On 21 April, the European Data Protection Board (EDPB) issued guidelines concerning key data protection and privacy issues related to the use of certain tools that aim to combat the spread and resurgence of COVID-19. The guidelines address the use of location and contact tracing tools, and an April 14 letter states the EDBP’s views on the use of mobile applications and mobile data.
Guidelines on the use of location data and contact tracing tools. The EDPB emphasized the importance of using anonymized — not personal — data when utilizing location information, which isn’t subject to the European Union’s (EU) data protection law. Anonymization means it’s impossible to:
- Use the data to single out an individual from a larger group.
- Link different records related to the same individual.
- Infer unknown information about an individual.
Letter addressing the use of mobile applications and mobile data. The EDPB’s letter responds to the European Commission’s proposal for a common approach to the use of mobile applications and data to inhibit the spread of COVID-19. Currently, member states are pursuing different approaches. According to the commission, applications can be developed by the public or private sectors and must comply with the EU’s data protection principles. Applications should aim to inform and advise citizens; interrupt infection chains; prevent a resurgence of infection; and help with monitoring and quarantining of individuals. The EDPB supports balancing public interest and individuals’ privacy to fight the pandemic, and emphasized the following considerations:
- Individual use of applications should be voluntary.
- Tasks should be performed in the public interest.
- Applications must not incorporate location tracing.
- Data storage preferably should be decentralized, not centralized.
- Commission recommendation concerning mobile applications and the use of anonymised mobility data (EDPB, 8 Apr 2020)
- Letter to commission (EDPB, 14 Apr 2020)
- Guidelines on the use of location data and contact tracing tools (EDPB, 21 Apr 2020)
- General data protection regulation (EurLex, 27 Apr 2016)