Following recent plans aimed at using digital tracing to combat Covid-19 outbreaks – the Common EU Toolbox (link) – the European Commission has recently released its non-legally binding Communication on Guidance on Apps supporting the fight against Covid-19 pandemic in relation to data protection (Guidance).
So, what should you consider when developing or using a crisis app?
Background. Rapidly growing importance of digital platforms resulted in intentions to use mobile applications installed on our smartphones to support public health authorities in monitoring and fighting the Covid-19 pandemic. The Guidance relates to voluntary apps supporting the fight against Covid-19 pandemic (apps downloaded, installed and used on a voluntary basis by individuals). It does not cover apps aimed at enforcing quarantine requirements or mandatory ones.
Applicability. Apps are regarded as means to provide direct guidance to citizens, help implementing social distancing measures, support contact tracing efforts and help limiting contamination.
To be subject to the Guidance, an app should have one or several of the following functionalities:
- provide accurate information to individuals about the Covid-19 pandemic;
- provide questionnaires for self-assessment and for guidance to individuals (symptom checker functionality). If the apps provide information related to diagnosis, prevention, monitoring, prediction or prognosis, potential qualification as medical devices according to the medical devices regulatory framework should be assessed;
- alert persons who have been in proximity for a certain duration to an infected person, in order to provide information such as whether to self-quarantine and where to get tested (contact tracing and warning functionality);
- provide a communication forum between patients and doctors in situation of self-isolation or where further diagnosis and treatment advice is provided (increased use of telemedicine).
Functions under scrutiny. The Guidance focuses on general features and requirements which apps should meet to ensure compliance with EU privacy and data protection legislation (GDPR and the ePrivacy Directive). It mainly regards three types of functions voluntary apps regarding Covid-19 provide: (i) informative functions, (ii) symptom checkers functionality (a tool for public health authorities to guide citizens on testing for Covid-19, to provide information on self-isolation, on how to avoid transmission to others and when to seek healthcare) and (iii) contact trackers (tools to identify the persons that have been in contact with a person infected by Covid-19 and to inform him/her about appropriate next steps, such as self-quarantine, testing or providing advice on what to do in case of symptoms).
Essential principles “to be checked” for a trustful and accountable use of Covid-19 apps are:
- National health authorities (or entities carrying out task in the public interest in the field of health) should be deemed as data controllers;
- The individual should always remain in control of their personal data (e.g. voluntary installation, specific consent for each functionality, ability to exercise his/her rights under GDPR);
- Legal basis – the user has given its consent, or the storage and/or access is strictly necessary for the app explicitly requested by the user;
- Data minimization – general recommendation that generating and processing less data limits security risks;
- Limiting the disclosure/access of data, as no information stored in and accessed from terminal equipment can be shared with health authorities other than necessary to have the information functionality;
- Proximity data – which should only be generated and processed if there is an actual risk of infection – should be stored on personal device and shared only upon user’s consent and if contamination with Covid-19 is confirmed;
- Providing for specific purposes of processing, so that there is no doubt what kind of personal data is necessary to process in order to achieve the desired objective;
- Data storage – the data should not be stored more than necessary for achieving the purposes of processing;
- Ensuring data security and accuracy;
- Fully involve your data protection officer and the data protection authority; and
- Deactivation of the app at the end of the pandemic without users’ consent being required.
*This ePublication is provided by Radu Taracila Padurari Retevoescu SCA and is for information purposes only. It does not constitute legal advice or an offer for legal services. The distribution of this document does not create an attorney−client relationship. If you require advice on any of the matters raised in this document, please call your usual contact at Radu Taracila Padurari Retevoescu SCA at +40 31 405 7777.