Law Library Stacks

Back to Index of of Legal Reports
Back to Comparative Summary

Full Report (PDF, 2.78MB)
Map: COVID-19 Contact Tracing Apps (PDF, 550KB)

Jurisdictions Surveyed:
The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates

European Union

In order to fight the spread of COVID-19 in the European Union (EU), the European Commission has suggested developing contact tracing and warning mobile apps, complemented by other measures such as increased testing capabilities. It recommends voluntary apps that comply with data protection and privacy rules and are deleted once they are no longer necessary. Its recommendation sets out detailed rules for the development of such apps and for the use of anonymized mobility data. The eHealth Network, a voluntary network that provides a platform of Member States’ competent authorities dealing with digital health, has published a practical guide for Member States for developing privacy-preserving mobile apps for contact tracing. It is planning on publishing another toolbox for the use of mobility data in June 2020.

The protection of personal data and the respect for private life are fundamental rights in the EU. The data protection legal framework in the EU currently consists of two main pillars, the Directive on Privacy and Electronic Communications (ePrivacy Directive) and the General Data Protection Regulation (GDPR). The GDPR and the ePrivacy Directive set out various requirements for the processing of traffic and location data. In general, consent is required or processing must be necessary for the provision of the service; however, exceptions are possible for reasons of public interest such as public health, or for public security. Derogations must be necessary, appropriate, and proportionate measures. In addition, the EU Decision on Combating Serious Cross-Border Threats to Health, which lays down rules on epidemiological surveillance and on monitoring, early warning, and responsive measures to combat serious cross-border threats to health, allows the transmission of personal data necessary for the purpose of contact tracing.

I. Introduction

On April 17, 2020, the European Commission (Commission) published a “Joint European Roadmap Towards Lifting COVID-19 Containment Measures” that sets out recommendations for the EU Member States to reopen their economies.[1] The three criteria used to assess whether measures taken can be relaxed are epidemiological criteria, sufficient health system capacity, and appropriate monitoring capacity.[2] With regard to monitoring, the Commission suggests, among other things, creating a “framework for contact tracing and warning with the use of mobile apps, which respects data privacy.”[3] For that purpose, it has adopted a recommendation to develop a common European approach (“toolbox”) for the use of mobile applications and has published guidance for the development of such mobile apps with regard to data protection and privacy.[4] The common EU toolbox was published by the eHealth Network on April 15, 2020, and provides a practical guide for Member States for developing privacy-preserving mobile apps for contact tracing.[5]

As of May 22, 2020, there have been a total number of 1.34 million cases of COVID-19 in the European Union (EU)/European Economic Area (EEA) and the United Kingdom (UK), with the most cases being reported in the UK (250,908), Spain (233,037), and Italy (228,006).[6] Of those cases, 160,002 people have died in the EU/EEA and the UK combined.[7] A Eurobarometer survey published in July 2018 found that a total of 89% of the respondents in each EU Member State have at least one mobile phone, ranging from 83% in Italy to 99% in Finland.[8] Furthermore, at least two-thirds of respondents in each Member State live in a household with mobile internet access, with the highest rate (91%) reported in the Netherlands and Denmark.[9] In response to another survey published in March 2020, 60% of the respondents stated that they were willing to share personal data securely to improve public services, with 43% willing to share personal data to improve medical research and care and 31% willing to do so to improve the response to a crisis situation such as an epidemic.[10]

II. Legal Framework

A. Privacy and Data Protection

The protection of personal data and the respect for private life are fundamental rights in the EU.[11] Personal data is defined as “any information relating to an identified or identifiable natural person (data subject).”[12] Among other things, location data is one of the factors that can make a person identifiable.[13] The data protection legal framework in the EU currently consists of two main pillars, the Directive on Privacy and Electronic Communications (ePrivacy Directive)[14] and the General Data Protection Regulation (GDPR).[15] The ePrivacy Directive is slated to be replaced by an ePrivacy Regulation; however, the legislative process is still ongoing, with the last action taken in November 2019, and there appears to be no consensus among the EU countries.[16]

