On April 14, 2020, the European Data Protection Board (the EDPB) published a letter in response to the European Commission’s call for consultation (the letter) regarding its recommendation on the use of mobile applications and location data to fight the COVID-19 outbreak.

As previously reported in our blog post, the European Commission’s recommendation sets out a “toolbox” of measures to be implemented across EU member states to address the use of technology in combating the spread of the COVID-19 pandemic. In its letter, the EDPB sets forth data privacy and information security measures that app developers should consider when developing mobile applications to inform individuals or monitor infected persons (COVID-19 mobile apps).

General Approach to COVID-19 Mobile Apps

The letter recognizes that there is no “one-size-fits-all” solution for the current pandemic. Each COVID-19 mobile app needs to be examined on a case-by-case basis, and the EDPB suggests that app developers consult with privacy regulators to ensure that personal data is processed in accordance with data protection law. However, the letter does not specify the appropriate timing of such consultation (pre-development or pre-launch), nor does it clarify the underlying legal requirement.

Further, the letter stresses the importance of accountability and transparency when developing COVID-19 mobile apps, including privacy-by-design and privacy-by-default obligations. Developers must conduct a Data Protection Impact Assessment (DPIA) to document their privacy practices, and make the app’s source code publicly available for scrutiny. The EDPB will—for the time being—monitor the development and use of COVID-19 mobile apps and provide more detailed guidance on issues such as the application of core data protection principles and rights management. Therefore, app developers should pay attention to updates.

Specific Issues on Contact Tracing and Warning Apps

The letter identifies contact tracing and warning apps as an area of focus, and makes several data protection suggestions:

1) Legal basis

Contact tracing apps must be voluntary. Users should be free to install and uninstall the app at will. However, voluntary use does not necessarily mean that consent is the only appropriate legal basis for the collection and processing of personal information. The EDPB states that public authorities, when they are data controllers, can also rely on the necessity for the performance of a task for public interest.1 EU member states can enact national laws to that effect, and promote the voluntary use of the app along with awareness-raising campaigns. With respect to sensitive personal data, the letter is silent on which legal basis may justify the processing of such data, but the EDPB has previously indicated that such processing can be justifiable if necessary to public health.2

2) Location tracking

The letter stresses that contact tracing apps do not require location tracking of users to be effective, and should not collect data regarding an individual’s movement. The EDPB states that this would violate the principle of data minimization, and create security and privacy risks.

3) Data storage and controllership

The letter favors decentralized data storage limited to an individual’s device, yet notes that centralized storage could be a valid alternative. Regardless of the data storage method, the ultimate objective of the app will affect which entity may be regarded as the data controller.

4) Warning individuals

The letter recommends that app developers work with health authorities and scientists to i) identify what constitutes an “event” to be shared (a “contact event”); ii) define certain functional requirements of the app; and iii) determine when users should be warned about a potential contact event. The accuracy of a positive COVID-19 diagnosis on the app must be verified; the EDPB recommends that test results include a scannable one-time code to verify a positive COVID-19 status on the app to minimize the risk of false positives and unnecessary alarm.

Tracing and warning apps should also contain strong anonymization features. The EDPB recommends that the app i) only process random pseudonyms, ii) not store any identifying data on a user’s device, and iii) not allow for the reidentification of any person during usage, regardless of their COVID-19 status.

5) Algorithms

Algorithms used in contact-tracing apps should work under the strict supervision of qualified personnel, and must not automatically give advice to users if they have been exposed to a contact event. The EDPB recommends such apps implement a call-back feature where a person may provide advice to users. To avoid stigmatization, the user must not be required to provide identifiable information to receive advice.

6) Data retention

The EDPB reaffirms the European Commission’s recommendations that these measures be limited to the duration of the COVID-19 crisis. After the COVID-19 crisis, such emergency systems should be deactivated, and the collected data should be erased or anonymized.

Next Steps

The EDPB intends to publish guidance on geolocation and other tracing tools in the coming days. Separately, the EDPB has also called for further guidance from the European Commission on the data protection and privacy implications of the use of mobile warning and prevention apps.

Wilson Sonsini continues to monitor the global impact of COVID-19 on various industries. Wilson Sonsini’s COVID-19 Client Advisory Resource is a collection of alerts, advisories, and programs—all of which are intended to help the management, boards of directors, and in-house counsel of our clients maintain key operational and business functions, despite pressing challenges caused by the COVID-19 pandemic.

Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric BurtonJan DhontLydia ParnesChristopher Olsen, or another member of the firm’s privacy and cybersecurity practice.

[1] Article 9(1)(e) GDPR.

[2] Article 9(2)(i) GDPR.