Coronavirus: Guidance to ensure full data protection standards of apps fighting the pandemic
Today, the European Commission has published guidance on the development of new apps that support the fight against coronavirus in relation to data protection. The development of such apps and their take up by citizens can have a significant impact on the treatment of the virus and can play an important role in the strategy to lift containment measures, complementing other measures like increased testing capacities. It is important, however, to ensure that EU citizens can fully trust such innovative digital solutions and can embrace them without fear. The largest possible participation of EU citizens is necessary to exploit the full potential of tracing apps.
EU rules, notably the General Data Protection Regulation (GDPR) and the ePrivacy Directive, provide the strongest safeguards of trustworthiness (i.e. voluntary approach, data minimisation, time limitation) for such apps to operate widely and accurately. This guidance aims to offer the necessary framework to guarantee that citizens have sufficient protection of their personal data and limitation of intrusiveness while using such apps. The European Data Protection Board was consulted on the draft guidance. By committing to those standards, the full effectiveness and compliance of such tools can be ensured, even in times of crisis.
(...)
The guidance focuses on voluntary apps with one or more of the following functionalities:
- accurate information for users on the coronavirus pandemic;
- questionnaires for self-assessment and guidance for individuals (symptom checker functionality);
- alerts for people who have been in proximity of an infected person to get tested or to self-isolate (contact tracing and warning functionality); and
- a communication forum between patients in self-isolation and doctors including where further diagnosis and treatment advice is provided (telemedicine).
Main prerequisites for the development of coronavirus apps
- The role of national health authorities: It must be clearly established from the start who is accountable for compliance with EU personal data protection rules. Given the high sensitivity of the data and the ultimate purpose of the apps, the Commission sees this as a role for national health authorities, who would in turn be responsible for ensuring GDPR compliance in their use of data collected, including providing individuals with all necessary information related to the processing of their personal data.
- Users remain in full control of their personal data: The installation of an app on a user's device should be voluntary; a user should be able to give their consent to each functionality of an app separately. If proximity data is used, it should be stored on an individual's device and only shared with the user's consent; users should be able to exercise their rights under the GDPR.
- Limited use of personal data: An app should adhere to the principle of data minimisation, which requires that only personal data that is relevant and limited to the purpose in question can be processed. The Commission considers location data not necessary for the purpose of contact tracingand advises not to use location data in this context.
- Strict limits on data storage: Personal data should not be kept for longer than necessary. Timelines should be based on medical relevance as well as the realistic duration for necessary administrative steps to be taken.
- Security of data: Data should be stored on an individual's device and encrypted.
- Ensuring the accuracy of the data processed: It is a requirement under EU personal data protection rules that any personal data processed by a third party must be accurate. To ensure maximum accuracy, which is also essential for the efficiency of contact tracing apps, technology such as Bluetooth should be used to provide a more precise assessment of individuals' contact with one another.
- Involvement of national data protection authorities: Data protection authorities should be fully involved and consulted in the development of an app and should be tasked with reviewing the deployment of an app.