
Digital contact tracing with apps
Guidelines to strengthen data protection and individual rights.
RB – 05/2020
On 7 May, the European Parliament Committee on Civil Liberties, Justice and Home Affairs
(LIBE) discussed the use and protection of personal data in the fight against
the spread of the coronavirus. The virtual meeting was attended by the Chair of
the European Data Protection Committee (EDSA), Andrea Jelinek, and the European
Data Protection Supervisor (EDPS), Wojciech Wiewiórowski.
Moral obligation and digital solidarity
Currently, there are discussions at European and national level on the different ways of
using available data and technologies to help fight COVID-19. The European Data
Protection Supervisor has appealed to the moral obligation to use all available technologies.
However, there is also a responsibility to minimise interference with
individual rights and freedoms and to respect the right to personal data
protection.
Whereas some apps purely provide information, others use geodata to monitor the spread
of the virus. There are currently no apps in the EU that can locate infected
persons. The main field of application in the EU is currently smartphone
applications which use defined parameters (distance, time) to indicate to the
user that they have possibly been infected due to contact with a confirmed
infected person. ‘Immunity passports’ or ‘green codes’, which prove a person
who had the virus is now immune to it, are being looked at by the EDPS with the
utmost caution. As a result of these discussions, the EDPS has published the first issue of TechDispatch, which is dedicated to the topic of
digital contact tracing.
Integrating tracing apps securely into the overall strategic concept
In order to prevent new waves of infection, many EU Member States are working on the
development and use of tracing apps. The Chair of the European Data Protection
Committee stressed that these apps can only support the easing of distancing
restrictions as part of an overall strategy. It is important that trust in these
applications be established through voluntary use. If the protection of
personal data is not ensured, then tracing apps will not be successful.
Ensuring that the EU General Data Protection Regulation is consistently applied is a
core task of the EU Data Protection Committee. In response to recent events,
the EDPB has adopted guidelines on the development of contact tracing
apps and the use of location data. The guidelines make specific reference to
using the current General Data Protection Regulation and the Directive on privacy and electronic communications. In addition, the guidelines state
that the following aspects should be taken into account when developing tracing
apps:
- The general principles of effectiveness, necessity and proportionality must be
  followed when processing personal data.
- The use of tracing apps must be completely voluntary. An individual who decides
  not to use such apps must not suffer any disadvantages.
- Individuals must be able to access their data at any time and to delete it.
- The use and processing of data must be transparent. This also includes clearly
  defining limitations on data use.
- Algorithms used must be strictly monitored to minimise false positives or
  false negatives.
- Source code should be made publicly available for the widest possible scrutiny
  by the scientific community.
- Location data is not necessary for contact tracing and should not be used for
  this purpose.
The guidelines show that data protection and health protection are not mutually
exclusive. The flexible and efficient application of the EU General Data
Protection Regulation to changing conditions makes it possible to safeguard
individual rights and data protection, including as part of the fight against
the COVID-19 pandemic.