On April 8, 2020, the European Commission (the Commission) released its recommendation for a pan-EU approach on the use of technology and data to combat the COVID-19 pandemic (the Recommendation).

The Commission calls for the creation of a “toolbox” consisting of practical measures taken at the EU level to address the use of mobile applications to inform individuals or monitor infected persons (COVID-19 mobile apps) and address the use of anonymized population data to analyze the evolution of the pandemic in the EU. While the Recommendation does not specify the measures to be included in the toolbox, it provides a roadmap to promote the harmonization of these measures across all EU member states.

The Recommendation closely follows the European Data Protection Board’s (EDPB) commitment to accelerate the development of guidance to respond to the COVID-19 crisis[1]. In line with the EDPB’s views, the Recommendation aims to ensure that the use of technology to tackle the pandemic is compatible with EU privacy and data protection rules. It provides key privacy principles that the toolbox should follow, and states that further guidance addressing the privacy aspects of mobile apps and data analytics in the context of the COVID-19 crisis will follow.

A Common EU Approach to COVID-19 Mobile Apps

The Recommendation highlights the potential of apps to inform, warn, or trace individuals to manage the COVID-19 outbreak. To ensure a pan-EU approach to the use of COVID-19 mobile apps, the Commission recommends that the toolbox include specifications, support measures, governance mechanisms, a guide to good practices, and rules on the sharing of data with public health authorities. The Recommendation stresses that COVID-19 mobile apps should be interoperable, including to allow the detection of proximity encounters between users of different contact-tracing apps.

Notably, the Commission indicates that the toolbox should go beyond compliance with the EU’s data protection rules and promote privacy-friendly technologies. For instance, careful consideration should be given to the type of technology deployed, such as proximity data or location-based data processing, and the use of anonymized or aggregated data where possible.

Companies developing COVID-19 mobile apps may rely on the toolbox to understand their regulatory obligations across the EU. However, it remains to be seen whether the toolbox will cover all regulatory requirements, such as regulations on medical devices and other product requirements.

A Strategy on the Use of Anonymous Population Data

The Recommendation acknowledges that the analysis of population data may facilitate predicting the diffusion of the virus and assessing the effectiveness of confinement rules adopted across the EU. This is consistent with other EU initiatives, such as requesting telecoms operators to disclose anonymous metadata to the Commission for research and model-making purposes.[2] The data collected for these purposes should be anonymized and aggregated in the first instance, given that the European Data Protection Supervisor (EDPS) indicated that effectively anonymized data is outside the scope of the EU’s data protection rules.

With respect to population data being used to predict the diffusion of the virus and to assess the effectiveness of confinement rules adopted across the EU, the Commission recommends measures governing the use of anonymized data for public health purposes and testing the effectiveness of data anonymization (such as plausibility tests for the identified anonymization techniques). To ensure that the use of data does not undermine data protection rules, the toolbox will include safeguards to prevent re-identification of data and will provide for the erasure of all data which may be used to identify an individual, as well as the restriction of the processing of such data strictly to COVID-19 purposes. Furthermore, all data should be deleted after 90 days or, in any event, once the COVID-19 crisis has been declared to be “under control.”

Once the toolbox is adopted, national authorities across the EU may decide to revamp their efforts to collect anonymized data and carry out data analytics to inform public health decisions.

Next Steps

The Commission has called on EU member states to immediately make the measures listed in the Recommendation available for peer review, with EU member state and Commission observations on such measures to be submitted before April 15, 2020. The pan-EU approach for COVID-19 mobile applications will also be published on that date. According to the Recommendation, the Commission will develop guidance on privacy and data protection, which will complement the pan-EU approach on mobile applications. By June 2020, the Commission will evaluate the progress of these measures, with further recommendations potentially forthcoming if necessary.

Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.

[1] EDPB, “European Data Protection Board to issue guidance on data processing in the fight against COVID-19,” April 3, 2020, https://edpb.europa.eu/news/news/2020/european-data-protection-board-issue-guidance-data-processing-fight-against-covid-19_en.

[2] European Commission, “Commission discusses with telecom operators how to join forces to fight Coronavirus outbreak,” March 24, 2020, https://ec.europa.eu/commission/presscorner/detail/en/mex_20_521.