EU Commission's Guidance on How to Combat COVID-19 Through Mobile Apps and Location Data While Maintaining GDPR and Data Protection Rights
The European Commission adopted a common EU toolbox for the use of mobile applications and geolocation data in the fight against COVID-19. The recommendation gives practical guidelines for Member States and private organisations concerning compliance with data protection laws and GDPR in developing and putting forward such apps. The European Data Protection Board has strongly supported the Commission's efforts and has addressed the possible impacts of such apps and geolocation data on individuals' data protection and privacy rights and how these impacts may be minimised while preserving public health.

 

On 8 April 2020, the European Commission (the Commission) published a recommendation for the use of technology and data to help predict the spread of COVID-19 in a data protection friendly manner. The recommendation answers a call for a pan-European effort, including from Member States and private organisations, to use the technology available for tracing transmission and limiting the propagation of the virus. 

The recommendation details practical measures that focus on the use of mobile apps to enhance social distancing measures, as well as to help with contact tracing and information sharing to curb the spread of COVID-19. It puts these apps forward as the preferred type of apps with the least impact on privacy. 

On 15 April 2020, the European Data Protection Board gave its support to the Commission's recommendations but added that such apps should be developed in an accountable way, using data protection impact assessments and applying the GDPR principles of privacy by design and by default.

What responsibilities do developers of such apps have regarding data protection and privacy? 

The main practical points to bear in mind when developing such apps and collecting and using personal data in the context of COVID-19 are as follows:

  • The processing of personal data should be limited to the sole purpose of fighting COVID-19. No commercial use of data should be made.
  • The continued need for processing such personal data should be reviewed regularly, and sunset clauses defining an 'expiration date' should be set out to ensure the processing stays strictly necessary under GDPR for the purpose of combatting the COVID-19 crisis.
  • Processing should be terminated once it is no longer necessary, and the personal data destroyed unless their scientific value in serving the public interest is greater than the impact on personal rights. The recommendation states that this should be determined on the advice of ethics boards and data protection authorities, and appropriate safeguards should be put in place.

The recommendation encourages cooperation and the creation of apps that could be used transnationally, in compliance with EU law, and that could notably share data with relevant epidemiological public bodies and health authorities and add to the work of the European Centre for Disease Prevention and Control.

Next steps

The recommendation sets out the development of a pan-European approach to COVID-19 mobile applications as a first priority, with a date of 15 April 2020. It will be complemented by additional guidance from the Commission regarding relevant data protection and privacy issues.

The second priority concerns a common approach for the use of aggregated mobility data to inform measures and the exit strategy from the crisis.

Contact Us

We are available to discuss the above with you and to advise you on any relevant issues you might have. Please contact John O'Connor, David Cullen, Leo Moore or your usual William Fry contact with any queries. 

Please visit our COVID-19 Hub for more information from our other practice areas which might be relevant to your business.

 
 

Contributed by Karolina Rozhnova

 

 
