Covid-19 tracing apps: ensuring privacy and data protection 


Phone apps could play a part in the fight against Covid-19, but raise privacy and data protection issues. Discover what the EU is doing.

Dedicated mobile apps could play a key role in the fight against Covid-19 and the EU has been working with member states to develop effective solutions. As apps could expose sensitive user data, Parliament has underlined the need to ensure they are designed carefully.

The European Commission has recommended a common EU approach towards contact-tracing apps, designed to warn people if they have been in contact with an infected person.

In a resolution adopted on 17 April and during a plenary debate on 14 May, Parliament stressed that any digital measures against the pandemic must be in full compliance with data protection and privacy legislation. It said the use of apps should not be obligatory and that they should include sunset clauses so that they are no longer used once the pandemic is over.

MEPs stressed the need for anonymised data and said that to limit the potential risk of abuse, the generated data should not be stored in centralised databases.

In addition, MEPs said it should be made clear how the apps are expected to help minimise infection, how they are working and what commercial interests the developers have.


Tracing and tracking apps in the EU

The EU and many member states have been putting forward various digital tracking measures aimed at mapping, monitoring and mitigating the pandemic.

The Commission has recognised contact tracing apps, based on short-range technologies such as Bluetooth rather than geolocation, as the most promising from a public health perspective.

Such apps could alert people who have been in proximity to an infected person for a certain time, including those one may not notice or remember, without tracking the user’s location.

Combined with other methods such as questionnaires, these apps could enable more accuracy and help limit the further spread of the disease, while the risk to privacy is limited.

They are preferred over geolocation-based tracking apps that collect real-time data on the precise location and movements of people, together with information about their health, which pose a higher risk to privacy and raise questions on proportionality.

Covid-19 related apps could also provide accurate information to individuals on the pandemic, provide questionnaires for self-assessment and guidance, or provide a communication forum between patients and doctors, while the use of anonymised and aggregated data, collected by telecommunications operators and other digital technology companies, can help identify risk areas and plan public health resources.

The use of apps and data might prove effective, but could also expose sensitive user data, such as health and location.

The guidelines and toolbox for developing any Covid-19 related apps, prepared by the Commission in cooperation with member states, the European Data Protection Supervisor and the European Data Protection Board, aim at guaranteeing sufficient protection of data and limiting intrusiveness.

Guidance on data protection is an essential part of the Commission guidelines, stressing that the apps must fully comply with EU data protection rules, most notably the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

On 13 May, the Commission listed the use of contact-tracing apps among the guidelines for resuming travel in Europe and noted they have to be interoperable so that people can use them to be alerted wherever in Europe they are.

The Parliament will keep monitoring

Juan Fernando López Aguilar, chair of Parliament’s civil liberties committee, noted the important role apps could play in mitigating the crisis and welcomed the introduction of the toolbox, but stressed that fundamental rights and data protection must be maintained.

“We’ll keep a close eye that EU law principles and rules are respected throughout the fight against Covid-19. That includes apps and technologies to control the spread patterns of the pandemics.”


EU toolbox 
  • National health authorities should approve apps and be accountable for compliance with EU personal data protection rules  
  • Users remain in full control of personal data. App installation should be voluntary and apps should be discontinued as soon as they are no longer needed
  • Limited use of personal data: only data relevant to the purpose in question, and should not include location tracking
  • Strict limits on data storage: personal data should be kept for no longer than necessary. 
  • Security of data: data should be stored on an individual's device and encrypted. 
  • Interoperability: apps should be usable in other EU countries as well 
  • National data protection authorities should be fully consulted and involved