Guidelines to strengthen data protection and individual rights.

RB – 05/2020

On 7 May, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) discussed the use and protection of personal data in the fight against the spread of the coronavirus. The virtual meeting was attended by the Chair of the European Data Protection Committee (EDSA), Andrea Jelinek, and the European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski.

Moral obligation and digital solidarity

Currently, there are discussions at European and national level on the different ways of using available data and technologies to help fight COVID-19. The European Data Protection Supervisor has appealed to the moral obligation to use all available technologies. However, there is also a responsibility to minimise interference with individual rights and freedoms and to respect the right to personal data protection.

Whereas some apps purely provide information, others use geodata to monitor the spread of the virus. There are currently no apps in the EU that can locate infected persons. The main field of application in the EU is currently smartphone applications which use defined parameters (distanced, time) to indicate to the user that they have possibly been infected due to contact with a confirmed infected person. ‘Immunity passports’ or ‘green codes’, which prove a person who had the virus is now immune to it, are being looked at by the EDPS with the utmost caution. As a result of these discussions, the EDPS has published the first issue of TechDispatch, which is dedicated to the topic of digital contact tracing.

Integrating tracing apps securely into the overall strategic concept

In order to prevent new waves of infection, many EU Member States are working on the development and use of tracing apps. The Chair of the European Data Protection Committee stressed that these apps can only support the easing of distancing restrictions as part of an overall strategy. It is important that trust in these applications be established through voluntary use. If the protection of personal data is not ensured, then tracing apps will not be successful.

Ensuring that the EU General Data Protection Regulation is consistently applied is a core task of the EU Data Protection Committee. In response to recent events, the EDPB has adopted guidelines on the development of contact tracing apps and the use of location data. The guidelines make specific reference to using the current General Data Protection Regulation and the Directive on privacy and electronic communications. In addition, the guidelines state that the following aspects should be taken into account when developing tracing apps:

  • The general principles of effectiveness, necessity and proportionality must be followed when processing personal data.
  • The use of tracing apps must be completely voluntary. An individual who decides not to use such apps must not suffer any disadvantages.
  • Individuals must be able to access their data at any time and to delete it.
  • The use and processing of data must be transparent. This also includes clearly defining limitations on data use.
  • Algorithms used must be strictly monitored to minimise false positives or false negatives.
  • Source codes should be made publicly available to the widest possible scrutiny of the scientific community.
  • Location data is not necessary for contact tracing and should not be used for this purpose.

The guidelines show that data protection and health protection are not mutually exclusive. The flexible and efficient application of the EU General Data Protection Regulation to changing conditions makes it possible to safeguard individual rights and data protection, including as part of the fight against the COVID-19 pandemic.