1. General Data Protection Regulation

As a regulation, the GDPR is directly applicable in the EU Member States with generally no domestic implementing legislation needed.[17] Processing of personal data[18] according to the GDPR must comply with the principles of lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy and keeping data up to date; storage limitation; and integrity and confidentiality.[19] Article 6 of the GDPR sets out the conditions under which data processing is considered lawful, with the most common ground being consent given by the data subject.[20]

The processing of certain special categories of personal data (sensitive data), such as data concerning health, is generally prohibited.[21] However, as an exception, sensitive data may be processed if it is “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health . . . , on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject.”[22] Recital 52 of the GDPR clarifies that derogations from the general prohibition are possible for reasons of “health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health.” Furthermore, processing is allowed when it is necessary to protect the vital interests of the data subject.[23] The GDPR explains that this exception may be used as a basis to monitor epidemics and their spread.[24]

Pseudonymization means the “processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.” The GDPR views pseudonymization of personal data as an appropriate technical and organizational measure to achieve “privacy by design” and to ensure the security of data processing.[25] It is not to be confused with anonymization of data, which allows use of the data without any restriction.[26]

2. ePrivacy Directive

The aim of the ePrivacy Directive is to ensure an equivalent level of protection of fundamental rights and freedoms (particularly the right to privacy) with respect to data processing in the electronic communications sector and to ensure the free movement of such data.[27] The ePrivacy Directive covers the processing of personal data by traditional telecom providers in public communications networks in the EU and mandates that Member States protect the confidentiality of the content of electronic communications through national legislation.[28] In particular, Member States must “prohibit listening, tapping, storage, or other kinds of interception or surveillance of communications and the related traffic data . . . without the consent of the users concerned.”[29] The proposed ePrivacy Regulation would extend coverage to internet-based voice and messaging services such as WhatsApp, Facebook Messenger, and Skype.[30]

B. Data Retention and Location Tracking

1. ePrivacy Directive

The ePrivacy Directive allows processing of traffic and other location data under certain circumstances. Traffic data, defined as “any data processed for the purpose of a conveyance of a communication on an electronic communications network or for the billing thereof,”[31] may be processed for billing purposes and must be deleted or made anonymous when no longer needed.[32] Traffic data may also be processed for marketing purposes if prior consent from the user was obtained.[33] Other location data, defined as “any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service,”[34] may only be processed after being made anonymous, or with the consent of the users or subscribers, to the extent and for the duration necessary for the provision of a value-added service.[35] Value-added services are commonly known as location-based services. Users must be informed whether the data will be transmitted to a third party for the purpose of providing the service and must be able to withdraw consent at any time.[36]

Furthermore, storing or gaining access to information already stored on a device requires the consent of the user or must be necessary to provide the service.[37] The user must be provided with clear and comprehensive information on the purpose of the processing in line with the requirements set out in the GDPR.[38]

Derogations from the obligations and rights with regard to traffic and other location data, in particular the requirement to obtain consent, are allowed for national or public security reasons or for law enforcement purposes, among others, if the restriction is a necessary, appropriate, and proportionate measure.[39]

2. Data Retention Directive

The EU Data Retention Directive, which was declared invalid by the Court of Justice of the European Union (CJEU) on April 8, 2014, was another EU legislative instrument that is relevant in the context of data protection and storing traffic and location data.[40] The CJEU held that the Data Retention Directive violated the right to privacy (article 7), the right to protection of personal data (article 8), and the principle of proportionality (article 52) as codified in the EU Charter.[41] The Directive has not been replaced with new EU legislation. Instead, national data retention laws are applicable, but they are subject to review by the CJEU.[42] The CJEU stated that data retention obligations and access to that data are only permissible under EU law if they are strictly necessary.[43] In the Court’s opinion, EU law precludes national legislation that prescribes general and indiscriminate retention of data.[44] The Commission announced in 2017 that it would develop guidance as to how national data retention laws can be constructed to comply with the CJEU ruling; however, such guidance has not yet been released.[45]

3. Decision on Combating Serious Cross-Border Threats to Health

Decision No. 1082/2013/EU on Combating Serious Cross-Border Threats to Health lays down rules on epidemiological surveillance and on monitoring, early warning, and responsive measures to combat serious cross-border threats to health.[46] Recital 25 to the Decision points out that cross-border threats to health

could require the Member States concerned to take particular control or contact-tracing measures in a coordinated manner to identify those persons already contaminated and those persons exposed to risk. Such cooperation could require the exchange of personal data through the system, including sensitive information related to health and information about confirmed or suspected human cases of disease, between those Member States directly involved in the contact-tracing measures.

Data processing for this purpose must comply with the EU data protection framework and must provide specific safeguards for the exchange of personal data.[47] In particular, personal data must be protected against accidental or illegal destruction, accidental loss, or unauthorized access and against any form of illegal processing.[48]

The Decision establishes an Early Warning and Response System (EWRS) for information exchange on serious cross-border threats to health between the Commission and the competent national authorities.[49] Member States must notify an alert in the EWRS where a threat to health that is unusual or unexpected, causes significant mortality/morbidity in humans, grows rapidly in scale, or exceeds national response capacity affects more than one Member State and requires a coordinated response at the EU level.[50] Among other things, Member States must transmit personal data necessary for the purpose of contact tracing.[51] The national authorities are considered controllers of data for that purpose.[52] They must use the selective messaging functionality of the EWRS for the transfer of such contact tracing data and only communicate it to the other Member States involved in the contact tracing measures.[53] The personal data will be automatically deleted from the selective messaging functionality of the EWRS after 12 months.[54]

The Commission has issued a recommendation that provides guidance to national authorities  on data protection issues within the framework of the EWRS and has published an indicative list of personal data for contact tracing.[55] The indicative list allows the exchange of the following personal data for coordinating contact tracing measures:

1.      PERSONAL INFORMATION

—     First name and surname,

—     Nationality, date of birth, sex,

—     Country of residence,

—     ID type, number and issuing authority,

—     Current home/residence address (street name and number, city, country, postal code),

—     Telephone numbers (mobile, residential, business),

—     Email (private, business).

2.      TRAVEL SPECIFICATIONS

—     Conveyance data (such as flight number, date and length of flight, ship name, plate number),

—     Seat number(s),

—     Cabin number(s).

3.      CONTACT INFORMATION

—     Names of visited persons/places of stay,

—     Dates and addresses of the places of stay (street name and number, city, country, postal code),

—     Telephone numbers (mobile, residential, business),

—     Email (private, business).

4.      INFORMATION ON ACCOMPANYING PERSONS

—     First name and surname,

—     Nationality,

—     Country of residence,

—     ID type, number and issuing authority,

—     Current home address (street name and number, city, country, postal code),

—     Telephone numbers (mobile, residential, business),

—     Email (private, business).

5.      EMERGENCY CONTACT DETAILS

—     Name of person to be contacted,

—     Address (street name and number, city, country, postal code),

—     Telephone numbers (mobile, residential, business),

—     Email (private, business).[56]

III. Electronic Measures to Fight COVID-19 Spread

A. COVID-19 Mobile Applications

1. General Overview of Apps

As mentioned, the Commission recommends developing mobile apps to help reduce the spread of COVID-19, complemented by other measures such as increased testing capabilities. Its legally non-binding App Guidance issued on April 17, 2020, addresses the development of voluntary apps to fight the COVID-19 pandemic. It does not cover mandatory apps or those enforcing quarantine requirements. In the opinion of the Commission, further analysis is needed for mandatory apps because of the “high degree of intrusiveness of such an approach,” and therefore recommends the use of voluntary apps.[57] The App Guidance deals with apps with one or several of the following characteristics:

  • provides accurate information to individuals about the COVID-19 pandemic;
  • has symptom-checker functionality;
  • has contact tracing and warning functionality; or
  • increases the use of telemedicine.[58]

The App Guidance states that symptom checker and contact tracing and warning functionalities are useful both for individuals and public health authorities.[59] Individuals that have been in contact with an infected person are informed about appropriate next steps, such as testing, self-quarantine, or treatment. Furthermore, the data may be useful in understanding transmission patterns and provide information on virus circulation.[60] The Commission recommends interoperability of IT solutions used by the different Member States to enable cross-border collaboration and to ensure contact detection between users of different apps.[61]

