
European Data Protection Board guidelines on the use of location data and other tracking tools in the context of COVID-19


On 21 April, the European Data Protection Board ("EDPB") published Guidelines 04/2020 on the use of location data and other tracking tools in the context of COVID-19 (the "Guidelines"), with the aim of providing guidance and establishing a legal framework at European level for the processing of personal data through tracking applications in the fight against the virus.

Recently, to control and eliminate the COVID-19 pandemic, different initiatives have emerged, both public and private, related to the containment and control of the spread of COVID-19. Among them, we can highlight the creation of maps or models on how the pandemic spreads, using geolocation data from citizens' mobile devices. Along the same lines, it should be remembered that the Spanish government is currently developing an application to control the pandemic in our country, which we have already explained here.

In addition to the public initiatives, companies such as Apple and Google have presented a collaboration project to help authorities reduce the spread of the virus by using Bluetooth technology. In this respect, it should be noted that the Information Commissioner's Office, the UK data protection authority, has recently come out in favour of this project.

Through the Guidelines, the EDPB aims to clarify the conditions and principles to be considered in carrying out these tracing activities to prevent the spread of the disease. Firstly, the EDPB recalls that the use of such geolocation applications should in any case be voluntary. It also stresses that these tools should not track or follow individual movements of people, but only gather information on the proximity between users (contact tracing).

The EDPB also emphasises that any measures taken by Member States or by any body of the European Union on the use of location data and tracking tools must be subject to the principles of effectiveness, proportionality, and necessity.

In this respect, the EDPB aims to establish criteria and recommendations that are indicative and harmonised at European level, stressing, in any case, that the use of these technologies must be solely to combat COVID-19, and cannot be used to control or repress the population. In particular, the EDPB states that: 

  • The use of geolocation tools should be limited to the elaboration of COVID-19 propagation maps, with the aim of checking the effectiveness of the social distancing measures implemented by the different Member States.
  • As for the tracking applications or tools, the aim of their use should be to notify those concerned if they have been in contact with someone who is either infected or subsequently confirmed as a carrier of the disease, in order to break or reduce the chain of contagion.

At the structural level, the Guidelines state that:

  • Geolocation data obtained either by telecommunication operators or by different information society service providers (e.g. Facebook, Google) can only be processed if they have been previously made anonymous. Likewise, such data may only be transferred to authorities or third parties that have been authorized by the authorities.
  • A Data Protection Impact Assessment is required, given the sensitive nature of the personal data that will be processed.
  • Preferably, personal data should be made anonymous and data processors or controllers should take appropriate security measures to safeguard the protection of the data collected. In order to assess when personal data should be processed, objective aspects (e.g. time or technical means) and contextual elements of each specific situation (e.g. frequency of the phenomenon, including population, density, nature and volume of data) should be analysed. In this regard, the EDPB recalls that the concept of anonymous data should not be confused with pseudonymized data.
  • Tracking applications that report contact with a potentially infected person must use data on the proximity of people, not their exact location. In addition, it is necessary to ensure that identification is not possible, with the information being stored only on their devices. In particular, the EDPB recalls that contact tracing requires measures to comply with the principle of privacy by design and the principle of minimization. In this same sense, it is recommended that the source code of the application be published, also identifying the person or persons responsible for it.
  • Contact tracing applications or tools cannot replace qualified personnel to verify the infection (i.e. complete automation of the infection verification process is prohibited). Algorithms must be properly monitored to minimize the risk of false positives and negatives.
  • Storage of information on the user's device or access to information already stored is only allowed if the user has given their consent, or if storage and access are strictly necessary for the requested information society service.
  • Respect the principle of data minimization, i.e. data processing must be reduced to the strict minimum. Consequently, tracking applications may under no circumstances collect unnecessary data such as name, telephone number, terminal serial number, call log, etc.
  • Respect the principle of purpose limitation, so that personal data cannot be used later for purposes unrelated to COVID-19 and the pandemic.
  • Data should be kept according to reasonable and objective criteria (i.e. incubation period or other epidemiological criteria) and, at most, until the end of the crisis. Thereafter, they should, as a rule, be deleted or made anonymous.
  • Notification of infected users from the application or tool should be subject to prior authorisation (e.g. single-use code linked to a pseudonym of the infected person and linked to verification by a test or health professional). Otherwise, no processing should be performed on the user's status. At this point, only persons with whom the infected user has been in direct contact in the epidemiologically relevant period should be informed.

Finally, it should be noted that the EDPB Guidelines include a final annex containing a guide for developers and programmers, which aims to establish certain basic guidance criteria when developing such tracking applications.

In short, the EDPB maintains that the General Data Protection Regulation is flexible enough to accommodate and allow for all the processing operations that derive from the fight against COVID-19. However, it is necessary to comply with the requirements that guarantee due respect for the data subjects' right to data protection, promoting transparency in the processing, and thus guaranteeing the confidence and support of the citizens.

We hope the information is useful and of interest to you. At Andersen Tax & Legal we have created a multidisciplinary team to deal with all the questions that may arise in this area or in relation to COVID-19, and all the firm's professionals are at your disposal.

You can consult the EDPB Guidelines on the use of location data and other tracking tools in the context of COVID-19 by clicking here or you can download the document here.

For more information please contact:

Isabel Martínez Moriel | Director in the area of Privacy, IT & Digital Business
