Insight: “The EU’s Common Approach to contact tracing : the EDPB, EDPS, Commission and Parliament’s responses” by Anjum Shabbir
Contact tracing apps are operational in at least 14 Member States, and national supervisory authorities are developing guidelines at national level to advise their governments and telecoms operators on the best way to comply with data protection rules: it appears that 25 different pieces of guidance have been issued. This widely divergent and fragmented approach has led the EU to call for a common approach that aligns the Member States, and in doing so to propose its own guidance that will enable compliance with EU data protection law. A number of EU actors have played a part in developing that guidance.
European Data Protection Board
The European Data Protection Board (EDPB), established by Article 68 of the General Data Protection Regulation, is made up of the EU’s independent supervisor, the European Data Protection Supervisor, and representatives of the national data protection authorities. The EDPB’s approach to contact tracing can be seen through its first statement on the processing of personal data on 16 March 2020, supported by a formal statement issued on 19 March 2020, a later letter of 14 April 2020 sent to the Commission, and guidelines it adopted on 21 April 2020 including a guide for contact tracing apps in the annex. Essentially, its responses are that:
- EU data protection laws still apply and should not be departed from by either public authorities or private parties – in particular, the principles of data minimisation, accountability, and transparency under the GDPR should be protected, as well as the EU law principle and rules on non-discrimination;
- The contact tracing app should be operated on a voluntary basis only;
- Such apps would only achieve their maximum efficiency if used by the largest possible share of the population, and it therefore highlighted the need for interoperability.
The EDPB’s stance is important, considering that the European Commission sought and took up its advice when drawing up its Guidance on data protection for mobile apps in the context of the COVID-19 pandemic, and the Council of Europe also refers to it as ‘important’. The EDPB continues in this collaborative and influential role, and is monitoring the proposed solutions, according to its letters to MEPs dated 23 April 2020 and 24 April 2020, adopted at the EDPB’s 24th Plenary Session.
European Data Protection Supervisor
The European Data Protection Supervisor (EDPS) has taken a similar and coordinated approach, which can be seen through a letter of 20 March 2020 sent to the European Commission, a statement issued on 6 April 2020, its exchange of views with the LIBE Committee on 7 May 2020, and information on its website (‘TechDispatch’). The EDPS’s views are that:
- The existing EU data protection rules are flexible enough to be applied in this context;
- There are concerns about anonymisation, security, access and retention, and it would work with the EU institutions to safeguard fundamental rights and freedoms through limits and restrictions, including ensuring data would be correctly disposed of once the need disappeared;
- It supports a pan-European approach and COVID-19 mobile app.
In parallel with the EDPB’s monitoring activities, the EDPS has established a COVID-19 task force and has committed to undertake a careful analysis of longer-term implications of the pandemic for EU fundamental rights and freedoms, to be finalised by the end of the year.
European Commission
The Commission has issued a Commission Recommendation (2020/518), published in the Official Journal on 14 April 2020, a Common EU Toolbox of 15 April 2020, and on 16 April 2020, published Guidance on data protection for mobile apps.
Its Recommendation presented an assessment of how the apps would work, set out a monitoring methodology, and addressed interoperability, cross-border implications, and the fundamental rights-impact, taking on board issues identified by the EDPB and EDPS. It focused particularly on recalling that any interferences must be lawful, any breach must be justified and in line with permitted derogations and tests of proportionality and necessity, setting out key principles and limits to data processing, and referring to existing EU law that still had to be respected – most notably the GDPR, Directive 2011/24, and Directive 2002/58.
The Common EU Toolbox of 15 April 2020 is part of a common coordinated approach, stated as in need of being developed urgently and collaboratively by the e-Health Network made up of competent Member State authorities, with the support of the Commission. It provides a practical guide for Member States in the implementation of contact tracing and warning apps. In summary, the Toolbox refers to accountability for compliance with EU data protection law, highlights the voluntary nature of any contact tracing app, outlines the limits that should be applied and the need to avoid location tracking, and also refers to security of data, interoperability, and the need for full consultation and involvement of national data protection authorities. Member States endorsed the Toolbox and common European Approach through an announcement made on 16 April 2020.
The Guidance on data protection for mobile apps emphasises that it relates to ‘voluntary apps’, and sets out the features and requirements needed to ensure compliance with EU privacy and personal data protection legislation. The Guidance referred expressly to keeping Data Protection Authorities fully involved and consulted in the context of the development of the app, said that it should be kept under review, and stated that the Member States should report on actions they have taken in this area by 31 May 2020 for the purposes of peer review by other Member States and the Commission. The Institution itself has promised to assess progress and publish periodic reports from June 2020 onwards, recommending action, or suggesting the removal of measures that no longer appear to be necessary.
On 13 May 2020, the European Commission issued a further press release bringing to the fore interoperability. It also tied contact tracing and interoperability in with a new package of measures announced by the Commission on 13 May 2020 to reboot travel and tourism in the EU: cross-border interoperability between tracing apps and across operating systems was recognised as allowing citizens to be warned of a potential infection when travelling in the EU.
European Parliament
In a Resolution of 17 April 2020, the European Parliament addressed this issue, agreeing on the voluntary use of the app, warning against data storage on centralised databases, and advocating full transparency. It called on ‘the Commission and the Member States to publish the details of these schemes and allow for public scrutiny and full oversight by data protection authorities’, and agreed on the need for national and EU authorities to fully comply with data protection and privacy legislation. In a plenary debate on 14 May 2020, MEPs reiterated the need for contact tracing apps to be ‘truly voluntary, non-discriminatory and transparent’, strictly limited to their purpose, for data to be deleted as soon as possible in the circumstances, and generally for data protection and privacy laws to be respected. They also repeated the need for a coordinated approach in the development and use of apps to ensure their cross-border interoperability, as also emphasised by the Commission.
A few days ago, the European Parliament reported that it will continue to monitor the situation: “We’ll keep a close eye that EU law principles and rules are respected throughout the fight against Covid-19. That includes apps and technologies to control the spread patterns of the pandemics.”
Common European Approach
The above shows a clear and unified EU response to the divergent courses of action being taken by Member States’ governments, private stakeholders, and supervisory authorities. The EDPB, EDPS, European Commission and European Parliament have all restated the same objectives: a common European approach, respect for the existing EU data protection law and fundamental rights, the voluntary and interoperable nature of the app, and respect for the principles of transparency, accountability, and security and more. Each has submitted how it thinks that could be achieved, and each will also be monitoring whether that is occurring.
Anjum Shabbir is an Assistant Editor at EU Law Live