EU takes steps to manage Covid-19, mobile data and apps

The European Commission has announced that digital tools can play an important role in the gradual lifting of containment measures, but it is paramount that they are compliant with EU data protection rules.

Different solutions are being developed at Member State level, with Singapore providing inspiration with its Trace Together app.

The Commission is saying that a pan-European approach is needed for Covid-19 mobile applications, and says that in order to follow data protection rules, the apps should use anonymised and aggregated data where possible, and ensure transparency in the privacy settings. Also, there needs to be a clear sunset clause for these measures to expire when no longer needed.

There should be safeguards in place to avoid re-identifications of individuals, including guarantees of adequate levels of data and IT security. Data should in principle be deleted after a period of 90 days, or in any event no later than when the pandemic is declared under control, and the data should be processed only for the purpose of combating COVID-19.

The Commission says that, by 15 April 2020, it will develop a toolbox towards a pan-European approach for mobile applications in association with the European Data Protection Board (EDPB), and provide guidance including on data protection and privacy implications. Member States should report on the actions they have taken by 31 May 2020 and make the measures accessible to other Member States and the Commission for peer review.

See the EU Commission's 12 page recommendation, issued on 8 April.