On April 14, 2020, the European Data Protection Board (“EDPB”) adopted a letter concerning the European Commission’s (the “Commission”) draft Guidance on apps supporting the fight against the COVID-19 pandemic. This letter was written to the Commission following the Commission’s adoption of a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the pandemic on April 8, 2020.

The EDPB emphasizes in its letter that it supports a pan-EU approach in regard to using mobile apps as a tool to fight the virus, but that the implementation of data protection principles set out under the General Data Protection Regulation (“GDPR”), and respect for the rights and freedoms of individuals, remain of paramount importance, and should not be disregarded in the development of such apps.

The EDPB states in its letter: “The development of the apps should be made in an accountable way, documenting with a data protection impact assessment all the implemented privacy by design and privacy by default mechanisms, and the source code should be made publicly available for the widest possible scrutiny by the scientific community.”

The EDPB noted that in order for such apps to work effectively they must be used by a significant portion of the European population, but also emphasized that it strongly supports the use of mobile apps remaining fully voluntary, as proposed by the Commission, as a “token of collective responsibility.” The EDPB also noted that voluntary use of an app does not mean that processing of personal data by public authorities in connection with the app will necessarily be based on consent for the purposes of identifying a legal basis for processing under the GDPR. Instead, the most appropriate legal basis for such processing is likely to be necessity for the performance of a task for public interest.

The EDPB further noted some limitations that should be placed on the use of mobile apps for contact tracing, commenting that such apps do not require location tracking of individual users since the main function is to record contact with individuals testing positive for COVID-19 rather than to follow the movements of individuals. Collecting such location data would, in the EDPB’s view, violate the principle of data minimization under the GDPR and create major security and privacy risks. The EDPB further emphasized that although storing data collected through an app in one centralized location would not be prohibited, it favors storing such data on the devices of individuals (though it strongly suggests that even the device should not store any directly identifying data), as this would be more in line with the data minimization principle.

Additionally, the EDPB warned that algorithms used by contact tracing apps should be overseen by “qualified personnel” and that full automation in the app’s provision of advice should be avoided. It further adds that once the crisis has passed, use of these apps should cease and the data collected by them be deleted or anonymized.

The EDPB is in the process of drafting additional guidance on tracing, scientific research and teleworking during the pandemic, and plans to issue this in the coming weeks. Read the EDPB’s letter.