Contact tracing technologies and data protection: a European perspective


The tragic evolution of the Covid-19 health crisis around the world has required the adoption of exceptional measures. Effective responses to the emergency are based on governments’ ability to exercise control over the national territory, including by persuading individuals to change their lifestyles and daily habits.

During a health crisis on a global scale, the right to health may potentially conflict with a number of other protected values, and result in restrictions to personal freedom and lessening of the individual right to privacy. In this context, the adoption of new technologies can play a key role for the containment, the prevention and the monitoring of the pandemic outbreak.

While Taiwan and Singapore have achieved excellent results in containing the virus, China and South Korea are the best examples to demonstrate how data driven technology can be used when the infection has already spread to thousands of people. In particular, South Korea has adopted an impressive surveillance technology system through three different monitoring tools: credit card tracking (South Korea has the highest number of cashless transactions in the world), GPS location for mobile phones and CCTV recordings.

All data collected by such systems are aggregated by algorithms and the output of this process is an essential information tool for Korean public security authorities.

In Israel, the Ministry of Health released an app called “HaMagen” (which translates as “the shield” in Hebrew). The app compares the GPS data location with Government-owned databases and is able to track back people’s movements up to 14 days before a person being tested positive to Covid-19.

It is unlikely that such a high degree of mass surveillance and personal monitoring would be easily accepted in most of European countries. While on one hand these apps’ technical functionalities provide extremely useful data for national security authorities, on the other hand significant concerns arise in relation to potential violations of data protection.

On March 19, the European Data Protection Board issued a statement on the processing of personal data in the context of the COVID-19 outbreak. The EDPB stated that GPS location data can only be used upon the user’s prior consent or when the data are anonymized. At the same time, the European authority also referred to the provisions of the e-Privacy Directive. Article 15 of the e-Privacy Directive allows Member States to adopt laws and regulations aimed at safeguarding public security, which should in any event be subject to compliance with the principles of necessity, adequacy and proportionality. Under the statement, the EDPB affirmed that in a democratic society, every emergency measure must be strictly limited to the period of crisis. Invasive measures, such as the tracking of GPS location in a non-anonymous form can only be considered proportionate under exceptional circumstances. Such measures must be subject to reinforced control and stronger safeguards, in order to ensure compliance with the data protection principles and the values of the EU Charter of Fundamental Rights and the European Convention for the Protection of Human Rights. Also the Council of Europe stated that any measure taken in an emergency situation must respect the principles of necessity, data minimization, transparency and timeliness of the measures adopted, which must always be subject to public and independent scrutiny.

As far as the European data protection legislation is concerned, Regulation 2016/679 (GDPR) already takes into account how data processing can be carried out when specific circumstances exist. Specifically, Article 9 of the GDPR provides that an individual’s explicit consent to the processing of special categories of personal data (including data concerning health) is not required when data processing is necessary (i) to safeguard the vital interests of the data subject (or those of another natural person) or (ii) for reasons of substantial public interest. In light of the current circumstances, it could be expected that the processing of data aimed at limiting and preventing the spread of Covid-19 might benefit from the foregoing exceptions.

Further, to the extent any data is collected, Article 32 of the GDPR requires that the controller and the processor of the data collected must implement appropriate technical and organizational measures to ensure an appropriate level of security, taking into account, among other things, the nature, scope, context and purposes of the data processing. As a result, any app collecting health-related data would have to provide for an adequate degree of security, in light of the extremely sensitive nature of the data involved, in order to avoid data breaches and unauthorized disclosure of the information stored.

A strictly connected issue relates to the period of time during which the personal data collected by apps developed to contain the pandemic can be retained. In the past, the European Court of Justice – in its ruling on the Data Retention Directive (2006/24/EC) – already opined on the balance between the protection of personal data and public security measures. This ruling declared the Data Retention Directive invalid on the basis that the EU legislature had exceeded the limits imposed by compliance with the principle of proportionality. Specifically, the directive contained provisions on the duration of the retention period with respect to telephone traffic and location data, without stating any objective criteria on the basis of which such period would be determined.

The broad and extensive interference of the directive with the fundamental rights to respect for private life and to the protection of personal data would have required such interference to be actually limited to what is strictly necessary. It is likely that the same principle of proportionality could be adopted by the Court with respect to any new scrutiny on the validity of the emergency legislation adopted in the context of the Covid-19 epidemic. As a result, the retention time of data collected through apps issued to respond to the pandemic should be limited to the emergency period only.

Italy has been seriously hit by the Covid-19 outbreak and was the first European country faced with the need to adopt emergency measures to contrast the spread of the virus but, in just few weeks, the epidemic has transcended national borders and has become a global emergency which has affected all European countries.

In the recent weeks, not only the governments of many EU Member States but also some of the main European institutions are considering to use Big Data and algorithms to limit and prevent the spread of the pandemic over the territory of the EU.

In March, the European Commission issued a call for action addressed to all players in the European technological ecosystem. The Commission asked companies and start-ups to develop digital platforms and other data processing systems aimed at providing the authorities with new data-driven tools to monitor and manage the health crisis.

Eight European countries have also taken part to the PEPP-PT (Pan European Privacy-Preserving Proximity Tracing) project to release a source code which can be further developed and implemented to facilitate the launch of national apps in each Member State.

Specifically, the code analyzes the Bluetooth signals exchanged between mobile phones and tracks the users who have incurred a potential risk of infection, in an attempt to interrupt new chains of Covide-19 transmissions. The technology used for the development of the new European tracking system embeds safeguards to encrypt data and anonymizes personal information, to prevent abuse by unauthorized subjects (including governments) and ensure data protections standards.

In the context of this global emergency also tech-giant Google declared its willingness to help authorities by making available reports (in PDF format) setting out the mobility trends collected by Google Maps. The reports, which contain aggregated and anonymized data for 131 countries (including EU Member States), provide a guidance for national health institutions to evaluate the effectiveness of social distancing measures and to identify specific locations that require additional effort and focus by public security authorities.

In the current scenario, data protection authorities of each Member State should ensure that the emergency regulation does not compromise the necessary protection of the individual rights to privacy and therefore does not result in a permanent mass surveillance of the European population.

Also, to the extent the recourse to digital tools and monitoring technologies is further increased in order to respond to the pandemic, each Member State or the European Union should consider the adoption of ad hoc legislation. Such laws and regulations should not only lay down general principles and guidelines, but also set forth specific and detailed rules on the collection, management, and storage of personal data during a global health crisis.

(1) last access 04.07.2020

(2) last access 04.07.2020

(3) last access 04.07.2020

(4) last access 04.07.2020

(5) last access 04.07.2020

(6) last access 04.07.2020

(7) last access 04.07.2020

(8) last access 04.07.2020

(9) last access 04.07.2020

(10) last access 04.07.2020

(11) last access 04.07.2020

(12) last access 04.07.2020

Share this article!

About Author

Leave A Reply