On Wednesday (8 April), the European Commission called for a common EU approach towards the use of mobile apps and data in the fight against the coronavirus crisis, that both increases the effectiveness of technological solutions as well as respecting citizens’ rights and freedoms.
Many member states have already begun to develop their own solutions, with varying approaches towards transparency. The recommendation offers guidance towards to adopting a common toolbox that focuses on two dimensions:
- a pan-European coordinated approach for the use of mobile applications for empowering citizens to take effective and more targeted social distancing measures and for warning, preventing and contact tracing; and
- a common approach for modelling and predicting the evolution of the virus through anonymised and aggregated mobile location data.
The recommendation also sets out key principles for the use of apps and data as regards data security and the respect of EU fundamental rights such as privacy and data protection.
“Europe’s data protection rules are the strongest in the world and they are fit also for this crisis, providing for exceptions and flexibility,” said Commissioner for Justice, Didier Reynders in a statement. “We work closely with data protection authorities and will come forward with guidance on the privacy implications soon.”
The recommendation stipulates that the common toolbox approach to mobile apps should consists of the following:
- specifications to ensure the effectiveness of mobile information, warning and tracing applications from a medical and technical point of view;
- measures to avoid proliferation of incompatible applications, support requirements for interoperability and promotion of common solutions;
- governance mechanisms to be applied by public health authorities and in cooperation with the European Centre for Disease Control;
- the identification of good practices and mechanisms for exchange of information on the functioning of the applications; and
- sharing data with relevant epidemiological public bodies, including aggregated data to ECDC.
The toolbox will also focus on developing a common approach for modelling and predicting the evolution of the virus through anonymous and aggregated mobile location data. The aim is to analyse mobility patterns including the impact of confinement measures on the intensity of contacts, and hence the risks of contamination.
“Appropriate safeguards” such as pseudonymisation, aggregation, encryption and decentralisation are listed as examples of best practice that public health authorities and research institutions should adhere to.
The mention of decentralisation might refer to the current divide in approach towards use of mobile data on the continent. One coalition of EU researchers led by institutions in Germany, Switzerland and France, is working on a project dubbed PEPP-PT (Pan-European Privacy-Preserving Proximity Tracing) which broadly follows the approach taken by Singapore’s TraceTogether app. The coalition hopes its common approach will be incorporated into the development of Covid-19 mobile apps to limit risks.
However, a different group of researchers is pioneering a decentralised method for achieving the same thing (DP-3T). This group argues that their approach is a better fit with the EU’s data protection model, because it doesn’t require pseudonymised IDs to be processed by a centralised server. Instead, data processing and storage – of an individual’s risk profile, for example – is performed locally, on the user’s device. This is intended to minimise the likelihood of such a system being repurposed for more nefarious means after the fact, such as state-level surveillance of citizens.
Today’s recommendation from the EU Commission follows a proposal from the Data Protection Supervisor (EDPS) on Monday for a pan-European Covid-19 mobile app European for tracking the virus that incorporates “data protection by design”.
Wojciech Wiewiórowski, the European Data Protection Supervisor, said: “The crisis will not be finished in weeks. It will take months to fight with it and years to recover. If we are so connected with each other, we will not be able to solve it with national tools only. The more European will our answer be the better results we will gain.”
Subhajit Basu, associate professor in information technology law at Leeds University, told NS Tech: “The EU project is much more transparent than the UK’s approach. We know that data protection law is technically not “privacy” legislation. It’s more like data processing and data transparency legislation. It is not impossible to follow the letter of the Law, meaning GDPR, but will it be following…’EU values’?”
Emma Cave, professor of healthcare law at the Durham Law School, said that a pan-European app could be a potential means “to allow oversight of privacy issues that potentially goes beyond measures put in place by some individual countries”. “A European mobile app also offers advantages over national apps given the propensity in normal times for cross-border movement,” she adds. “It is important that the data collected is useful (e.g. given the different national approaches to testing), that users are clear as to the implications of participation and uses to which the data will be put when they sign up, that they are able to withdraw effectively and that their privacy and confidentiality are protected (e.g. by ensuring that data is stored anonymously).”
Despite the UK no longer being a member of the EU, Wiewiorowski said his office was in “close consultation” with the UK authorities, as well as those in the US, Latin America, and New Zealand.
EDPS said to NS Tech in a statement: “EDPS is closely now working with our colleagues at national level to provide guidance on geolocation and other tracing tools in the context of the Covid-19 outbreak. Work is ongoing.”
The UK is also in the process of developing its own app, led by NHSX, the innovation arm of the NHS. The app is billed to be ready in a couple of weeks, and is apparently not going to be mandatory to download. However, few details have been confirmed as of yet.
The Commission has said that the toolbox for adopting a pan-European approach for Covid-19 mobile apps should be developed by 15 April.