So-called tracking apps are currently the subject of intense political and social discussion. These apps are intended to be deployed to detect chains of infection faster, and accordingly, to slow, or even control, the spread of COVID-19. But how should users recognise whether these apps fulfil the conditions of EU data protection law? In this regard, Professor Franziska Boehm’s research team has developed a checklist of data protection recommendations.
Tracking apps and data protection in the context of the COVID-19 pandemic
Recommendations for the deployment of COVID-19 tracking and tracing apps from the perspective of data protection
Franziska Boehm, Diana Dimitrova, Francesca Pichierri and Dara Hallinan [1]
Since the outbreak of the COVID-19 pandemic, countless apps have been developed worldwide, which collect pandemic-relevant data. The data collected ranges from anonymised location data to sensitive health data. Medical professionals believe the use of these apps is appropriate, even necessary, in order to ensure the long-term containment of the pandemic. Politicians discuss whether they should recommend the voluntary use of the apps to citizens. We may soon face difficult choices concerning whether we want to install such apps and if so, which apps we want to install.
The reason is that apps are designed differently according to their goal and purpose, and, as a result, their differing functions intrude to differing degrees into the rights of users. Some apps serve to inform users that they have had contact with COVID-19 sufferers, other apps aim to support research and yet other apps aim to ensure compliance with lockdown rules.
All apps, with differing degrees of emphasis, have the protection of public health as their main goal. However, all uses are also fraught with risks for the right to the protection of personal data, and their effects on this right should be carefully balanced against possible benefits. Consequently, individuals who are considering using an app can only make an informed decision concerning the pros and cons of use if they are aware of the advantages, as well as the disadvantages, in advance.
It will be a political task to ensure this transparency and to recommend an app which requires the minimum possible infringement of the users’ rights – an app whose use represents the optimum balance between users’ rights and the protection of public health. Otherwise a serious loss of trust may occur, reflecting a perception that the use of apps implies a disproportionate infringement of rights. In this regard, app developers and data protection officers are called upon to design apps which recognise the need for an appropriate balance between users’ rights and public health.
To provide an initial orientation for how this might be achieved, a research team led by Professor Franziska Boehm at FIZ Karlsruhe has elaborated the following data protection recommendations. These are based on an analysis of the EU law principles which must be fulfilled by COVID-19 tracking and tracing apps. In the analysis, the team also investigated the degree to which seven apps, all recently deployed in EU Member States, conform to data protection law requirements. The provisional findings are outlined in two comparative tables, which will be updated as apps are further developed, and as new information becomes available.
Data protection recommendations for COVID-19 tracking and tracing apps
Design, development and default:
Data-protection-friendly and IT-security-friendly functionality should already be considered in the design and development phase of COVID-19 apps. Data security, confidentiality and suitable technical and organisational safeguards must be guaranteed. [2]
Data should be, whenever possible, stored in a decentralised system – e.g. on the user’s device – and not in a centralised system – i.e. in a large database. [3]
Access to data:
Access to data, in particular access to sensitive data, should be limited to those parties which require the data for legitimate purposes – e.g. for treatment, for research, or for crisis response.
Data must be secure – e.g. stored and transferred in encrypted form.
Automatic deletion function:
Data on apps should be automatically deleted when the pandemic is over – or a deletion function/button should be included. This should ensure, among other things, that implemented surveillance measures will not be used any longer than necessary and that users can prohibit transfers of their data at any time.
After the original purpose of data processing is fulfilled, data must be either deleted or anonymised. Apps which, for example, aim to ensure compliance with lockdown rules should delete or anonymise data after 14 days, or after the expiry of the relevant lockdown rules.
If an app can fulfil its intended purpose without the processing of personal data, the app should only collect anonymous data.
In relation to the collection of anonymised or pseudonymised data, the risk of re-identification, in particular by third parties, should be taken into account.
Data flows between private and public organisations – which may process the same data – should be transparent. Transparency is also important in relation to: how data are processed, the storage duration, the purpose of processing, the rights of data subjects and possible further transfers to third parties.
Users must be provided with easy access to understandable information about the exercise of data subject rights. The easy exercise of these rights should already be considered in the design and development of the app.
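The deletion and anonymisation recommendations above are easier to judge against a concrete design. The following Python module is an added illustration written for this page, not code from the FIZ Karlsruhe team or from any of the apps the analysis covers. It keeps encounter records only on the device, purges them automatically once they are older than the 14-day window named above, offers a user-triggered wipe (the "deletion button"), and releases only an identifier-free aggregate for statistics. The record layout, the `Encounter` and `LocalStore` names and the sample data are all assumptions; only the 14-day figure comes from the text.

```python
"""Storage-limitation handling for an on-device proximity-tracing store.

Added illustration, not code from the recommendations' authors or any
real app: encounters stay on the phone, are purged automatically after
the 14-day window named in the recommendations, can be wiped on request,
and only an identifier-free aggregate ever leaves the store.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# The 14-day window is taken from the recommendation text; everything
# else in this module (names, fields, sample values) is assumed.
RETENTION = timedelta(days=14)


@dataclass(frozen=True)
class Encounter:
    pseudonym: str       # ephemeral identifier received from another device
    seen_at: datetime    # UTC timestamp of the observation
    rssi_dbm: int        # signal strength, used only to estimate proximity


@dataclass
class LocalStore:
    """All data stays on the device; nothing here talks to a server."""
    encounters: List[Encounter] = field(default_factory=list)

    def record(self, encounter: Encounter) -> None:
        self.encounters.append(encounter)

    def purge_expired(self, now: datetime) -> int:
        """Automatic deletion: drop encounters older than RETENTION.

        Returns the number of records removed so the caller can log it.
        """
        cutoff = now - RETENTION
        kept = [e for e in self.encounters if e.seen_at >= cutoff]
        removed = len(self.encounters) - len(kept)
        self.encounters = kept
        return removed

    def wipe(self) -> int:
        """The 'deletion button': user-triggered removal of everything."""
        removed = len(self.encounters)
        self.encounters.clear()
        return removed

    def oldest_age(self, now: datetime) -> timedelta:
        """Age of the oldest record, for a retention self-check."""
        if not self.encounters:
            return timedelta(0)
        return now - min(e.seen_at for e in self.encounters)

    def anonymised_summary(self) -> Dict[str, int]:
        """Identifier-free daily encounter counts for statistics.

        Pseudonyms and signal strengths are dropped; only a count per
        calendar day remains. Aggregation alone does not remove every
        re-identification risk (small counts from a single device can
        still be revealing), so any release would still need the
        assessment the recommendations call for.
        """
        counts: Dict[str, int] = {}
        for e in self.encounters:
            day = e.seen_at.date().isoformat()
            counts[day] = counts.get(day, 0) + 1
        return counts


def run_demo() -> Dict[str, object]:
    """Exercise the store on constructed sample data and return the results."""
    now = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed 'today'
    store = LocalStore()
    # Constructed encounters: one outside the 14-day window, two inside it.
    store.record(Encounter("ephid-old", now - timedelta(days=20), -60))
    store.record(Encounter("ephid-mid", now - timedelta(days=13, hours=23), -70))
    store.record(Encounter("ephid-new", now - timedelta(hours=1), -50))

    removed = store.purge_expired(now)
    remaining = len(store.encounters)
    within_window = store.oldest_age(now) <= RETENTION
    summary = store.anonymised_summary()
    wiped = store.wipe()
    return {
        "removed_by_purge": removed,
        "remaining_after_purge": remaining,
        "within_window": within_window,
        "summary": summary,
        "wiped": wiped,
        "empty_after_wipe": len(store.encounters) == 0,
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the module purges the single record older than 14 days, confirms that the oldest remaining record is inside the window, produces a per-day count that carries no pseudonym or signal value, and then empties the store on the simulated user request. A real app would additionally store the records encrypted at rest and schedule `purge_expired` to run on its own, as the "Access to data" and "Automatic deletion function" points require.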
Collaboration with supervisory authorities:
Collaboration with the relevant supervisory authority, as well as with data protection experts, is strongly advised.
Secondary uses – e.g. scientific research:
Secondary uses, and further processing for purposes other than the original purpose, must be restricted. Secondary processing for scientific research purposes must, for example, adhere to the principles outlined in Article 89 GDPR, according to which, for example, data, where possible, must be anonymised if they are further processed for research or statistics purposes (principle of storage limitation).
Data protection impact assessment:
A Data Protection Impact Assessment [4] should be conducted, in particular when sensitive health data will be processed in an app or when individuals and their movements will be subject to continuous surveillance through an app. The impact assessment should be made public, easily findable and should be regularly updated.
Correction of data:
Data entered into the system should be accurately reproduced. Users should have the possibility to correct data collected from them at any time.
Restrictions and the essence of fundamental rights:
All restrictions on data protection principles must fulfil the relevant conditions outlined in Articles 23 and 89 of the GDPR and Article 15 of the ePrivacy Directive and, in particular, must be proportionate and respect the essence of fundamental rights.
[1] Prof. Dr. Franziska Boehm is Head of the Intellectual Property Rights department at FIZ Karlsruhe and holder of the Professorship of the same name at Karlsruhe Institute of Technology (KIT). Diana Dimitrova, Dr. Dara Hallinan and Francesca Pichierri are researchers in the Intellectual Property Rights department.
[2] Articles 25 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016 (GDPR).
[3] See, for a discussion of decentralisation and COVID-19 apps, White Paper, Decentralized Privacy-Preserving Proximity Tracing, p. 2, available at: https://github.com/DP-3T/documents.