2. Compatibility with Privacy and Data Protection Principles

In a next step, the Commission lays out different elements that are meant to ensure that the mobile apps comply with the EU privacy and personal data protection framework.

a. Designation and Role of Controllers

The Commission recommends the designation of national health authorities or other similar bodies as the controllers of data.[62] Controllers are charged with ensuring compliance with data protection rules and must inform individuals of how their data is going to be used.[63] Furthermore, as the processing of sensitive health data will likely result in a high risk to the rights and freedoms of individuals, the controller must conduct a prior data protection impact assessment (DPIA).[64] The European Data Protection Board (EDPB) recommends publication of the DPIAs.[65]

b. Individual Control of Data

Secondly, the Commission emphasizes that individuals must remain in control of their data.[66] Being “in control” means that

  • the download and installation of the app are voluntary and there are no negative repercussions for individuals who chose not to download it;
  • consent is given for each individual functionality of the app;
  • proximity data is stored on the device and will not be shared unless a person is infected with COVID-19 and consents to the data sharing;
  • health authorities provide individuals with all necessary information about the processing of their data in line with the GDPR and the ePrivacy Directive;
  • individuals are able to exercise their data protection rights, such as access, rectification, and deletion, among others;
  • restrictions of rights are provided for in a necessary and proportionate law and satisfy the requirements set out in the GDPR and the ePrivacy Directive; and
  • the app is automatically deleted from the mobile device once the pandemic is declared to be under control.[67]

c. Consent of the User

Furthermore, the Commission points out that contact tracing and warning apps generally require the storage of information on the device. According to the ePrivacy Directive, storing information or gaining access to information already stored on a device requires either consent of the user or must be necessary to provide the service.[68] The Commission explains that as the user may need to upload proximity data, which is not necessary for the operation of the app as such, consent is required.[69] Consent according to the GDPR is only valid if it is freely given,[70] specific, informed,[71] and an unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her.[72] That means that silence, pre-ticked boxes (checked by default), or inactivity do no constitute valid consent.[73] Furthermore, withdrawing consent needs to be as easy as giving consent.[74] The EDPB issued guidelines in May 2020 that provide more details on the requirements for valid consent.[75]

d. Processing for Reasons Other than Consent

The GDPR also allows processing of personal data when it is necessary to comply with a legal obligation to which the controller is subject or when such processing is necessary for the performance of a task carried out to further the public interest.[76] The Commission states that national laws that were already in place before the COVID-19 pandemic or laws enacted or amended in response to it can provide a valid legal basis for processing personal data in a mobile app if they meet the requirements of the GDPR.[77] The legal obligation or public interest task must be codified in either EU law or Member State law to which the controller is subject, and that legal basis must identify the purpose of the processing or the processing must be necessary for the performance of the task.[78] Furthermore, the legal basis must “meet an objective of public interest and be proportionate to the legitimate aim pursued.”[79] In the opinion of the Commission, a generic purpose of “prevention of further COVID-19 infections” is not specific enough for an app with contact tracing and warning functionalities. Instead, it proposes “retaining of the contacts of the persons who use the app and who may have been exposed to infection by COVID-19 in order to warn those persons who could have been potentially infected.”[80]

The Commission recommends not bundling functionalities and only using the data for the fight against COVID-19. If Member States would like to use the data for additional purposes such a scientific research and statistics, such purposes should be clearly communicated to the user and included in the legal basis.[81]

The Commission emphasizes that even if there is a valid legal basis that allows the processing of personal data to fight epidemics by national authorities, individuals must remain free to install or de-install a contact tracing and warning app.[82]

