EU lawmakers set out guidance for coronavirus contacts tracing apps

The European Commission has published detailed guidance with Member States on developing coronavirus contacts tracing and warning apps.

The toolbox, which has been developed by the e-Health Network with the support of the Commission, is intended as a practical guide to implementing digital tools for tracking close contacts between device carriers as a proxy for infection risk that seeks to steer Member States in a common, privacy-sensitive direction as they configure their digital responses to the COVID-19 pandemic.

Commenting in a statement, Thierry Breton — the EU commissioner for Internal Market — said: Contact tracing apps to limit the spread of coronavirus can be useful, especially as part of Member States’ exit strategies. However, strong privacy safeguards are a pre-requisite for the uptake of these apps, and therefore their usefulness. While we should be innovative and make the best use of technology in fighting the pandemic, we will not compromise on our values and privacy requirements.”

“Digital tools will be crucial to protect our citizens as we gradually lift confinement measures,” added Stella Kyriakides, commissioner for health and food safety, in another supporting statement. “Mobile apps can warn us of infection risks and support health authorities with contact tracing, which is essential to break transmission chains. We need to be diligent, creative, and flexible in our approaches to opening up our societies again. We need to continue to flatten the curve – and keep it down. Without safe and compliant digital technologies, our approach will not be efficient.”

The Commission’s top-line “essential requirements” for national contacts tracing apps are that they’re:

  • voluntary;
  • approved by the national health authority;
  • privacy-preserving (“personal data is securely encrypted”); and
  • dismantled as soon as no longer needed

In the document the Commission writes that the requirements on how to record contacts and notify individuals are “anchored in accepted epidemiological guidance, and reflect best practice on cybersecurity, and accessibility”.

“They cover how to prevent the appearance of potentially harmful unapproved apps, success criteria and collectively monitoring the effectiveness of the apps, and the outline of a communications strategy to engage with stakeholders and the people affected by these initiatives,” it adds.

Yesterday, setting out a wider roadmap to encourage a co-ordinated lifting of the coronavirus lockdown, the Commission suggested digital tools for contacts tracing will play a key role in easing quarantine measures.

Although today’s toolbox clearly emphasizes the need to use manual contact tracing in parallel with digital contact tracing, with such apps and tools envisaged as a support for health authorities — if widely rolled out — by enabling limited resources to be more focused toward manual contacts tracing.

“Manual contact tracing will continue to play an important role, in particular for those, such as elderly or disabled persons, who could be more vulnerable to infection but less likely to have a mobile phone or have access to these applications,” the Commission writes. “Rolling-out mobile applications on a large-scale will significantly contribute to contact tracing efforts also allowing health authorities to carry manual tracing in a more focussed manner.”

“Mobile apps will not reach all citizens given that they rely on the possession and active use of a smart phone. Evidence from Singapore and a study by Oxford University indicate that 60-75% of a population need to have the app for it to be efficient,” it adds in a section on accessibility and inclusiveness. “However, non-users will benefit from any increased population disease control the widespread use of such an app may bring.”

The toolbox also reiterates a clear message from the Commission in recent days that “appropriate safeguards” must be embedded into digital contacts tracing systems. Though it’s less clear whether all Member States are listening to memos about respecting EU rights and freedoms, as they scrambled for tech and data to beat back COVID-19.

“This digital technology, if deployed correctly, could contribute substantively to containing and reversing its spread. Deployed without appropriate safeguards, however, it could have a significant negative effect on privacy and individual rights and freedoms,” the Commission writes, further warning that: “A fragmented and uncoordinated approach to contact tracing apps risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing adverse effects to the single market and to fundamental rights and freedoms.”

On safeguards the Commission has a clear warning for EU Member States, writing: “Any contact tracing and warning app officially recognised by Member States’ relevant authorities should present all guarantees for respect of fundamental rights, and in particular privacy and data protection, the prevention of surveillance and stigmatization.”

Its list of key safeguards notably includes avoiding the collection of any location data.

“Location data is not necessary nor recommended for the purpose of contact tracing apps, as their goal is not to follow the movements of individuals or to enforce prescriptions,” it says. “Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimisation and would create major security and privacy issues.”

