is still working on its guidelines. However, it should publish Guidelines, in the upcoming days, on geolocation and tracing tools in the context of the COVID-19 outbreak.
1.2. Our understanding of the aim of these publications
All these documents (e.g. letters, toolkits or recommendations) deal with privacy issues in the context of the COVID-19 outbreak. As a result, we may wonder which documents should prevail and what the purpose of publishing all these documents in a short period is.
Our understanding is that given the emergency, the Commission has provided a swift response to ensure that Member States apply the same privacy standards on apps supporting the fight against the COVID-19 Pandemic.
However, this not legally binding recommendation only reflects the Commission’s position on this matter and, even though it is quite comprehensive, its scope is limited to a certain type of apps and purposes (see below).
The EDPB has, so far, provided high-level recommendations on how employers and public authorities should process personal data in the context of the COVID-19 pandemic and cooperated with the Commission.
The next EDPB guidelines should, to be useful, address issues outside the scope of the Commission’s recommendation such as the use of data for research purpose, non-voluntary apps, quarantine monitoring etc.
2. Overview of the latest recommendation released by the Commission
2.1. What are the purpose and scope of this recommendation?
This non-legally binding document sets out privacy-related features and requirements that apps developed to fight the COVID-19 outbreak should meet to comply with the General Data Protection Regulation (GDPR) and the ePrivacy Directive. This document complements the toolbox also released by the Commission.
However, the Commission has chosen to focus only on voluntary apps supporting the fight against COVID 19 pandemic with at least one the following functionalities:
- Information service (i.e. providing accurate information to individuals about the COVID-19 pandemic);
- Symptom checker (i.e. questionnaires for self-assessment and guidance to individuals);
- Contact tracing and warning functionality (i.e. alerting persons who have been in contact with an infected person to provide information such as whether to self-quarantine and where to get tested);
- Telemedicine.
Are therefore excluded, apps aimed at enforcing quarantine requirements.
Furthermore, the recommendation does not address any further conditions such as limitations provided for in Member States law with regard to the processing of health data.
2.2. Why does the Commission recommend using voluntary apps only?
If the Member States wanted to impose the use of an app involving the application of the confidentiality of communications rights set out in the e-privacy directive, they would have to enact a law which is necessary, appropriate and proportionate to protect certain specific objectives.
Given the challenges and complexity that this approach entails, the Commission recommends the use of voluntary apps.
2.3. When should the individuals provide their consent?
The Commission sets out details on how to obtain the individual’s consent. Although the individual’s consent is not the recommended legal basis for processing personal data, the commission’s consent requirements are similar to the GDPR ones.
As a result, the installation of the app on individuals’ device should be voluntary and individuals should not suffer any negative consequences for not downloading/using the app.
Specific consent for each functionality is necessary (e.g. information, symptom checker, contact tracing and warning functionalities).
Proximity data (i.e. data generated by the exchange of Bluetooth Low Energy (BLE) signals between devices within an epidemiologically relevant distance and during an epidemiologically relevant time) must be stored on the device and share with the health authorities with the individual’s authorisation and on confirmation that they have been infected with the COVID-19;
2.4. What is the legal basis for processing the data?
As stated above, even though the installation and use of the apps are voluntary, consent is not the recommended legal basis for processing the data by the Health Authorities.
In this regard and although their approach differs slightly, the Commission and the EDPB are of the view that law and the public interest are a more appropriate legal basis for the processing of personal data.
Indeed, according to the EDPB, “when public authorities provide a service, based on a mandate assigned by and in line with requirements laid down in law, the most relevant legal basis for the processing is the necessity for the performance of a task for the public interest. The enactment of national laws, promoting the voluntary use of the app without any negative consequence for the individuals not using it, could be a legal basis for the use of the apps.”
Our understanding is that provided the law promotes a voluntary use of the apps (i.e. the individuals must agree to the use of each functionality), processing personal data on this ground should comply with Human rights requirements and provides more legal certainty to the Health Authorities.
However, the Commission reminds that, as required under the e-privacy directive, the use of cookies or equivalent technologies that are not strictly necessary for the functioning of the apps is subject to the individual’s consent (e.g. when the users agree to upload proximity data).
2.5. What are the other requirements set out in this recommendation?
The Commission provides specific recommendations on how to comply with the GDPR requirements such as data minimisation, data sharing, data storage but also, on other issues such as the interoperability between the apps in operation in the different Member States.
In particular, the recommendation provides that:
- The national health authorities should be the controllers in charge of the compliance of the processing operations with the GDPR requirements including providing individuals with an information notice (accountability principle);
- The deactivation of the apps should automatically occur at the latest when the pandemic is declared to be under control (i.e. it should not depend on the user’s action);
- The Commission prefers the use of proximity data to geolocation data that it considers irrelevant to achieve the purposes at stake;
- A DPIA is necessary since the processing operations involve the processing of sensitive data on a large scale.
