COVID-19 Tracing Apps Must Respect Privacy and Civil Rights
Publication: ZRVP
Various digital apps could help reduce and prevent the spread of coronavirus. Such apps are particularly useful as more and more countries are preparing to ease lockdown restrictions. However, attention must be paid to avoid breach of privacy regulations and make such apps compatible with the EU’s strict data privacy rules.
On April 8, 2020, the Commission presented a list of general principles and non-binding rules for European countries for the use of mobile applications, as data collection can be essential to understand and respond to the COVID-19 emergency.
The Recommendation adopted by the Commission focuses on the following key principles for the use of these apps and data as regards data security and the respect of EU fundamental rights such as privacy and data protection:
National health authorities or other public authorities irrespective of their field of activity should be designated data controller
These entities are responsible for ensuring compliance with the GDPR and watch over citizens’ fundamental rights such as human dignity, protection of personal data, the freedom of movement, and respect of private and family life. A working framework controlled by a public authority that protects people’s rights and offers guidance builds trust and acceptance among users, making such apps more efficient.
Individuals remain in control of their personal data
Every person is given the choice to install such app(s), with the possibility to uninstall the program once the pandemic is under control. Moreover, the app(s) are automatically deactivated after the COVID-19 crisis is overcome.
Coronavirus tracking apps comply with the strict privacy rules required at European level
Legal basis that allow such apps to store information or get access to already stored information contained by users’ personal devices might only be based on the freely given, specific and informed consent of the users. The Commission also encourages to set strict temporary limits to data storage.
Only relevant and adequate user information will be processed
Data minimization principle should be kept in mind when processing such sensitive information. For instance, telemedicine apps do not need to gain access to the contact list of the user in order to properly function.
Data Protection Authorities supervise the development and usage of these digital tools
The objective is to secure the preservation of fundamental rights and compliance with privacy laws. Many of the technologies that are being developed in Europe – movement tracker, contact tracing, symptoms checker, telemedicine – are complying with and not revealing details of private data. Any measures infringing upon privacy must be temporary, limited in purpose and have restricted access to data.