COVID-19 alert and warning apps to protect lives and livelihoods
The coronavirus does not stop at borders. Tracing and warning apps can help break the chain of infections. They can save lives by complementing manual tracing. Most Member States have launched a national contact tracing and warning app which can be used on a voluntary basis.
Therefore, the Member States and the European Commission have set up a new service to allow national apps to talk to each other. This will allow users to be warned if they were in contact with someone who has indicated that they have tested positive for COVID-19. Contact tracing and warning apps are based on Bluetooth proximity technology. They are only used voluntarily, respect users’ privacy and do not enable the tracking of people’s locations.
Currently, this service works according to a “decentralised” system where the calculations happen in the user’s app. This has been adopted by the majority of Member States. Solutions are being analysed to include the “centralised” systems (where the calculations take place on a secure server of the national health authority). This “decentralised” system, in combination with the Gateway Services, enables these apps to be used across borders.
Citizens’ personal data are fully protected. Information will only be stored in the gateway for a maximum period of 14 days. The information exchanged is fully pseudonymised, encrypted and limited to the essential.
The gateway is set up by T-Systems and SAP, and the server itself is hosted in the Commission’s own data centre in Luxembourg. The system is operational and the first national apps were connected to it in October 2020.
Three national apps (Germany, Ireland, and Italy) were first linked on 19 October when the system came online. In total, 20 apps are based on decentralised systems and can become interoperable.
Member States are joint controllers for the European Federation Gateway Service: the participating Member States determine together the purpose and means of processing of personal data through the federation gateway.
All Member States should set up effective and compatible apps and reinforce their communication efforts to promote their uptake.
How are users’ personal data protected?
The European Commission has published an EU toolbox on contact tracing and warning apps, as well as guidance on data protection. These resources define a series of guiding principles for these apps:
- contact tracing and warning apps should only be voluntarily installed and used;
- the data minimisation principle: only the data which are strictly necessary for the running of the service are collected, nothing more;
- apps should use proximity data based on Bluetooth technology;
- no location data is requested or utilised by the tracing app;
- contact tracing and warning apps do not track people's movements;
- the data should not be stored longer than necessary – 14 days;
- data should be protected through state-of-the-art techniques, including encryption;
- the applications should be de-activated as soon as the pandemic is over.
Health data are considered sensitive data under the General Data Protection Regulation (GDPR) (Article 9) and their processing can therefore only take place under strict requirements. Aggregated statistical data on the use of contact tracing apps that do not enable identification of the natural persons concerned are not considered personal data and therefore the GDPR does not apply.
Questions and answers
On 8 April 2020, the Commission adopted a recommendation to support the gradual lifting of coronavirus containment measures through mobile data and apps, with key principles for the use of mobile applications used for social distancing measures, warning, preventing and contact tracing. Any use of apps and data should respect data security and EU fundamental rights, such as privacy and data protection.
On 16 April 2020, Member States in the eHealth Network, supported by the Commission, adopted an EU toolbox on contact tracing applications in the EU’s fight against COVID-19, setting out the foundations of a common pan-European approach to contact tracing and warning apps. The eHealth Network adopted the interoperability guidelines on 13 May, detailing the interoperability needs at different stages of the digital contact tracing flow.
Building on the previous work, the eHealth Network adopted in June the technical specifications and guidelines, which set out the architecture for a European Federation Gateway Service that would allow the exchange of contact tracing keys between Member States. This will mean that citizens travelling within the countries that have joined the Federation Gateway will only need to install one app. The modalities for processing personal data in the Federation Gateway were adopted in July with the amendment of the Implementing Decision on the eHealth Network. The development and deployment of the Federation Gateway was completed by the end of September. After this, Member States will be able to start connecting to the system.