The toolbox also emphasizes that such contacts tracing/warning systems be temporary and voluntary in nature — with “automated/gentle self-dismantling, including deletion of all remaining personal data and proximity information, as soon as the crisis is over”.

“The apps’ installation should be consent-based, while providing users with complete and clear information on intended use and processing,” is another key recommendation. 

The toolbox leans towards suggesting a decentralized approach, in line with earlier Commission missives, with a push for: “Safeguards to ensure the storing of proximity data on the device and data encryption.”

Though the document also includes some discussion of alternative centralized models which involve uploading arbitrary identifiers to a backend server held by public health authorities. 

Users cannot be directly identified through these data. Only the arbitrary identifiers generated by the app are stored on the server. The advantage is that the data stored in the server can be anonymised by aggregation and further used by public authorities as a source of important aggregated information on the intensity of contacts in the population, on the effectiveness of the app in tracing and alerting contacts and on the aggregated number of people that could potentially develop symptoms,” it writes. 

“None of the two options [decentralized vs centralized] includes storing of unnecessary personal information,” it adds, leaving the door open to states that might want their public health authorities to be responsible for centralized data processing.

However the Commission draws a clear distinction between centralized approaches that use arbitrary identifiers and those that store directly-identifiable data on every user — with the latter definitely not recommended.

They would have “major disadvantage”, per the toolbox, because they “would not keep personal data processing to the absolute minimum, and so people may be less willing to install and use the app”.

“Centralised storage of mobile phone numbers could also create risks of data breaches and cyberattacks,” the Commission further warns.

Michael Veale, a backer of a decentralized protocol for COVID-19 contacts tracing that’s being developed by an EU coalition of privacy and security experts, told us: “It is good to see the document clearly lay out how you can achieve contact tracing in a decentralised, privacy-preserving way. However, some Member States might be confused, as they think that if they go for PEPP-PT [a separate EU initiative to standardize contacts tracing apps, by distributing tools and processes, whose spokesman previously told us it will support both centralized and decentralized approaches], they get privacy and decentralisation. In fact, PEPP-PT has removed mention of DP-3T from its website, but has not published any alternative white paper or code for scrutiny for its own system.”

We’ve reached out to PEPP-PT for comment.

Discussing cross-border interoperability requirements, the Commission’s toolbox highlights the necessity for a grab-bag of EU contacts tracing apps to be interoperable, in order to successfully break cross-border transmission chains, which requires national health authorities to be technically able to exchange available information about individuals infected with and/or exposed to COVID-19.

“Tracing and warning apps should therefore follow common EU interoperability protocols so that the previous functionalities can be performed, and particularly safeguarding rights to privacy and data protection, regardless of where a device is in the EU,” it suggests.

On preventing the spread of harmful or unlawful apps the document suggests Member States consider setting up a national system of evaluation/accreditation endorsement of national apps, perhaps based on a common set of criteria (that would need to be defined).

“A close cooperation between health and digital authorities should be sought whenever possible for the evaluation/endorsement of the apps,” it writes. 

The Commission also says “close cooperation with app stores will be needed to promote national apps and promote uptake while delisting harmful apps” — putting Apple and Google squarely in the frame.

Earlier this week the pair announced their own collaboration on coronavirus contracts tracing — announcing a plan to offer an API and later opt-in system-level contacts tracing, based on a decentralized tracking architecture with ephemeral IDs processed locally on devices, rather than being uploaded and held on a central server.

Given the dominance of the two tech giants their decision to collaborate on a decentralized system may effectively deprive national health authorities of the option to gain buy in for systems that would give those publicly funded bodies access to anonymized and aggregated data for coronavirus modelling and/or tracking purposes. Which should, in the middle of a pandemic, give more than a little pause for thought.

A note in the toolbox mentions Apple and Google — with the Commission writing that: “By the end of April 2020, Member States with the Commission will seek clarifications on the solution proposed by Google and Apple with regard to contact tracing functionality on Android and iOS in order to ensure that their initiative is compatible with the EU common approach.”