On April 16, 2020, the European Commission (EC) published guidance (the "guidance") regarding mobile applications developed to combat the spread of the COVID-19 pandemic ("COVID-19 mobile apps"). As previously mentioned in our blog posts, the guidance follows the EC recommendation last week on the same topic, and takes into account a prior consultation with the European Data Protection Board (EDPB).
The guidance expands on the legal bases for data processing identified in the EC’s consultation with the EDPB and highlights key data protection requirements for certain COVID-19 mobile apps.
The guidance addresses COVID-19 mobile apps that contain one or more of the following features: 1) provision of information about the COVID-19 pandemic, 2) self-assessment for COVID-19 symptoms, 3) tracing and warning of potential contacts between a COVID-19 positive and a non-infected individual (contact event), and 4) provision of telemedicine services. The guidance does not cover apps aimed at enforcing quarantine requirements (including those which are mandatory). In addition, the guidance does not overrule any national requirements that EU member states may introduce regarding the processing of health data, or other legal regimes such as the EU’s medical devices regulatory framework.
COVID-19 mobile apps must ensure that their technical specifications provide for cross-border interoperability with other IT solutions. The apps must be functional and effective in a cross-border context and allow for the sharing of personal data that is strictly necessary and for notification of national health authorities regarding a potential contact event.
The EC stated that COVID-19 mobile apps should be designed so that national health authorities, or entities “carrying out the task” of public health, are the data controllers. However, the guidance indicates that national laws may further determine which entity takes on a controllership role.
3) Voluntary nature
COVID-19 mobile apps must be voluntary and individuals should not suffer any negative consequences for not installing them. In addition, the EC states that if an app contains different features (such as contact tracing and a symptom checker), separate consent for each feature should be obtained.
4) Legal basis for processing
The guidance indicates that different uses of the app may require different legal bases for processing. For instance, an app may require consent to be installed, but require a separate legal basis to process proximity data for contact-tracing purposes (e.g., the performance of a task carried out in the public interest). In addition, national health authorities may rely on other available legal bases, such as the necessity to process personal data to comply with a legal obligation or for the performance of a task carried out in the public interest, only where they have a specific epidemiological basis in national law.
5) Use of Bluetooth technology
The EC recommends that contact-tracing and warning apps use Bluetooth Low Energy (BLE) data instead of geolocation data in order to establish a contact event before warning users of exposure. Further, Bluetooth activation should not be bundled with the activation of other location services. Regardless of whether BLE or geolocation data is used, proximity data must be stored in an encrypted and pseudonymized format. The guidance also states that: i) exposure warnings require prior confirmation by health authorities of a positive COVID-19 status (such as through scanning a QR or TAN code); ii) national health authorities should determine the content of the alert message; and iii) potentially affected individuals should be informed through the app or through a backend server solution. The warnings should inform the potentially affected individuals that they have been in contact with an infected person in the past 16 days, without otherwise disclosing that person’s identity. This warning message must not subject users to an automated decision that significantly affects them (e.g., an automated quarantine order).
6) Data Storage
Regardless of whether BLE data or geolocation data is used, proximity data should only be stored on the individual’s device. In addition, COVID-19 mobile apps should only store the day of the contact event, and not the exact time or location. The guidance also recommends that COVID-19 mobile apps store constantly changing temporary user IDs rather than the actual device ID.
7) Data access and sharing restrictions
The guidance states that the information shared with national health authorities must be limited to what is necessary for public health purposes. For example, health authorities can access the self-assessment data that a user inputs in a COVID-19 mobile app, and a phone number to contact the user if necessary. The proximity data of infected users may only be shared with said authorities if the user proactively chooses to do so. In addition, all data transfers from the user’s device to national health authorities should be encrypted.
8) Termination / data retention
A COVID-19 mobile app that provides information should not retain any user data collected upon its installation. Data collected from self-assessment and contact-tracing and warning apps should be deleted after a maximum of one month from the date it was collected, or after an infected individual tests negative for COVID-19. However, such data may be stored for longer periods if it is rendered truly anonymous.
9) Consultation with data protection authorities
The guidance recommends that app developers keep data protection authorities fully informed during the development process, and that they carry out a data protection impact assessment. This takes into account the EC’s earlier consultation with the EDPB.
App developers should carefully review the guidance before determining the functions and features of their COVID-19 mobile app. Due consideration and implementation of the EC’s recommendations may be critical to obtaining approval and cultural acceptance of the apps in the EU. App developers should also bear in mind that COVID-19 mobile apps may, depending on their functionalities, count as medical devices—if so, developers should also pay heed to the EU’s medical devices regulatory framework.
Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.
 GDPR Article 6(1)(e).
 GDPR Article 6(1)(c).
 GDPR Article 6(1)(e).