Call for common EU approach to apps and data to fight COVID-19 and protect citizens’ rights

The European Commission has responded to the regional scramble for apps and data to help tackle the coronavirus crisis by calling for a common EU approach to boost the effectiveness of digital interventions and ensure key rights and freedoms are respected.

The European Union’s executive body wants to ensure Member States’ individual efforts to use data and tech tools to combat COVID-19 are aligned and can interoperate across borders — and therefore be more effective, given the virus does not respect national borders.

Current efforts by governments across the EU to combat the virus are being hampered by the fragmentation of approaches, it warns.

At the same time its recommendation puts a strong focus on the need to ensure that fundamental EU rights do not get overridden in the rush to mitigate the spread of the virus — with the Commission urging public health authorities and research institutions to observe a key EU legal principle of data minimization when processing personal data for a coronavirus purpose.

Specifically it writes that these bodies should apply what it calls “appropriate safeguards” — listing pseudonymization, aggregation, encryption and decentralization as examples of best practice. 

The Commission’s thinking is that getting EU citizens to trust digital efforts — such as the myriad of COVID-19 contacts tracing apps now in development — will be key to their success by helping to drive uptake and usage, which means core rights like privacy take on additional significance at a moment of public health crisis.

Commenting in a statement, commissioner for the EU’s internal market, Thierry Breton said: “Digital technologies, mobile applications and mobility data have enormous potential to help understand how the virus spreads and to respond effectively. With this Recommendation, we put in motion a European coordinated approach for the use of such apps and data, without compromising on our EU privacy and data protection rules, and avoiding the fragmentation of the internal market. Europe is stronger when it acts united.”

“Europe’s data protection rules are the strongest in the world and they are fit also for this crisis, providing for exceptions and flexibility. We work closely with data protection authorities and will come forward with guidance on the privacy implications soon,” added Didier Reynders, the commissioner for justice, in another supporting statement. “We all must work together now to get through this unprecedented crisis. The Commission is supporting the Member States in their efforts to fight the virus and we will continue to do so when it comes to an exit strategy and to recovery. In all this, we will continue to ensure full respect of Europeans’ fundamental rights.”

Since Europe has fast-followed China to become a secondary epicenter for the SARS-CoV-2 virus there has been a rush by governments, institutions and the private sector to grab data and technologies to try to map the spread of the virus and inform policy responses. The Commission itself has leant on telcos to provide anonymized and aggregated user location data for COVID-19 tracking purposes.

Some individual Member States have gone further — calling in tech companies to ask directly for resources and/or data, with little public clarity on what exactly is being provided. Some governments have even rushed out apps that apply individual-level location tracking to enforce quarantine measures.

Multiple EU countries also have contacts tracing apps in the works — taking inspiration from Singapore’s TraceTogether app which users Bluetooth proximity as a proxy for infection risk.

With so much digital activity going on — and huge economic and social pressure for a ‘coronavirus fix’ — there are clear risks to privacy and civil liberties. Governments, research institutions and the private sector are all mobilizing to capture health-related data and track people’s location like never before, all set against the pressing backdrop of a public health emergency.

The Commission warned today that some of the measures being taken by certain (unnamed) countries — such as location-tracking of individuals; the use of technology to rate an individual’s level of health risk; and the centralization of sensitive data — risk putting pressure on fundamental EU rights and freedoms.

Its recommendation emphasizes that any restrictions on rights must be justified, proportionate and temporary.

Any such restrictions should remain “strictly limited” to what is necessary to combat the crisis and should not continue to exist “without an adequate justification” after the COVID-19 emergency has passed, it adds.

It’s not alone in expressing such concerns.

In recent days bottom-up efforts have emerged out of EU research institutions with the aim of standardizing a ‘privacy-preserving’ approach to coronavirus contacts tracing.

One coalition of EU technologists and scientists led by institutions in Germany, Switzerland and France, is pushing a common approach that they’re hoping will get baked into such apps to limit risks. They’ve called the effort: PEPP-PT (Pan-European Privacy-Preserving Proximity Tracing).

However a different group of privacy experts is simultaneously pushing for a decentralized method for doing the same thing (DP-3T) — arguing it’s a better fit with the EU’s data protection model as it doesn’t require pseudonymized IDs to be centralized on a server. Instead storage of contacts and individual infection risk processing would be decentralized — performed locally, on the user’s device — thereby shrinking the risk of such a system being repurposed to carry out state-level surveillance of citizens.

Although the backers of this protocol accept it does not erase all risk; with the potential for tech savvy hackers to intercept the pseudonymized IDs of infected people at the point they’re being broadcast to devices for local processing, for instance. (While health authorities may be more accustomed to the concept of centralizing data to secure it, rather than radically distributing it.)

