European Commission Issues Common EU Toolbox for Contact-Tracing Apps

April 20, 2020Alerts

The European Commission has laid out considerations for a common European Union toolbox for using technology and data to combat and overcome the COVID-19 crisis.

Key Takeaways:

Data Protection Considerations

With particular regard to the use of COVID-19 mobile warning and prevention applications, the following principles should be observed:

  1. Safeguards ensuring respect for fundamental rights and prevention of stigmatization, in particular applicable rules governing protection of personal data and confidentiality of communications
  2. Preference for the least intrusive, yet effective measures, including the use of proximity data and the avoidance of processing data on the location or movements of individuals, and the use of anonymized and aggregated data where possible
  3. Technical requirements concerning appropriate technologies (e.g. Bluetooth Low Energy) to establish device proximity, encryption, data security, storage of data on the mobile device, possible access by health authorities and data storage
  4. Effective cybersecurity requirements to protect the availability, authenticity, integrity and confidentiality of data
  5. The expiration of measures taken and the deletion of personal data obtained through these measures when the pandemic is declared to be under control, at the latest
  6. Uploading of proximity data in case of a confirmed infection and appropriate methods of warning persons who have been in close contact with the infected person, who shall remain anonymous
  7. Transparency requirements on the privacy settings to ensure trust into the applications.

With Respect to the Use of Mobility Data, Consider:

  1. The appropriate use of anonymous and aggregated mobility data for modelling to understand how the virus will spread and modelling of the economic effects of the crisis
  2. Advice to public authorities on asking providers of the data for the methodology that they have applied for anonymizing the data and to carry out a plausibility test of the methodology applied
  3. Safeguards to be put in place to prevent de-anonymization and avoid re-identification of individuals, including guarantees of adequate levels of data and IT security, and assessment of re-identification risks when correlating the anonymized data with other data
  4. Immediate and irreversible deletion of all accidentally processed data capable of identifying individuals and notifying the providers of the data as well as competent authorities of the accidental processing and deletion
  5. Deletion of the data in principle after 90 days, or in any event no later than when the pandemic is declared under control
  6. Restricting processing of the data exclusively for the purposes stated above and exclude sharing of the data with any third party.

Odia Kagan is Chair of the firm's GDPR Compliance & International Privacy Practice. She can be reached at 215.444.7313 or [email protected].