‘Major security and privacy issues’ in using location data for COVID-19 apps, Commission says  

The European Commission has warned against the processing and storage of location data in the use of mobile applications designed to trace the potential spread of the coronavirus across the bloc.

“Location data is not necessary nor recommended for the purpose of contact tracing apps, as their goal is not to follow the movements of individuals or to enforce prescriptions,” an EU paper on a common toolbox for mobile applications to combat COVID-19, published on Thursday (April 16), states.

“Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimisation and would create major security and privacy issues,” the document, which has been signed off by EU member states and the Commission, adds.

The recommendations borrow directly from a letter written by Andrea Jelinek, Chair of the European Data Protection Board, to the European Commission earlier this week. The letter highlighted that tracking the location of users as part of such apps, is not necessary for the technologies to be effective.

Cyprus, Czech Republic & Finland

The toolbox also surveys a number of national initiatives underway in Member States that involve contact tracing apps in the fight against Covid-19. Despite the warnings against using location data, the toolbox highlights projects underway both in Cyprus and in the Czech Republic that use location data in the clampdown against the outbreak.

The referenced project in the Czech Republic, ‘Smart Quarantine memory maps,’ uses location data from mobile operators to construct called ‘memory maps,’ which represent visualisations of locations an individuals have spent significant time in over the last 5 days. The document notes that this helps the authorities to “lead more effective and efficient contact tracing call with infected people.”

However, the document does not reference the fact that recently the Finnish Chancellor of Justice has launched an investigation into how the government has been using location data in their monitoring of the spread of the coronavirus in the country, as reported over the weekend by the Finnish national broadcasting company, Yle.

Broader recommendations

More broadly as part of the EU’s toolbox published on Thursday, recommendations for the development of contact tracing applications state that such technologies should be voluntary and must implement privacy-friendly technologies using only anonymised data, being ideally based on bluetooth proximity technology.

The apps should also be dismantled as soon as they are no longer needed, interoperable and cyber-secure.

For those less likely to have access to smartphones, the toolbox recognises that manual tracing methods, such as phone interviews with the elderly, should continue.

Health Commissioner Stella Kyriakides welcomed the agreement on the toolbox on Thursday. “Mobile apps can warn us of infection risks and support health authorities with contact tracing, which is essential to break transmission chains,” she said in a statement. “Without safe and compliant digital technologies, our approach will not be efficient.”

However, in the rush to develop contact tracing technologies, a broader debate on the effectiveness of such apps is required, says Alice Stollmeyer, Founder and Executive Director of the campaign group Defend Democracy.

“Any app, tech and AI must ensure privacy, security and ethics from collection through use and sharing to storage of data by design,” she told EURACTIV.

“We need a multidisciplinary public debate at the EU level before deciding if we want and actually need them, even if they comply with the General Data Protection Regulation.”

No One-app recommendation

Meanwhile, last week, the EU’s data protection watchdog, the European Data Protection Supervisor, said that the bloc should establish its own “pan-European COVID-19 mobile application” due to divergences in current app developments across the bloc.

However, a singular EU app coordinated from Brussels is unlikely. The European Commission’s exit strategy from the coronavirus crisis, published on Wednesday, states that “widespread take-up of a pan-EU reference app, or at least interoperability and sharing of results between such apps, would allow for a more effective tracing and public policy follow-up,” but fails to entertain the suggestion of the EDPS.

“I’m not sure that it would be terribly useful to add apps to the market, or add to those which are already in development,” a spokesperson from the executive said on Tuesday. “It’s not up to the Commission to be developing an app, particularly when there are already solutions which are being worked on.”

Future reporting

In terms of the endorsement of specific apps rolled out across member states, the toolbox published on Thursday states that national competent authorities in charge of the health crisis should be held accountable for approvals.

Public health authorities are due to assess the effectiveness of apps at a national level by 30 April, and member states have been asked to report back to the Commission on their actions by 31 May 2020.

For their part, the executive, will continue to monitor the rollout of apps across the EU, and publish periodic reports from June onwards, throughout the crisis.

Edited by Benjamin Fox

Subscribe to our newsletters