Countries all over the world are facing an unprecedented challenge due to the health crisis caused by the COVID-19 pandemic, which affected, among other things, our healthcare systems, our lifestyle, and our economic stability.
Digital technologies and data are playing an important role in fighting the COVID-19 pandemic. Indeed, both within the European Union and worldwide, public authorities and developers have launched apps designed to strengthen the fight against COVID-19.
The currently available apps may be used for information, symptom checking and telemedicine, as well as contact tracing and warning purposes.
It is indisputable that those applications are an important tool for helping individuals, public authorities and healthcare organizations in their efforts to stop the spread of the pandemic.
However, an uncoordinated approach may hinder the effectiveness of the measures taken to fight the pandemic, and may even have a negative impact on the single market and on fundamental rights and freedoms, such as the right to health and the right to data protection.
In order to ensure a coherent and common European approach, on April 16, 2020, the European Commission issued its Guidelines to support member state governments and app developers in the implementation of apps to fight the COVID-19 pandemic (see here for more information). This document has been followed, among others, by the Guidelines on the use of location data and contact-tracing tools in the context of the COVID-19 outbreak (“Guidelines”), issued on April 21, 2020, by the European Data Protection Board (“EDPB”) (see here for more information).
The objective of the European institutions was to create a legal ground for launching mobile apps, ensuring that, while achieving the most effective results in terms of public health, individuals’ fundamental rights are properly safeguarded.
Interoperability: key issues
According to the latest report issued by the eHealth Network, 20 European Member States have implemented or have decided to implement a mobile app to fight the spread of COVID-19.
While some countries, including Italy, have already launched a contact-tracing app (see here and here for further information, only available in Italian), Latvia, Belgium, the Netherlands, Croatia, Hungary, and Romania are still evaluating whether to launch one, and Sweden, Luxembourg, and Slovenia have no plans to do so.
In order to ensure that contact-tracing apps are effective once travel bans are lifted, interoperability among them is essential. For this purpose, member states have agreed on a set of technical requirements aimed at providing a safe exchange of information between national contact-tracing apps based on a decentralised architecture. The interoperability has been defined by the eHealth Network as “the ability to exchange […] the minimum information necessary for individual app users, wherever they are located in the EU, to be alerted, in accordance with the procedures defined by public health authorities, if they have been in proximity with another user who has notified the app that he/she has tested positively for COVID-19”.
This means that citizens moving throughout Europe may rely on one app only – the one made available in their home country – and still be able to benefit from the apps’ functionalities, including receiving an infection confirmation if they have been in proximity to a positive person, an exposure risk calculation, as well as an exposure alert and a follow-up (i.e. the actions triggered by the exposure notification).
The eHealth Network explained that, in order to develop the interoperability network, personal devices should be able to broadcast and detect proximity with other devices through a Bluetooth notification. The proximity information will be transferred in an encrypted way, and no geolocation or movement data will be stored.
With respect to the technical requirements of interoperability, on September 4, 2020, the eHealth Network released an updated version of its Guidelines on interoperability published on June 16, 2020, proposing a “definite ready-to implement architecture of the Federation Gateway Service” (European Proximity Tracing) and explaining how the Federation Gateway Service works in detail.
Briefly, the Federation Gateway Service is an interoperability pattern used to synchronize the diagnosis keys across all national backend servers. This means that each national backend regularly uploads the keys of recently infected citizens (“diagnosis keys”) and downloads the diagnosis keys from the other states engaged in the scheme. The Federation Gateway Service collects the information of positive citizens, as well as the countries they visited (“countries of interest”). However, it knows neither the real identity of the citizens nor who came into proximity with the infected people. Indeed, the pairing of diagnosis keys to exposure data takes place on the mobile devices.
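The data flow described above can be modelled in a few lines. This is an added illustration, not code from the eHealth Network or any national app: the class and function names are hypothetical, the HMAC-based identifier derivation is an assumed stand-in for the real Bluetooth scheme, and the sample keys are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class DiagnosisKey:
    key: bytes                        # random daily key; carries no identity
    origin: str                       # country whose backend uploaded it
    countries_of_interest: frozenset  # countries the user visited

class FederationGateway:
    """Stores only keys and country tags: no identities, no contact data."""
    def __init__(self):
        self._keys = []

    def upload(self, batch):
        self._keys.extend(batch)

    def download(self, country):
        # Each national backend pulls the keys uploaded by the other states.
        return [k for k in self._keys if k.origin != country]

def broadcast_id(key, interval):
    # Assumed stand-in derivation (HMAC-SHA256) for the rotating Bluetooth ID.
    return hmac.new(key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]

def relevant_keys(keys, country):
    # National backend keeps foreign keys whose user visited this country.
    return [k for k in keys if country in k.countries_of_interest]

def match_on_device(heard_ids, keys, intervals=range(144)):
    # Runs on the phone: re-derive IDs from each key, compare with IDs heard.
    return [k for k in keys
            if any(broadcast_id(k.key, i) in heard_ids for i in intervals)]

def demo():
    gateway = FederationGateway()
    it_key = DiagnosisKey(secrets.token_bytes(16), "IT", frozenset({"DE"}))
    # Constructed sample: a German phone heard the Italian phone at interval 42.
    de_phone_heard = {broadcast_id(it_key.key, 42), secrets.token_bytes(16)}
    fr_phone_heard = {secrets.token_bytes(16)}
    gateway.upload([it_key])  # after the Italian user reports a positive test
    de_keys = relevant_keys(gateway.download("DE"), "DE")
    fr_keys = relevant_keys(gateway.download("FR"), "FR")
    return (match_on_device(de_phone_heard, de_keys),
            match_on_device(fr_phone_heard, fr_keys),
            gateway.download("IT"))

if __name__ == "__main__":
    de_hits, fr_hits, it_pull = demo()
    print(len(de_hits), len(fr_hits), len(it_pull))
```

The list of identifiers a phone has heard never leaves the device in this model; the gateway and the backends only ever handle the key material and country tags.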
At the same time, the eHealth Network released the European Interoperability Certificate Governance, addressing how trust in the European Federation Gateway Service can be established.
Given the role of contact-tracing apps and interoperability, the EDPB issued a statement on the data protection impact of the interoperability of contact-tracing apps, focusing on the consequences that an interoperable implementation of contact-tracing apps entails for the protection of personal data.
The main takeaways from the EDPB are the following:
- Proportionality. The EDPB stressed that interoperability should not be considered as an argument to extend the collection of personal data beyond what is necessary. Infection data can be shared only if triggered by a voluntary action of the user.
- Transparency. Since interoperability will lead to further processing and to additional disclosure of data, the data controller has to provide data subjects with a clear understanding of the further processing. In clear and plain language, information notices shall include how the data will be processed by the interoperable contact-tracing app.
- Legal basis. By highlighting that the legal bases discussed in the Guidelines still apply, the EDPB clarified that (i) where the processing is based on public interest, Member State law may need to be modified to provide for the data sharing with other services; (ii) where it is based on consent, the controller shall collect an additional specific consent for the processing related to the use of interoperability. At the same time, the exceptions mentioned in Article 9 GDPR for the processing of health data shall apply.
- Controllers. Operations aimed at ensuring the interoperability of the apps have to be assessed separately from the processing carried out for the other functionalities, and require appointment of data controllers, individually or jointly, and data processors, whose roles, relationships and responsibilities have to be defined and thereafter made available to the data subjects.
- Data retention and minimization. The EDPB encourages data controllers to adopt a common policy concerning both the level of data minimization and the data retention period.
- Information security and data accuracy. The EDPB recommends that interoperability should not lead to a reduction in data security, data quality, and accuracy. Thus, it will be mandatory to address in the DPIA the measures put in place to ensure data security and data accuracy.
As Vera Jourova, Vice-President of the European Commission for Values and Transparency, said: “This is the first global crisis where we can deploy the full power of technology to offer efficient solutions and support the exit strategies from the pandemic. Trust of Europeans will be key to the success of the mobile tracing apps. Respecting the EU data protection rules will be upheld and the European approach will be transparent and proportional.”
While technology is of great importance in tackling the current pandemic, data subjects’ trust in the apps is critical to their success: fundamental rights, data protection and data security cannot be put aside.