Export Compliance Daily is a Warren News publication.
Useful But 'Pitfalls'

EU Encourages Voluntary Tracing Apps, Stresses Privacy Safeguards

Apps that warn citizens to avoid people infected with COVID-19 are a key element in lifting lockdowns, the European Commission said Wednesday. Its European road map toward easing containment measures noted contact tracing can help. Apps must comply with all EU privacy and data protection rules, the EC said. Among unresolved questions are whether the regime should be mandatory and how effective it will be.

Technical solutions "need to be examined in detail, on a case-by-case basis," European Data Protection Board Chair Andrea Jelinek wrote Tuesday. Development of the apps should be done accountably, with a data protection impact assessment, privacy by design and privacy by default mechanisms, and with source code made publicly available. The apps are one aspect of a pan-EU digital "toolbox" intended to help countries return to normality (see 2004020001).

Apps need "increased attention" to minimize privacy interference while allowing data processing for preserving public health, Jelinek said. The board backed the EC's proposal for voluntary adoption of such apps, saying national laws shouldn't be used to push for compulsory use.

There are two technological approaches, said Winston Maxwell, Telecom Paris director-law and digital technology studies. One involves GPS data to answer the question, where are you? The other uses Bluetooth to ask, with whom have you been in close contact? The choice depends on the objective, he said in an interview. If the idea is to enforce quarantine or confinement on someone who has tested positive, GPS is the right approach. If the goal is to let someone know she tested positive so she can warn those with whom she has been close in the prior two weeks, Bluetooth is best, he said.

A key question is whether apps should be voluntary, Maxwell said. France believes a mandatory approach would violate privacy. Maxwell said it can be compulsory as long as EU privacy laws are obeyed. Strong measures should ensure information-sharing and harmonization across Europe, and apps should be privacy-protective, he said; voluntary is better, but mandatory use of apps is possible if necessary and proportionate.

EU privacy officials favor voluntary apps, speakers said Wednesday at an Information Technology Industry Council webinar. Mandatory use should be only when absolutely necessary, said European Data Protection Supervisor Wojciech Wiewiorowski. Some European administrations introduced compulsory applications, raising questions of how to deal with exemptions. In his family, he noted, some people don't use smartphones, some don't use cellphones, so exceptions are needed.

Those who chose compulsion must show there's no better way, said German Federal Data Protection Commissioner Ulrich Kelber. It's hard to imagine how such an approach could be enforced in a democratic society, he said, noting European countries can't do the same things China can.

Not everyone will download an app, Everbridge Vice President-International Marketing Tom Pressley told us. Everbridge provides public warning systems to governments using a gateway for multiple platforms like broadcasts and SMS. Apps can be very useful, but "there are some pitfalls," the company says. Opt-in means not being able to capture a representative data set, the company said. And a "significant portion of any population, particularly in developing nations, don't own smartphones so can't download and use app-based systems."