Privacy and data protection aspects of COVID-19 tracing and warning apps

Even after 8 months, the COVID-19 pandemic still has a significant impact on society, economy, and how we conduct ourselves in our daily lives. Although some countries have been able to effectively mitigate most of the negative effects, not all have been so lucky. In the fight against further spreading, governments have started to look towards tracing and warning apps as a complementary solution to help contain the virus. 

Even though there exist several types of contact tracing and warning apps, most of them function in the same way. The general idea is that your phone sends out random codes to nearby devices, which can be picked up and stored by other phones in the proximity that also have the app installed. In case you are diagnosed with symptoms, you can use the app to send out a warning to all devices that saved your code. Vice versa, you can also receive a warning in case you have been in proximity of a person with symptoms. From a privacy & data protection point of view, one can think of several potential concerns resulting from the wide-spread use of these apps. In the end, authorities must find the right balance between the fundamental rights to privacy & data protection and public health. 

The first consideration relates to the principle of lawfulness (article 5, 1 (a) of the GDPR), which states that the processing of personal data must rely on a valid and legitimate legal basis. The GDPR lays down several legal grounds which can be applied depending on the circumstances (article 6 of the GDPR). In the case of COVID-19 tracing and warning apps, processing also involves special categories of personal data, specifically health data. For these special categories of personal data, an additional legal basis is required (article 9 of the GDPR). The question then arises; which legal basis is the most appropriate for the processing of personal data by COVID-19 apps? A first option is explicit consent (article 9, 2 (a) of the GDPR) by the data subject. Although the most well-known legal basis, explicit consent may not be the most appropriate choice due to the strict requirements for valid consent (consent must be freely given, specific, informed, and unambiguous) and the ability of the data subject to withdraw consent at any time. The second option is the necessity for reasons of public interest in the area of public health (article 9, 2 (i) of the GDPR). This legal basis seems more fitting for the current circumstances. It must be noted that the application of this legal basis must be based on Union or Member State law, which may result in different approaches between Member States.

The second concern is that processing activities by COVID-19 apps must respect the data protection principles set out in the GDPR, particularly the principles of purpose limitation, data minimization, and security of processing. There must exist some guarantees and safeguards for the data subject that only personal data necessary for the purposes of COVID-19 tracing are processed and that these data are only processed for said specified purpose. Lastly, the personal data must be properly secured against unauthorized processing (e.g. access by an unauthorized entity) and accidental loss or damage.

The third major concern relates to the legal roles of controller and processor; who is responsible and accountable for the processing performed by these COVID-19 apps? This is an important question for data subjects and their exercise of data subject rights. In the end, there must be an entity that is responsible to which data subjects can address their requests.