European Data Protection Board Releases Guidance for COVID-19 App Development

The European Data Protection Board (EDPB) has released guidance, in a letter, in relation to the European Commission’s recommendation for the development and implementation of apps used for specific purposes, such as contact tracing, in the battle against the COVID-19 pandemic.

The European Commission published its initial recommendation on apps for contact tracing on 8 April and sought additional guidance from the EDPB. This recommendation is seeking to establish a common EU toolbox for the use of technology and data to combat and exit from the COVID-19 crisis.

The findings of the EDPB pay particular attention to the use of apps for contact tracing and warning functionality. This is the area that could experience the most issues as private data will need to be processed in a compliant manner, while at the same time not impacting the provision of any required healthcare treatment(s).

In its letter, the EDPB gives it support for the Commission’s proposal for a voluntary adoption of such apps. It goes on to say that this process of adoption should indicate a choice was made by the individuals involved as ‘a token of collective responsibility’. Along with this, it was stated that the source code of the apps should be made publicly available for the widest possible scrutiny by the scientific community.

In relation to location tracking, the EPDB said that contact tracing apps do not require location tracking of individual users as their main function is to unveil contact with those who have tested positive for COVID-19. The body stated that the recording of an individual’s movements would be a breach of the principle of data minimization. The use of the contact tracing apps must be ended when the pandemic is deemed to be over and all collected data must be erased or anonymized.

Additionally, the EDPB called for the creation of these apps to be conducted in an accountable and transparent manner. The process should be recorded and include a data protection impact assessment that looks at each and every aspect of the app’s evolution.

The letter ended calling for EDPB to be included in the European Commission’s planning for the use of technology in the fight against COVID19 as it is the body charged with the application of GDPR and E-Privacy Directives. It is also expected that the EDPB will release further guidance in the coming days in relation to the use of geolocation and tracing tools during the COVID-19 pandemic.

Andrea Jelinek, Chair of the EDPB, said: “The EDPB welcomes the Commission’s initiative to develop a pan-European and coordinated approach as this will help to ensure the same level of data protection for every European citizen, regardless of where he or she lives.”

You can read the full content of the EDPB letter here: