We have heard about different apps and tools that identify our geolocation. These days, some of them are aimed to use the location data to support the response to the pandemic by indicating the spread of the virus as well as to notify individuals who may have been near someone who is eventually confirmed as a carrier of the virus. But where are the limits?

The systematic and large-scale monitoring of location may involve privacy concerns. In the context of a contact tracing application, the EDPB has underlined different aspects that should be taken into account:

  • Location data collected from electronic communication providers may only be transmitted to authorities or other third parties if they have been anonymised or prior consent of the users has been obtained.
  • In relation to anonymisation, appropriate measures should be in place to prevent the re-identification of users.
  • Instead of tracking the location of individuals, the tracing apps should use the proximity parameter.
  • The information collected by the app should remain on the terminal equipment and only relevant information should be collected when necessary.
  • In addition, the purposes must be specific and exclude further processing for purposes unrelated to the management of the pandemic.

Who are the controllers of these applications?

The EDPB considers that the national health authorities could be the controllers, but if there are more actors involved in the deployment of the app, then their roles and responsibilities must be clearly explained to the users.

What is the legal basis to rely on? 

One of the main aspects that the guidelines point out is that the use of such applications must be strictly voluntary. However, this does not mean that the processing of personal data will necessarily be based on consent. When public authorities provide a service based on and in line with law requirements, the most relevant legal basis for the processing is the necessity for the performance of a task in the public interest.

In addition to the above, the EDPB has provided general guidance to designers of contact tracing apps, underlining that although any assessment must be carried out on a case-by-case basis, the following criteria should be considered:

  • It would be necessary to conduct a data protection impact assessment prior the deployment of the applications as they may result in a high risk to the rights and freedoms of individuals.
  • When a user is diagnosed infected with Covid19, only those individuals with whom the user has been in contact, should be informed.
  • This type of application requires to broadcast data that may be read by devices of other users. In this respect, only pseudonymous identifiers between users' mobile equipment, for example via the Bluetooth should be exchanged.
  • Identifiers must be renewed on a regular basis to reduce the risk of unauthorised tracking.