COMMISSION RECOMMENDATION (EU) 2020/518 of 8 April 2020 on a set of common EU instruments for the use of technology and data to combat and overcome the COVID-19 crisis, in particular for mobile applications and for the use of anonymised mobility data.
No Member State can be successful on its own in combating the COVID-19 crisis, least of all a political party or an autonomous community! An exceptional crisis of such magnitude requires determined action by all Member States and the EU institutions and bodies, working together in a true spirit of solidarity.
A common approach needs to be developed, as for all other issues, for the use of digital technologies and data in response to the current crisis.
PURPOSE OF THE RECOMMENDATION
– A pan-European approach to the use of mobile applications.
– A common plan for the use of anonymised and aggregated data on population mobility to (i) model and predict disease progression, (ii) monitor the effectiveness of decision making by Member State authorities on measures such as social distancing and containment, and (iii) obtain information for a coordinated strategy for exit from the VIDOC-19 crisis.
– Member States should take these measures urgently and in close coordination with each other.
PROCESS OF DEVELOPING A TOOLKIT FOR THE USE OF TECHNOLOGY AND DATA
The European Data Protection Committee and the European Data Protection Supervisor should be closely involved to ensure that the toolkit integrates data protection and privacy principles by design. This should be done:
– Strictly limit the processing of personal data to the fight against the COVID-19 crisis and ensure that personal data is not used for other purposes, such as coercion or for commercial purposes.
– Ensure regular review of the continued need for the processing of personal data. Provide for limits on the storage of such data.
– Take measures to ensure that, once the processing is no longer strictly necessary, it is actually terminated and the personal data concerned are irreversibly destroyed.
A PAN-EUROPEAN APPROACH TO COVID-19 RELATED MOBILE APPLICATIONS
The main priority of the toolkit should be a pan-European approach to mobile applications related to COVID-19, to be developed jointly by Member States and the Commission
The European Data Protection Committee and the European Data Protection Supervisor will be involved in the process. This approach will consist of the following:
– Specifications that ensure the effectiveness of mobile information, alert and tracking applications to combat VOC-19 from a medical and technical point of view.
– Measures to prevent the proliferation of applications that are not compatible with Union law.
– Governance mechanisms applicable by public health authorities and cooperation with the ECDC.
– The identification of good practices and mechanisms for the exchange of information on the operation of applications
– Exchange of data with relevant public epidemiological bodies and public health research institutions, including data aggregated to the ECDC.
PRIVACY AND DATA PROTECTION ISSUES ARISING FROM THE USE OF MOBILE APPLICATIONS
– safeguards to ensure respect for fundamental rights and avoid stigmatization.
– preference for the use of the least intrusive but effective measures, such as the use of proximity data and avoiding the processing of data relating to the location or movement of persons, as well as the use of anonymised and aggregated data where possible.
– technical requirements regarding appropriate technologies (e.g. low power Bluetooth) to establish the proximity of the device, encryption, data security, data storage on the mobile device, possible access by health authorities and data storage.
– effective cyber security requirements to protect the availability, authenticity, integrity and confidentiality of data.
– the expiry of the measures taken and the deletion of personal data obtained through these measures no later than when the pandemic is declared under control.
– the loading of proximity data in case of confirmed infection and appropriate methods of alerting persons who have been in close contact with the infected person, who will remain anonymous, as well as transparency requirements on privacy settings to ensure trust in the applications.
The Commission shall publish guidelines further specifying privacy and data protection principles in the light of practical considerations arising from the development and implementation of the toolkit.
USE OF MOBILITY DATA AS A BASIS FOR MEASURES AND EXIT STRATEGY
The second priority of the toolkit has to be a common approach to the use of the aggregated and anonymised mobility data needed for
– Modelling, in order to map and predict the spread of the disease and its impact on the needs of the Member States’ health systems
– Optimize the effectiveness of measures to contain the spread of VOC-19 and to address its effects, in particular containment (and de-containment), and to obtain and use such data.
This approach should include the following elements:
– The appropriate use of anonymous and aggregated mobility data for modelling purposes, to understand how the virus will spread and to model the economic effects of the crisis.
– Advice to public authorities to verify with data providers the methodology they have applied to anonymize data and to carry out a plausibility check of the applied methodology.
– Application of safeguards to prevent de-anonymization and avoid re-identification of individuals.
– Immediate and irreversible deletion of all data processed accidentally that would allow persons to be identified.
– Deletion of the data, in principle, after a period of 90 days or, in any case, at the latest when the pandemic is declared under control.
– Restriction of data processing to the above-mentioned purposes only, and exclusion of data exchange with third parties.