Contact-tracing apps to get EU guidance as privacy regulators back Commission's approach

15 April 2020 06:37 by Matthew Newman

Contact-tracing apps will benefit from a “pan-European and coordinated approach” to regulation after European data-protection authorities endorsed the European Commission’s draft guidance, MLex has learned.

Momentum is building among both businesses and regulators to roll out contact-tracing apps, which inform citizens when they have crossed paths with someone who later tested positive for Covid-19. Last week, Google and Apple said they are working together to release Bluetooth-based apps for their mobile platforms that would work with each other.

Now Andrea Jelinek, the president of the European Data Protection Board, has strongly backed the commission’s principles for regulating these apps, in a letter dated 14 April 2020 and seen by MLex.

“The EDPB welcomes the commission’s initiative in developing a pan-European and coordinated approach, where mobile applications may become one of the proposed measures to empower individuals in the response to fight the pandemic,” Jelinek wrote.

The commission’s guidance to national regulators and governments is that contact-tracing apps should work with each other across platforms and include safeguards to ensure the protection of citizens’ fundamental rights, MLex reported last week. EU governments must also ensure that the technology isn’t used for “mass surveillance.”

The apps must be voluntary, use anonymous data, and all proximity data should be deleted from users’ phones or central servers as soon as it’s no longer necessary for alerting the individual, the commission said.

Technological momentum

Following signs that infection rates are slowing or reaching a plateau, European governments are studying how they could deploy technical solutions — combined with more testing and continued social distancing — to help gradually lift stay-at-home orders and get people back to work. Italy, France and the UK are actively considering contact-tracing apps.

In Europe and the US, researchers and developers are scrambling to develop an app that would warn someone when they come into contact with someone who has tested positive for Covid-19.

These apps, which would be downloaded on smartphones, send out Bluetooth signals and keep a log of nearby devices. If somebody gets infected, that user can upload relevant data to a central server run by a public entity, which then notifies the owners of all the devices pinged by the infected person’s phone.

People who receive an alert would know that they should be tested and go into self-isolation. The goal is to prevent the epidemic from starting again when governments start lifting lockdown orders and people begin circulating in public.


A separate document prepared by the European Data Protection Supervisor, which took part in developing the guidelines as a member of the EDPB, said that these apps “have (and will continue to play) an important role in managing the current crisis.”

“Contact tracing apps may play a useful role in the de-confinement strategy, in particular if they are used as a tool to empower, rather than to control, repress or stigmatize citizens,” according to the document seen by MLex.

The EDPS has also welcomed the initiative by Google and Apple, saying that it “seems to tick the right boxes as regards user choice, data protection by design and pan-European interoperability”.

The national data-protection authorities, which plan to publish guidelines “on geolocation and other tracing tools” in the “coming days,” reviewed the commission’s guidance to assess the “overall goal of the envisaged apps” and “to verify whether they are in line with data protection principles.”

The EU body said that ensuring that smartphones can talk to each other — known as interoperability — and smoothing out differences in app designs would boost their acceptance by the “largest share of the population” and thus help them achieve “maximum efficiency.”

An Oxford University study has found that 60 percent of the population would have to use the contact-tracing app for it to be effective in controlling the spread of the coronavirus.


The EDPB said a key element of building trust among people would be to ensure that the app is voluntary.

“The EDPB strongly supports the commission’s proposal for a voluntary adoption of such apps, a choice that should be made by individuals as a token of collective responsibility,” the letter said. “Voluntary adoption is associated with individual trust, thus further illustrating the importance of data protection principles.”

Under the EU’s data protection rules, personal data can only be processed if a user has given “informed” consent or under another legal basis. The EDPB said that the fact that a contact-tracing app is used on a voluntary basis doesn’t mean that a health authority’s processing of that data is based on consent.

Governments’ national laws, which promote the voluntary use of the app without any negative consequences for those who don’t, “could be the legal basis for the use of the apps,” the EDPB said in the letter.

“Such legislative interventions should accordingly not be intended as a means to push for compulsory adoption, and the individuals should be free to install and uninstall the app at will,” the letter said.


The EU data-protection authorities made it clear that European governments shouldn’t deploy apps that would track citizens with geolocation technology.

In several Asian countries, notably China, South Korea, Taiwan and Hong Kong, mobile apps have used geolocation technology to track people infected with the virus and to enforce quarantines.

“Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimization. In addition, doing so would create major security and privacy risks,” the EDPB said.

The EDPS said the commission should recommend that governments include a number of legal safeguards in their rules for contact-tracing apps, including limits on reusing the personal data after the emergency, the specific types of data to be processed, which entities the data may be disclosed to, and the specific data controller.

"The EDPS also suggests that conservation periods must be clearly defined," the authority said, adding that the rules should define "when the individual user data is deleted."

Finally, the EDPS said that “data protection by design and by default” will be essential to boost citizens’ confidence “that the information collected through the app will not be used against them, as a tool of control or repression rather than empowerment.”

The EDPB, in its letter, said that algorithms used in contact-tracing apps that alert users about infected persons should work “under the strict supervision of qualified personnel” to limit the occurrence of any “false positives and negatives.”

“By no means the task ‘to provide advice on next steps’ should be fully automated,” the EDPB said.

False positives are generated when one user’s phone comes near the phone of an infected person, but there is no chance of transmission, perhaps because of a wall or protective equipment between people.
