Publication date: 23/04/2020
The EU Commission (recommendation and guidance), the European Data Protection Board (EDPB) (statement summarised in our previous ezine, letter and guidelines below) and some Data Protec1tion Authorities have been quite busy the last days regarding the legal framework of tracing apps as one of the complementary measures to a broader set of measures for fighting the virus.
Since some of the envisaged apps raise possible issues regarding compliance with the GDPR and the ePrivacy Directive and many questions amongst possible users and authorities, the EDPB adopted on 21 April 2020 the guidelines No 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak.
You will find hereafter the key takeaways of these guidelines.
1 WHAT IS A CONTACT?
For a contact-tracing app, a contact is a user who has participated in an interaction with a user confirmed to be a carrier of the virus, and whose duration and distance induce a risk of significant exposure to the virus infection.
2 DOES THE APP REQUIRE THE COLLECTION OF PERSONAL DATA?
Yes. Such app will most likely collect some personal data of the user. It may however only collect the personal data that are necessary for the purposes (see point 7) in order to comply with data minimisation and privacy by design and default principles.
3 IS THE CONTROLLER ALLOWED TO COLLECT LOCATION DATA?
In principle, no. The app must not collect location data for the purpose of contact-tracing. The latter should not rely on location tracking of individual users but rather on proximity information. This can be done via Bluetooth signals. Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimisation and privacy by default and by design.
Location data can be processed for the sole purpose of allowing the app to interact with similar apps in other countries and should be limited in precision to what is strictly necessary for this sole purpose. The EDPB emphasises that when it comes to using location data, preference should always be given to the processing of anonymised data rather than personal data.
4 MUST PERSONAL DATA BE ANONYMISED?
Personal data will indisputably be pseudonymised. As contact-tracing apps can function without direct identification of individuals, appropriate measures should be put in place to prevent re-identification.
If the measures implemented do no longer allow re-identification, even if they are combined with other (also third party) data (e.g. IP addresses are always personal data because, with the help of a telecom operator, re-identification can be carried out), they can be considered anonymous. If that is the case, the GDPR will not apply.
5 WHAT KIND OF INFORMATION DOES THE CONTROLLER NEED TO PROVIDE TO THE USER AND WHEN?
6 DOES THE USER NEED TO PROVIDE (EXPLICIT) CONSENT BEFORE DOWNLOADING THE APP? OR CAN ANOTHER LEGAL GROUND BE INVOKED TO PROCESS PERSONAL DATA?
The EDPB notes that contact-tracing apps involve storage and/or access to information already stored in the terminal, which are subject to Article 5 (3) of the ePrivacy Directive. If those operations are strictly necessary in order for the provider of the app to provide the service explicitly requested by the user, the processing would not require his/her consent. For operations that are not strictly necessary, the provider would need to seek the consent of the user.
The use of such kind of app will only be on a voluntary basis for each of the respective purposes. The EDPB notes however that this does not mean that the processing of personal data by public authorities has necessarily to be based on the consent. When public authorities provide a service, based on a mandate assigned by and in line with requirements laid down by law, it appears that the most relevant legal basis for the processing is the necessity for the performance of a task for public interest (Art. 6 (1) (e) GDPR).
However, the legal basis or legislative measure that provides the lawful basis for the use of contact-tracing apps should incorporate meaningful safeguards including a reference to the voluntary nature of the app. A clear specification of purpose and explicit limitations concerning the further use of personal data should be included, as well as a clear identification of the controller(s) involved. The categories of data as well as the entities to (and purposes for which, the personal data may be disclosed) should also be identified.
In case consent is used as legal ground, the consent of the user must be freely given, specific, informed and unambiguous. One or more tick box(es) have to be provided before downloading the app. Evidence of the consent has to be kept.
In any case, users should be free to install and uninstall the app at will, at any time.
7 WHAT ARE THE PERMITTED PURPOSES OF THE PROCESSING?
According to the guidance of the EDPB, the use of the contact-tracing app has to be limited to the following purposes:
- using location data to support the response to the pandemic by modelling the spread of the virus in order to assess the overall effectiveness of confinement measures;
- using contact tracing, which aims to notify individuals who may have been in close proximity to someone who is eventually confirmed as a carrier of the virus, in order to break the contamination chains as early as possible.
8 WHO IS THE CONTROLLER?
In order to ensure accountability, the controller of any contact-tracing app should be clearly identified. The EDPB considers that the national health authorities could be the controllers for such app but other controllers may also be envisaged. In any case, if the deployment of contact tracing apps involves different actors, their roles and responsibilities must be clearly established in agreements (data processing agreement, possible joint controller agreement) from the outset and be explained to the users in the fair processing notice.
9 WHO MAY ACCESS THE PERSONAL DATA?
The recipients having access to the personal data will have to be limited and clearly identified. An employer may not have access.
10 WHERE SHOULD PERSONAL DATA BE STORED?
Another debated issue is the storage of personal data. Two main options are envisaged: local data storage within the individuals’ devices or centralised storage.
The EDPB is of the opinion that both can be valid alternatives, provided that adequate security measures are in place. In any case, the EDPB underlines that the decentralised solution is more in line with the principle of data minimisation. The collected information should reside on the terminal equipment of the user and only the relevant information should be collected when absolutely necessary.
Any server involved in the contact-tracing system must only collect the contact history or the pseudonymous identifiers of a user diagnosed as infected as the result of a proper assessment made by health authorities and of a voluntary action of the user. Alternately, the server must keep a list of pseudonymous identifiers of infected users or their contact history only for the time needed to inform potentially infected users of their exposure and should not try to identify potentially infected users.
11 FOR HOW LONG MAY PERSONAL DATA BE KEPT?
The controller should keep the personal data only for the duration of the COVID-19 crisis. At the end of the use of the app (because uninstalled by the user or because the COVID-19 measures are no longer needed), all personal data must be deleted or anonymised and can no longer be processed except as prescribed by law.
12 IS THE USER ENTITLED TO EXERCISE HIS/HER RIGHTS?
Yes. Users must be able to exercise their rights via the app, including their right to rectification and erasure.
13 CAN AUTOMATED DECISIONS BE TAKEN BASED ON THE CONTACT TRACING APP?
No. The EDPB underlines that procedures and processes including respective algorithms implemented by the contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives or negatives. In particular, the task of providing advice on next steps should not be based solely on automated decision-making.
Therefore, it is doubtful that an employer could oblige an employee to remain at home in case the latter would have informed his employer that (s)he been in contact with an infected person.
14 WHAT SPECIFIC SECURITY MEASURES SHOULD BE IMPLEMENTED?
Adequate security measures have to be implemented in order to, amongst others, avoid data breaches.
In this respect, the EDPB recommends that state-of-the-art cryptographic technologies be implemented to secure the data stored in servers and apps and exchanges between apps and the remote server. Mutual authentication between the app and the server must also be performed. The central server must not keep network connection identifiers (e.g., IP addresses) of any users including those who have been positively diagnosed and who transmitted their contacts history or their own identifiers. Further (non-exhaustive) recommendations are listed in the guidelines.
15 MUST A DPIA BE CARRIED OUT BEFORE LAUNCHING THE APP?
The EDPB considers that a data protection impact assessment (DPIA) must be carried out before launching contact-tracing apps since the processing is considered likely high risk (health data, anticipated large-scale adoption, systematic monitoring, use of new technology).
The EDPB strongly recommends the publication of DPIAs.