EU: Europe’s toolbox for building compliant Corona tracking apps

Mobile applications supporting the EU in its fight against Covid-19: the common EU Toolbox for Member States

By Heidi Waem and Alizée Stappers

On the 8th of April 2020, the European Commission adopted Recommendation 2020/518 to address the need for a common toolbox (the “Toolbox”) for the use of technology and data in order to fight and exit the Covid-19 crisis, with a particular focus on the use of mobile applications.

Given the urgency of the situation, the adoption of the Toolbox followed quickly (15 April 2020), providing a first iteration of common baseline requirements and functionalities regarding mobile applications supporting contact tracing (the “Apps”).

From the outset, the Toolbox specifies that the common approach applies to contact tracing and warning functionalities of voluntarily installed Apps. Therefore, as things currently stand, other functionalities (e.g., information and symptom tracking functionalities) do not fall within the scope of the Toolbox but a common approach in relation thereto is likely to be further developed in future iterations of the Toolbox.

While the Toolbox already plans a calendar for future reviews and efficiency-related assessments of the Apps and the Toolbox itself, we can already pinpoint key features of the common requirements which are divided into four parts:

  1. Essential requirements

The Toolbox underlines, among other things, that Member States should clearly define procedures for informing and managing persons who may have been exposed to Covid-19, as well as providing potentially infected App users with immediate information.

It is also acknowledged that the Apps should comply with applicable law and minimise the processing of personal data. In this regard, the Toolbox categorises the Apps into two general groups: (i) decentralised processing of proximity data which remains only on the device (i.e., mobile phone), and (ii) backend server solution held by the public health authorities. In order to tackle the crisis, it might well be that the second category will be preferred as it enables public health authorities to have access to anonymised and aggregated information on social distancing, effectiveness of the Apps or the potential diffusion of Covid-19.

Regarding Apps’ effectiveness, the Toolbox emphasises that several technical and interoperability requirements should be considered by Member States. Indeed, taking into account the fact that the infection transmission chains do not stop at national or regional borders, national health authorities should be technically able to exchange information about infected or exposed individuals. In this perspective, the Toolbox underlines that the Apps should follow common EU interoperability protocols so as to ensure tracing and warning functionalities, as well as safeguarding rights (e.g., privacy and data protection), irrespective of the device’s location within the EU.

As for cybersecurity, it is specified that the requirements detailed in the Annex of the Toolbox intend to address the need to enhance both national authorities’ and citizens’ trust in the Apps, which ultimately impacts the uptake of the latter. Such cybersecurity-related requirements include the use of encryption, communications security, secure development practices and user authentication.

Finally, the Toolbox states that the Apps should present all guarantees for respect of fundamental rights (in particular, privacy and data protection), as well as the prevention of surveillance and stigmatization. Safeguards are, among others, the temporary (i.e., deletion of remaining personal data and proximity information as soon as the crisis is over) and voluntary (i.e., consent-based installation) nature of the Apps.

  2. Measures aimed to ensure accessibility and inclusiveness

At this stage, it is already acknowledged that the Apps will not reach all citizens. The Toolbox underlines that manual contact tracing efforts will complement the Apps (e.g., when potentially infected or exposed individuals are admitted to hospital, the personnel will ask – to the extent possible – the individual to draw up a list of persons he/she has been in contact with recently) and that Helplines will be made available to support persons who wish to install the Apps but need further assistance in relation thereto.

  3. Governance and role of the public health authorities

Regarding the role played by public health authorities, the Toolbox states that the national competent authorities in charge of the Covid-19 crisis should ultimately be accountable for the Apps developed in accordance with the national system (see below, 4. Supporting actions). For instance, Member States’ health authorities should be considered as the controller for the processing of personal data.

  4. Supporting actions

The final category touches upon the need for information exchange between health authorities in order to help understand the epidemic and transmission dynamics. Supporting actions would also include the prevention of harmful apps, by means of setting up a national system of evaluation/accreditation endorsement of national Apps, as well as close cooperation with app stores.

Even though the Toolbox sets out common requirements in order to increase the Apps’ leverage across the European Union in the fight against Covid-19, the Apps’ leverage will also largely depend on their uptake by EU citizens.

The type of technology used for contact tracing might potentially exclude a large proportion of EU citizens. For instance, it has already been noted that the Bluetooth Low Energy technology, used in some Apps currently being developed, is only available in smartphones produced less than 5 years ago. Moreover, the digital divide will also come into play as certain categories of persons would not be able to have access to the Apps (e.g., more vulnerable persons such as the elderly).

While the Toolbox already acknowledges this risk and intends to overcome it by means of manual contact tracing efforts or the use of alternative digital devices, it is yet to be seen how it will be implemented in practice.

For more information please contact Heidi Waem, Alizée Stappers, or your usual DLA Piper contact.