e. Automated Individual Decision-making

If the warnings are issued directly by the app, national authorities also need to abide by the requirements codified in the GDPR for automated individual decision-making.[83] The GDPR establishes a general prohibition for decision-making based solely on automated processing that has legal or similarly significant effects. “Solely” means that the decision is totally automated and there is no human review.[84] “Legal or similarly significant effects” means that the decision either affects a person’s legal status or rights, such as the denial of a social benefit, or has equivalent impact on an individual’s circumstances, behavior, or choices, or leads to exclusion/discrimination of an individual, such as the denial of an online credit application or access to education.[85] However, as an exception, decision-making based solely on automated processing may be performed when it is necessary for the performance of or entering into a contract, is authorized by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the user’s rights and freedoms and legitimate interests, or is based on the user’s explicit consent.[86] In addition, for sensitive data such as health data, the processing may only take place when the user has consented or when it is necessary for reasons of substantial public interest and there are sufficient safeguards in place.[87]

f. Data Minimization

The Commission emphasizes that the apps must abide by the principle of data minimization, meaning that the processing of personal data should be adequate, relevant, and limited to what is necessary.[88] For example, an app with symptom checking or telemedicine functionality does not need access to the contact list stored on the device.[89] Mobile apps with contact tracing and warning functionality will generally require proximity data from the user. The Commission recommends the use of Bluetooth Low Energy (BLE) communications data or data generated by equivalent technology for this purpose.[90] In the opinion of the Commission, BLE, unlike geolocation data, is more precise, thereby minimizing the risk of having false positives, and avoids the possibility of tracking.[91] It should only be recorded when there is an actual risk of infection.[92] The Commission advises against the use of location data as it is not necessary for contact tracing.

With regard to the warning of people who have been in close contact with an infected person, the Commission proposes two solutions, a centralized and a decentralized solution. When a user has tested positive and inputs that information into the app, where it is subsequently stored, an automatic alert is sent to the close contacts (decentralized processing). The Commission recommends that the alert message should be drafted by the health authorities. Under the second option, arbitrary temporary identifiers that cannot directly identify the user are stored on a backend server held by the health authorities. Users who have been in close contact with someone who has tested positive receive an alert on their phone through the identifiers (centralized processing). For contact via phone or text message, health authorities would need additional consent of those users.[93] The Commission prefers the first solution as it aligns better with the principle of data minimization.[94] There is no need to reveal the identity of the infected person to the individuals who have been in close contact with him or her.[95]

g. Data Storage Limitation

Data should not be kept longer than necessary for the specific functionality of the app based on medical relevance and administrative processing.[96] That means that proximity data for apps with contact tracing and warning functionalities should be deleted after a maximum of one month (incubation period plus margin) or after a negative test result. It may be kept longer in an anonymized form. Only data that is necessary to fulfill the purpose of the app should be uploaded to the server of the health authorities.[97]

h. Data Security

With regard to data security, the Commission emphasizes encryption and pseudonymization of the data. It advises that the data be stored on the user’s device in an encrypted form with state-of-the-art cryptographic techniques.[98] Such techniques could be symmetric and asymmetric encryption, hash functions, private membership test, private set intersection, Bloom filters, private information retrieval, and homomorphic encryption, among others.[99] Proximity data should be encrypted and pseudonymized. When proximity data is collected via BLE, the Commission recommends establishing and storing temporary device IDs that change regularly instead of the actual ID.[100] Temporary IDs offer more protection against hacking and tracking. Additional security measures proposed are automatic deletion or anonymization of data after a certain time. In general, the more sensitive the data is, the more security is required. The EDPB additionally recommends that a mechanism be established to verify the status of users who log a positive test result in the app¾for example, by providing a single-use code linked to a test station or health care professional.[101]

Furthermore, the Commission states that the source code should be published and be made available for review.[102] In the opinion of the Commission and the EDPB, such a review of the algorithm by independent experts will ensure fairness, accountability, and compliance with the law.[103]

3. Development of a CEN Technical Specification

The European Committee for Standardization (CEN) has been asked by the Commission to develop a new CEN technical specification for “Quality and Reliability of Health and Wellness Apps.”[104] It is slated to be completed in 2020 and is meant to provide app developers with a consistent set of criteria for such apps. CEN states that such a quality standard will “giv[e] users and health professionals confidence that the apps are fit for purpose, and provid[e] app developers easier access to European markets.”[105] The specification will be compatible with the world health informatics standards from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

4. Pan-European Privacy-Preserving Proximity Tracing Initiative

The Pan-European Privacy-Preserving Proximity Tracing Initiative (PEPP-PT) is a consortium made up of various European firms and research institutions that is in the process of developing a software for national contact or proximity tracing apps to fight the spread of COVID-19.[106] Several European countries had reportedly announced they would use the software as a basis for developing their own COVID-19 app.[107] However, after a controversy over whether a centralized or a decentralized approach should be used and concerns over transparency, several partners dropped out and governments withdrew support.[108]

B. Use of Mobility Data

Furthermore, the Commission recommends developing a common approach for the use of anonymized and aggregated mobility data to inform measures and exit strategies.[109] The EDPB emphasizes that preference should be given to the processing of anonymized data rather than personal data.[110] The eHealth Network plans to release a plan for a common approach in June 2020.[111] In particular, such mobility data can be used to map and predict the diffusion of the disease and its impact on health system needs in the Member States, optimize the effectiveness of measures to contain the spread of COVID-19, and address its effects. The Commission advises Member States to exchange best practices on the use of mobility data, share and compare modelling and predictions of the spread of the virus, and monitor the impact of measures to limit its spread.[112] It emphasizes that the appropriate use of anonymized and aggregated mobility data for modelling needs to be addressed and the methodology that providers used for anonymizing data must be checked for plausibility. Furthermore, safeguards need to be put in place to prevent de-anonymization.[113] The EDPB points out that robust anonymization requires examining

  • whether data can be singled-out, meaning whether an individual can be isolated in a larger group based on the data;
  • linkability; and
  • inference, meaning whether unknown information about an individual can be deduced with significant probability.[114]

Data that was accidentally processed must be immediately and irreversibly deleted. All other data should be deleted after 90 days or no later than the end of the pandemic. Lastly, the mobility data should only be used for the aforementioned purposes and not be shared with third parties.[115]

Back to Top

Prepared by Jenny Gesley
Foreign Law Specialist
June 2020


[1] Joint European Roadmap Towards Lifting COVID-19 Containment Measures, 2020 O.J. (C 126) 1, https://perma.cc/M67Z-YEUL.

[2] Id. at 4.

[3] Id. at 4 & 6.

[4] Commission Recommendation (EU) 2020/518 on a Common Union Toolbox for the Use of Technology and Data to Combat and Exit From the COVID-19 Crisis, in Particular Concerning Mobile Applications and the Use of Anonymised Mobility Data, 2020 O.J. (L 114) 7, https://perma.cc/XL2M-3UJX; Commission Communication 2020/C 124 I/01, Guidance on Apps Supporting the Fight Against COVID 19 Pandemic in Relation to Data Protection (App Guidance), 2020 O.J. (C 124 I) 1, https://perma.cc/S7CZ-8NMV.

[5] eHealth Network, Mobile Applications to Support Contact Tracing in the EU’s Fight Against COVID-19. Common EU Toolbox for Member States. Version 1.0 (Apr. 15, 2020), https://perma.cc/C98Y-7NNV; eHealth Network, Annex IV: Inventory Mobile Solutions Against COVID-19 (Apr. 16, 2020), https://perma.cc/HW9F-AMHL. The eHealth Network is a voluntary network, set up under article 14 of Directive 2011/24/EU. It provides a platform of Member States’ competent authorities dealing with digital health. See eHealth Network, Mobile Applications, at 2.

[6] Situation Update for the EU/EEA and the UK, as of 22 May 2020, European Centre for Disease Prevention and Control [ECDC] (last updated May 22, 2020), https://perma.cc/A9UZ-Z9XU.

[7] Id.

[8] European Commission, Special Eurobarometer 462. Report. E-Communications and Digital Single Market 37 (July 2018), https://perma.cc/L6BY-DRMJ.

[9] Id. at 49.

[10] European Commission, Special Eurobarometer 503. Report. Attitudes Towards the Impact of Digitalisation on Daily Lives 33 (Mar. 2020), https://perma.cc/U29Z-UPYK.

[11] Charter of Fundamental Rights of the European Union (EU Charter) arts. 7, 8, 2012 O.J. (C 326) 391, https://perma.cc/PAX8-4MYJ; Consolidated Version of the Treaty on the Functioning of the European Union (TFEU) art. 16, para. 1, 2016 O.J. (C 202) 1, https://perma.cc/GPB6-64TG.

