Out-Law / Your Daily Need-To-Know

EU guidelines emphasise need for data protection during coronavirus pandemic

Out-Law News | 30 Apr 2020 | 8:05 am

Use of personal data to tackle the coronavirus pandemic should be consistent across Europe and in line with data protection law, the European Data Protection Board (EDPB), a regulator, has said. An expert has warned that ambiguities still remain on how the law should be applied.

Contact and movement data may help fight the spread of Covid-19. The EDPB, which co-ordinates action by the EU's national data protection regulators, said that it supports the use of personal data to tackle the crisis but that coronavirus tracing apps should obey the General Data Protection Regulation (GDPR).


The EDPB has published guidelines to help politicians, scientists and software developers to apply GDPR rules to coronavirus tracing apps and other software created to fight the pandemic.

"Where infection control is concerned, data is a valuable resource because the affected people can be informed quickly and easily," said Lisa Stimmer, a data protection law expert at Pinsent Masons, the law firm behind Out-Law.

"With these guidelines the EDPB will help ensure a unified approach on the application of data protection law to infection control measures," she said. "The guidelines are intended to provide a harmonisation of the application of data protection law across Europe."

Smartphones can record the movement of their users and their physical proximity to other users. Apps can collect such data and evaluate it. If a Covid-19 infection were verified, such apps would make it possible to find people who were in contact with the infected users. Those people could be warned and tested or quarantined.

The EDPB's guidance highlights that data should be anonymised before processing.

"According to the EDPB, data is sufficiently anonymised if it passes a so-called reasonability test," Stimmer said. "This means that objective aspects - such as time and technical means - should be taken into account along with contextual elements. The result of this test must be that a person cannot be re-identified with 'reasonable' effort."

Currently it is difficult to decide when sufficient anonymisation according to data protection law has been achieved, Stimmer said: "This principle is meant to solve that problem. But as a matter of fact, the EDPB's criteria do not fully solve it. In the light of unclear legal terms and the magnitude of complex technical options, in individual cases, ambiguities will remain."

The EDPB guidelines underline that the use of apps to fight the pandemic should be voluntary. According to the guidelines, recording movement patterns on a large scale would be an encroachment on the rights of users. This can only be justified with their consent.

The EDPB said that the use of contact tracing apps should be voluntary and should not rely on tracing individual movements, but rather on proximity information regarding users.

The guidelines emphasise that both the GDPR and the ePrivacy Directive contain specific provisions allowing for the use of anonymous or personal data to support public authorities and other actors at both national and EU level in their efforts to monitor and contain the spread of Covid-19. According to them, the general principles of effectiveness, necessity, and proportionality must guide any measures adopted by EU member states or institutions that involve processing of personal data to fight Covid-19.

The EDPB's guidance said that all measures should be appropriate and transparent, and that data must be used economically. Generally, as much data as possible should be collected on users' devices instead of in central storage facilities.

The EDPB said that the GDPR is very research-friendly and that data protection law should not hinder science or pandemic control. Rather, the GDPR enables the lawful processing of health data to support the fight against the virus. The GDPR foresees the processing of certain special categories of personal data, such as health data, where it is necessary for scientific research purposes.

Andrea Jelinek, chair of the EDPB, said: "Apps can never replace nurses and doctors. While data and technology can be important tools, we need to keep in mind that they have intrinsic limitations. Apps can only complement the effectiveness of public health measures and the dedication of healthcare workers that is necessary to fight Covid-19. At any rate, people should not have to choose between an efficient response to the crisis and the protection of fundamental rights."

At the same time, the EDPB said that some companies might take advantage of the crisis to establish exaggerated data collection methods. Therefore, all personal information recorded for the sake of pandemic control should be deleted when the crisis has come to an end, it said.