European Data Protection Board Issues Letter on COVID-19 Contact Tracing Apps

April 16, 2020Alerts

The European Data Protection Board (EDPB) adopted a letter concerning the European Commission's draft guidance on apps supporting the fight against the COVID-19 pandemic.

Key Takeaways

  • The EDPB welcomes the Commission’s initiative in developing a pan-European and coordinated approach.
  • No one-size-fits-all solution applies to the matter at stake.
  • The impact to individuals' health must be considered.
  • Envisaged technical solutions need to be examined in detail, on a case-by case basis.
  • The EU data protection authorities need to be consulted to ensure that personal data is processed lawfully.


  • Apps should be developed in an accountable way, documenting with a data protection impact assessment all implemented privacy by design and privacy by default mechanisms.
  • The source code of the apps should be made publicly available for the widest possible scrutiny by the scientific community.
  • Even though wide use is key for the effectiveness of contact tracing apps, the use of the apps should be voluntary, relying on people's collective responsibility

Legal Basis

  • Even though the use is voluntary, the most relevant legal basis for data processing in the apps is the necessity for the performance of a task for public interest. This is because the apps are a service provided by public authorities pursuant to a mandate assigned to them by law.
  • National laws are enacted, promoting the voluntary use of the app without any negative consequence for the individuals not using it could be another legal basis for the processing.

Education and Awareness

  • Laws promoting use of the apps could be accompanied by appropriate communications activities at the national level to promote such tools, with awareness-raising campaigns and assistance to minors, to the impaired or to less-skilled or educated parts of the population, in order to avoid scattered adoption.


  • Contact tracing apps do not require location tracking of individual users.
  • The main function of such apps is to discover events (contacts with positive persons), which are only likely and for the majority of users may not even happen, especially in the de-escalation phase.
  • Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimization. In addition, doing so would create major security and privacy risks.

Functions in the App

  • Health authorities and scientists are well placed to identify what constitutes an event to be shared, where and when it happens, under a strict necessity test as required by the law, and they should define some of the functional requirements of the app.
  • Both local data storage within individuals’ devices, or centralized storage can be valid alternatives, provided that adequate security measures are in place, and that different entities may also be considered as controllers depending on the ultimate objective of the app. However, the decentralized solution is more in line with the minimization principle.
  • Algorithms used in contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives, and by no means should the task “to provide advice on next steps” be fully automated.
  • A call-back mechanism should be put in place where the person is given a telephone number or a contact channel to get more information from a human agent.
  • In order to avoid stigmatization, no potential identifying element of any other data subject should be part of this “advice,” nor should the use of the app, or part of it (such as dashboards, configuration settings etc.), allow the re-identification of any other persons, infected by COVID-19 or not.
  • Directly identifying data should not be stored in users’ devices and such data should be in any case deleted as soon as possible.

Purpose of the App

  • These apps are not social platforms for spreading social alarm or giving rise to any sort of stigmatization. In fact, they should be tools for empowering people to do their part.
  • The objective is “for public health authorities to identify the persons that have been in contact with a person infected by COVID-19 and ask him/her to self-quarantine, rapidly test them, as well as to provide advice on next steps, if relevant, including what to do if developing symptoms."
  • Informing a person, via an in-app notification, may be done in such a way that the application processes only random pseudonyms.
  • A mechanism should ensure that whenever a person is declared as COVID-positive, the information entered in the app is correct, since this may trigger notifications to other people concerning the fact that they have been exposed.
  • Such mechanism could be based, for instance, on a one-time code that can be scanned by the person when the result of a test is given to him/her.
  • Every individual contact must be performed only by health authorities after assessing strong data evidence, with the least amount of inference.


  • Once this crisis is over, such an emergency system should not remain in use, and as a general rule, the collected data should be erased or anonymized.
  • The EDPB and its members, in charge of advising and ensuring the correct application of the GDPR and the e-Privacy Directive, should be fully involved in the whole process of elaboration and implementation of these measures.
  • The EDPB intends to publish guidelines in the upcoming days on geolocation and other tracing tools in the context of the COVID-19 outbreak.

Odia Kagan is Chair of the firm's GDPR Compliance & International Privacy Practice. She can be reached at 215.444.7313 or [email protected].

Additional Information