As we anticipated in a previous blog post, on April 22, 2020, the European Data Protection Board (“EDPB”) issued new guidelines on the use of location data and contact tracing apps in the context of the present COVID-19 pandemic.
The EDPB’s new guidelines complement and build on similar guidance previously issued by the Board itself (see here, here and here), and by the European Commission (see our blog post here).
The EDPB’s close scrutiny over the use of mobile data and apps in the context of the ongoing public health crisis is unsurprising, as many EU Member States have launched—or are in the process of launching—contact tracing apps to fight the spread of the virus, and these initiatives are receiving great attention by data privacy authorities and the general public (see our blog post here).
The guidelines aim to clarify the data protection conditions and principles that should be followed when:
- using location data to model the spread of the virus to assess the overall effectiveness of confinement measures; and
- using contact tracing apps, which aim to notify individuals who may have been in close proximity to someone who is infected or confirmed as a carrier of the virus, in order to break the contamination chain as early as possible.
The EDPB stresses that EU data protection rules have been designed to be flexible and, as such, do not stand in the way of an efficient response to the pandemic. However, it notes that governments and private actors should be mindful of a number of considerations when they use data-driven solutions in response to the COVID-19 outbreak.
(1) Use of Location Data
In practice, location data can be used for modeling the spread of the virus and monitoring the overall effectiveness of confinement measures. Location data may be obtained from: (i) electronic communication service providers (e.g., mobile telecommunication operators); or (ii) information society service providers where their services require the use of such data (e.g., navigation, transportation services, etc.).
The EDPB notes that different data protection conditions apply depending on which party is the source of the location data.
Location data collected from electronic communication service providers: location data collected from electronic communication service providers may only be processed in accordance with Articles 6 and 9 of the ePrivacy Directive. This means that these data may only be transmitted to authorities or other third parties where the data have been anonymized by the provider or, for data indicating the geographic position of the terminal equipment of a user, where it does not also constitute traffic data (where separate rules apply), with the prior consent of the user.
Location data collected by an information society service provider: the collection of location data directly from the terminal equipment of the user (e.g., a smartphone) must comply with Article 5(3) of the ePrivacy Directive. This means that the storing of information on the user’s device or gaining access to the information already stored in the device is allowed only if: (i) the user has given their consent; or (ii) the storage and/or access is strictly necessary for providing the information society service that the user has explicitly requested. These are the requirements that information society service providers must normally meet to collect location data through an app installed on the device of the user.
According to the Board, the re-use of such location data collected by an information society service provider for modelling purposes must comply with additional conditions:
- data collected in compliance with Article 5(3) of the ePrivacy Directive may be further processed only with the additional consent of the data subject; or
- on the basis of a specific EU or Member State law that is necessary and proportionate to safeguard the objectives referred to in Article 23(1) GDPR (e.g., important objectives of public health).
Possible derogations under EU or Member State law: the EDPB underlines that Member States (or the EU) may introduce specific derogations to the above requirements of the ePrivacy Directive through emergency legislation specific to the COVID-19 outbreak. However, such laws must be necessary, appropriate and proportionate.
Focus on the use of anonymized location data: the EDPB stresses that whenever possible, the processing of anonymized location data should be preferred over the processing of identifiable data. The Board acknowledges that rendering data anonymous is highly complex, but suggests that options for effective anonymization of mobile phone datasets do exist. The robustness of any anonymization methods should be assessed in accordance with a “reasonability test” (i.e., a case-by-case contextual evaluation of the ability to link the data with an identified or identifiable natural person against any “reasonable” effort of re-identification).
(2) Contact Tracing Apps
The EDPB does not raise objections to the use of contact tracing apps as such. However, the Board’s view is that the use of such apps should be subject to the following limitations and requirements:
- The use of the apps should be voluntary. This would imply that individuals who decide not to or cannot use such apps should not suffer from any disadvantage.
- Data processed through such apps should be reduced to the strict minimum. The app should not collect unrelated or unnecessary information, such as civil status, communication identifiers, equipment directory items, messages, call logs, location data, device identifiers, and so forth.
- The controller of the data should be clearly identified. This could be a national health authority or others. In any event, the responsibilities and roles of all the actors involved in the running of the app should be clearly defined.
- The purposes that the app serves should be specified in great detail, and should exclude purposes unrelated to the management of the COVID-19 health crisis (e.g., commercial or law enforcement purposes). The purposes of the app should also be adequate, necessary and proportionate.
- The app should not trace individual movements, but rather rely on proximity information regarding the user. This suggests a preference for the use of Bluetooth technology, rather than GPS technology.
- Data broadcasted by the apps must be limited to unique and pseudonymized identifiers, generated by and specific to the app. Moreover, the EDPB stresses that contact tracing apps can function without direct identification of individuals, and that appropriate measures should be put in place to prevent re-identification.
- State-of-the-art cryptographic techniques must be implemented to secure the data stored in servers and applications, exchanges between applications and the remote server.
- The data collected by the app should reside on the terminal equipment of the user and relevant information only should be collected when absolutely necessary. In this regard, the EDPB notes that contact tracing can follow either a centralized or a decentralized approach, but would seem to express a preference for a decentralized solution, where data are not aggregated into a single dataset.
- Regarding legal bases, the Board notes that the fact that an app is used on a voluntary basis does not necessarily mean that the relevant processing of personal data will be based on consent. Other legal bases may be relevant; in particular Article 6(1)(e) (e.g., processing for the performance of a task in the public interest) may apply. However, to rely on the latter legal basis, Member States should adopt a specific legislative measure defining the purpose of the processing, and offering appropriate safeguards.
- As for data retention, the personal data collected thorough the app should be kept only for the duration of the COVID-19 crisis. Afterwards, as a general rule, all personal data should be deleted or anonymized.
- The app should operate under the strict supervision of qualified healthcare professionals.
- Any app-related algorithms must be auditable and should be regularly reviewed by independent experts. Moreover, an app’s source code should be made publicly available.
- A data protection impact assessment (DPIA) should be carried out before implementing an app, as the relevant data processing is likely to be of high risk. The EDPB strongly recommends the publication of DPIAs.
- Any server involved in the contact tracing system must only collect the contact history or the pseudonymous identifiers of a user diagnosed as infected. The reporting of users as COVID-19 infected on an app must be subject to proper authorization, for example through a single-use code tied to a pseudonymous identity of the infected person and linked to a COVID-19 testing facility or healthcare professional. If confirmation cannot be obtained in a secure manner, no data processing should take place that presumes the validity of the user’s status.
Interestingly, many of the apps that Member States have launched so far do not seem to meet all of the above requirements. For example, many Member States have not published a DPIA or the source code of their apps. Thus, it is likely that some of the apps currently in use will need to be modified or further steps taken by the operators of the apps to comply with the recommendations of the EDPB.
Finally, it should be noted that on April 22, 2020, the EDPB also issued guidelines on the processing of health data for the purpose of scientific research in the context of the COVID-19 outbreak, which we will discuss in a separate blog post.