The COVID-19 pandemic has raised multiple questions as to the measures undertaken to tackle the spread of the coronavirus, especially in relation to fundamental rights.
On 8 April, the Fundamental Rights Agency (FRA) published its Bulletin on the impact of responses to the COVID-19 pandemic on fundamental rights. It discusses the initial wave of measures adopted by the EU Member States to address the public health crisis caused by the pandemic. The Bulletin pointed out that the availability and use of data will be key in containing the spread of COVID-19. It recalled the European Commission’s talks with telecommunication operators to assess how data from telecom providers could be transferred to competent scientific authorities while respecting data protection (in relation to contact tracking apps).
Also on 8 April, the European Commission issued a ‘Recommendation to support exit strategies through mobile data and apps.’ This recommendation proposes the establishment of a ‘joint toolbox towards a common coordinated approach for the use of smartphone apps that fully respect EU data protection standards.’ It covers the specifications on the effectiveness of mobile information, measures to avoid the proliferation of incompatible applications, governance mechanisms to be applied by the public health authorities, identification of good practice and sharing data with relevant epidemiological authorities.
Following the publication of the recommendation, on 14 April the European Data Protection Board (EDPB) published an open letter in which it welcomes the Commission’s approach to develop a pan-European response to the COVID-19 pandemic. Importantly, ‘The EDPB considers that the development of the apps should be made in an accountable way, documenting with a data protection impact assessment all the implemented privacy by design and privacy by default mechanisms. In addition, the source code should be made publicly available for the widest possible scrutiny by the scientific community.’ It also supports the Commission’s proposal for a voluntary adoption of such apps and stresses the need for the EDPB’s involvement in the elaboration and implementation of these measures.
Most recently, on 21 April, the EDPB published two guidelines.
Guidelines 03/2020 on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak first address the issue of GDPR compliance in the context of the outbreak and specifically state that the existing legislation does not hinder the measures taken in fighting the pandemic. Furthermore, special derogations exist within the legislation to grant the processing of certain categories of data when necessary for scientific purposes. The Guidelines provide readers with an understanding of: (i) specific definitions; (ii) the legal basis for processing; (iii) data protection principles; (iv) data subjects' rights; and (v) international data transfers.
Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak seek to help public authorities and private actors to tailor the design of data-driven applications so that digital tools can help with the fight against COVID-19. The guidelines state that when designing contact tracing tools and using location data, two principles need to be accounted for:
- Location data should be used to model the spread of the virus and to assess the overall effect of the confinement measures;
- Contact tracing should be used only to notify individuals when they have been in proximity to someone who is a confirmed carrier of the virus. This can then help to minimise the contamination.
The guidelines also recall the current provisions of the ePrivacy Directive and those on anonymised and pseudonymised data, as well as the principles that should be followed in the design and use of tracing apps.
On 17 April, the European Parliament adopted a Resolution on EU coordinated action to combat the COVID-19 pandemic and its consequences, which in recitals 51-53 calls for a privacy-proof use of contact tracing apps. It demands that the apps should not be obligatory, that they should not store information centrally but only in a decentralised manner on the device, and that there be full transparency on the functioning of these apps (open source) as well as on the commercial interests. Importantly, it called for: ‘Commission and the Member States to publish the details of these schemes and allow for public scrutiny and full oversight by data protection authorities (DPA); notes that mobile location data can only be processed in compliance with the ePrivacy Directive and the GDPR; stresses that national and EU authorities must fully comply with data protection and privacy legislation, and national DPA oversight and guidance.’