Earlier this week, one of the technologists involved in the PEPP-PT project told us it intends to support both approaches — centralized and decentralized — in order to try to maximize international uptake, allowing developers to make their own choice of preferred infrastructure.

Though questions remain over achieving interoperability between different models.

Per its recommendation, the Commission looks to be favoring a decentralized model — as the closest fit with the EU’s rights framework.

In a section of its recommendation paper on privacy and data protection for “COVID-19 mobile warning and prevention applications” it also states a preference for “safeguards ensuring respect for fundamental rights and prevention of stigmatization” — and for “the least intrusive yet effective measures”.

The Commission’s recommendation also stresses the importance of keeping the public informed.

“Transparency and clear and regular communication, and allowing for the input of persons and communities most affected, will be paramount to ensuring public trust when combating the COVID-19 crisis,” it warns. 

The Commission is proposing a joint toolbox to be developed with EU Member States to encourage a rights-respecting, coordinated and common approach to smartphone apps for tracing COVID-19 infections — which will consist of [emphasis its]:

  • specifications to ensure the effectiveness of mobile information, warning and tracing applications from a medical and technical point of view;
  • measures to avoid proliferation of incompatible applications, support requirements for interoperability and promotion of common solutions;
  • governance mechanisms to be applied by public health authorities and in cooperation with the European Centre for Disease Control;
  • the identification of good practices and mechanisms for exchange of information on the functioning of the applications; and
  • sharing data with relevant epidemiological public bodies, including aggregated data to ECDC.

It also says it will be providing guidance for Member States that will specifically cover off data protection and privacy implications — another clear signal of concerns.

“The Commission is in close contact with the European Data Protection Board [EDPB] for an overview of the processing of personal data at national level in the context of the coronavirus crisis,” it adds.

Yesterday, following a plenary meeting of the EU data watchdogs body, the EDPB announced that it’s assigned expert subgroups to work on developing guidance on key aspects of data processing in the fight against COVID-19 — including for geolocation and other tracing tools in the context of the COVID-19 outbreak, with its technology expert subgroup leading the work.

While a compliance, e-government and health expert subgroup is also now working on guidance for the processing of health data for research purposes in the coronavirus context.

These are the two areas the EDPB said it’s prioritizing at this time, putting planned guidance for teleworking tools and practices during the current crisis on ice for now.

“I strongly believe data protection and public health go hand in hand,” said EDPB chair, Andrea Jelinek, in a statement: “The EDPB will move swiftly to issue guidance on these topics within the shortest possible notice to help make sure that technology is used in a responsible way to support and hopefully win the battle against the corona pandemic.”

The Commission also wants a common approach for modelling and predicting the spread of COVID-19 too — and says the toolbox will focus on developing this via the use of “anonymous and aggregated mobile location data” (such as it has been asking EU operators to provide).

“The aim is to analyse mobility patterns including the impact of confinement measures on the intensity of contacts, and hence the risks of contamination,” it writes. “This will be an important and proportionate input for tools modelling the spread of the virus, and provide insights for the development of strategies for opening up societies again.”

“The Commission already started the discussion with mobile phone operators on 23 March 2020 with the aim to cover all Member States. The data will be fully anonymised and transmitted to the Joint Research Centre for processing and modelling. It will not be shared with third parties and only be stored as long as the crisis is ongoing,” it adds.

The Commission’s push to coordinate coronavirus tech efforts across the EU has been welcomed by privacy and security experts.

Michael Veale, a backer of the decentralized protocol for COVID-19 contacts tracing, told us: “It’s great to see the Commission recommend decentralisation as a core principle for information systems tackling COVID-19. As our DP-3T protocol shows, creating a centralised database is a wholly unnecessary and removable part of bluetooth contact tracing.”

“We hope to be able to place code online for scrutiny and feedback next week — fully open source, of course,” Veale added. “We have already had great public feedback on the protocol which we are revising in light of that to make it even more private and secure. Centralised systems being developed in Europe, such as in Germany, have not published their protocols, let along code — perhaps they are afraid of what people will find?”

While Lukasz Olejnik, an EU-based cybersecurity advisor and privacy researcher, also welcomed the Commission’s intervention, telling us: “A coordinated approach can certainly be easier to build trust. We should favor privacy-respecting approaches, and make it clear that we are in a crisis situation. After the crisis, such a crisis system should be dismantled, and it looks like the recommendations recognize it. This is good.”

The Commission intends the toolbox for moving towards a pan-European approach for COVID-19 mobile applications to be developed by April 15.

It also wants Member States to report on the actions they have taken in this area by May 31 — making their measures accessible to other Member States and the Commission for peer review.

It adds that it will assess the progress made and publish periodic reports starting in June 2020 and throughout the crisis, recommending action and/or the phasing out of measures that are no longer necessary.