[12] General Data Protection Regulation (GDPR), art. 4, point (1), 2016 O.J. (L 119) 1, https://perma.cc/7T85-89ZQ.

[13] An “identifiable natural person” is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” See GDPR, art. 4, point (1).

[14] Consolidated Version of the Directive on Privacy and Electronic Communications (ePrivacy Directive), 2002 O.J. (L 201) 37, https://perma.cc/YHA5-EFXV.

[15] GDPR, supra note 12.

[16] ePrivacy Regulation Proposal, COM(2017) 10 final (Jan. 10, 2017), https://perma.cc/N2WU-H2RL; Legislative Train Schedule. Proposal for a Regulation on Privacy and Electronic Communication, European Parliament (last updated Dec. 15, 2019), https://perma.cc/M49E-Q5UR.

[17] TFEU, art. 288, para. 2; GDPR, art. 99. Some provisions nonetheless require for their implementation the adoption of measures of application by the Member States—for example, the appointment of a national regulator and administrative sanctions for a violation of the GDPR. The GDPR also contains “opening clauses” that permit diverging national legislation in certain areas—for example, for the processing of special categories of personal data or in the context of employment.

[18] “Processing” means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” GDPR, art. 4, point (2).

[19] Id. art. 5, para. 1. For a more detailed overview, see Jenny Gesley, Online Privacy Law: European Union (Law Library of Congress, Dec. 2017), https://perma.cc/D36L-7EH8.

[20] GDPR, art. 6, para. 1(a), art. 7.

[21] Id. art. 9, para. 1.

[22] Id. art. 9, para. 2(g).

[23] Id. art. 9, para. 2(c).

[24] Id. recital 42.

[25] Id. arts. 25, 32.

[26] European Data Protection Board (EDPB), Guidelines 04/2020 on the Use of Location Data and Contact Tracing Tools in the Context of the COVID-19 Outbreak para. 17 (Apr. 21, 2020), https://perma.cc/3GYK-JYD4.

[27] ePrivacy Directive, art. 1, para. 1.

[28] Id. arts. 3, 5.

[29] Id. art. 5.

[30] ePrivacy Regulation Proposal, art. 18.

[31] ePrivacy Directive,art. 2(b).

[32] Id. art. 6.

[33] Id. art. 6, para. 3.

[34] Id. art. 2(c).

[35] Id. art. 9, para. 1.

[36] Id.

[37] Id. art. 5, para. 3.

[38] Id.

[39] Id. art. 6; art. 15, para. 1.

[40] Data Retention Directive, 2006 O.J. (L 105) 54, https://perma.cc/7NM9-LX64.

[41] Joined Cases C-293/12 and C-594/12, Dig. Rights Ireland Ltd. v. Minister for Communications, Marine and Natural Resources, ECLI:EU:C:2014:238, https://perma.cc/DS6L-C2UK. For background information, see Theresa Papademetriou, European Union: ECJ Invalidates Data Retention Directive (Law Library of Congress, June 2014), https://perma.cc/KE7S-EB93.

[42] Joined Cases C-203/15, Tele2 Sverige AB v. Post-och telestyrelsen and C-698/15 Secretary of State for the Home Department v. Tom Watson, paras. 75–81, ECLI:EU:C:2016:970, https://perma.cc/KE9W-9M6M.

[43] Id. at 96.

[44] Id. at 112.

[45] Commission Communication,at 8, COM (2017) 41 final (Jan. 25, 2017), https://perma.cc/MPJ9-NVZL.

[46] Consolidated Version of Decision No. 1082/2013/EU, art. 1, 2013 O.J. (L 293) 1, https://perma.cc/UBY9-BVEH.

[47] Id. art. 16, recital 27.

[48] Id. art. 16, para. 1.

[49] Id. art. 8.

[50] Id. art. 9, para. 1.

[51] Id. art. 9, para. 3(i).

[52] Id. art. 16, para. 7.

[53] Id. art. 16, paras. 2, 3.

[54] Id. art. 16, para. 5.

[55] Id. art. 16, para. 9; Commission Recommendation (EU) 2017/1140, 2017 O.J. (L 164) 65, https://perma.cc/D9NX-SVMW. The indicative list of personal data that may be communicated by the EWRS competent authorities is included in the Annex to the Commission Recommendation.

[56] Id. Annex.

[57] App Guidance, supra note 4, at 2.

[58] Id.

[59] Id. at 3, para. 2.

[60] Id.

[61] Id.

[62] Id. at 3, para. 3.1.

[63] GDPR, art. 5, para. 2.

[64] Id. art. 35.

[65] EDPB, supra note 26, para. 39.

[66] App Guidance, supra note 4, at 4, para 3.2

[67] Id.

[68] Id. at 4, para. 3.3; ePrivacy Directive, art. 5, para. 3.

[69] App Guidance, supra note 4, at 4, para. 3.3.

[70] GDPR, art. 7, para. 4; recital 43.

[71] Id. recital 42.

[72] Id. art. 4, point (11).

[73] Id. recital 32.

[74] Id. art. 7, para. 3.

[75] EDPB, Guidelines 05/2020 on Consent Under Regulation 2016/679 (May 4, 2020), https://perma.cc/XG4F-YMBL. These guidelines update guidelines previously issued by the Article 29 Working Party in 2018, which were endorsed by the EDPB. See EDPB, Guidelines 05/2020, at 3.

[76] GDPR, art. 6, para. 1(c), (e).

[77] App Guidance, supra note 4, at 5, para 3.3.

[78] GDPR, art. 6, para. 3.

[79] Id.

[80] App Guidance, supra note 4, at 8, para. 3.6.

[81] Id.

[82] Id. at 5, para 3.3.

[83] Id.; GDPR, art. 22.

[84] Article 29 Working Party, Guidelines on Automated Individual Decision-making and Profiling for the Purposes of Regulation 2016/679 20 (Feb. 2018), https://perma.cc/L4GP-26NN.

[85] Id. at 21.

[86] GDPR, art. 22, para. 2.

[87] Id. art. 22, para. 4.

[88] App Guidance, supra note 4, at 5, para. 3.4; GDPR, art. 5, para. 1(c).

[89] App Guidance, supra note 4, at 5, para. 3.4.

[90] Id. at 6, para. 3.4.

[91] Id. at 6, para. 3.4. & 9, para. 3.9.

[92] Id. at 6, para. 3.4.

[93] Id.

[94] Id. at 7, para. 3.5

[95] Id.

[96] Id. at 8, para. 3.7.

[97] Id.

[98] Id. at 8, para. 3.8.

[99] EDPB, supra note 26, at 16, no. 8.

[100] App Guidance, supra note  4, at 8, para. 3.8.

[101] EDPB, supra note 26, at 16, no. 8.

[102] App Guidance, supra note 4, at 9, para. 3.8.

[103] EDPB, supra note 26, para. 37.

[104] Quality & Reliability for Health and Wellness Apps, CEN, https://perma.cc/HB7W-G72Y.

[105] Id.

[106] Pan-European Privacy-Preserving Proximity Tracing, PEPP-PT, https://perma.cc/LA59-URUB.

[107] Douglas Busvine, European Coronavirus App Platform Gains Traction With Governments, Reuters (Apr. 17, 2020), https://perma.cc/Z27T-9Z6F.

[108] Douglas Busvine, Rift Opens Over European Coronavirus Contact Tracing Apps, Reuters (Apr. 20, 2020), https://perma.cc/AQM6-VCK3.

[109] Commission Recommendation (EU) 2020/518, supra note 4, at 14, para. 18.

[110] EDPB, supra note 26, para. 14.

[111] EHealth Network, Mobile Applications, supra note 5, at 24, point V.c.

[112] Commission Recommendation (EU) 2020/518, supra note 4, at 14, para. 19.

[113] Id. at 14, para. 20.

[114] EDPB, supra note 26, para. 16.

[115] Commission Recommendation (EU) 2020/518, supra note 4, at 14, para. 20.

Last Updated: 06/24/2020