EU agrees not to use location data in tracing apps
-
Experts warn it is difficult to hold accountable all the coronavirus apps that are appearing on an almost daily basis (Photo: Barney Moss)
Member states agreed on Thursday (16 April) that Covid-19 mobile applications should not process the location data of individuals, because "it is not necessary nor recommended for the purpose of contact tracing".
"Collecting an individual's movements in the context of contact tracing apps would create major security and privacy issues," states the EU toolbox adopted by EU countries and supported by the European Commission.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Don't miss out on
Our exclusive news stories and investigations. Influential. Investigative. Independent.
Why join?
Watch our founder Lisbeth Kirk explain the reasons in this 30-second video.
Already a member?
These apps should also be both temporary and voluntary, while they should ensure that no user knows the identity of any infected persons or of close contacts of infected persons.
And the storage of such data should also be time-limited to enhance security and privacy.
"While we should be innovative and make the best use of technology in fighting the pandemic, we will not compromise on our values and privacy requirements," said the commissioner for the internal market, Thierry Breton, in a statement on Thursday.
However, experts warned that it is difficult to hold accountable all the apps that are appearing day-by-day in all different member states.
This is why the European Data Protection Supervisor called for a pan-European Covid-19 app, amid the ongoing proliferation of country-specific apps.
This toolbox is part of the guidelines for the use of technology and data proposed by the commission last week, which also focuses on a common scheme for using anonymised and aggregated data on the mobility of populations - provided by telecom operators since 23 March 2020.
Moreover, the toolbox is accompanied by guidance on data protection for such mobile apps.
Users should be able to give their "specific" consent for each functionality of the app (e.g. contact tracing and warning or symptom checker) - even if the health authorities want to contact them via phone or SMS.
Likewise, individuals upheld their rights under the EU's data protection rules, such as the right to be forgotten or access data - although restrictions might be put in place.
The commission also makes a call for transparency and recommends that the source code of Covid-19 tracing apps should be made public and available for review.
Next steps
Given the privacy concerns that the use of these technologies give rise to, the EU's data protection board and national data protection bodies are in charge of monitoring if these applications are fully aligned with the EU's data protection rules (GDPR).
Public health authorities are expected to assess the effectiveness of the apps at the national and cross-border level by the end of the month, while the commission will asses and publish periodic reports from June onwards.
Several MEPs are urging a debate in the European Parliament over the ethical and practical implications of these apps for citizens' fundamental rights.
Meanwhile, Apple and Google have teamed up to open up their operating systems - iOS and Android - to allow developers to build Covid-19 tracing apps.
Under this new framework, they would use bluetooth to track who has been in contact with coronavirus cases rather than location data.
Site Section
Related stories
- Coronavirus: Are we trading privacy for security?
- Privacy issues arise as governments track virus
- MEPs: 'Mass surveillance' still possible under US privacy deal
- 'Consent' - the good, the bad and the ugly in e-privacy regulation
- Contact-tracing apps: a major test for privacy in Europe
- The Dutch tracing app 'soap opera' - lessons for Europe
