A number of private and government entities have released apps and software development kits (SDKs) relying on location tracking data to help tackle the COVID-19 pandemic. While the use of such technologies are being hotly debated, commentary continues to emerge from the EU about developing such applications in compliance with EU data protection laws.

 Coronavirus, location tracking

On April 8, the European Commission issued its recommendation for a common EU toolbox for the use of technology to combat COVID-19. The Toolbox consists of practical measures for making effective use of technologies and data, with a focus on two areas in particular:

  • A pan-European approach for the use of mobile apps, coordinated at EU level, for empowering citizens to take effective and more targeted social distancing measures, and for warning, preventing and contact tracing to help limit the propagation of the COVID-19 disease.
  • A common scheme for using anonymized and aggregated data on mobility of populations in order (i) to model and predict the evolution of the disease, (ii) to monitor the effectiveness of decision-making by Member States’ authorities on measures such as social distancing and confinement, and (iii) to inform a coordinated strategy for exiting from the COVID-19 crisis.

On April 14, the EDPB released comments on the Commission’s initiative. The EDPB highlights the need to consult with national data protection authorities when developing apps, the importance of making the source code of apps publicly available, and the need for documentation through DPIAs.

While the EDPB encourages making the adoption of apps voluntary, the EDPB stated that performance of a task in the public interest may in some cases be the appropriate legal basis for processing rather than consent. The EDPB also notes that contact tracing apps will not require the location tracking of individual users, which would violate the principle of data minimization and create security and privacy risks. Further, while the EDPB noted that storage of information about contact “events” could be valid either locally or in a centralized database, provided that adequate security measures are put in place, the decentralized solution is more compatible with the principle of data minimization. Finally, the EDPB called for the need of all applications to be under the supervision of “qualified personnel” and that once the crisis is over, the system should be disbanded and the collected data should be erased or anonymized.

Putting it Into Practice. As we previously wrote on, and noted in the EDPB’s latest letter, the board will be releasing guidelines on geolocation and other tracing tools in the context of COVID-10 in the “upcoming days.” Organizations looking to use location tracking apps must continue to be mindful of key principles under EU data protection laws, even in this time of crisis. Such safeguards include being transparent about why information will be collected and shared; making the use of the app as voluntary as possible; deleting any data generated by using the app once it is no longer relevant; using encryption and other data security measures, and documentation of all steps in a DPIA.

As you are aware, things are changing quickly and the guidance described here may change.  This article represents our best understanding and interpretation based on where things currently stand.

*This alert is provided for information purposes only and does not constitute legal advice and is not intended to form an attorney client relationship. Please contact your Sheppard Mullin attorney contact for additional information.*