Covid-19 tracing apps: ensuring privacy and use across borders

Learn what the EU is doing to ensure phone apps used to fight Covid-19 respect privacy, data protection rules and can be used across the EU.

Covid-19 tracing apps: passengers in protective masks using a mobile phone ©AdobeStock/Yurolaitsalbert

Dedicated mobile apps could play an important role in stopping the spread of the virus and the EU has been working with member states to develop effective solutions.

The European Commission has recommended a common EU approach towards contact-tracing apps, designed to warn people if they have been in contact with an infected person.

Parliament underlines need for ensuring privacy and data protection

As apps could expose sensitive user data, Parliament has underlined the need to ensure they are designed carefully.

In a resolution adopted on 17 April and during a plenary debate on 14 May, Parliament stressed that any digital measures against the pandemic must be in full compliance with data protection and privacy legislation. It said the use of apps should not be obligatory and that they should include sunset clauses so that they are no longer used once the pandemic is over.

MEPs stressed the need for anonymised data and said that to limit the potential risk of abuse, the generated data should not be stored in centralised databases.

In addition, MEPs said It should be made clear how the apps are expected to help minimise infection, how they are working and what commercial interests the developers have.

Check out the timeline of EU action against Covid-19

Tracing preferred to tracking apps in the EU

Among various digital measures aimed at mapping, monitoring, and mitigating the pandemic, the Commission has recognised contact tracing apps, based on short-range technologies such as Bluetooth rather than geolocation, as most promising from a public health perspective.

Such apps can alert users who have been in proximity to an infected person for a certain time, including those one may not notice or remember, without tracking the user’s location.

Combined with other methods such as questionnaires, these apps could enable more accuracy and help limit the further spread of the disease, while the risk to privacy is limited.

They are preferred over geolocation based tracking apps that collect real time data on the precise location and movements of people, together with information about their health, which pose a higher risk to privacy and raise questions on proportionality.

Official EU guidance for data protection and privacy of Covid-19 apps

The guidelines and toolbox for developing any Covid-19 related apps, prepared by the Commission in cooperation with member states, European Data Protection Supervisor and European Data Protection Board aim at guaranteeing sufficient protection of data and limiting intrusiveness.

Guidance on data protection is an essential part of the Commission guidelines, stressing that the apps must fully comply with EU data protection rules, most notably the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

Enabling the use of national covid-19 apps anywhere in EU

On 13 May, the Commission listed the use of contact-tracing apps among the guidelines for resuming travel in Europe and noted they have to be interoperable so that people can use them to be alerted wherever in Europe they are.

In June, when EU countries began relaxing travel restrictions, they agreed to ensure the safe exchange of information between national contact tracing apps to ensure travellers can use their country’s app wherever they are in the EU. This builds on the interoperability guidelines agreed in May, which aim to allow national apps to work seamlessly with each other, while fully complying with privacy and data protection standards.

In October, the Commission launched a gateway that enables the linking of eligible national apps.

Data protection: tracking coronavirus, not you (video published in May 2020)

Parliament will keep monitoring

Juan Fernando López Aguilar, chair of Parliament’s civil liberties committee, noted the important role apps could play in mitigating the crisis and welcomed the introduction of the toolbox, but stressed that fundamental rights and data protection must be maintained.

“We´ll keep a close eye that EU law principles and rules are respected throughout the fight against Covid-19. That includes apps and technologies to control the spread patterns of the pandemics.”

Check out what the EU is doing to help Europe’s economic recovery from the coronavirus pandemic

EU toolbox

  • National health authorities should approve apps and be accountable for compliance with EU personal data protection rules
  • Users remain in full control of personal data. App installation should be voluntary and they should be discontinued as soon as no longer needed
  • Limites use of personal data: only data relevant to the purpose in question, and should not include location tracking
  • Strict limits on data storage: personal data should be kept for no longer than necessary.
  • Security of data: data should be stored on an individual's device and encrypted.
  • Interoperability: apps should be usable in other EU countries as well
  • National data protection authorities should be fully consulted and involved