The EU approach towards tracing and warning apps
In order to react appropriately to the use of COVID-19 tracing and warning apps, the EU has published an EU toolbox relating to mobile applications to support contact tracing in the EU’s fight against COVID-19. This toolbox supports a common EU approach with implementation recommendations for Member States.
The European Data Protection Board (EDPB) has already made clear that tracing and warning apps can be acceptable under exceptional circumstances of emergency, such as the COVID-19 pandemic. However, the European Commission (EC) has also said that these types of apps should be deactivated once the pandemic is under control. This is, however, an impossible thing to predict at this point in time.
In April 2020, the EDPB also adopted guidelines on the use of location data and contact tracing tools in the context of COVID-19. Firstly, both the EDPB and the EC are of the opinion that, with regard to downloading the tracing app itself, consent may be a valid option as a legal basis. However, with regard to the processing of personal data by national health authorities, the legal basis of public interest based on national legislation would be the most appropriate. In any case, even where no consent has been provided, the data subject are still able to exercise their rights under the GDPR. Secondly, according to the EDPB, the app should not become mandatory. This would enable a way to control, stigmatize, or repress individuals based on the processing of their personal data. Thirdly, the EDPB and EC propose that national health authorities act as data controllers. This would make the exercise of rights by data subjects easier and would contribute to trust and public acceptance of the app.
The EDPB also mentions that the principles of data minimization, purpose limitation, and data protection by design and by default should be respected at all time. Consequently, location data of individuals should not processed by the app, but instead proximity data should be used. Similarly, measures to prevent re-identification should be implemented because these apps can, in principle, function without direct identification of individuals.
The introduction of COVID-19 tracing and warning apps give rise to several privacy and data protection concerns. Fortunately, we can see that the EU has made efforts to inform and guide government authorities towards an approach that takes these concerns into account. On the other hand, efforts from the private sector (e.g. Google and Apple), although not perfect, have also shown to be promising.