Guidance for COVID-19 App Development from European Data Protection Board

In response to a request from the European Commission (EC) , the European Data Protection Board (EDPB) provided feed for the organization’s draft guidance on the development and implementation of apps used for contact tracing purposes during the COVID-19 crisis.

Previously, on April 8, the European Commission had published its recommendation. As part of the policy formulation process the EC sought feedback from the EDPB as they strive to create a common EU toolbox for the use of technology and data to combat and exit from the COVID-19 pandemic period.

The EDPB feedback focuses on the the use of apps for the contact tracing and warning tasks. This is the area that could record the highest amount of breaches as private data will have to be processed in a compliant manner, while at the same time not having an adverse impact the provision of any necessary healthcare.

Support is lent to the Commission’s proposal for a voluntary adoption of such apps, with the addition that this process of adoption should indicate a choice was made by the individuals involved as ‘a token of collective responsibility’. There is also the recommendation that the source code of the apps should be made publicly available for the widest possible scrutiny by the scientific community.

For location tracking, the EPDB stated that contact tracing apps do not require location tracking of individual users as their main function is to discover possible contact with those who have contracted COVID-19. Remarks were included that the tracking a person’s movements would be a breach of the principle of data minimization and that the use of the contact tracing apps must cease as soon as the pandemic is deemed to be over. All gathered data must be erased or anonymized.

The letter went on to say that the design process for these type of apps must be conduct tracked and include a data protection impact assessment that reviews all parts of the app’s evolution.

There was also a plea that the EDPB be allowed to participate in the European Commission’s planning for the use of technology in the fight against COVID19.

Andrea Jelinek, Chair of the EDPB, commented: “The EDPB welcomes the Commission’s initiative to develop a pan-European and coordinated approach as this will help to ensure the same level of data protection for every European citizen, regardless of where he or she lives.”

If you would like to view the EDPB, visit: