EDPB Guidelines on the Use of Location and Health Data
The European Data Protection Board (the EDPB), which brings together the data protection authorities of the 28 member states of the European Union, issued guidelines on the use of location data and the use of health information in the fight against the coronavirus pandemic.
The guidelines on processing location data reiterate the importance of the GDPR principles of proportionality, purpose limitation, transparency, and legal basis for processing. The EDPB emphasizes that for location data, preference should always be given to processing anonymized data rather than personal data that relates to an individual person.
As per the EDPB, systematic and large-scale monitoring of location or contacts between individuals is a grave intrusion into their privacy. It can only be legitimized by relying on users’ voluntary use. This, in turn, means that individuals who decide not to use these applications, or who cannot use them, should not suffer any disadvantage.
The EDPB also discusses contact tracing applications, stressing that such applications should not rely on tracing the geolocation and movement of users. Instead, they should rely on proximity data regarding users. Also, the proximity information collected should be kept on the user’s device.
The guidelines on processing health information discuss the use of such information for scientific research in the context of the COVID-19 outbreak. The EDPB states that all processing of personal data concerning health must comply with the GDPR requirements for the legal basis and the specific permissions for lawfully processing special categories of personal data.
Health data should be anonymized where possible for scientific research. The EDPB also acknowledges the special permissions under Article 49 GDPR which allow the international transfer of data out of the EEA in exceptional cases. As per the EDPB, such cross-border transfer is possible when “necessary for important reasons of public interest” – an exception to the general rule that only allows cross-border data transfer to a jurisdiction recognized with an EU Commission adequacy decision or with other safeguards. The EDPB still underscores that the use of such derogation from the general rule must be interpreted restrictively and on a case-by-case basis.
CLICK HERE to read the EDPB guidelines on the processing of location data and contact tracing tools.
CLICK HERE to read the EDPB guidelines on the processing of health information for Coronavirus research.
EU Commission Guidelines on the Use of Apps Supporting Coronavirus Battle
Apps may be an important element in Europe’s exit strategy, says the EU Commission in guidelines published this month. The guidelines stress the importance of people’s trust that their data will not be used for other purposes unrelated to the fight against the pandemic. The Commission, therefore, deems it essential to identify the least intrusive solutions that fully comply with personal data protection and privacy requirements set out in EU law. Moreover, these apps must be deactivated at the latest when the pandemic is declared to be under control and must implement state-of-the-art information security protections. Data minimization and limited disclosure and access to the data collected are also of key importance.
The EU Commission also published its specific recommendations for contact tracing apps, which the Commission indicates must be approved by the national health authority. Personal data needs to be securely encrypted and discarded as soon as it is no longer needed. The guidelines, called a Common EU Toolbox, outline the EU member states’ collective understanding of best practice in the development and use of contact tracing apps. The common approach addresses the essential requirements covering the epidemiological framework, technical functionalities, cross-border interoperability requirements, and cybersecurity measures.
CLICK HERE to read the EU Commission’s guidance on apps supporting the fight against the COVID-19 pandemic.
CLICK HERE to read the EU Commission’s guide on mobile contact tracing apps.