EU Guidance on Apps Supporting Fight against COVID-19 Pandemic in Relation to Data Protection
Designed for use by developers, the guidance sets out features and requirements for voluntary apps supporting the fight against COVID 19 pandemic that:
- provide accurate information about the COVID-19 pandemic; or
- provide questionnaires for self-assessment and for guidance to individuals (symptom checker functionality); or
- alert persons who have been in proximity for a certain duration to an infected person, in order to provide information such as whether to self-quarantine and where to get tested (contact tracing and warning functionality); or
- provide a communication forum between patients and doctors in situation of self-isolation or where further diagnosis and treatment advice is provided (increased use of telemedicine).
If adhered to, the guidance ensures compliance of voluntary apps with EU privacy and personal data protection legislation, in particular the General Data Protection Regulation (GDPR).
First and foremost, the guidance requires to identify the data controller who is deciding on the purposes of and legal basis for data processing and who should provide information to data subjects concerning the processing of their personal data. Given the sensitivity of the personal data at hand, the guidance sets out that the apps should be designed in such a manner that the national health authorities (or entities carrying out task in the public interest in the field of health) are the controllers and that the use of such apps should be voluntary whereby:
- The installation of the app on the individual’s device should be voluntary and without any negative consequences for the individual who decides not to download/use the app.
- The individual should be able to provide his/her consent specifically for each functionality and can freely choose the manner and purposes of processing his/her personal data (the consent should be very specific).
- If proximity data are used (data generated by the exchange of Bluetooth Low Energy (BLE) signals between devices within an epidemiologically relevant distance and during an epidemiologically relevant time), they should be stored on the individual’s device. If those data are to be shared with health authorities, they should be shared only after confirmation that the person concerned is infected with the COVID-19 and on the condition that he/she chooses to do so.
- The apps should be deactivated at the latest when the COVID-19 pandemic is declared to be under control (the deactivation should not depend on de-installation by the user).
As for the legal basis for data processing, the European Union makes it clear that data subject’s consent be the most appropriate ground for the relevant activities; specifically, in regard to the sensitive and detailed data that can be processed. The guidance mentions a situation when (national) health authorities typically process personal data when there is a legal obligation, in which case no user should be forced to install the app and no adverse consequences should occur for the user whenever he/she decides not to use the app – that is, the data subject should have the right not to have his/her personal data processed.
The guidance also addresses in detail data minimisation and limiting the disclosure/access of data with regard to the purpose of data processing and recalls that the purpose of data processing should be specific and known to the data subjects. The Commission considers it necessary that different app functionalities (information, tracing, warning and other functionalities) are not bundled but rather separated as much as possible so that the data subject can use only some of the functionalities entirely at his/her own choice. Despite the existing risks of COVID-19 infection, the Commission attaches great importance to the fact that the right to the protection of personal data and privacy as such are not breached. Thus, a positively tested individual should have the right to choose freely whether he/she allows the app (or rather the health authority processing his/her data) to notify others that he/she has tested positive (i.e. alert the others that they have come into contact with an infected person). As is obvious, the identity of the person infected can be revealed indirectly in specific situations – for instance, by reference to the place or time of contact – even if the information is anonymised (that is, even if the person alerted is not informed about the identity of the infected person).
The guidance suggests that the protection of human rights, including the protection of privacy and personal data, must not retreat in the face of technocratic approach to the fight against COVID-19 pandemic. One can only believe that the app developers, app operators and data controllers will become aware of and respect the same. The unique situation that we are in today may cause that the specificities of lawful personal data processing – such as voluntary consent – will be redefined or specified in more detail in the future. It is open to discussion whether the data subject would consent to the processing of his/her personal data in the manner requested by an app supporting the fight against COVID-19 pandemic if the data subject was provided with objective information regarding the infection and related risks.
Article provided by: Tomáš Nielsen (Nielsen Legal, advokátní kancelář, Czech Republic)
Dr. Tobias Höllwarth (Managing Director INPLP)