On April 21, 2020, the European Data Protection Board (EDPB) published two sets of guidelines addressing data processing in the context of the COVID-19 pandemic. These guidelines address the use of location data and contact tracing tools to combat the spread of COVID-19 and the use of health data for the purposes of scientific research into COVID-19 (together, the guidelines).
Since March 2020, the EDPB and the European Commission (EC) have been active in addressing the use of data to combat the COVID-19 pandemic. The EC released its recommendation regarding contact tracing apps and the use of mobility data on April 8, while the EDPB issued a letter on April 14 addressing the same issue. The EC then published specific guidance regarding the use of COVID-19 mobile apps. In these most recent guidelines, the EDBP further elaborates on the signposts provided in its earlier letter and provides specific guidance on the deployment of contact tracing apps as well as the re-use of information for scientific research purposes.
Use of Location Data and Anonymization
The guidelines highlight the requirements on sharing of location data for both electronic communication service providers (such as telecommunication operators) and information society service providers (such as navigation and transport services providers (ISS providers)).
Electronic communication service providers are only allowed to share data with authorities or third parties if they have anonymized the data, or obtained the user’s prior consent. The guidelines favor anonymization and require controllers to be transparent regarding the anonymization method they use as well as to monitor relevant developments in the field.
ISS providers can store or access information, including location data, on a user’s device only if i) they have obtained the user’s consent, or ii) the storage/access is strictly necessary to provide the information society service requested by the user. An ISS provider can re-use location data (e.g., collected through the operating system or a previously installed application) for modeling purposes only if the user consents to such use, or on the basis of an explicit national law derogation.
Further, the guidelines strongly recommend that location data not be used for contact tracing purposes, but only to monitor the spread of the virus by assessing the effectiveness of confinement measures.
Additional Requirements for Contact Tracing Apps
The guidelines provide additional requirements for COVID-19 mobile apps that have contact tracing functionality.
1) Rectification and DPIAs
Contact tracing apps “must have the ability to correct data or results” in order to mitigate false positives (e.g., when an individual is mistakenly identified as an infection risk). Data protection impact assessments (DPIA) are mandatory prior to the implementation of contact tracing apps, and the EDPB recommends that app developers make them publicly available.
2) No processing of COVID-19 personal data without prior confirmation by a national health authority
The EC previously stated that contact tracing apps must require prior confirmation by national health authorities of a positive COVID-19 status before issuing a warning to other users of a potential exposure to an infected user.1 The guidelines similarly provide that COVID-19 personal data can only be processed if a national health authority confirms that an individual is infected. No self-diagnosis is permitted, and any user input regarding a positive COVID-19 status must be verified by a national health authority before any data processing based on the user’s status may occur.
3) Additional requirements on controllership
The EC previously recommended that the apps be designed so that the national health authorities (or organizations carrying out a public health task) are the data controller of COVID-19 mobile apps. However, the guidelines do not contain such a recommendation and state that other entities, apart from national health authorities, can also be data controllers. However, all involved entities must, from the outset, clearly establish their roles and responsibilities, and inform users accordingly. Organizations that work with national health authorities to implement an official contact tracing app must provide a link for users to download the official app and must sufficiently inform potential users so that they may avoid downloading a third-party app.
4) Data minimization and retention
The guidelines provide that only individuals who have been in close contact with a COVID-19 case should be notified, according to criteria defined by epidemiologists. If the contact tracing app stores information on a centralized server, the information stored must be the minimum amount required to conduct the tracing. The app should not collect unrelated or redundant data (e.g., civil status, communication identifiers, messages, call logs, location data, device identifiers, etc.). The guidelines also recommend that contact tracing apps be used only until COVID-19 infections drop to the point where tracing can be done manually. This approach suggests a potentially earlier date for the cessation of such apps than previously envisaged by the EC, which initially limited the lifespan of such apps to the duration of the COVID-19 crisis.2
5) Additional functions
The guidelines also contain an overview of practical considerations and examples for app developers (e.g., on topics such as app functionality, technical properties, security standards, data sharing principles). For instance, contact tracing apps could provide recommendations to users exposed to a COVID-19 positive case, such as instructions regarding the measures users should follow, and allow users to request advice from a human agent. Also, the EDPB recommends that algorithms which determine infection risks be regularly updated to take into account newly acquired knowledge on the spread of COVID-19 (e.g., transmissibility patterns).
Secondary Use for Scientific Research
The guidelines do not exclude the further use of data collected through COVID-19 mobile apps for scientific research purposes. Scientific research is regarded as different from epidemiological surveillance and is defined by the EDPB as “a research project set up in accordance with relevant sector-related methodological and ethical standards, in conformity with good practice.”3 The EDPB announced that it will discuss the reuse of personal data for secondary purposes in its future guidelines on medical research. Nonetheless, the EDPB highlights the general requirements that ought to be observed when reusing personal data for research purposes: Controllers must only reuse personal data that is strictly necessary for the scientific research, and must clearly define storage periods. Furthermore, the EDPB emphasizes the importance of data minimization, data integrity and confidentiality, and privacy by design and by default. In addition, a DPIA should also be carried out if such research is likely to result in a high risk to the rights and freedoms of natural persons, and companies are advised to consult with their data protection officers.
Finally, users must be informed about the use of their data for scientific research before the implementation of the research project, unless i) informing users is impossible, ii) it involves a disproportionate effort, iii) it would seriously impair the objectives of the processing, or iv) if national law requires such scientific research. In terms of legal bases, the guidelines suggest that consent4, public interest5, or legitimate interests6 may be appropriate for non-sensitive data, while consent7, laws and regulations supporting public health interests8, or archiving purposes9 may be appropriate for sensitive data.
Effective contact tracing will be quintessential to controlling the pandemic. Digital applications have tremendous potential to support government efforts to fight a further spreading of the virus, especially in a context where markets are slowly re-opening. The EDPB appears to recognize the role and potential of digital technology in this context but reminds app developers that the core General Data Protection Regulation (GDPR) requirements remain in effect. Taking the guidance to heart will be crucial for developers to obtain acceptance of their technology in the EU, both by regulators as well as the general public.
Wilson Sonsini Goodrich & Rosati routinely advises clients on GDPR compliance issues, and helps clients manage risks related to the enforcement of global and European data protection laws. For more information, please contact Cédric Burton, Jan Dhont, Lydia Parnes, Christopher Olsen, or another member of the firm’s privacy and cybersecurity practice.
Wilson Sonsini continues to monitor the global impact of COVID-19 on various industries. Wilson Sonsini’s COVID-19 Client Advisory Resource is a collection of alerts, advisories, and programs—all of which are intended to help the management, boards of directors, and in-house counsel of our clients maintain key operational and business functions, despite pressing challenges related to the COVID-19 outbreak.
 Available here: https://ec.europa.eu/digital-single-market/en/news/coronavirus-recommendation-use-mobile-data-response-pandemic.
 Guidelines 03/2020 p. 6 and WP259 rev.01, 17EN, p. 27 (endorsed by the EDPB).