With new COVID-19 applications appearing across the globe each passing day, the European Union (EU) has released guidelines for member countries and health authorities to create new apps. In its document, the commission has mentioned that apps play a major role in the fight against the pandemic.
“Mobile applications typically installed on smartphones (apps) can support public health authorities at national and EU level in monitoring and containing the COVID-19 pandemic and are particularly relevant in the phase of lifting containment measures. They can provide direct guidance to citizens and support contact tracing efforts,” the document read.
The document has set out a number of features and requirements which apps must meet to ensure compliance with the EU’s privacy and personal data protection legislation, particularly the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
In its 14-page guidelines, the commission sought to ensure that an individual’s privacy is not affected. To this end, it has set out the following guidelines:
* The installation of the app on their device should be voluntary and without any negative consequences for the individual who decides not to download/use the app;
* Different app functionalities (e.g. information, symptom checker, contact tracing and warning functionalities) should not be bundled so that the individual can provide his/her consent specifically for each functionality. This should not prevent the user from combining different app functionalities if this is offered as an option by the provider;
* If proximity data are used (data generated by the exchange of Bluetooth Low Energy (BLE) signals between devices within an epidemiologically relevant distance and during an epidemiologically relevant time), they should be stored on the individual’s device. If those data are to be shared with health authorities, they should be shared only after confirmation that the person concerned is infected with COVID-19 and on the condition that he/she chooses to do so;
* Health authorities should provide the individual with all necessary information related to the processing of his or her personal data (in line with Articles 12 and 13 of the GDPR and Article 5 of the ePrivacy Directive);
* The individual should be able to exercise his/her rights under the GDPR (in particular, access, rectification, deletion). Any restriction of the rights under the GDPR and ePrivacy Directive should be in accordance with these acts and be necessary, proportionate and provided in the legislation;
* The apps should be deactivated at the latest when the pandemic is declared to be under control; the deactivation should not depend on de-installation by the user.
The commission further mentioned that data protection authorities must be involved and consulted while developing an app and they must keep its deployment under review. “Given that the processing of data in the context of the app will qualify as a processing on a large scale of special categories of data (health data), the Commission draws attention to Article 35 GDPR on data protection impact assessment,” the document read further.