Benefitting from a mature and largely harmonized data protection legal framework, the European Union and its Member States are taking policymaking steps towards a pan-European approach to enlisting data and technology against the spread of COVID-19 and to support the gradual restarting of the economy. Here is an overview of key recent events essential to understanding the EU’s data-based approach against the pandemic:
- Early on, the European Data Protection Supervisor (EDPS) – the supervisory authority of the EU institutions and bodies and also the consultative body on EU legislation that may impact data protection – issued Comments on the European Commission’s plan to access telecommunications data from telecommunications service providers to monitor the COVID-19 spread (March 25), and also issued a public call for a pan-European approach against the pandemic (April 6).
- Following a detailed Recommendation issued by the European Commission on April 8, the eHealth Network, a voluntary network providing a platform of Member States’ competent authorities dealing with digital health, published a week later a common EU Toolbox for Member States on contact tracing mobile applications.
- The Presidents of the European Commission and the European Council – which brings together the heads of state or government of EU Member States – published on April 15 an exit strategy, or Joint European Roadmap towards lifting COVID-19 containment measures, where the first two of seven measures proposed are based on the collection and use of data.
- The Commission also issued guidelines specifically on how these mobile applications should be designed and implemented to respect data protection requirements (April 16).
- The European Parliament adopted, on April 17, a resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences, including specific recommendations and even ‘demands’ for certain safeguards around contact tracing applications, including a decentralized approach.
- The European Data Protection Board (EDPB), the EU body bringing together the leaders of all Data Protection Authorities (DPAs) in the EU – meaning the only authorities that are competent to enforce data protection law within Member States, both in the public and private sectors – published its Guidelines on contact tracing apps and the use of telecommunications data to fight the effects of the pandemic and Guidelines on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak (April 23). These guidelines come after several other instances where the EDPB quickly provided its view on related pressing issues: a letter to the Commission responding to a consultation on its data protection guidelines mentioned above, and a Statement on the processing of personal data in the context of the COVID-19 outbreak, with a focus on the employer-employee relationship.
This report will look more closely at each of these guidelines, opinions, recommendations and resolutions, to analyze what the solutions are for processing personal data through contact tracing apps or the creation of heat maps based on mobility data in support of lifting the COVID-19 containment measures in the EU, and their data protection implications (see Table 1 for a list of relevant documents, in chronological order). This contribution looks solely at EU-level policy, which will trickle down to national level. The responses of national data protection authorities will be analyzed in a second part. It is important to keep in mind that the EDPB acts as a link between EU-level, agreed-upon data protection policy and national implementation.
1. Preamble: Scientists were here first
Before the calls and guidelines of policymakers at EU level favoring a pan-European approach, scientists and researchers across Europe (from several EU Member States, but also from Switzerland and the UK) were the first to rally to propose a pan-European technical solution for contact tracing apps, at the end of March, initially as part of a broader pan-European project (in the meantime, the broader project appears to be losing partners and support due to lack of transparency, including about its original conveners, and differences among scientists on whether centralized or decentralized solutions are preferable).
A lot of attention is now paid to one protocol developed initially under that umbrella but which became independent: the Decentralized Privacy-Preserving Proximity Tracing (DP-3T) protocol. This protocol was developed by ‘over 25 scientists and academic researchers from across Europe’ and ‘it was also scrutinized and improved by the wider community’ after being published. The DP-3T project is ‘an open protocol for COVID-19 proximity tracing using Bluetooth Low Energy functionality on mobile devices that ensures personal data and computation stays entirely on an individual’s phone’ (a decentralized solution). The protocol is being implemented in a ‘soon-to-be-released, open-sourced app and server’. Its data protection and security claims are scrutinized and open to feedback on GitHub.
Apple and Google announced a joint program early on in this debate that supports the creation of infrastructure on their platforms suited for the decentralized approach to contact tracing, leaving a centralized approach with few technical options for implementation.
Officials from Switzerland (non-EU, but an ‘associated country’), Austria (EU) and Estonia (EU) announced they plan to implement the DP-3T protocol. But other Member States, like France (which even called for Apple and Google to modify their decentralized framework) and Italy (where the debate is still ongoing), are pushing for a different architecture for a national contact tracing app, based on centralization of information, mimicking the real-life contact tracing that is conducted by public health authorities and relies on centralization and identification of all contacts a person who tested positive recalls having been in touch with. These decisions are currently being taken at national level, with the debate shifting every day.
2. The European Data Protection Supervisor: Early call for Digital Solidarity in the EU
The EDPS’ first call for a European approach relying on data to fight the pandemic came in the Comments the institution issued on March 25 in response to a consultation from the European Commission on a proposal to rely on telecommunications data, shared by service providers, to monitor the spread of COVID-19. The EDPS called for ‘an urgent establishment of a coordinated European approach to handle the emergency in the most efficient, effective and compliant way possible’, considering that fragmentation at national level may stand in the way of effectiveness. The EDPS also pointed out in the Comments that ‘data protection rules currently in force in Europe are flexible enough to allow for various measures taken in the fight against pandemics.’
As for the safeguards proposed for the use of telecommunications data, they focused on: transparency about the data sets to be made available by telecommunications service providers and how they will be used; anonymization to the extent possible, and aggregation of data; contractual accountability for all third parties that will process the data; limitation of access rights to authorized experts in spatial epidemiology, data protection and data science; and strict retention limitation – ‘the data obtained from mobile operators would be deleted as soon as the current emergency comes to an end.’
On April 6, the European Data Protection Supervisor, Wojciech Wiewiórowski, doubled down on the European approach against the pandemic and issued a public message for EU Digital Solidarity. He recalled that ‘big data means big responsibility’ and pointed out that responsibility also means ‘we should not hesitate to act when it is necessary. There is also responsibility for not using the tools we have in our hands to fight the pandemic.’
Wiewiórowski called for a pan-European model of a COVID-19 mobile application, ‘coordinated at EU level.’ ‘Legality, transparency and proportionality are essential’, the Supervisor added.
There are four key safeguards the EDPS proposes so the data-based solutions to counter the effects of the pandemic are compliant with data protection law: the measures are temporary – ‘they are not here to stay after the crisis’; ‘Their purposes are limited – we know what we are doing’; ‘Access to the data is limited – we know who is doing what’; and ‘We know what we will do both with results of our operations and with raw data used in the process’ – which seems to refer to justifiable necessity of such measures.
3. The European Commission: Recommendation for a common approach to contact tracing apps and eHealth Network’s Toolbox
On April 8, the European Commission published a Recommendation on ‘a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis, in particular concerning mobile applications and the use of anonymised mobility data’. This Recommendation set up a process for developing a common approach within the EU to use digital means to address this crisis, referred to as a Toolbox.
3.1. The Recommendation: Build a common Toolbox, a fragmented approach will not be effective
In this early document, the Commission acknowledged that ‘digital technologies and data have a valuable role to play in combating the COVID-19 crisis, given that many people in Europe are connected to the internet via mobile devices.’ It also pointed out that ‘a fragmented and uncoordinated approach risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing serious harm to the single market and to fundamental rights and freedoms.’ Therefore, the Commission considers that a pan-European approach is necessary both for the economy (preserving the single market) and for a coherent fundamental rights approach across the EU.
The Commission enumerated several factors that would render these applications effective, such as user penetration, public trust that the data will be protected by appropriate data protection and security measures, integration and data sharing with other systems and applications, cross-border and cross-regional interoperability with other systems. According to the Commission, interoperability between applications is recommended, as well as the possibility of national health authorities supervising infection transmission chains to be able to ‘exchange interoperable information about users that have tested positive with other Member States or regions in order to address cross-border transmission chains.’
In addition to a pan-European approach for mobile apps designed to fight the pandemic, the Recommendation also pushes for ‘a common scheme for using anonymized and aggregated data on mobility of populations’, specifically in order to:
- Model and predict the evolution of the disease;
- Monitor the effectiveness of decision-making by Member States’ authorities on measures such as social distancing and confinement;
- Inform a coordinated strategy for exiting from the COVID-19 crisis.
According to the Commission, ‘respect for all fundamental rights, notably privacy as well as data protection, the prevention of surveillance and stigmatization’ should be ‘paramount throughout the process’. To this end, three key principles are laid out. The proposed Toolbox should:
- Strictly apply the purpose limitation principle (‘ensure that the personal data are not used for any other purposes such as law enforcement or commercial purposes’);
- Ensure regular review of the technical solutions proposed and ‘set appropriate sunset clauses’;
- Ensure that ‘the processing is effectively terminated and the personal data concerned irreversibly destroyed’, unless their scientific value for research outweighs the impact on the rights concerned. Any such further processing should be done ‘on the advice of ethics boards and data protection authorities’.
Further recommendations are made for each of the two envisaged scenarios involving data – mobile apps and the use of aggregated telecommunications data. The Commission does not express any preference for a specific architecture of contact tracing apps (centralized v. decentralized). Importantly, this Recommendation highlights the key role DPAs play: ‘consultation with data protection authorities … is essential to ensure that personal data is processed lawfully and that the rights of the individuals concerned are respected.’
3.2. The Common Toolbox: adopted by the eHealth Network and pushed against tech solutionism
Version 1 of the Common EU Toolbox called for in this Recommendation was developed at incredible speed and was published a week later, on April 15. The Toolbox was adopted by the ‘eHealth Network’, which is a voluntary network that provides a platform of Member States’ competent authorities dealing with digital health. Enlisting the support of Member States for a pan-European approach of relying on data to fight the pandemic is essential. This is because the European Union does not have exclusive competence on health matters. Primary responsibility for health protection and, in particular, healthcare systems continues to lie with the Member States.
The document focuses solely on mobile apps for contact tracing. Unlike most other recent policy documents in this area, it also contains an explanation of what contact tracing means during an epidemic or pandemic and details how it is usually carried out manually, by public health authorities: ‘This is a time-consuming process where cases are interviewed in order to determine who they remember being in contact with from 48 hours before symptom onset and up to the point of self-isolation and diagnosis. (…) Such manual processes rely on the patient’s memory and obviously cannot trace individuals who have been in contact with the patient but who are unknown to him/her.’ Nonetheless, the eHealth Network is clear in its recommendation that mobile apps should be complemented by manual contact tracing, which will ‘continue to play an important role, in particular for those, such as elderly or disabled persons, who could be more vulnerable to infection but less likely to have a mobile phone or have access to these applications’.
The Toolbox was built by taking the position that both centralized and decentralized solutions can be relied on, without a preference being expressed for either, and with advantages and shortcomings of both being laid out in the document. For the decentralized option, the Toolbox notes that ‘this approach would considerably reduce the risks to privacy as close contacts would not be directly identifiable and this option would thereby enhance the attractiveness of the application’, but in this case public health authorities would not have ‘access to any anonymised and aggregated information on social distancing, on the effectiveness of the app or on the potential diffusion of the virus’ and ‘this information can be important to manage the exit of the crisis’. The centralized option described in the Toolbox presupposes that ‘users cannot be directly identified’ through the data stored in the backend server, which are ‘arbitrary identifiers generated by the app’. According to the eHealth Network, ‘the advantage is that the data stored in the server can be anonymised by aggregation and further used by public authorities as a source of important aggregated information on the intensity of contacts in the population, on the effectiveness of the app in tracing and alerting contacts and on the aggregated number of people that could potentially develop symptoms.’
The Toolbox concludes that ‘none of the above two options includes storing of unnecessary personal information’. However, it alerts developers that centralized solutions which do involve ‘directly-identifiable data on every person downloading the app’ that is held centrally by public health authorities, ‘would have major disadvantage, as noted by the EDPB in its response to consultation on Commission draft guidance on data protection and tracing apps.’
Compared to other guidelines, there is more detailed focus in this Toolbox on the epidemiological relevance of any technological solution proposed. As such, apps should be following national legislation and international guidance ‘that defines which contacts should be followed up and what the management of these contacts should be’ under the coordination of public health authorities.
The Toolbox sets out various relevant parameters to enable a coordinated development and use of ‘officially recognized contact tracing applications and the monitoring of their performances.’ It provides a detailed list of baseline requirements and functionalities that should be taken into account (see Annex I of the document), which have been ‘identified collectively by Member State authorities who are considering the launch of an app to support contact tracing.’ In eHealth Network’s view, the essential requirements for national apps are that they should be:
- Approved by the national health authority;
- Privacy-preserving, with personal data securely encrypted;
- Dismantled as soon as no longer necessary.
4. Joint Statement of the Presidents of the Commission and the Council: EU Exit Strategy Roadmap enlists data as key to lifting confinement
European Commission’s President, Ursula von der Leyen, and the President of the European Council, Charles Michel, co-signed a Joint European Roadmap towards lifting COVID-19 containment measures, on April 15, which sets out recommendations to Member States with the goal of preserving public health while gradually lifting containment measures to restart community life and the economy. This Roadmap contains principles that should guide the Member States and the EU in their exit strategy and a set of seven recommended measures. The first two of these seven measures rely on using data.
The first recommended measure is to ‘gather data and develop a robust system of reporting’. By this, the Roadmap means ‘gathering and sharing of data at national and subnational level by public health authorities in a harmonised way on the spread of the virus, the characteristics of infected and recovered persons and their potential direct contacts’. Recognizing that reporting only cases that are known to health authorities is not enough (they ‘may only represent the tip of the iceberg’), the document refers to both ‘social media and mobile network operators’ as being in the position to ‘offer a wealth of data on mobility, social interactions, as well as voluntary reports of mild disease cases (e.g. via participatory surveillance) and/or indirect early signals of disease spread (e.g. searches/posts on unusual symptoms).’
The Roadmap refers to anonymizing and aggregating such data before being used, and offers the Joint Research Center and the European Center for Disease Control as centralizing bodies for this data collection and for conducting modelling work. This is interesting, since this is the only instance where social media data is being brought to the discussion among the different EU-level policymaking sources. On the other hand, telecommunications data has been enlisted early on in the pandemic to offer an EU-wide window into how individuals are moving during lockdowns, following a push initiated by Thierry Breton, the commissioner for the internal market (see also Section 2 of this report).
The second recommended measure is to ‘create a framework for contact tracing and warning with the use of mobile apps which respect data privacy’. According to the signatories of the Joint Statement, contact tracing apps are ‘particularly relevant in the phase of lifting containment measures’. Because they can ‘help interrupt infection chains and reduce the risk of further transmission’, contact tracing apps ‘should be an important element in the strategies put in place by Member States’, as long as they complement other measures, including increased testing capacities. In fact, the third recommended measure in the document is expanding testing capacity and harmonising testing methodologies. As for the mobile apps, it is recommended in the Exit Strategy that they be voluntary and that ‘national health authorities should be involved in the design of the system.’
The safeguards proposed are a mix of technical safeguards – anonymization and aggregation of data, no tracking of users – and governance safeguards – transparency and expiration ‘as soon as the COVID-19 crisis is over’, with a recommendation to erase any remaining data at that time and have the apps deactivated. According to the document, ‘confidence in these applications and their respect of privacy and data protection are paramount to their success and effectiveness.’ The document refers to the earlier Recommendation made by the Commission to set up the framework for a data protection centered contact tracing app and to guidance by the Commission on how such apps can be respectful of data protection law. However, the Roadmap omits the crucial role that Data Protection Authorities and their pan-EU body, the European Data Protection Board, will have in ensuring that contact tracing apps, if deployed, are fully respectful of the rights and freedoms of individuals by complying with data protection law requirements.
Finally, the Presidents of the Commission and the Council state that a pan-EU reference app, or at least interoperability and sharing of results between contact tracing apps at EU level, ‘allows a more effective warning of people concerned and a more efficient public health policy follow-up’. Indeed, the lack of a pan-EU approach to deploying and relying on contact tracing apps would risk endangering the freedom of movement which is so central to the EU.
5. The European Commission: Data protection guidance on apps to support the fight against COVID-19
To complement the features recommended in the Toolbox for contact tracing apps by the eHealth Network, the Commission published separately, on April 16, data protection guidance for apps to support the fight against COVID-19. This abundance of data protection guidance may be confusing for app developers and for the public authorities wanting to implement apps, considering that both the EDPS and the EDPB have been very active in giving input, following their specific mandate. In fact, the Commission includes as the last point in its guidance the fact that DPAs ‘should be fully involved and consulted in the context of the development of the app and they should keep its deployment under review.’
One interesting nuance is that the Commission includes in the scope of its analysis several variations of mobile apps that could potentially be useful in the fight against the pandemic: apps that provide accurate information to individuals about the COVID-19 pandemic; that provide questionnaires for self-assessment and for guidance to individuals (symptom checker functionality); that provide contact tracing and warning functionality; and that provide a communication forum between patients and doctors in situations of self-isolation or where further diagnosis and treatment advice is provided (increased use of telemedicine).
This guidance identifies and details ten elements that ensure ‘a trustful and accountable use of apps’:
- National health authorities (or entities carrying out tasks in the public interest in the field of health) should be the data controller.
- Ensuring that the individual remains in control (for example, different app functionalities – information, symptom checker, contact tracing and warning functionalities – should not be bundled, so that the individual can provide his/her consent specifically for each functionality).
- As lawful grounds for processing: relying on consent for the installation of the apps and for placing information, such as random identifiers, on devices, in compliance with the ePrivacy Directive; for further processing, relying on a legal obligation for processing of the personal data by health authorities (Article 6(1)(c) and Article 9(2)(i) GDPR), as long as the law, even if pre-existing the COVID-19 pandemic, provides for measures allowing for the monitoring of epidemics and meets the further requirements set out in Article 6(3) GDPR; keeping in mind that there is a ‘prohibition’ on subjecting individuals to a decision based solely on automated processing which produces legal effects or similarly significantly affects the individual (Article 22 GDPR).
- Data minimisation (for example, ‘if the purpose of the functionality is symptom checking or telemedicine, these purposes do not require access to the contact list of the person owning the device’; for contact tracing, the Commission recommends the use of Bluetooth Low Energy (BLE) communications data, or data generated by equivalent technology, to determine proximity, considering that ‘for the metering of proximity and close contacts BLE communications between devices appears more precise, and therefore more appropriate, than the use of geolocation data (GNSS/GPS, or cellular location data)’).
- Limiting the disclosure of/access to data, with different recommended access permissions depending on the functionality of the app.
- Providing for precise purposes of processing: the Commission also advises against the use of the data gathered under the above conditions for other purposes than the fight against COVID-19, recommending additional limitations even with regard to processing for scientific research and statistics, which ‘should be included in the original list of purposes and clearly communicated to users.’
- Setting strict limits to data storage: timelines should be based on ‘medical relevance’, as well as ‘realistic durations for administrative steps that may need to be taken’; for example, proximity data collected by contact tracing apps should be deleted ‘after maximum one month (incubation period plus margin) or after the person was tested and the result is negative’; health authorities may retain it for longer periods ‘for surveillance reporting and research provided it is in an anonymised form.’
- Ensuring data security: the Commission recommends that the data should be stored on the terminal device of the individual ‘in an encrypted form using state-of-the art cryptographic techniques’; in the case that the data is stored in a central server, the access, including the administrative access, should be logged.
- Ensuring the accuracy of data: accuracy on whether a contact with an infected person (epidemiological distance and duration) has taken place is essential, to minimise the risk of having false positives.
- Involving DPAs, which should be consulted in the context of the development of the app; further along, they should keep its deployment under review.
The Guidelines do not specifically recommend a centralized or decentralized approach to contact tracing apps, but they do highlight that ‘the decentralised solution is more in line with the minimisation principle’. This specification was included in the letter the EDPB sent to the Commission in response to a consultation on this draft guidance. The Commission also states that ‘health authorities should have access only to proximity data from the device of an infected person so that they are able to contact people at risk of infection.’ This would mean that proximity data ‘will be available to the health authorities only after the infected person (after having been tested) proactively shares these data with them.’
6. The European Parliament: A Resolution on EU coordinated action to combat the COVID-19 pandemic
The European Parliament adopted on April 17 a Resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences, where it recalled that ‘solidarity among the Member States is not an option but a Treaty obligation and forms part of the European values’ and criticized the lack of coordination and solidarity among Member States at the beginning of the pandemic. The Resolution is broad in scope and looks beyond an immediate exit strategy, by tackling issues related to longer-term public health goals, solutions to overcome the economic and social consequences, and recommendations to protect democracy, the rule of law and fundamental rights. Under this latter heading, the Resolution includes specific references to relying on telecommunications data and on contact tracing applications in a way that is congruent with fundamental rights.
The Parliament took a stance unequivocally in favor of decentralized contact tracing apps, as opposed to centralized apps, and it pushed for transparency and demonstrable necessity of these apps. It used strong wording and noted that it ‘demands that all storage of data be decentralised, full transparency be given on (non-EU) commercial interests of developers of these applications, and that clear projections be demonstrated as regards how the use of contact tracing apps by a part of the population, in combination with specific other measures, will lead to a significantly lower number of infected people.’ In its Resolution, the Parliament also asked for the code of contact tracing apps to be public and recommended that ‘sunset clauses are set and the principles of data protection by design and data minimisation are fully observed’.
While recommending a pan-European approach to the use of contact tracing apps, the Parliament also acknowledged that these initiatives seem to be primarily national at this point. Therefore, it called for both the Commission and the Member States ‘to publish the details of these schemes and allow for public scrutiny and full oversight by data protection authorities’. Unlike the Roadmap published by the Presidents of the Commission and the Council, the European Parliament not only acknowledged the key role DPAs play, but called for their full oversight and urged ‘national and EU authorities’ to fully comply with both data protection and privacy legislation, as well as ‘national DPA oversight and guidance’.
7. The European Data Protection Board: Ample guidance on enlisting data against the spread of the COVID-19 pandemic
In an extraordinary step, at the beginning of April the EDPB converted its monthly plenary meetings into weekly plenary meetings, to respond to the urgency of measures proposed across the EU to rely on personal data in the fight against the COVID-19 pandemic. On April 21, it adopted two sets of Guidelines which are essential to inform the responses at national level, one focused on the use of location data and contact tracing tools, and the other one on the processing of health data for research purposes in the context of the COVID-19 pandemic.
The Guidelines of the EDPB are very important from two points of view. First, they represent the agreed position of all national DPAs, which are the only administrative entities that have competence to enforce the GDPR and the Law Enforcement Directive at national level, both against government bodies and private organizations. Second, they are capable of ensuring a harmonized approach across the EU, at a time when national governments prefer to act by themselves, contributing thus decisively to a pan-European approach of the data-based response to the COVID-19 pandemic.
7.1. Processing of health data for research purposes
Starting from the premise that ‘the GDPR is a broad piece of legislation and provides for several provisions that allow to handle the processing of personal data for the purpose of scientific research connected to the COVID-19 pandemic in compliance with the fundamental rights to privacy and personal data protection’, the EDPB published guidance to support compliant scientific research involving health data. Here are some of the key points:
- What is ‘scientific research’? The EDPB noted that the special GDPR regime for processing of personal data for scientific research purposes applies to ‘a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice’ and the term scientific research ‘may not be stretched beyond its common meaning.’ The EDPB also clarified that when talking about processing of health data for the purpose of scientific research, there are two types of data uses:
- ‘Research on personal (health) data which consists in the use of data directly collected for the purpose of scientific studies (“primary use”).
- Research on personal (health) data which consists of the further processing of data initially collected for another purpose (“secondary use”).’
- Compatible purposes for secondary uses. The EDPB notes that this distinction is important in the context of identifying the lawful ground for processing. Even though not specifically explained in the guidance, this has to do with the fact that secondary uses of data are permissible without the need for an additional lawful ground, as long as they are compatible with the purpose for which the data was originally collected. However, the EDPB does not give specific guidance on compatibility of purposes in this context and only mentions that ‘this topic, due to its horizontal and complex nature, will be considered in more detail in the planned EDPB guidelines on the processing of health data for the purpose of scientific research.’ Nevertheless, the Board emphasizes that strong security measures are highly advisable ‘considering the sensitive nature of health data and the risks when re-using health data for the purpose of scientific research’.
- Lawful grounds for processing. A general lawful ground from Article 6 GDPR has to be complemented by a permissible use for special categories of data in Article 9(2) GDPR. The EDPB explains that besides consent (as long as all conditions for valid consent are met, including the possibility for individuals to withdraw consent at any time), controllers can also possibly rely on necessity for the performance of a task in the public interest by a public authority – Article 6(1)(e) GDPR, or the legitimate interests of the controller or a third party – Article 6(1)(f) GDPR, in combination with the enacted derogations under Article 9(2)(j) or Article 9(2)(i) GDPR. Under these two paragraphs of Article 9(2), both the EU and the national legislators at Member State level may enact specific laws ‘to provide a legal basis for the processing of health data for the purpose of scientific research’.
- International data transfers. A section of the guidance is dedicated to international data transfers, considering the global nature of the COVID-19 pandemic and that ‘there will probably be a need for international cooperation that may also imply international transfers of health data for the purpose of scientific research outside of the EEA [European Economic Area].’ The EDPB gives the green light for health data to be transferred on the basis of derogations, where an adequacy decision is not in place or where one of the other appropriate safeguards is absent (like Standard Contractual Clauses). In particular, data can be transferred on the basis of the express consent of the data subject, or on the basis of the transfer being necessary for important reasons of public interest. The EDPB remarks that not only public authorities, but also private entities playing a role in pursuing a public interest related to the COVID-19 pandemic, such as a university’s research institute cooperating on the development of a vaccine in the context of an international partnership, could, under the current pandemic context, rely upon those derogations. However, the EDPB highlights that such transfers must be ‘a temporary measure, due to the urgency of the medical situation globally’. It adds that while the COVID-19 crisis may justify the initial transfers of data, repetitive transfers that are part of a long-lasting research project would need to be framed with appropriate safeguards in accordance with Article 46 GDPR (e.g. standard contractual clauses, certification mechanisms, contracts approved by DPAs etc.).
7.2. Location data, ‘notoriously difficult to anonymize’
In the guidance on location data and contact tracing apps, the EDPB expresses its firm belief that ‘when processing of personal data is necessary for managing the COVID-19 pandemic, data protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures’. It also clearly calls for ‘a common European approach in response to the current crisis’, or to ‘at least put in place an interoperable framework’, considering that ‘the virus knows no borders’.
The EDPB recalls that ‘the general principles of effectiveness, necessity and proportionality must guide any measure adopted by Member States or EU institutions that involve processing of personal data to fight COVID-19’. This is a call for any data-based solutions to be grounded in actual needs of authorities to manage the pandemic. ‘Such applications need to be a part of a comprehensive public health strategy to fight the pandemic, including, inter alia, testing and subsequent manual contact tracing for the purpose of doubt removal’.
When discussing the processing of location data, the EDPB points out that there are two principal sources of such data available for modelling the spread of the virus and the overall effectiveness of confinement measures: location data collected by electronic communication service providers (such as mobile telecommunication operators) in the course of the provision of their service and location data collected by information society service providers’ applications whose functionality requires the use of such data.
Accessing or collecting location data from both these sources falls under the provisions of the ePrivacy Directive. As such, location data collected from electronic communication providers may only be processed under the conditions of Articles 6 and 9 of the ePrivacy Directive. This means that the location data ‘can only be transmitted to authorities or other third parties if they have been anonymised by the provider or, for data indicating the geographic position of the terminal equipment of a user, which are not traffic data, with the prior consent of the users’. As for collecting location data and other information directly from the terminal equipment (device) of a user, Article 5(3) of the ePrivacy Directive is applicable. As such, ‘the storing of information on the user’s device or gaining access to the information already stored is allowed only if:
(i) the user has given consent;
(ii) the storage and/or access is strictly necessary for the information society service explicitly requested by the user.’
The EDPB stopped short of giving examples of what type of services in the context of COVID-19 could argue that access to location data is strictly necessary to provide the service.
The guidelines point out that derogations to these rules are possible only ‘when they constitute a necessary, appropriate and proportionate measure within a democratic society for certain objectives’, according to Article 15 of the ePrivacy Directive. However, these exceptions can only be adopted if they concern national security, defence, public security and the prosecution of criminal offenses. In addition, according to existing case-law of the CJEU interpreting Article 15, all these areas ‘constitute activities of the State or of State authorities unrelated to the fields of activity of individuals’ (Case C-275/06 Promusicae). This seems to indicate that exceptions can be applicable only if the controllers are public authorities and if Member States can justify they concern one of the areas enumerated, such as public security.
The EDPB established that after the location data has been accessed in compliance with Article 5(3) ePrivacy, they can be further processed only on the basis of additional consent or on the basis of a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1) GDPR. Even though technically organizations could rely on the fact that further processing of location data for modelling purposes to combat the pandemic is compatible with the original purpose of accessing the data, the EDPB considers that further processing on the basis of a compatibility test according to Article 6(4) GDPR is not possible in these cases where original access is obtained under the conditions of the ePrivacy Directive, since it would undermine the data protection standard of the ePrivacy Directive, as explained in the earlier Guidelines on Connected Vehicles.3
The EDPB advises that preference should always be given to the processing of anonymized data rather than personal data, but cautions that location data ‘are known to be notoriously difficult to anonymize’, since ‘mobility traces of individuals are inherently highly correlated and unique’ and ‘they can be vulnerable to re-identification attempts under certain circumstances.’ The EDPB further states that ‘data cannot be anonymized on their own, meaning that only datasets as a whole may or may not be made anonymous’. To highlight this point, it is further argued that ‘any intervention on a single data pattern (by means of encryption, or any other mathematical transformations) can at best be considered a pseudonymisation.’
The EDPB also proposes a test to evaluate the robustness of anonymization, which relies on three criteria:
‘(i) singling-out (isolating an individual in a larger group based on the data);
(ii) linkability (linking together two records concerning the same individual); and
(iii) inference (deducing, with significant probability, unknown information about an individual).’
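The three criteria are easier to grasp against a concrete dataset. The following is an added example written for this overview, not code from the EDPB guidance or from any operator: it builds a small constructed set of mobility traces (the users, days, hours and cell identifiers are invented), applies the kind of per-record transformation the Board calls a mere pseudonymisation (a salted hash of the subscriber name), and then runs one attack per criterion: singling out a person from a few externally known spatio-temporal points, linking records across two releases (trivially with a shared salt, and by daily routine when the salt is rotated), and inferring an attribute that appears in no record (the likely home cell). The routine-matching threshold, the night-time window and the hash truncation are assumptions made here for illustration.

```python
# Added example, not from the EDPB guidelines or this article: a pseudonymised
# mobility dataset checked against the EDPB's three anonymisation criteria.
# The traces, cell identifiers and hashing scheme are constructed here for
# illustration; no real operator dataset or practice is implied.
import hashlib
from collections import Counter, defaultdict

# Constructed sample: (user, day, hour, cell). Cells stand in for the coarse
# location a network operator or an app might record.
RAW_TRACES = [
    ("alice", 1, 8, "C12"), ("alice", 1, 18, "C40"), ("alice", 1, 23, "C07"),
    ("alice", 2, 8, "C12"), ("alice", 2, 18, "C40"), ("alice", 2, 23, "C07"),
    ("bob",   1, 8, "C12"), ("bob",   1, 18, "C22"), ("bob",   1, 23, "C55"),
    ("bob",   2, 8, "C12"), ("bob",   2, 18, "C22"), ("bob",   2, 23, "C55"),
    ("carol", 1, 9, "C31"), ("carol", 1, 18, "C40"), ("carol", 1, 23, "C60"),
    ("carol", 2, 9, "C31"), ("carol", 2, 18, "C40"), ("carol", 2, 23, "C60"),
    ("dave",  1, 8, "C12"), ("dave",  1, 18, "C40"), ("dave",  1, 23, "C61"),
    ("dave",  2, 8, "C12"), ("dave",  2, 18, "C40"), ("dave",  2, 23, "C61"),
]


def token_for(user, salt):
    """Salted, truncated hash of the user name: the per-record transformation
    the EDPB says 'can at best be considered a pseudonymisation'."""
    return hashlib.sha256((salt + user).encode()).hexdigest()[:8]


def pseudonymise(traces, salt):
    """Swap the user name for its token; every other field is left untouched."""
    return [(token_for(user, salt), day, hour, cell)
            for user, day, hour, cell in traces]


def single_out(pseudo, known_points):
    """Criterion (i). known_points are (day, hour, cell) facts the adversary
    learned about one person elsewhere (a photo, a calendar, a receipt).
    Returns every token whose trace contains all of them; a single token
    means the person has been isolated from the group."""
    by_token = defaultdict(set)
    for token, day, hour, cell in pseudo:
        by_token[token].add((day, hour, cell))
    return sorted(t for t, pts in by_token.items() if set(known_points) <= pts)


def link_same_salt(pseudo_a, pseudo_b):
    """Criterion (ii), easy case: two releases hashed with the same salt share
    tokens, so records about one person link across them directly."""
    return sorted({r[0] for r in pseudo_a} & {r[0] for r in pseudo_b})


def link_by_routine(pseudo_a, pseudo_b):
    """Criterion (ii), hard case: salts differ per release, yet daily routines
    repeat, so each token in A is matched to the token in B whose set of
    (hour, cell) habits overlaps it most (Jaccard similarity)."""
    def habits(pseudo):
        h = defaultdict(set)
        for token, _, hour, cell in pseudo:
            h[token].add((hour, cell))
        return h
    ha, hb = habits(pseudo_a), habits(pseudo_b)
    return {ta: max(hb, key=lambda tb: len(sa & hb[tb]) / len(sa | hb[tb]))
            for ta, sa in ha.items()}


def infer_home(pseudo, token):
    """Criterion (iii). Deduce an attribute that is in no record: the cell
    seen most often late at night is, with high probability, the home."""
    nights = Counter(cell for t, _, hour, cell in pseudo
                     if t == token and (hour >= 22 or hour <= 5))
    return nights.most_common(1)[0][0] if nights else None


if __name__ == "__main__":
    release = pseudonymise(RAW_TRACES, "release-1")
    print(single_out(release, [(1, 8, "C12")]))                  # crowded cell: 3 tokens
    print(single_out(release, [(1, 8, "C12"), (1, 18, "C40")]))  # 2 tokens
    print(single_out(release, [(1, 23, "C07")]))                 # one night-time point: 1 token
    print(infer_home(release, token_for("alice", "release-1")))  # C07
    day1 = pseudonymise([r for r in RAW_TRACES if r[1] == 1], "salt-A")
    day2 = pseudonymise([r for r in RAW_TRACES if r[1] == 2], "salt-B")
    print(link_by_routine(day1, day2))  # each salt-A token paired with its salt-B twin
```

The point the example makes is the Board's own: hashing the identifier changes nothing about the uniqueness of the trace. A single late-night observation isolates one person, rotating the salt between releases does not stop linkage when the underlying routine repeats, and the home cell can be read off records that never contain it. Whether a dataset is anonymous is a property of the whole release and of what an adversary can plausibly know, which is why the EDPB insists the test be applied to the dataset rather than to individual records.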
7.3. Contact tracing: the door was kept open for both centralized and decentralized apps
With regard to contact tracing apps, the EDPB points out from the outset that ‘the systematic and large scale monitoring of location and/or contacts between natural persons is a grave intrusion into their privacy.’ This is why ‘it can only be legitimised by relying on a voluntary adoption by the users’. The EDPB continues with a series of recommendations:
- Responsibility: As a first rule, the EDPB underscores that the controller of any contact tracing application should be clearly defined, to ensure accountability. Public health authorities are a natural choice, but ‘other controllers may also be envisaged’. In any case, regardless of the number and nature of actors involved in controlling the data processing through the app, their responsibilities ‘must be clearly established from the outset and be explained to users.’
- Purpose limitation: the purposes of the app must be specific enough to exclude further processing for purposes unrelated to the management of COVID-19, like commercial or law enforcement purposes.
- General lawful basis: the storage of, and access to, information already stored on devices are subject to Article 5(3) of the ePrivacy Directive, which means that for all data that is not strictly necessary to provide the service requested by the user, consent will be required. For the further processing of data, the EDPB highlights that ‘the mere fact that the use of contact-tracing applications takes place on a voluntary basis does not mean that the processing of personal data will necessarily be based on consent.’ The Board advises that Article 6(1)(e) GDPR is the most relevant legal basis whenever public health authorities or other public authorities are the controllers (meaning the necessity to process data for the performance of a task in the public interest). If this lawful ground is relied on, additional Union or Member State laws that detail the tasks must be in place. The EDPB seems to suggest new, dedicated legislation is needed, because it will have to provide for meaningful safeguards, including ‘a reference to the voluntary nature of the application’, a clear specification of purpose and explicit limitations concerning the further use of personal data, a clear identification of the controllers involved, and, potentially, ‘as soon as practicable, the criteria to determine when the application shall be dismantled and which entity shall be responsible and accountable for making that determination.’ Controllers could also rely on consent as a basis for processing, but in that case they need to ensure all conditions for valid consent are met, including the possibility for users to withdraw consent at any time.
- Permissible use for sensitive data. Since personal data related to health may be collected by a contact tracing app, one of the permissible uses under Article 9(2) must also be in place, in addition to the general lawful ground for processing. ‘Processing of such data is allowed when such processing is necessary for reasons of public interest in the area of public health, meeting the conditions of art. 9(2)(i) GDPR or for healthcare purposes as described in Art. 9(2)(h) GDPR. Depending on the legal basis, it might also be based on explicit consent (Art. 9(2)(a) GDPR).’
- Data retention should be dependent on true needs and medical relevance. ‘Personal data should be kept only for the duration of the COVID-19 crisis. Afterwards, as a general rule, all personal data should be erased or anonymized.’
- Human supervision. Given that contact tracing apps cannot replace, but only support manual contact tracing, the EDPB underlines that ‘procedures and processes including respective algorithms implemented by the contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives.’
- Fairness and accountability: ‘algorithms must be auditable and should be regularly reviewed by independent experts.’ To this end, ‘source code should be made publicly available for the widest possible scrutiny.’
- Risk assessment: a data protection impact assessment must be carried out before implementing contact tracing apps, and the EDPB ‘strongly recommends’ its publication.
- Data minimisation, Data protection by design and by default: the application should not collect unrelated or unneeded information, ‘which may include civil status, communication identifiers, equipment directory items, messages, call logs, location data, device identifiers, etc.’
- Centralization v. Decentralization. The members of the EDPB did not agree on a recommendation that would harmonize approaches EU-wide in the centralization versus decentralization debate, a fact which may end up hampering the pan-European approach if Member States implement different architectures which are not interoperable. The EDPB merely stated that ‘both should be considered viable options, provided that adequate security measures are in place, each being accompanied by a set of advantages and disadvantages.’ It did add in a footnote that ‘in general, the decentralised solution is more in line with the minimisation principle’. However, the guidelines leave the door open to both types of architectures, while giving specific recommendations for servers to rely on pseudonymous identifiers and very short retention times.
- Data security: state-of-the-art cryptographic techniques must be implemented to secure the data, along with mutual authentication between the application and the server and proper authorization for reporting infected users.
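To make the minimisation footnote and the last two recommendations concrete, here is an added illustrative sketch of a decentralised proximity-tracing exchange. It is written for this overview and is not the article's code, nor the code of any named protocol or national app: devices derive rotating pseudonymous identifiers from a daily key with a PRF, keep what they observe only for a short retention window, and match against keys of reported users locally, so the server holds nothing but the keys that diagnosed users chose to upload under a one-time authorisation code. The epoch length, the 14-day retention window, the hash-chained daily keys, the authorisation-code scheme and all identifiers are assumptions made here; transport-level mutual authentication between app and server (TLS with client authentication, for instance) is deliberately left out of the sketch.

```python
# Added illustrative sketch, not from the article or any named protocol:
# decentralised proximity tracing with rotating pseudonymous identifiers.
# Epoch length, retention window, key chaining and the one-time code are
# assumptions made here; no real app or health authority is described.
import hashlib
import hmac
import secrets

EPOCHS_PER_DAY = 96   # assumption: a fresh identifier every 15 minutes
RETENTION_DAYS = 14   # assumption: observed identifiers and published keys expire after 14 days


def ephemeral_ids(day_key, epochs=EPOCHS_PER_DAY):
    """Derive the day's rotating identifiers from one secret with HMAC as a PRF:
    without the key, an observer cannot link two broadcasts to one device."""
    return [hmac.new(day_key, b"ephid" + i.to_bytes(2, "big"), hashlib.sha256).digest()[:16]
            for i in range(epochs)]


def next_day_key(day_key):
    """Hash-chain the daily key forward, so uploading the key for day N
    reveals nothing about days before N."""
    return hashlib.sha256(b"next" + day_key).digest()


class Device:
    """A phone: generates its own keys, broadcasts identifiers, records what it
    hears, and does all exposure matching locally."""
    def __init__(self):
        self.day_keys = [secrets.token_bytes(32)]  # index == day number
        self.observed = {}                         # ephemeral id -> day it was heard

    def key_for(self, day):
        while len(self.day_keys) <= day:
            self.day_keys.append(next_day_key(self.day_keys[-1]))
        return self.day_keys[day]

    def broadcast(self, day, epoch):
        return ephemeral_ids(self.key_for(day))[epoch]

    def observe(self, ephid, day):
        self.observed[ephid] = day

    def prune(self, today):
        """Short retention: forget anything older than the window."""
        self.observed = {e: d for e, d in self.observed.items() if today - d < RETENTION_DAYS}

    def exposure_days(self, published_keys):
        """Re-derive every published key's identifiers and intersect with what
        this device itself heard. Contact lists never leave the phone."""
        hits = set()
        for day, key in published_keys:
            if any(e in self.observed for e in ephemeral_ids(key)):
                hits.add(day)
        return sorted(hits)


class Server:
    """Holds only the daily keys of users who reported a positive test, and
    only for the retention window. It never learns who met whom."""
    def __init__(self):
        self.valid_codes = set()
        self.published = []   # list of (day, key)

    def issue_code(self):
        """Assumption: the health authority hands a diagnosed patient a one-time code."""
        code = secrets.token_hex(8)
        self.valid_codes.add(code)
        return code

    def upload(self, code, day_keys):
        """Authorisation for reporting: only a valid, unused code is accepted."""
        if code not in self.valid_codes:
            return False
        self.valid_codes.discard(code)
        self.published.extend(day_keys)
        return True

    def purge(self, today):
        self.published = [(d, k) for d, k in self.published if today - d < RETENTION_DAYS]


def simulate():
    """Constructed scenario: alice and bob meet on day 3, carol is elsewhere,
    bob is diagnosed on day 5 and uploads his keys for days 2 to 5."""
    alice, bob, carol, server = Device(), Device(), Device(), Server()
    alice.observe(bob.broadcast(3, 40), 3)
    bob.observe(alice.broadcast(3, 40), 3)
    bobs_keys = [(d, bob.key_for(d)) for d in range(2, 6)]
    code = server.issue_code()
    result = {
        "bogus_upload": server.upload("not-a-code", bobs_keys),  # rejected
        "upload_ok": server.upload(code, bobs_keys),             # accepted once
        "replay_upload": server.upload(code, bobs_keys),         # code already spent
    }
    result["alice"] = alice.exposure_days(server.published)      # [3]
    result["carol"] = carol.exposure_days(server.published)      # []
    result["server_records"] = len(server.published)             # 4 keys, no contacts
    alice.prune(today=3 + RETENTION_DAYS)
    result["alice_after_prune"] = alice.exposure_days(server.published)  # [] once expired
    return result


if __name__ == "__main__":
    print(simulate())
```

Compare what the server stores with a centralised design of the same feature: there, each diagnosed user would upload the identifiers they observed, and the server would compute and push the exposure notifications, which means it accumulates the social graph of everyone who reports. In the sketch the server sees four daily keys and nothing else, which is the sense in which the EDPB footnote calls the decentralised option more in line with the minimisation principle; the one-time code is the ‘proper authorization for reporting infected users’, and pruning on both sides is the ‘very short retention’ the guidelines ask for.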
In its closing remarks, the EDPB stressed that ‘data and digital technologies can be key components in the fight against COVID-19’, but it also warned against the ‘ratchet effect’: ‘It is our responsibility to ensure that every measure taken in these extraordinary circumstances are necessary, limited in time, of minimal extent and subject to periodic and genuine review as well as to scientific evaluation.’ The EDPB added that one should not have to choose between an efficient response to the current crisis and the protection of our fundamental rights. ‘We can achieve both, and moreover data protection principles can play a very important role in the fight against the virus’.
The EU took advantage of its mature data protection legal framework and acted rapidly to outline the possibility of a pan-European approach to support the fight against the pandemic with data, be it under the guise of mobility data for heat maps and modelling, health data for research purposes or proximity data for contact tracing, while ensuring fundamental rights and freedoms remain protected. The push for a pan-European approach, which was sparked by scientists working across borders to build a protocol for a contact tracing app that is privacy preserving, seems to be successful, even if not entirely. Several Member States already announced they will implement the same decentralized protocol for a contact tracing app (Estonia, Austria, but also Switzerland as associated country to the EU), with others, like Germany and Italy, considering now a decentralized approach to contact tracing after having initially announced plans for a centralized approach.
Developments at national level, at least in the Member States of the EU, will be ultimately influenced by EU policy. Even if public health is primarily a regulatory area where national governments lead – with the EU just complementing policies, data protection is an area where the EU has been granted powers to lead the rulemaking (see Article 16 of the Treaty on the Functioning of the European Union). Be it a decentralized or centralized approach to contact tracing, or any of the other necessary uses of personal data for modelling or research in the context of the COVID-19 pandemic, they will all need to follow data protection rules and principles, as provided by EU law.
Table 1. List of EU policy documents and guidance in relation to COVID-19 and data protection
1 Set up under article 14 of Directive 2011/24/EU.
2 European Parliament, Factsheets on the European Union: Public Health, available at https://www.europarl.europa.eu/factsheets/en/sheet/49/public-health, retrieved on April 27, 2020.
3 EDPB, Guidelines 1/2020 on Processing personal data in the context of connected vehicles and mobility related applications, available at https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-12020-processing-personal-data-context_en, retrieved on April 30, 2020.