The situation around the COVID-19 pandemic is entering a new stage. De-confinement measures are being adopted and general travel restrictions are gradually being lifted. As a result, certain governments tend to use modern technologies to track the effects of the adopted strategies, to contain the spread of the virus, and to prevent and mitigate possible second waves. An important tool in this process is the use of mobile contact tracing applications ("COVID-19 Applications"), which are dedicated to recognising individuals who have been in contact with virus carriers so that contamination chains can be interrupted rapidly.

While Luxembourg has so far not chosen to use a COVID-19 Application and has only implemented a "remote monitoring of all patients who test positive for COVID-19 (both those who are in isolation at home and those who have just been discharged from hospital)" on a voluntary basis [1], France and Italy have already released their COVID-19 Applications, StopCOVID and Immuni, respectively.

COVID-19 Applications obviously require compliance with European data protection standards, particularly the EU General Data Protection Regulation [2] ("GDPR"). European institutions have advocated a coordinated approach and the European Data Protection Board ("EDPB") issued its guidelines [3] on April 21, 2020 regarding the rules that shall govern COVID-19 Applications, such as the following:

  • The requirement of a Data Protection Impact Assessment ("DPIA"). As contact-tracing applications are likely to result in a high risk to the rights and freedoms of natural persons, the EDPB considers that a DPIA must be carried out before the implementation of a COVID-19 Application.
  • Lawful bases of processing. The EDPB underlines that the use of COVID-19 Applications must rely on a strict voluntary basis (no one shall be obliged to upload a COVID-19 Application) and that users must remain in absolute control over their own personal data. The EDPB notes that this does not necessarily imply that the processing of personal data will be based on consent. Other lawful bases for processing are available, such as the necessity for the performance of a task carried out in the public interest [4]. Regarding health data [5] (such as the status of an infected person), their processing shall rely either on explicit consent from the data subject or on a specific lawful basis such as the necessity for reasons of public interest in the area of public health [6] or for scientific research purposes or statistical purposes [7].
  • The use of proximity data rather than location data. The EDPB underlines that COVID-19 Applications should not involve the use of location data, but only process proximity information, which is obtained without locating individuals.
  • COVID-19 Applications as a complementary tool to manual contact tracing. COVID-19 Applications should be understood as complementary to manual contact tracing already performed by qualified personnel who are able to evaluate virus transmission chains and respond accordingly. The EDPB therefore recommends that advice and recommendations sent to users should not be based on solely automated processing.
  • Erasure of data. The EDPB recommends that all personal data should be erased or anonymised as soon as the pandemic is over. Personal data should only be kept for the duration of the COVID-19 crisis.

The coming months will show whether the COVID-19 Applications prove to be compliant with these rules and an effective response to control and mitigate the rise in virus infections. Any such strategy must always be guided by existing data protection principles in order to ensure respect for the individual rights and freedoms of the data subject.

Footnotes

1. Press release from the Ministry of Health of 9 April 2020 on the MAELA telemonitoring tool.

2. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

3. Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak: EDPB Guidelines 04/20.

4. Article 6.1 (e) GDPR.

5. Health data qualify as a "special category of personal data" (i.e. sensitive personal data) under the GDPR.

6. Article 9.2 (i) GDPR.

7. Article 9.2 (j) GDPR.

Originally published by Elvinger Hoss, July 2020
