The European Data Protection Board (EDPB) has set out how app developers and national authorities can process peoples’ health data safely to help battle the coronavirus pandemic while also agreeing with guidelines on how geolocation and other tracing tools should be used.

Like other regions, the European Union has struggled with how to open up citizens’ medical data to tech firms to help fight the spread of coronavirus, especially when data protection authorities are unsure these firms have the necessary safeguards in place to ensure personal information is not misused.

On April 8, the European Commission, the EU’s executive body, called for a common EU approach to boost the development and effectiveness of apps, while ensuring key rights and freedoms are respected.

“People should not have to choose between an efficient response to the crisis and the protection of fundamental rights.”

EDPB Chair Andrea Jelinek

The latest EDPB guidelines, made public Wednesday, state that the General Data Protection Regulation (GDPR) allows certain special categories of personal data, including health data, to be processed where it is necessary for scientific research purposes. It says the GDPR contains several provisions that allow the processing of health data for scientific research, in particular relating to consent and to the respective national legislations of the EU’s 28 member states.

“The GDPR does not stand in the way of scientific research, but enables the lawful processing of health data to support the purpose of finding a vaccine or treatment for COVID-19,” EDPB Chair Andrea Jelinek said in a statement.

The EDPB, the EU’s body to ensure privacy rules are enforced consistently, says both the GDPR and the ePrivacy Directive—a piece of EU legislation that covers the tracking and monitoring of digital communications—contain specific provisions allowing for the use of anonymous or personal data to support public authorities and other national or EU bodies in their efforts to control public health crises.

The guidance also makes it clear, however, that “the general principles of effectiveness, necessity, and proportionality must guide any measures adopted by member states or EU institutions that involve processing of personal data to fight COVID-19.”

The guidelines—which have been issued without the usual public consultation—also address legal questions around international data transfers involving health data for research purposes related to the fight against COVID-19—in particular in the absence of an adequacy decision or other appropriate safeguards. They also aim to clarify the conditions and principles for the “proportionate” use of location data and contact tracing tools.

In fact, only two specific purposes are allowed.

Location data can only be used to support the response to the pandemic by modelling the spread of the virus in order to assess the overall effectiveness of confinement measures. Contact tracing, which aims to notify individuals who may have been in close proximity to someone who is eventually confirmed as a carrier of the virus, may only be used to help break the contamination chains as early as possible.

No other uses of personal data acquired by these tools, such as commercial or law enforcement purposes, are sanctioned—thereby putting an end to potential “function creep” and mass surveillance.

The EDPB believes the use of contact tracing apps should be “voluntary” and “should not rely on tracing individual movements, but rather on proximity information” regarding users.

The board has also issued a “non-exhaustive” guide to provide designers and implementers of contact tracing apps with a better steer as to what their responsibilities are, underlining that any assessment of how the tools are used must be carried out on a case-by-case basis.

Furthermore, to ensure accountability, the EDPB says the controller of any contact tracing application “should be clearly defined”—preferably being national health authorities, although “other controllers may also be envisaged.”

“People should not have to choose between an efficient response to the crisis and the protection of fundamental rights,” said Jelinek.

Separately, on April 10, tech giants Apple and Google announced they were working together to release an application programming interface (API) by mid-May that would allow apps from public health organizations to use a phone’s Bluetooth to keep track of whether a smartphone’s owner has come into contact with someone who later turns out to have been infected with COVID-19. Once alerted, that user can then self-isolate or get tested themselves.

Crucially, Google and Apple say the system will not involve tracking user locations or even collecting any identifying data that would be stored on a server.