On April 8, 2020, the European Commission adopted a recommendation to develop a common European approach to using mobile applications and mobile location data in response to the coronavirus pandemic (the “Recommendation”).
The Recommendation sets out a process by which the European Union (“EU”) Member States can adopt a toolbox of practical measures, with a focus on the following priorities:
- A pan-European, coordinated approach to using mobile apps that empower citizens to take effective and more targeted social distancing measures, and aid with warning, preventing and contact tracing to help limit the propagation of COVID-19; and
- A common approach to using anonymized and aggregated mobile location data to (1) model and predict the evolution of COVID-19; (2) monitor the effectiveness of measures to contain the diffusion of the disease, such as social distancing and confinement; and (3) help develop a coordinated strategy for going forward, including the easing of containment measures.
Background
Digital tools can be potent in combating the current health crisis. In particular, the Recommendation recognizes the potentially critical role of warning and tracing apps in limiting the propagation of the virus and interrupting transmission chains. A variety of COVID-focused mobile apps have been developed, some by public authorities, and there have been calls from EU Member States and the private sector for coordination at EU level. The Recommendation stresses the need to develop a common EU approach, or toolbox, for the use of these apps and mobile data to both avoid the fragmentation of the European internal market and ensure that the apps and data comply with EU data protection standards.
To that end, the Recommendation stresses that the toolbox should:
- strictly limit the processing of personal data to the purposes of combating COVID-19 and ensure that the personal data involved is not used for any other purposes, such as law enforcement or commercial purposes;
- ensure that the processing does not extend beyond what is strictly necessary, including through regular re-assessments of the need for processing such personal data and the use of appropriate sunset clauses;
- take measures to ensure that, once the processing is no longer strictly necessary, the personal data concerned is destroyed, unless, on the advice of ethics boards and EU data protection authorities, its scientific value in serving the public interest outweighs the impact on the rights concerned, subject to appropriate safeguards.
Coordinated Approach to Tracing Apps
The Recommendation’s immediate priority is a pan-EU approach for COVID-19 mobile applications, to be jointly developed by EU Member States and the European Commission and in consultation with the European Data Protection Board. This approach should include:
- specifications to ensure the effectiveness of tools from medical and technical perspectives;
- measures to avoid the proliferation of apps that are incompatible with EU law;
- governance mechanisms EU public health authorities can apply, in cooperation with the European Center for Disease Control (“ECDC”);
- identifying good practices and mechanisms for exchanging information about how the apps are functioning; and
- sharing data with relevant epidemiological public bodies and public health research institutions, including disclosing aggregated data to the ECDC.
The Recommendation also notes specific principles that should be observed in connection with COVID-19 mobile warning and prevention apps, including:
- safeguards ensuring respect for fundamental rights and prevention of stigmatization;
- preference for the least intrusive yet effective measures (such as using anonymized and aggregated data where possible);
- technical requirements concerning appropriate technologies (e.g., Bluetooth Low Energy) to establish device proximity, encryption, data security, data storage on the mobile device and potential access by health authorities;
- effective cybersecurity requirements to protect the availability, authenticity, integrity, and confidentiality of the data;
- deletion of personal data obtained through these measures when the pandemic is declared to be under control, at the latest;
- uploading of proximity data in case of a confirmed infection and appropriate methods of warning those who have been in close contact with the infected person (who should remain anonymous); and
- transparency requirements with respect to the apps.
Common Approach for Modelling and Predicting the Spread and Developing Exit Strategies
The second priority is developing a common approach to using anonymized and aggregated mobile location data to model and predict the disease’s diffusion, optimize containment measures, and prepare exit strategies as the emergency lessens. This common approach should address, among other things, the following:
- advice to public authorities on asking telecom operators to clarify their methodology for anonymizing location data;
- safeguards to prevent de-anonymization;
- deleting the data within 90 days, or in any event no later than when the pandemic is deemed under control; and
- restricting the data processing to the relevant purposes, and generally prohibiting sharing data with any third party.
Next Steps
The pan-EU approach for COVID-19 mobile apps will be published on April 15, 2020. It will be complemented by additional guidance from the European Commission on the privacy and data protection implications in connection with COVID-19 mobile apps.
By May 31, 2020, EU Member States should report the actions they have taken pursuant to the Recommendation to the European Commission. They should make those measures accessible to other EU Member States and the European Commission for peer review. EU Member States and the European Commission may submit observations on such measures.
Starting in June 2020, the European Commission will assess the progress made and publish periodic reports, and may make further recommendations to EU Member States, including on the phasing out of measures that are no longer necessary.