Europe’s plan for contact tracing apps against COVID-19

In the face of the COVID-19 pandemic, mobile apps are being developed to contain the spread of the new coronavirus disease. Contact tracing and warning apps are described as the most promising in this effort. They can warn us of contact with an infected patient and supposedly help break up transmission chains. Singapore, China, South Korea, Russia and Israel heavily rely on these apps. Impatient to revive their economies, the European Member States too are prying into these so-called corona apps. Should we trust that corona apps can be deployed without compromising our privacy? Or should we fear the worst and prepare for Big Brother to take over? As more questions emerge, this blogpost investigates the EU Toolbox, the recently published Commission Guidance, and the EDPB Statement and Guidelines to figure out what to expect.

How would a contact tracing app work?

There are too many contact tracing app initiatives to provide a detailed description for each of them. To give only a few examples, the Singapore Government launched TraceTogether and open sourced its BlueTrace protocol. It was the first contact tracing app from a national government. From an industry perspective, Apple and Google are joining forces in the development of a joint API for governments to run their contact tracing apps. Concerned about privacy issues with Apple and Google’s API, a consortium of European academics led by the Fraunhofer Institute of Telecommunications has set up a coalition named the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project. PEPP-PT calls for a standardized approach to processing users’ data for contact tracing apps and to limiting privacy intrusions, but in turn received criticism from many of its partners – including the KU Leuven – due to the lack of transparency around its protocol. Led by the Ecole Polytechnique Fédérale de Lausanne, a new team proposes a decentralized solution that has received the name of Decentralised Privacy-Preserving Proximity Tracing (DP-3T) protocol.

Myriads of initiatives are emerging. However, most of them follow the same general idea: when you download the COVID-19 app on your phone, your phone will start sending out ‘random gibberish codes’ to all nearby devices. If your phone comes into proximity of another device that has the app installed, that other device will remember the random gibberish it received from your phone. If you develop symptoms in the next days and a test shows you have been infected, you can ask the app to send out a warning to all devices that remembered your code. If you were in close proximity to an infected patient, you can receive a notification too. In this way, governments hope to quickly break transmission chains because they can provide alerted citizens with information on whether to self-quarantine and where to get tested. This makes it possible to recommend quarantines to selected individuals instead of a general confinement.

Will I remain anonymous?

The EU Member States, together with the European Commission, have developed an EU Toolbox to support a common European approach for tracing apps and to provide a practical guide for the Member States in the implementation thereof. One of the requirements identified in the toolbox is that the ‘random gibberish messages’ should be randomly assigned, and the app should use Bluetooth technology. The EDPB adds that contact tracing apps do not need location data and proximity data should be used instead. In other words, your identity and location should not be disclosed. However, this does not make you anonymous. Even if Bluetooth is considered the most privacy-friendly solution for a tracing app, re-identification attacks are conducted, even on anonymized datasets. Using the app and remaining completely anonymous seems nearly impossible.

The question of anonymity is a very important one. The GDPR only applies to personal data, meaning data relating to an identifiable person. The GDPR does not grant any protection to anonymous data. If a contact tracing app were to indicate that the data it processes is anonymous, it will not consider data quality principles or its users’ data protection rights. But all of this does not mean that users are completely left to themselves. When an app allegedly processes only anonymous data, but in reality, makes use of your personal data, this triggers the applicability of the data protection framework according to Article 2 GDPR. Users deceived by an app claiming to guarantee anonymity can still rely on the GDPR to exercise their rights.

Besides, it is important to remember that this is not the only way a tracing app could work. Although a clear preference has been expressed for this more privacy-friendly option, other variants exist. For example, Cyprus, Czech Republic and Norway have indicated in the EU Toolbox that they make use of GPS data, thereby tracking your geo-location. Other apps may even make use of AI. Besides, it seems a little concerning that the Commission hints at a possibility to access your contacts list. This concern was also raised by the EDPS, which in turn asked for further explanation.

Who will be responsible for my data protection?

The identification of the data controller is crucial to establish who is responsible for compliance with data protection rules. Given the sensitivity of tracing apps, the Commission recommends that this task should fall upon national health authorities. Among other obligations, the national health authorities will thus have to provide information to citizens about what will happen to their data and their rights.

I agree with the Commission that appointing national health authorities as data controllers may contribute to higher trust among citizens and ensure that the app fulfils the intended purpose of protecting public health. Though one may wonder if it is fair to expect health authorities to place privacy and data protection at the same level of importance as public health. In principle, privacy and public health are both fundamental rights and therefore should be granted the same amount of attention. However, given the extraordinary circumstances of the current pandemic and the pressure resting on health authorities, can we trust that they will not almost automatically let public health prevail when the need arises to balance both?

Can the app be made mandatory?

European governments and the Commission, backed up by the EDPB, are very careful to place ‘citizen empowerment’ at the center of their marketing strategy. Contact tracing apps are meant to be installed only by those who voluntarily want to use them, and citizens must perceive them as a tool that empowers them to take care of their health. They should feel in control, and the EDPB stresses that the app should not become a tool to control, stigmatise, or repress individuals. The European governments know it is necessary to gain citizens’ trust before they will agree to download a contact tracing app, which in turn is necessary to guarantee the effectiveness of the app. Although theoretically a legal possibility, it seems highly unlikely the apps will be made mandatory.

Will they need my consent?

The GDPR lays out many different data quality principles and one of them is the principle of lawfulness. The principle of lawfulness is something very different from the voluntary character of the app. The latter describes the idea of not making the download of the app mandatory. The former requires a legal basis for personal data to be processed lawfully. One of these legal bases is ‘consent’. But the idea that the GDPR always imposes consent is a common misconception. In fact, there are other legal bases, including the necessity to perform a task of public interest. An app could be downloaded on a voluntary basis without relying on your consent to process your data. There is thus an important distinction to make between the act of downloading the app and the further processing of your data.

When it comes to downloading the app, the ePrivacy Directive and GDPR make your freely given, specific, informed and unambiguous consent necessary in order to lawfully process your data. However, when it comes to the subsequent processing of your data by national health authorities, both the EDPB and the Commission favour the use of national legislation as a legal basis. Privacy-conscious citizens seem skeptical of this decision: if you do not have to consent, how can you revoke it? It is important to remember that, even if you do not have to consent to the processing of your personal data, you are still entitled to exercise your data subject rights. Users can still demand erasure of their data if it is no longer necessary for the purpose of the contact tracing app.

Will my data be secure?

As mentioned above, the PEPP-PT umbrella was created to assist national governments in their contact tracing app initiatives. Although it proposes a protocol based on the more privacy-friendly Bluetooth technology, it has been criticized for its lack of transparency and centralized approach. As a result, many partners left the initiative and rejoined DP-3T instead. They mainly criticized PEPP-PT’s centralized approach and its high potential for function creep. This means that, in the PEPP-PT method, the data need to leave the user’s phone, as opposed to a decentralized solution, and that, with a small amount of additional data, the user’s identity could be revealed. A contact tracing app could thereby be transformed into a potential surveillance tool, leaving all the phone’s data insecure.
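The exchange of ‘random gibberish codes’ described earlier, in its decentralized form where matching happens on the phone, can be sketched as follows. This is an added illustration, not code from DP-3T, PEPP-PT or any deployed app; the HMAC-based derivation, the 96 codes per day and the names `Phone`, `ephemeral_ids` and `simulate` are assumptions made for the example.

```python
import hashlib
import hmac
import os

EPOCHS_PER_DAY = 96  # assumption: the broadcast code rotates every 15 minutes


def ephemeral_ids(daily_key):
    """Derive one day's broadcast codes from a secret daily key."""
    return [
        hmac.new(daily_key, b"ephid" + epoch.to_bytes(2, "big"),
                 hashlib.sha256).digest()[:16]
        for epoch in range(EPOCHS_PER_DAY)
    ]


class Phone:
    def __init__(self, daily_key=None):
        # The key stays on the device unless its owner reports a positive test.
        self.daily_key = daily_key or os.urandom(32)
        self.heard = set()  # codes received over Bluetooth, stored locally only

    def broadcast(self, epoch):
        return ephemeral_ids(self.daily_key)[epoch]

    def receive(self, code):
        self.heard.add(code)

    def report_positive(self):
        # Only the daily key is uploaded: no contact list, no location.
        return self.daily_key

    def exposed_epochs(self, published_keys):
        # Re-derive codes from the published keys and compare on the phone;
        # the server never learns who met whom.
        return sum(code in self.heard
                   for key in published_keys
                   for code in ephemeral_ids(key))


def simulate():
    # Constructed scenario with fixed keys so the run is reproducible.
    alice, bob, carol = Phone(b"A" * 32), Phone(b"B" * 32), Phone(b"C" * 32)
    for epoch in (10, 11):            # Bob stands near Alice for two epochs
        bob.receive(alice.broadcast(epoch))
    carol.receive(bob.broadcast(10))  # Carol only ever meets Bob
    server = [alice.report_positive()]
    return bob.exposed_epochs(server), carol.exposed_epochs(server)


if __name__ == "__main__":
    print(simulate())
```

Once a daily key is published, anyone can recompute every code derived from it, so a positive user’s broadcasts for that day become linkable to each other: the codes are pseudonymous, not anonymous.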

How long will this app be needed?

The EDPB indicates that a tracing app is acceptable under circumstances as exceptional as the emergency caused by the COVID-19 pandemic. The Commission assures that the apps should be deactivated at the latest when the pandemic is declared to be under control. However, the easy spreading of COVID-19 causes a lot of uncertainty here. As long as there is no vaccine for this new viral disease, it is almost impossible to predict when the emergency will be over and the apps can be deactivated.


Although many questions and concerns can be raised from a data protection perspective, taking everything into account, there is not yet a reason to panic. So far, the EU has been advocating for voluntary apps and rejected the option of geolocation in favour of the usage of a more privacy-friendly Bluetooth technology. However, we must keep in mind that these are non-binding suggestions. In Belgium, the federal minister for privacy has issued a statement indicating that an app is not necessary for tracing contacts and that they will engage in manual contact tracing instead. In its press conference of 27 April 2020, the Belgian national security council seems to have again opened up the possibility for a contact tracing app by saying it would create an appropriate legal framework for these apps. Hungarian citizens might have more reasons for concern as their government recently suspended data subjects’ rights (articles 15-22 GDPR) in relation to COVID-19 until the end of the state of emergency. There is thus a lot of uncertainty surrounding the deployment of these apps and their concrete implementation by the different Member States. In some countries more than others, it seems appropriate to remain vigilant and to continuously ask the right questions.

This article gives the views of the author(s), and does not represent the position of CiTiP, nor of the University of Leuven.
ABOUT THE AUTHOR — Daphné Van der Eycken @DaphneEycken

Daphné Van der Eycken holds a Master in Laws from Ghent University, with a particular focus on IP, IT and European Economic Law (2019, magna cum laude). She started working at CiTiP on 1 November 2019 and is currently pursuing an advanced LL.M. degree from Liège University, with a particular focus on EU Competition and IP Law.
