After months of uncertainty, economic and health efforts and international tensions, we seem to be moving towards “Phase 2” in Europe. This means that a return, albeit partial and gradual, to normality will be possible. And here is the point. How can the relaxation of quarantine and lockdown measures not lead to a new outbreak of the pandemic? The solutions envisaged range from prolonging the use of personal protective equipment, such as masks, to promoting contingency in access to services to limited numbers of people. However, all of this requires an extremely high effort in terms of control by the authorities and, at the same time, a significant capacity for health facilities to react efficiently and effectively if emergency situations occur again.
These reflections have been at the heart of the EU debate in recent weeks, driven by the urgent need to re-establish the status quo ante as soon as possible with the aim of minimising the economic and social consequences of the current crisis. That is why the European Commission, in cooperation with the national authorities, has launched a procedure to identify all the instruments that can stimulate this process. Among these, the development of contact tracing apps is one of the key issues of the moment. These apps offer the possibility to monitor the virus trend and alert citizens if they have been in close proximity with Covid-19 positive subjects.
However, finding and sharing such information is only possible through the management of sensitive health data, the tracking and tracing of individual movements and other categories of data that require proportionate, transparent, time-limited, targeted criteria and, above all, are subject to a high level of control. This is also linked to consent, assuming that a clear definition of informed consent is actually provided to address the awareness of individuals who decide to use such applications.
For this reason, in line with the EDPB (European Data Protection Board) guidelines, the European Commission has launched a toolbox aimed at ensuring that the development and use of contact tracing apps is carried out in full respect of citizens’ fundamental rights and, at the same time, serves as a valuable tool for governments and public health authorities.
The pivotal point is the principle of accountability, both in terms of impact assessment in a preliminary phase to the dissemination of the apps, and the need to intervene through actions of public awareness on the ways in which the shared data will be used.
In line with the technical requirements identified by ENISA ( the European Cybersecurity Agency),- the toolbox, therefore, has the essential requirements to ensure that each app developed is functional to the management of the crisis situation and compliant with the framework provided at national and European level in terms of security and privacy protection. First of all, this involves the voluntary nature of subscribing, which responds to the pursuit of public interest. In addition, the development and use of a given application should be under the control of the national data protection authorities and subject to the approval of the national health authorities. These tools must then be fully in line with the protection of privacy and security of citizens’ data, in compliance with the principles of privacy by design and privacy by default provided for in Article 25 of the GDPR. Another fundamental requirement concerns the possibility of sharing such data at European level, i.e. interoperability of the various systems also at transnational level, so as to ensure the highest possible degree of cooperation to speed up and make the transition process towards normality more uniform. A final point refers to the processing of the data collected once the emergency situation is over – the data collected will have to be permanently and compulsorily deleted or anonymised.
In addition to the essential requirements, the toolbox also outlines a series of measures to ensure accessibility and inclusiveness addressed both to the developers and to the authorities that will then be in charge of the management of the processing. The role of public health authorities with regard to the approval of apps and their access to the data generated must be defined, as well as support actions for the sharing of epidemiological information in cooperation with the ECDC. Furthermore, measures to monitor the effectiveness and prevent the proliferation of harmful or non-compliant applications must be put in place.
An effective cooperation between institutions and Member States is therefore expected in the coming weeks in the context of the eHealth Network, also in view of the reports to be presented by national governments and the Commission’s assessment scheduled for next June.