Trust & Tracing: The EDPB issues its “specification” for Covid Apps

People may consider the kind of surveillance needed to keep COVID-19 at bay a price worth paying, but public confidence will only be retained in the longer term if the right controls and accountability are in place.” Lord Evans, former head of MI5

Until very recently, the idea that EU states would ask their citizens to download an App that would track their location or personal contacts would have been unthinkable. However, these proposals are just part of the extraordinary response to the Covid outbreak which includes significant restrictions on personal freedom, such as the current physical lockdown across much of the EU.

The extent to which a Covid-tracing App will be effective in combatting the pandemic and thus allow an easing of the lockdown remains to be seen but it is clear the App will only be effective if it is widely adopted. That requires trust.

The European Data Protection Board has just issued detailed requirements for any such App to ensure it will be deployed in a privacy friendly way that puts users in charge of their information. We consider this “specification” and whether it will help create public confidence in these Apps.

Contact tracing v2.0

Contact tracing is a key tool to combating a pandemic. People in close contact with someone who is infected with a virus, such as Covid, are at higher risk of becoming infected themselves, and of potentially further infecting others. Closely watching these contacts after exposure to an infected person helps prevent further transmission of the virus. The contact tracing process has historically been very labour intensive requiring the manual identification, listing and follow-up for all contacts.

The scale of the Covid outbreak has created significant challenges to traditional methods for contact tracing leading to a global race to develop an App to automate this process. Notable developments include:

  • Singapore’s TraceTogether App. The App has won plaudits for its privacy friendly approach. Rather than track user’s actual location it uses Bluetooth emissions to work out if users of the App are near to each other. If a user is infected this information can be used to notify other users who were in close proximity. Importantly, use of the App is voluntary and only works in relation to other users of the App.
  • Apple and Google joint initiative. Apple and Google, who are responsible for the iOS and Android operating systems used on the vast majority of the world’s smartphones, have also issued a contact tracing framework. Like the TraceTogether App, this uses Bluetooth to conduct proximity analysis, but contains a number of additional measures to protect the privacy of users. The UK Information Commissioner’s Office has produced an excellent Opinion on this initiative (here) that is broadly supportive of this development.

Alongside these developments are a range of proposals for other tracing Apps including competing offerings from the German-based Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) and Swiss-based Decentralized Privacy-Preserving Proximity Tracing protocol (DP-3T).

This has also been coupled with input from a range of data protection regulators including opinions from the Belgian, Italian, German Rhineland, Slovenian and Spanish regulators and the EU Commission’s Recommendation on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis (here).

Given this broad spread of developments, the new EDPB guidelines are a welcome development helping to consolidate this existing guidance and ensure a consistent approach across the EU.

Under the bonnet – The EDPB’s “specification”

The EDPB’s Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak (“Opinion”) contains an Annex setting out the Board’s desired requirements in relation to any tracing App.  The seven broad areas covered by this “specification” are set out below:

  • General: The Opinion stresses that the App should be a complementary tool to traditional contact tracing and measures should be put in place to stop the App and delete the data as soon as the pandemic is over. The Opinion also suggests that the source code for the App should be made public.
  • Purposes: The sole purpose for any App should be contact tracing and it should not be used for secondary purposes, for example law enforcement, marketing or enforcing the lockdown.
  • Functional: The Opinion contains a wide range of functional requirements based around proximity measurement to other users of the App.
  • Data: The Opinion is clear that the application must not collect location data and more generally should comply with data minimisation principles. The Opinion also contains detailed recommendations on the use of regularly changing pseudo-random identifiers to track contacts between users in order to protect users’ privacy.
  • Technical: The App should, so far as possible, store data locally on the user’s device, though a central server can be used to implement some functionality.
  • Security: There should be measures in place to verify that users who identify themselves as being infected (and thus trigger alerts to other users) are in fact infected. The Opinion suggests this could be done by giving infected users a one-time code. The Opinion also recommends strong encryption and authentication methods.
  • Privacy: The App should not directly identify users, and instead just rely on passing on the pseudo-random identifiers to allow the App to alert the user if they have been in proximity to someone who has been infected. This is supported by a whole range of other recommendations, including that the deletion of the App should result in the deletion of locally collected data. Finally, a Data Protection Impact Assessment should not only be carried out but also published.

However, the EDPB also makes clear that these requirements are not prescriptive or exhaustive and other solutions are possible so long as they still comply with the GDPR and ePrivacy Directive.

Voluntary adoption

The Opinion is predicated on use of the App being voluntary, which as much as anything reflects the practical challenges in widespread deployment of an App when not everyone in the population has a compatible smartphone - GSMA statistics suggest 20-25% of the EU population do not have a smartphone at all (here) and this is most marked amongst the elderly who are most vulnerable.
Enforcement of mandatory deployment of the App would also be very challenging.

Interestingly, while the Opinion stresses that citizens should have a choice over whether to use the App, it does not recommend consent as a legal basis. Instead, it suggests that access to data on the user’s smartphone would be justified under Art 5(3) of the ePrivacy Directive as being strictly necessary to provide an information society service. Similarly, where the App is provided by a public authority it suggests that the legal basis is the performance of a task in the public interest (Art 6(1)(e)) and addressing issues of public health in relation to special category personal data (Art 9(1)(i)).

A silver bullet?

The Opinion is a welcome means of providing a single and consistent approach to the deployment of these Apps. While compliance with the EDPB’s “specification” will limit or prevent some potential use cases, it should engender greater public trust and thus drive greater adoption, which is likely to lead to better outcomes in the long term.

This leaves the question of whether this new technology will actually work - enabling effective automated contact tracing and thus allowing a relaxation of the current lockdown. Various concerns have been raised including the fact that different Bluetooth implementations use differing amounts of power making accurate proximity calculations difficult. Similarly, the App might generate false positives in areas of high population density, e.g. identifying those in adjoining flats as being in close contact despite being separate by a wall. This is a concern as high numbers of false positive notifications are likely to reduce public confidence in these Apps and drown out notifications where there is a real risk.

Like most technology it seems unlikely these Apps will, by themselves, provide a silver bullet to solve the current pandemic but hopefully will help hasten an end to this crisis.

By Tanguy Van Overstraeten, Richard Cumbley, Georgina Kon, Sonia Cissé


The EDPB’s Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak is available here.