‘Contact tracing’ is a process used by public health officials to identify individuals who may have come into close proximity with a contagious virus, such as COVID-19. Traditionally, infected persons are asked to identify interactions with people whilst infected or in the days leading up to infection being diagnosed. Health practitioners can then contact those at risk to warn them of potential exposure, what steps to take and how to avoid infecting others.
Our mobile devices do, of course, have the potential to contact trace far more efficiently than traditional methods allow. Taking one example, a mobile app could inform users that they have come into close proximity of another user who has been confirmed as infected, and, if so, what steps to take (e.g., to self-isolate, seek medical assistance, etc.).
The digitisation of contact tracing no doubt has significant societal benefits. These benefits do, however, need to be balanced against concerns over privacy and data security. In particular, for contact tracing to be effective, a majority of the public needs to share health and device data with local governments and technology providers, potentially leading to a loss of individual privacy and concerns over the misuse of that data.
It is against this backdrop that the European Commission and the European Data Protection Board (EDPB) have now issued guidance for Member States, public health authorities and technology companies when developing contact tracing apps.
EU Commission Guidance and the EDPB Guidelines
On 16 April 2020, the EU eHealth Network, supported by the EU Commission, released a toolbox on the use of mobile applications for contact tracing (Toolbox), along with separate guidance published the following day (Data Protection Guidance).
Shortly after publication of the Toolbox and the Data Protection Guidance, on 22 April 2019, the EDPB then published its own guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (Guidelines).
Requirements When Developing Contact Tracing Apps
The Toolbox focuses on setting out the general requirements for developing contact tracing apps, including that apps must be secure, effective, interoperable across the EU, subject to minimum safeguards (including that use of apps is voluntary and that apps must be dismantled at the end of the crisis) and anchored in accepted epidemiological guidance. Apps should also be implemented in close coordination with, and approved by, public health authorities.
The Toolbox is clear in its conclusion that contact tracing apps must not be powered by location data, and should not be capable of following the movements of individuals. Instead, developers should use Bluetooth data (or equivalent) to log when a device has come into close proximity with another device.
The Data Protection Guidance and the Guidelines focus specifically on issues of data protection. In particular:
- Data controller: Apps should be designed so that Member State national health authorities (or entities carrying out tasks in the public interest in the field of health) control the apps and the data collected, although other controllers may be envisaged;
- Information on processing: Users must be provided all necessary information related to the processing of their personal data, i.e., in the form of a privacy notice;
- Data Subject Rights: Individuals whose data is collected via an app must be able to exercise their GDPR rights (e.g., access, rectification and deletion);
- Location data: Contact tracing apps should not collect location data;
- Purpose limitation: The purposes of an app must be limited (e.g., contact tracing alone, or contact tracing with a standalone symptom checker), and should not allow for further unrelated processing for more general purposes associated with management of the pandemic, e.g., for commercial or law enforcement purposes;
- Functionalities: Different app functionalities (e.g., information, symptom checker, contact tracing and warning functionalities) should not be bundled so that users are able to provide their consent specifically for each functionality individually;
- Anonymous processing: Apps should assign pseudo-random identifiers to users (which renew regularly), so that individuals are not identifiable;
- Notification: If a user has been diagnosed with COVID-19, only other app users with whom the infected user has been in close contact within the epidemiologically relevant period should be informed (but on an anonymous basis—e.g., “you have been in close proximity with someone who has tested positive for COVID-19”);
- Storage: Information stored on central servers should not allow controllers to identify diagnosed users or users who have come into contact with infected users;
- Data protection impact assessment: A DPIA must be conducted before an app goes live, and should be made publicly available;
- Data retention: Data must only be stored for as long as necessary (e.g., for the duration of the pandemic). Afterwards, as a general rule, all personal data should be erased or anonymised; and
- Security measures: Adequate security measures must be in place, including measures to prevent re-identification of users.
Outside of contact tracing apps, the EDPB Guidelines acknowledge that location data may be used to model the spread of COVID-19, or to assess the effectiveness of confinement measures on an anonymous basis.
Contact tracing apps can undeniably complement existing manual contact tracing processes and will hopefully help interrupt the transmission chain of the virus. However, to be truly effective, there must be substantial public buy-in and use of apps developed.
Organizations looking to pivot into this space must pay careful attention to the requirements of the Toolbox, Guidelines and Data Protection Guidance, and work with the governments and national health authorities of the Member States in which they hope to help develop tech to slow the tide of the pandemic.