EU data protection guidance on Covid-19 apps
23 April 2020
On 16 April 2020, the European Commission issued a Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection (the Guidance). The aim is to set out requirements which apps should meet to ensure compliance with EU privacy legislation, in particular the GDPR and the ePrivacy Directive.
The Guidance is designed for ‘voluntary apps supporting the fight against Covid-19 pandemic’, such as apps (i) providing accurate information to individuals about the Covid-19 pandemic, (ii) with a symptom checker functionality, (iii) with a contact tracing and warning functionality and/or (iv) which provide a communication forum between patients and doctors in situations of self-isolation or where further diagnosis and treatment advice is provided (use of telemedicine).
According to this Guidance, the apps should incorporate the following guarantees:
- identify the correct controllers (it is even recommended that these apps are designed in such a manner that the national health authorities are the controllers);
- ensure that the individual remains in control;
- provide the precise legal basis for processing as well as its precise purpose;
- adhere to the principle of data minimisation: e.g. if the purpose of the functionality is symptom checking or telemedicine, these purposes do not require access to the contact list of the person owning the device;
- limit the disclosure of and access to data: for instance, no information stored in and accessed from terminal equipment can be shared with health authorities beyond what is necessary for the information functionality; for a symptom checker functionality, however, it can be useful that responsible health authorities and national epidemiological authorities get access to the information provided by the patient;
- set strict limits to data storage: the principle of storage limitation requires that personal data may not be kept for longer than necessary. Therefore, timelines should be based on medical relevance (depending on the purpose of the app: the incubation period, etc.) as well as realistic durations for administrative steps that may need to be taken; and
- ensure the security of the data and the accuracy of the data: e.g. proximity data should only be generated and stored on the terminal device of the individual in encrypted and pseudonymised format.
Furthermore, the Commission recommends that the Data Protection Authorities should be fully involved and consulted in the context of the development of the app and that they should monitor its use. A Data Protection Impact Assessment (DPIA) is likely to be needed, since the processing of data in the context of the app will qualify as processing on a large scale of special categories of data (health data).
While the scope of the Guidance is limited (it does not cover apps aimed at enforcing quarantine requirements, nor mandatory apps) and the Guidance is not legally binding, it nonetheless has important directional value, as it includes contributions from the European Data Protection Board (EDPB) and follows the Commission’s Recommendation and publication of the EU toolbox for the use of mobile applications for contact tracing and warning in response to the Covid-19 pandemic published on 16 April 2020. Note that the Belgian Data Protection Authority has also recently issued a short statement to recall the principles applicable to Covid-19 related apps.