With a view to an exit strategy, the EU and its Member States are pinning great hopes on mobile apps for the purpose of contact tracing. In order to gain the trust of citizens and to prevent any data from being misused, the EU Commission is relying on a joint and coordinated approach.
Increasingly more countries throughout Europe are beginning to gradually relax the current restrictions to contain the Coronavirus. To prevent the situation from escalating again, contact tracing apps also form part of the discussion. These mobile apps shall make it possible to trace and to break the chain of infection. The EU Commission is also of the opinion that “the development of such apps and their take up (...) can have a significant impact on the treatment of the virus”, and can “play an important role in the strategy to lift containment measures”. As the Commission outlines in its Joint European Roadmap towards lifting COVID-19 containment measures, this would be “particularly relevant in the phase of lifting containment measures, when the infection risk grows as more and more people get in contact with each other”. Hence, on 8 April the Commission therefore recommended the development of a common toolbox for the use of technology and data of mobile devices.
EU Commission guidelines
On 16 April, the Commission published data protection Guidelines, which shall provide assistance in the development of respective apps. According to the Commission, current EU legislation has to be taken into consideration for any possible use, in particular the General Data Protection Regulation (GDPR) and the Directive on Privacy and Electronic Communications. The European Data Protection Board has also been consulted with regarding to drafting guidelines; citizens shall be adequately protected and any intrusion into their privacy shall be restricted. Concerning the development of contact tracing apps, the guidelines required that national health authorities will assume responsibility, that the use of personal data will be limited and that users will be fully in control of their data. Apart from that, data of the respected user shall only be saved on their device and for a strictly limited period. The reliability of (contact) data shall be technically guaranteed and the national data protection authorities shall be involved in the development.
Toolbox as guidance
Supported by the Commission, EU Member States have also developed a Common Toolbox for the use of contact tracing and warning apps. It shall serve Member States as practical guidance for the implementation of such apps. It contains requirements, which have been defined as essential and which shall make it possible to trace infection chains simpler, faster and more efficiently than traditional methods – for example, the questioning of infected patients. The Toolbox is regarded as part of an ongoing process; the current version shall be continuously optimised in accordance with Member States’ feedback. The national health authorities have been asked to assess the effectiveness of contact tracing apps by 30 April 2020; Member States are to submit their reports by 31 May.
Data protection and criticism
As it has been made clear by the Commissioner for Internal Market Thierry Breton, “strong privacy safeguards are a pre-requisite for the uptake of these apps, and therefore their usefulness”. In view of the discussion, numerous NGOs and data protection organisations have also referred to requirements and dangers. The Chaos Computer Club (CCC), for example published 10 requirements for the evaluation of such apps. Two of these requirements are voluntariness and anonymity. However, critics doubt the usefulness of such apps. The Toolbox of the EU Commission quotes a Study by Oxford University, according to which these might help to contain the Coronavirus; however, to achieve this, about 60 percent of the population would have to use these apps. In Singapore, which many countries regard as a relevant example, the app has only be installed on about twelve percent of all smartphones. Hence, if two people meet by chance, the statistical probability that both have installed the app, is thereby slightly more than one percent. Apart from that, one has to take into consideration that a significant percentage of the population still does not own a smartphone – in particular elderly people, who are part of the ‘at risk’ group.
Chamber of Labour insists on voluntariness
The AK warns that the potential introduction of such apps must not change the absolute commitment to voluntariness. Anything else would mean an unacceptable infringement of fundamental rights. Voluntarily and without coercion also means that the consent to use such an app must not be linked to any advantages – for example, the relaxation of social distancing, travel or access restrictions. It also has to be continuously monitored whether such apps – in spite of promises regarding a high level of data protection – will in the long run not lead to tendencies, which, with regard to fundamental rights, have to be clearly rejected. In this connection, comprehensive transparency and continuous data protection impact assessments as well as reviews by the data protection authority are also of vital importance. It would also be advisable to introduce a type of data protection certification by independent authorities.