18 May THE EUROPEAN COMMISSION PROVIDES GUIDELINES FOR THE USE OF MOBILE APPLICATIONS DEVELOPED FOR THE COVID-19 COMBAT
The European Commission (“EC”) published on April 16, 2020 data protection guidelines for the use of mobile applications developed for combating the pandemic of COVID-19.
The EC is the executive body of the European Union (“EU”), politically independent, responsible for proposing to the EU Parliament and Council laws and measures to protect the interests of the EU and its citizens, whenever issues can be better dealt with at European level than at national level.
The guidelines come in the context of the increasing use of mobile application technology to contain the advance of the COVID-19 pandemic in the EU and worldwide.
Google and Apple recently announced, for example, a joint effort to develop an application, operable on Android and iOS, which will use Bluetooth to identify the proximity of individuals infected with COVID-19 and notify people who have been close to them.
The EC’s guidelines are based on the premise that it is desirable to set limits on these technologies and common parameters for their regulation across the Member States, in order to safeguard the fundamental rights of their users, who are the subjects of personal and sensitive data.
Whether by increasing the capacity of health authorities to interrupt chains of infection or by allowing individuals to trace their social interactions and be notified of any imminent danger, the trust placed in the platforms is a precondition for their development. To ensure that trust, the EC stresses that people need to be sure that these applications respect fundamental rights, that they will only be used for the protection of public health and other specifically defined purposes, that they will not be used for large-scale surveillance, and that citizens will maintain control over their data.
Furthermore, it is essential that such measures have an expiration date: the EC recommends that applications be deactivated at the latest when the pandemic is declared under control, and that, during their operation, they implement information security protections more advanced than usual.
The EC identifies certain application functionalities on which its guidelines focus:
(i) Provide accurate information to individuals about the COVID-19 pandemic;
(ii) Provide questionnaires for self-assessment and for guidance to individuals (symptom checker functionality);
(iii) Alert persons who have been in proximity for a certain duration to an infected person, in order to provide information such as whether to self-quarantine and where to get tested (contact tracing and warning functionality); and
(iv) Provide a communication forum between patients and doctors in a situation of self-isolation or where further diagnosis and treatment advice is provided (increased use of telemedicine).
The EC considers that a platform interfering to this extent with the confidentiality of private communications could only be imposed on European citizens through a legislative measure that is adequate and proportional and that protects specific objectives, and that a thorough investigation would still be necessary before resorting to this option.
For this reason, the European authority recommends that the use of these technologies be voluntary and occur at the initiative of citizens, through mobile applications available for download, without any negative consequences for the person who decides not to download the app or not to use it.
The EC presents and discusses 10 elements to guarantee trust in the applications, limit the intrusive nature of their functionalities and ensure compliance with EU legislation on data protection and privacy.
1. National Health Authorities as data controllers.
The EC considers that, given the sensitivity of the data, it is important to identify the national health authorities (or entities carrying out tasks in the public interest in the field of health) as the data controllers, that is, as those who decide the means and the purposes of the data processing. Such a measure can contribute to higher trust among the population and therefore acceptance of the apps, ensuring that they fulfill the intended purpose of protecting public health.
2. Ensuring that the individual remains in control.
In addition to the recommendation that the installation of applications should be voluntary, without any negative consequences for those who do not download/use the apps, it is important that: (i) the purposes are not bundled so that the individual can provide his/her consent specifically for each functionality, (ii) proximity data must be stored on people’s devices and any sharing with the health authority of a positive result of the COVID-19 infection should occur only after confirmation and at the initiative of the infected person, (iii) the authorities must inform the data subject about the processing of his/her data, allowing the exercise of the rights provided for in the legislation and (iv) the applications must be deactivated when the pandemic is declared under control, and the deactivation should not depend on the user’s uninstallation of the app.
3. Legal basis for processing.
The EC recommends obtaining prior, freely given, specific, explicit and informed consent from the data subject, under the terms of the General Data Protection Regulation (“GDPR”). Consent should be expressed through a clear affirmative action of the individual; this excludes tacit forms of consent. The EC also draws attention to the prohibition of subjecting people to a decision taken solely on the basis of automated processing that produces effects in their legal sphere or that significantly affects them in a similar way (according to article 22 of the GDPR).
4. Data minimization.
The EC recommends that only personal data that are adequate, relevant and limited to what is necessary for the purpose of the application be used. As an example, the EC mentions that symptom checking and telemedicine do not require access to the contact list of the person owning the device. Thus, the EC concludes that generating and processing less data limits security risks.
5. Limit the disclosure/access to data.
The EC recommends that information that is not directly related to the purpose of the application and its role to users should not be shared with health authorities. The identity of the infected person cannot be revealed to people with whom they have had epidemiological contact. The EC recommends that these people be told only that they have had contact in the previous 16 days with a person infected with COVID-19.
6. Providing for precise purposes of the processing.
Specifically, the EC recommends that different purposes of data processing not be bundled in applications, in order to provide individuals with full control of their data. The EC also discourages the use of data collected for purposes other than the fight against COVID-19; should purposes such as scientific and statistical research be necessary, they should be included in the original list of purposes and clearly communicated to users.
7. Setting strict limits to data storage.
The EC recommends maximum periods for storing the data: one (1) month (virus incubation period, plus a safety margin) for the purpose of symptom control and telemedicine, or after the person has been tested and the result was negative for the infection. For the purpose of preparing surveillance and investigation reports, the authorities will be able to keep the data for longer, but only in an anonymous form. For the purposes of contact tracing and warning, the EC recommends the same deadline outlined above, or the data may be deleted as soon as they are no longer necessary for the purpose of warning people.
8. Ensuring the security of the data.
The EC recommends that data be stored on the individual’s device, in an encrypted form using state-of-the-art cryptographic techniques. In the case that the data is stored in a central server, the access, including the administrative access, should be logged and the proximity data must only be generated and stored in an encrypted or pseudonymized format, among other information security measures.
9. Ensuring the accuracy of the data.
On this topic, the main recommendation is to avoid false positives. In this regard, the EC recommends that applications use more accurate location tools, such as Bluetooth, and that the positive COVID-19 test reported by the user be validated.
10. Role of data protection authorities.
Direct involvement of data protection authorities in the development of these technologies is recommended, allowing consultation and advice for the implementation of solutions. The EC also highlights the importance of the authority on data protection impact assessments.
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KGV Advogados concerning the matters herein addressed. Copyrights are reserved to Kestener, Granja & Vieira Advogados.