Introduction
Toolbox


Introduction

With the vast technological developments taking place in recent years, it is important that the European Union becomes aware of the usefulness of these developments in order to inform the public and assist the relevant authorities in their efforts to contain the spread of COVID-19.(1)

The use of digital technologies and data can be a key tool to monitor the spread of COVID-19 in real time and can also empower citizens to take more effective social distancing measures.

Toolbox

On 8 April 2020 the European Commission issued Recommendation 2020/518 on establishing a common EU toolbox for the use of technology and data to combat the COVID-19 crisis, particularly with regard to mobile apps and the use of anonymised mobility data. The recommendation sets out a process to develop a common approach – a so-called 'toolbox' – in the European Union using the most innovative digital means to address the health crisis. The recommendation focuses primarily on:

  • the use of mobile apps to combat the COVID-19 pandemic, including with regard to measures that should be taken in terms of using apps to warn and track EU citizens' contacts; and
  • the use of anonymised and aggregated data on population mobility with the aim of predicting the evolution of COVID-19 and monitoring the effectiveness of decision making (eg, social distancing and confinement).

The toolbox would include an EU approach to mobile apps and the use of data to predict the spread of COVID-19. However, there are limitations of processing personal data, since it cannot be used for other purposes to guarantee individuals' privacy and prevent such data from circulating freely.

The recommendation was accompanied by a communication from the European Commission: Guidance on Apps supporting the fight against COVID-19 pandemic in relation to data protection (2020/C 124 I/01). The framework developed by the commission states that tracking applications should be:

  • voluntary;
  • transparent;
  • temporary;
  • cyber-secure; and
  • use temporary and pseudonymised data.

In addition, they should:

  • rely on Bluetooth technology;
  • be approved by national health authorities; and
  • be interoperable across borders and operating systems.

The European Data Protection Board (EDPB) adopted a similar approach in its Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak dated 21 April 2020.(2) The EDPB noted that when implementing contract tracking applications, general data protection principles should be applied (eg, legality, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and liability).

Consequently, several EU member states have introduced specific legislation allowing them to process health data on the basis of public interest as set out in EU Regulation 2016/679.(3) In any case, the purpose and means of data processing, what data should be processed and by whom must be clearly and specifically established.

A common representation for all EU member states – the European eHealth Network – is needed to develop the toolbox's measure with regard to an EU approach to COVID-19-related mobile apps and the use of mobile data.(4)

The recommendation states that the toolbox should be shared:

  • among all EU member states through the European eHealth Network; and
  • with the European Union's international partners in order to exchange ideas and collaborate with the purpose of curbing the pandemic.

Therefore, throughout this process, fundamental rights must be respected – specifically, the right to privacy and data protection. Point 10 of the recommendation sets out the implications of the development of the toolbox for the use of technology and data:

(1) strictly limit the processing of personal data for the purposes of combating the COVID-19 crisis and ensure that the personal data are not used for any other purposes such as law enforcement or commercial purposes.

(2) ensure regular review of the continued need for the processing of personal data for the purposes of combating the COVID-19 crisis and set appropriate sunset clauses, so as to ensure that the processing does not extend beyond what is strictly necessary for those purposes.

(3) take measures to ensure that, once the processing is no longer strictly necessary, the processing is effectively terminated and the personal data concerned are irreversibly destroyed, unless, on the advice of ethics boards and data protection authorities, their scientific value in serving the public interest outweighs the impact on the rights concerned, subject to appropriate safeguards.

The toolbox's approach to the creation of mobile apps for COVID-19 tracking must be pan-European, allowing for:

  • the effectiveness of the applications from a medical and technical point of view;
  • the prevention of the emergence of apps that are incompatible with EU law;
  • the identification of good practices; and
  • the exchange of data with public epidemiological bodies.

Therefore, the principles of privacy and data protection must guide the toolbox's development. In this regard, the following must be guaranteed:

  • the respect for fundamental rights;
  • the use of less intrusive but effective measures;
  • the use of appropriate technologies;
  • the presence of cybersecurity;
  • the deletion of personal data once the pandemic is under control; and
  • transparency that ensures confidence in the apps.

EU member states should exchange their practices on the use of mobility data – namely:

  • they should make appropriate use of anonymous mobility data;
  • there should be ongoing advice to public authorities to verify the anonymisation of data;
  • de-anonymisation should be prevented and the re-identification of individuals avoided;
  • the deletion of data that has been processed accidentally;
  • the deletion of data within a 90-day period in principle; and
  • the restriction of data processing to the abovementioned purposes.

For further information on this topic please contact Eduardo Buitrón or Natalia Marín Villamiel at Eversheds Sutherland (International) LLP's Madrid office by telephone (+34 914 294 333) or email ([email protected] or [email protected]). Alternatively, please contact Tobias Maier at Eversheds Sutherland (International) LLP's Munich office by telephone (+49 89 54565 0) or email ([email protected]). The Eversheds Sutherland (International) LLP website can be accessed at www.eversheds-sutherland.com.

Endnotes

(1) For further information on EU measures relating to COVID-19 please see "Latest EU measures relating to COVID-19 pandemic – multicentre clinical trials", "Short-term health preparedness for COVID-19 outbreaks" and "European Union issues communication on COVID-19 vaccination strategy".

(2) The EDPB is an EU body in charge of the application of the General Data Protection Regulation (GDPR) as of 25 May 2018. It is made up of the head of each DPA and of the European Data Protection Supervisor (EDPS) or their representatives.

(3) EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data repealing EU Data Protection Directive 95/46/EC.

(4) In accordance with the EU Directive 2011/24/EU on cross-border healthcare, the European Commission has adopted a decision establishing the European eHealth Network. These networks will serve to enable national authorities responsible for eHealth to contact their partners within the European Union on a voluntary basis and work on common guidelines for eHealth.